Solved

Cisco 877 blocking some websites

Posted on 2009-04-13
768 Views
Last Modified: 2012-05-06
I have a Cisco 877W which I have set up; it connects to the internet and the wireless seems to work fine. BUT some web sites are blocked, for instance experts-exchange.com, and some web sites only partly load, e.g. bbc.co.uk. I am new to Ciscos and I have trawled through loads of web sites looking for similar problems but to no avail. Anyway, I set up the router through SDM and its wizards. So could someone look through my running log and tell me where I'm going wrong. Many thanks.
Building configuration...

Current configuration : 8067 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
crypto pki trustpoint TP-self-signed-3225135223
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3225135223
 revocation-check none
 rsakeypair TP-self-signed-3225135223
!
!
crypto pki certificate chain TP-self-signed-3225135223
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323235 31333532 3233301E 170D3032 30333031 30303332
  32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32323531
  33353232 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B707 30C184A8 296F8531 93D03AD3 69DAA216 2B44F664 A1D9E826 43D5BE23
  00F94D40 161CF269 D7134163 9D373E6D B255A707 D0A4074B C7145F6E 46A7522C
  5E6CC2C2 78819A90 50A0224A 03CCD5C8 8F49A6B0 E46EEFEF 59882C46 001338F0
  37CA1931 81956986 607C5578 9C952325 143FABC0 16E6AE46 DBF76206 5840754E
  A3510203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14A1AD85 3FB344AF 0ED7D156 BEF0CF5B 3ED62233
  C1301D06 03551D0E 04160414 A1AD853F B344AF0E D7D156BE F0CF5B3E D62233C1
  300D0609 2A864886 F70D0101 04050003 81810034 CE42E175 70AB81F2 F413EBA3
  6FA8E3CF E56EE9C3 586268F4 636C57AC 441118CA 2C80BD70 3F3C51DF 8B82AFC1
  001FEA10 2314B886 EE3A5BCF EED8637A 717BA1B2 DBDB917C BB076D9F 71E35556
  13FA399E 61D46525 7815E2DC DB2FF91F AE73B629 30D9A2E9 FB63F095 FCB3247C
  7531EBC4 7917E09B 86A91079 33EFE789 8E3B76
  quit
!
dot11 ssid hardware
   vlan 1
   authentication open
   guest-mode
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.10.1 192.168.10.19
ip dhcp excluded-address 192.168.10.250 192.168.10.254
!
ip dhcp pool sdm-pool
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 193.36.79.100 80.10.246.1
   lease 0 2
!
!
ip domain name yourdomain.com
ip name-server 193.36.79.100
ip name-server 80.10.246.1
ip name-server 198.6.1.2
!
!
!
username Admin privilege 15 secret 5 $1$L/uf$1tv6MWiDHgAvIJslmqVu..
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-cls-sdm-permit-icmpreply-1
 match access-group name anyall
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-service-sdm-inspect-1
 match protocol http
 match protocol https
class-map type inspect match-any all
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls-sdm-permit-1
 match class-map all
 match access-group name all
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  inspect
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
  pass
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 key 1 size 40bit 0 ******* transmit-key
 encryption vlan 1 mode wep mandatory
 !
 ssid hardware
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ********@fs
 ppp chap password 0 *****
 ppp pap sent-username *****@fs password 0 ******
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip route 0.0.0.0 0.0.0.0 91.109.64.1 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended all
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended anyall
 remark SDM_ACL Category=128
 permit ip any any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000

!
webvpn cef
end

Question by: itseasysolutions

4 Comments

Expert Comment by: Sniper98G (LVL 8)
My guess is that you have used the SDM firewall wizard and told it to use the "high" security level. By default this level will inspect the packets for compliance. If the packet does not meet certain standards of how the router thinks the packet should be formed, it gets dropped. Since you say you are not especially familiar with Cisco, I would say the easiest way to resolve this would be to use the SDM to clear out your current firewall configuration and rerun the wizard with medium or low security levels. Medium will still inspect the traffic, but if there is a problem it will log it instead of dropping it.

Author Comment by: itseasysolutions
Hi,
I have used the SDM firewall wizard and set the security level to low. I have run the wizard several times and done a factory reset on the router and still have the same problems. Is there a CLI command to allow malformed or fragmented packets through, as this feels like the source of the problem?

Accepted Solution by: atlas_shuddered (LVL 10, earned 500 total points)
You may want to look at changing the MSS (Maximum Segment Size), as this is a common issue with Cisco equipment leading to site load failures.

ip tcp adjust-mss xxxx - where xxxx is the segment size, set 40 bytes lower than the MTU size on the network.
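
The accepted answer names the command but not what it does on the wire, and the "40 bytes lower" figure is the minimum IPv4 header (20 bytes) plus the minimum TCP header (20 bytes). The following is an added example, not code from this thread or from Cisco: a small Python implementation of TCP MSS clamping, the rewrite that `ip tcp adjust-mss` applies to SYN segments crossing the interface it is configured on. The SYN segment, the 192.168.10.20 source and the 203.0.113.10 destination are constructed sample input; the clamp value 1452 assumes a 1492-byte PPP MTU on the ADSL side, which the thread never states and which should be measured on the actual link.

```python
# Added example: TCP MSS clamping, the operation Cisco IOS performs for
# `ip tcp adjust-mss`. Not from the thread; the SYN and addresses are constructed.
import socket
import struct

TCP_PROTO = 6
TCP_SYN = 0x02
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def _checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(packet, tcp):
    """Checksum of a TCP segment prefixed by the IPv4 pseudo-header (src, dst, 0, proto, len)."""
    pseudo = packet[12:20] + struct.pack("!BBH", 0, TCP_PROTO, len(tcp))
    return _checksum(pseudo + tcp)


def _find_mss(options):
    """Walk kind-length-value TCP options and return the offset of the 16-bit MSS value.
    Returns None when absent, truncated or malformed, so the caller leaves the segment alone."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def _split(packet):
    """Return (IP header length, TCP bytes, TCP header length) of an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    return ihl, tcp, (tcp[12] >> 4) * 4


def get_mss(packet):
    """MSS advertised in the segment's options, or None if there is no MSS option."""
    _, tcp, doff = _split(packet)
    off = _find_mss(tcp[20:doff])
    return None if off is None else struct.unpack_from("!H", tcp, 20 + off)[0]


def tcp_checksum_ok(packet):
    """True when the TCP checksum verifies (sum including the checksum field folds to zero)."""
    _, tcp, _ = _split(packet)
    return _tcp_checksum(packet, tcp) == 0


def adjust_mss(packet, max_mss):
    """Clamp the MSS option of a SYN to max_mss and recompute the TCP checksum.
    Non-TCP, non-SYN, option-less and already-small segments come back unchanged.
    The IP header checksum is untouched because the total length does not change."""
    if packet[9] != TCP_PROTO:
        return packet
    ihl, tcp, doff = _split(packet)
    if not tcp[13] & TCP_SYN:
        return packet
    off = _find_mss(tcp[20:doff])
    if off is None or struct.unpack_from("!H", tcp, 20 + off)[0] <= max_mss:
        return packet
    tcp = bytearray(tcp)
    struct.pack_into("!H", tcp, 20 + off, max_mss)
    struct.pack_into("!H", tcp, 16, 0)  # checksum field must be zero while recomputing
    struct.pack_into("!H", tcp, 16, _tcp_checksum(packet, bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Construct an IPv4 SYN carrying MSS, NOP, NOP, SACK-permitted options (sample input only)."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + b"\x01\x01\x04\x02"
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, TCP_SYN, 65535, 0, 0) + options
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, TCP_PROTO, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(ip, tcp)) + tcp[18:]
    return ip + tcp


# Constructed sample: a host on the poster's 192.168.10.0/24 LAN opening a web connection
# to a TEST-NET address, advertising the usual Ethernet MSS of 1460.
SAMPLE_SYN = build_syn("192.168.10.20", "203.0.113.10", 50000, 80, 1460)

if __name__ == "__main__":
    clamped = adjust_mss(SAMPLE_SYN, 1452)  # 1452 assumed for a 1492-byte PPP MTU
    print("mss %d -> %d, checksum ok: %s" % (get_mss(SAMPLE_SYN), get_mss(clamped), tcp_checksum_ok(clamped)))
```

In IOS the command sits under an interface; on the posted config the natural place is the LAN side (`interface BVI1`), so every SYN from wired or wireless clients is clamped before it reaches Dialer0. Before picking the number, measure the path from the router itself with `ping <outside host> size 1500 df-bit` and step the size down until the ping succeeds; the largest size that passes is the usable MTU, and MSS is that minus 40. Note that the example only rewrites SYNs whose option list parses cleanly, which is the safe behaviour for a middlebox: a malformed option list is left for the endpoint to reject rather than being patched into something it never sent.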
 

Author Comment by: itseasysolutions
Sorry I haven't got back sooner, I had to go away for a day. I have found out that it is something to do with the wireless being set up. I have reset (factory) the router and reconfigured it with the firewall on and set to low, and all works fine until I configure the wireless, and then the router goes back to blocking some web pages etc. The router does this to both the wireless LAN and the wired LAN. So any ideas on how to set up the wireless LAN without it messing up the wired LAN?