itseasysolutions
Cisco 877 blocking some websites
I have a Cisco 877W which I have set up and which connects to the internet, and the wireless seems to work fine. BUT some web sites are blocked, for instance experts-exchange.com, and some web sites only partly load, e.g. bbc.co.uk. I am new to Ciscos and I have trawled through loads of web sites looking for similar problems but to no avail. Anyway, I set up the router through SDM and its wizards. So could someone look through my running log and tell me where I'm going wrong. Many thanks.
Building configuration...
Current configuration : 8067 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
crypto pki trustpoint TP-self-signed-3225135223
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3225135223
revocation-check none
rsakeypair TP-self-signed-3225135223
!
!
crypto pki certificate chain TP-self-signed-3225135223
certificate self-signed 01
quit
!
dot11 ssid hardware
vlan 1
authentication open
guest-mode
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.10.1 192.168.10.19
ip dhcp excluded-address 192.168.10.250 192.168.10.254
!
ip dhcp pool sdm-pool
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 193.36.79.100 80.10.246.1
lease 0 2
!
!
ip domain name yourdomain.com
ip name-server 193.36.79.100
ip name-server 80.10.246.1
ip name-server 198.6.1.2
!
!
!
username Admin privilege 15 secret 5 $1$L/uf$1tv6MWiDHgAvIJslmqVu..
archive
log config
hidekeys
!
!
!
class-map type inspect match-all sdm-cls-sdm-permit-icmpreply-1
match access-group name anyall
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-service-sdm-inspect-1
match protocol http
match protocol https
class-map type inspect match-any all
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-cls-sdm-permit-1
match class-map all
match access-group name all
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
inspect
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class class-default
pass
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 key 1 size 40bit 0 ******* transmit-key
encryption vlan 1 mode wep mandatory
!
ssid hardware
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ********@fs
ppp chap password 0 *****
ppp pap sent-username *****@fs password 0 ******
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip route 0.0.0.0 0.0.0.0 91.109.64.1 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended all
remark SDM_ACL Category=128
permit ip any any
ip access-list extended anyall
remark SDM_ACL Category=128
permit ip any any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn cef
end
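To see what the SDM-generated zone-based firewall in a dump like the one above is actually inspecting (which zone-pair, which policy-map, which class-maps and which protocol matches once nested class-maps are expanded), here is a small parser. It is an added example, not code from this thread; SAMPLE is a constructed excerpt of the posted config with indentation stripped as in the post, and parse_zbfw, expand and inspect_rules are names chosen here.

```python
# Added example (not from the thread): list what a zone-pair's policy inspects in an
# IOS zone-based firewall. SAMPLE is a constructed excerpt of the config posted above.
SAMPLE = """\
class-map type inspect match-any sdm-cls-insp-traffic
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
policy-map type inspect sdm-inspect
class type inspect sdm-insp-traffic
inspect
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
"""
def parse_zbfw(text):
    """Collect class-maps, policy-maps and zone-pairs; any other line ends a block."""
    classes, policies, pairs, kind, name = {}, {}, {}, None, None
    for w in (line.split() or [""] for line in text.splitlines()):
        if w[0] == "class-map":
            kind, name = "class", w[-1]
            classes[name] = []                     # raw "match ..." lines
        elif w[0] == "policy-map":
            kind, name = "policy", w[-1]
            policies[name] = []                    # [class, action] entries
        elif w[0] == "zone-pair":
            kind, name = "pair", w[2]
            pairs[name] = [w[4], w[6], None]       # [source, destination, policy]
        elif kind == "class" and w[0] == "match":
            classes[name].append(" ".join(w[1:]))
        elif kind == "policy" and w[0] == "class":
            policies[name].append([w[-1], None])   # "class type inspect X" / "class class-default"
        elif kind == "policy" and w[0] in ("inspect", "pass", "drop"):
            policies[name][-1][1] = w[0]
        elif kind == "pair" and w[0] == "service-policy":
            pairs[name][2] = w[-1]
        else:
            kind = None
    return classes, policies, pairs

def expand(classes, cls):
    # Follow nested "match class-map X" references down to protocol / access-group matches
    out = []
    for m in classes.get(cls, []):
        out += expand(classes, m.split()[1]) if m.startswith("class-map ") else [m]
    return out

def inspect_rules(text, src, dst):
    """Class -> concrete matches given the 'inspect' action on the src->dst zone-pair."""
    classes, policies, pairs = parse_zbfw(text)
    pol = next((p for s, d, p in pairs.values() if (s, d) == (src, dst)), None)
    return {c: expand(classes, c) for c, a in policies.get(pol, []) if a == "inspect"}
```

Run it over the full `show running-config` text to confirm that the in-zone to out-zone pair ends up stateful-inspecting all TCP and UDP, which is the inspection the answer below refers to.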
My guess is that you have used the SDM firewall wizard and told it to use the "high" security level. By default this level will inspect the packets for compliance. If the packet does not meet certain standards of how the router thinks the packet should be formed, it gets dropped. Since you say you are not especially familiar with Cisco, I would say the easiest way to resolve this would be to use the SDM to clear out your current firewall configuration and rerun the wizard with the medium or low security level. Medium will still inspect the traffic, but if there is a problem they will log it instead of dropping it.
ASKER
Hi,
I have used the SDM firewall wizard and set the security level to low. I have run the wizard several times and done a factory reset on the router and still have the same problems. Is there a CLI command to allow malformed or fragmented packets through, as this feels like the source of the problem?
ASKER CERTIFIED SOLUTION
ASKER
Sorry I haven't got back sooner, I had to go away for a day. I have found out that it is something to do with the wireless being set up. I have reset (factory) the router and reconfigured it with the firewall set to low, and all works fine until I configure the wireless, and then the router goes back to blocking some web pages etc. The router does this to both the wireless LAN and the wired LAN. So any ideas on how to set up the wireless LAN without it messing up the wired LAN?