Solved

Cannot access certain websites behind cisco router

Posted on 2009-05-12
646 Views
Last Modified: 2013-11-16
We have a Cisco 1841 setup and can access pretty much any website we choose but recently we have found a few that we cannot access.  The main one is webtoastmedia.com and also a few others sites that are hosted on the same server.  When we try to browse the sites we get the error that Internet Explorer cannot display the page.  Also we cannot ping the websites from a computer or the router.  The router shows the following error:

CForce1841#ping webtoastmedia.com

Translating "webtoastmedia.com"...domain server (255.255.255.255) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 70.86.13.210, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


I know the sites work because we can access them from computers that are not behind our router. Below is the router config... thanks for your time.

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname domain1841
!
boot-start-marker
boot-end-marker
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
ip cef
!
ip dhcp excluded-address XXX.XXX.XXX.114
ip dhcp excluded-address XXX.XXX.XXX.118
ip dhcp excluded-address XXX.XXX.XXX.66
ip dhcp excluded-address XXX.XXX.XXX.65
ip dhcp excluded-address XXX.XXX.XXX.128
ip dhcp excluded-address XXX.XXX.XXX.37
ip dhcp excluded-address XXX.XXX.XXX.119
ip dhcp excluded-address XXX.XXX.XXX.115
ip dhcp excluded-address XXX.XXX.XXX.170
ip dhcp excluded-address XXX.XXX.XXX.171
ip dhcp excluded-address XXX.XXX.XXX.120
ip dhcp excluded-address XXX.XXX.XXX.116
ip dhcp excluded-address XXX.XXX.XXX.172
ip dhcp excluded-address XXX.XXX.XXX.79
!
ip dhcp pool ippool
   network XXX.XXX.XXX.0 255.255.255.0
   default-router XXX.XXX.XXX.115
   dns-server XXX.XXX.XXX.118 XXX.XXX.XXX.119
   domain-name domain.local
   netbios-name-server XXX.XXX.XXX.118
!
ip domain name domain.net
ip inspect max-incomplete high 2500
ip inspect max-incomplete low 2000
ip inspect one-minute high 2500
ip inspect one-minute low 2000
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip inspect name autosec_inspect icmp
ip ips po max-events 100
login block-for 180 attempts 3 within 10
login on-failure log
login on-success log
no ftp-server write-enable
!
archive
 log config
  logging enable
 path flash:
 maximum 14
 write-memory
!
no crypto isakmp ccm
!
interface FastEthernet0/0
 ip address XXX.XXX.XXX.115 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address XXX.XXX.XXX.162 255.255.255.224
 ip access-group autosec_firewall_acl in
 ip nat outside
 ip inspect autosec_inspect out
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.161
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static XXX.XXX.XXX.114 XXX.XXX.XXX.163
ip nat inside source static XXX.XXX.XXX.128 XXX.XXX.XXX.164
ip nat inside source static XXX.XXX.XXX.120 XXX.XXX.XXX.165
ip nat inside source static XXX.XXX.XXX.66 XXX.XXX.XXX.166
ip nat inside source static XXX.XXX.XXX.65 XXX.XXX.XXX.168
ip nat inside source static XXX.XXX.XXX.170 XXX.XXX.XXX.170
ip nat inside source static XXX.XXX.XXX.171 XXX.XXX.XXX.171
ip nat inside source static XXX.XXX.XXX.172 XXX.XXX.XXX.172
ip nat inside source static XXX.XXX.XXX.37 XXX.XXX.XXX.190
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 permit tcp any any eq 1723
 permit tcp any host XXX.XXX.XXX.163 eq www
 permit tcp any host XXX.XXX.XXX.163 eq ftp
 permit tcp any host XXX.XXX.XXX.163 eq smtp
 permit tcp any host XXX.XXX.XXX.163 eq domain
 permit udp any host XXX.XXX.XXX.163 eq domain
 permit tcp any host XXX.XXX.XXX.163 eq pop3
 permit tcp any host XXX.XXX.XXX.165 eq 443
 permit tcp any host XXX.XXX.XXX.165 eq smtp
 permit tcp any host XXX.XXX.XXX.165 eq 3389
 permit tcp any host XXX.XXX.XXX.165 eq www
 permit tcp any host XXX.XXX.XXX.168 eq 4899
 permit tcp any host XXX.XXX.XXX.166 eq 4899
 permit tcp any host XXX.XXX.XXX.162 eq 22
 permit udp any host XXX.XXX.XXX.190 eq 5632
 permit tcp any host XXX.XXX.XXX.190 eq 5631
 permit gre any any
 permit tcp any host XXX.XXX.XXX.165 eq 4922
 permit tcp any host XXX.XXX.XXX.165 eq 143
 permit tcp any host XXX.XXX.XXX.165 eq 993
 permit udp any any eq ntp
 permit tcp any host XXX.XXX.XXX.163 eq 4922
 permit tcp any host XXX.XXX.XXX.164 range 9091 9113
 permit tcp any host XXX.XXX.XXX.164 eq www
 permit tcp any host XXX.XXX.XXX.175 eq www
 permit tcp any host XXX.XXX.XXX.175 range 9091 9113
 permit tcp any host XXX.XXX.XXX.170 eq www
 permit tcp any host XXX.XXX.XXX.170 eq smtp
 permit tcp any host XXX.XXX.XXX.170 eq domain
 permit udp any host XXX.XXX.XXX.170 eq domain
 permit tcp any host XXX.XXX.XXX.170 eq 443
 permit tcp any host XXX.XXX.XXX.170 eq 4922
 permit tcp any host XXX.XXX.XXX.171 eq smtp
 permit tcp any host XXX.XXX.XXX.171 eq www
 permit tcp any host XXX.XXX.XXX.171 eq 4922
 permit tcp any host XXX.XXX.XXX.171 eq domain
 permit tcp any host XXX.XXX.XXX.171 eq 443
 permit tcp any host XXX.XXX.XXX.170 eq ftp
 permit tcp any host XXX.XXX.XXX.170 eq pop3
 permit tcp any host XXX.XXX.XXX.171 eq 3389
 permit tcp any host XXX.XXX.XXX.171 eq 143
 permit tcp any host XXX.XXX.XXX.171 eq 993
 permit tcp any host XXX.XXX.XXX.171 eq 1433
 permit udp any host XXX.XXX.XXX.171 eq domain
 permit tcp any host XXX.XXX.XXX.172 eq www
 permit tcp any host XXX.XXX.XXX.172 eq smtp
 permit tcp any host XXX.XXX.XXX.172 eq 443
 permit tcp any host XXX.XXX.XXX.172 eq ftp
 permit tcp any host XXX.XXX.XXX.172 eq pop3
 permit tcp any host XXX.XXX.XXX.168 eq 48560
 permit tcp any host XXX.XXX.XXX.163 eq ftp-data
 permit tcp any host XXX.XXX.XXX.163 range 1300 1350
 permit tcp any host XXX.XXX.XXX.172 range 1400 1450
 permit tcp any host XXX.XXX.XXX.171 eq pop3
 permit icmp any any echo-reply
 deny   ip any any log
ip access-list extended nonat
 deny   ip host XXX.XXX.XXX.114 any
 deny   ip host XXX.XXX.XXX.120 any
 deny   ip host XXX.XXX.XXX.66 any
 deny   ip host XXX.XXX.XXX.65 any
 deny   ip host XXX.XXX.XXX.128 any
 deny   ip host XXX.XXX.XXX.37 any
 deny   ip host XXX.XXX.XXX.170 any
 deny   ip host XXX.XXX.XXX.171 any
 deny   ip host XXX.XXX.XXX.172 any
 permit ip XXX.XXX.XXX.0 0.0.0.255 any
ip access-list extended nonatstatic
 permit ip XXX.XXX.XXX.0 0.0.0.255 any
!
route-map nonatstatic permit 10
 match ip address nonatstatic
!
route-map nonat permit 10
 match ip address nonat
!
control-plane
!
line con 0
 password 7 09424B0500041C4B5958
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
ntp clock-period 17178320
ntp server 66.220.9.122
ntp server 128.250.33.242
end
Question by:red24698

6 Comments
 
LVL 2

Expert Comment

by:xnatex21
ID: 24368792
I have a couple of comments that might get you started in the right direction, as I've had a very similar issue both at home and at work.

1- Run a tracert to see where you are getting blocked. If your problem is like ours was, then you're not even getting past the router (we thought that the site had blocked our external IP).

2- If it's cheap and easy, restoring the router to manufacturer defaults and then reconfiguring was the only way we were able to correct the issue. Sometimes it's cheaper and less time consuming to start at the very first step.
 

Author Comment

by:red24698
ID: 24368824
Well, you're right with your comment: a tracert goes no further than the router... geez, I really don't want to have to re-do it though, that's staying after hours and all kinds of mess haha... any other suggestions?
 
LVL 2

Expert Comment

by:xnatex21
ID: 24368899
Well, I'll give you a little more info into our situation and you can decide what's best for you.

The company I work for has outsourced the network management. This company dedicated two level 3 (their highest level) network engineers to find the problem with the router. After 2 weeks, hundreds of emails and 3-4 calls a day, they decided to listen and try what our ISP's network engineer suggested and restore defaults/reconfigure. Problem solved. Haven't had an issue since.

Of course, if I were you, I'd wait to hear from a few other people here before you go to that extreme, but I wouldn't waste too much time since you might end up doing the reconfigure anyway.

Good luck
 

Author Comment

by:red24698
ID: 24369026
Wow, that is crazy... yeah, I agree with you though that I will have to do that if I don't get any other suggestions... anybody else out there in Cisco help land?
 
LVL 10

Expert Comment

by:atlas_shuddered
ID: 24370339
Try killing your ip inspect and ips statements.  I've seen both of these freak out and dump traffic for no apparent reason at times.

As an addition, you can try setting up a debug ruleset with the ip of the destination address, then try pinging against it to see what exactly it is failing against.

Review the following document for specifics on how to setup a debug ACL and track traffic.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
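A troubleshooting sequence for the symptom in the original post, built around atlas_shuddered's suggestion of a debug ACL keyed on the destination address. This is an added example, not a command set posted by anyone in the thread. It assumes the config shown in the question (autosec_firewall_acl applied inbound on FastEthernet0/1, the autosec_inspect rule set applied outbound there, ip cef enabled) and that a router-sourced ping uses the outside address XXX.XXX.XXX.162, so the echo-reply must pass autosec_firewall_acl on the way back. The destination 70.86.13.210 is taken from the ping output in the question; access-list number 199 is an arbitrary choice. The syslog message names and the shape of the debug lines described in the comments are what IOS normally produces for these features, not output captured from this router.

```ios
! 1. Take DNS out of the picture. The ping in the question resolved the name
!    through a broadcast lookup (domain server 255.255.255.255) because the
!    config has no "ip name-server". Ping the address directly, sourced from the
!    outside interface so the reply is addressed to XXX.XXX.XXX.162.
ping 70.86.13.210 source FastEthernet0/1

! 2. Is the inbound ACL dropping the replies? autosec_firewall_acl explicitly
!    permits "icmp any any echo-reply" and ends with "deny ip any any log", so a
!    dropped reply would show up as a hit on the deny line and as a
!    %SEC-6-IPACCESSLOGDP (icmp) or %SEC-6-IPACCESSLOGP (tcp/udp) syslog entry.
show ip access-lists autosec_firewall_acl
show logging | include 70.86.13.210

! 3. For web traffic the static ACL permits nothing back from 70.86.13.210 on
!    port 80; browsing depends on ip inspect (CBAC) opening a session for the
!    return SYN-ACK. Browse to the site from an inside host while watching this
!    table: no session for 70.86.13.210 means inspect never saw the outbound SYN.
show ip inspect sessions detail

! 4. Watch the packets themselves. Restricting "debug ip packet" with an ACL
!    keeps the output to traffic to and from the one destination.
configure terminal
 access-list 199 permit ip any host 70.86.13.210
 access-list 199 permit ip host 70.86.13.210 any
end
terminal monitor
debug ip packet 199 detail
ping 70.86.13.210 source FastEthernet0/1
! Expected when the path works: for each echo a "sending" line with
! d=70.86.13.210 on FastEthernet0/1, followed by a "rcvd" line with
! s=70.86.13.210. Echoes that go out with no matching "rcvd" lines mean the
! reply never reached the router's process level.
undebug all

! 5. Remove the debug ACL when done.
configure terminal
 no access-list 199
end
```

Two caveats a practitioner would want. First, "debug ip packet" only shows process-switched packets: router-sourced pings and packets punted to the CPU appear, but transit traffic forwarded by CEF does not, so steps 2 and 3 (ACL counters, inspect session table) are the right tools for the inside hosts' web traffic; disabling route caching on the interfaces to see transit packets in the debug is disruptive on a production router. Second, because the ACL already permits echo-reply statically, a router-sourced ping that gets no reply while the deny counter and log stay quiet points away from autosec_firewall_acl and toward something between the router and 70.86.13.210, which is worth establishing before rebuilding the router from defaults.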
 

Accepted Solution

by:red24698
ID: 25099124
It has fixed itself... not sure what was causing it, but now it is working.
