Muhajreen
Unable to access some websites from behind Cisco877

Hello experts,

We have upgraded from a SOHO Linksys to a Cisco 877 router. The Cisco router is facing the internet and handling NAT.

After the upgrade, some specific websites are not opening, like experts-exchange.com and hotmail.com, even after disabling the firewall:

conf t
interface Vlan1
no zone-member security in-zone
int dialer1
no zone-member security out-zone

Any help in solving this issue is highly appreciated.
Don Johnston

Post the config of the router.
Muhajreen

ASKER

In the SDM manager, show startup-config:


Using 11220 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HoMainInternetRouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 ##########
enable password #######
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3946608639
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3946608639
 revocation-check none
 rsakeypair TP-self-signed-3946608639
!
!
crypto pki certificate chain TP-self-signed-3946608639
 certificate self-signed 01 nvram:IOS-Self-Sig#8.cer
dot11 syslog
ip cef
!
!
ip port-map user-protocol--1 port tcp 3389
ip name-server a.b.c.d
ip name-server a.b.c.e
!
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com

parameter-map type regex sdm-regex-nonascii
 pattern [^\x00-\x80]

!
!
username me privilege 15 password 0 ########
!
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect smtp match-any sdm-app-smtp
 match  data-length gt 5000000
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-all sdm-nat-user-protocol--1-3
 match access-group 104
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-2
 match access-group 110
 match protocol smtp
class-map type inspect http match-any sdm-app-nonascii
 match  req-resp header regex sdm-regex-nonascii
class-map type inspect match-all sdm-nat-user-protocol--1-2
 match access-group 103
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 102
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 105
 match protocol smtp
class-map type inspect match-all sdm-nat-imap-1
 match access-group 107
 match protocol imap
class-map type inspect imap match-any sdm-app-imap
 match  invalid-command
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-nat-pop3-1
 match access-group 106
 match protocol pop3
class-map type inspect pop3 match-any sdm-app-pop3
 match  invalid-command
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
class-map type inspect http match-any sdm-http-blockparam
 match  request port-misuse im
 match  request port-misuse p2p
 match  request port-misuse tunneling
 match  req-resp protocol-violation
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect http match-any sdm-app-httpmethods
 match  request method bcopy
 match  request method bdelete
 match  request method bmove
 match  request method bpropfind
 match  request method bproppatch
 match  request method connect
 match  request method copy
 match  request method delete
 match  request method edit
 match  request method getattribute
 match  request method getattributenames
 match  request method getproperties
 match  request method index
 match  request method lock
 match  request method mkcol
 match  request method mkdir
 match  request method move
 match  request method notify
 match  request method options
 match  request method poll
 match  request method post
 match  request method propfind
 match  request method proppatch
 match  request method put
 match  request method revadd
 match  request method revlabel
 match  request method revlog
 match  request method revnum
 match  request method save
 match  request method search
 match  request method setattribute
 match  request method startrev
 match  request method stoprev
 match  request method subscribe
 match  request method trace
 match  request method unedit
 match  request method unlock
 match  request method unsubscribe
class-map type inspect match-all sdm-nat-https-1
 match access-group 108
 match protocol https
class-map type inspect match-all sdm-nat-imaps-1
 match access-group 109
 match protocol imaps
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-protocol--1-2
  inspect
 class type inspect sdm-nat-user-protocol--1-3
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-pop3-1
  inspect
 class type inspect sdm-nat-imap-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-imaps-1
  inspect
 class type inspect sdm-nat-smtp-2
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect http sdm-action-app-http
 class type inspect http sdm-http-blockparam
  log
  reset
 class type inspect http sdm-app-httpmethods
  log
  reset
 class type inspect http sdm-app-nonascii
  log
  reset
policy-map type inspect pop3 sdm-action-pop3
 class type inspect pop3 sdm-app-pop3
  log
  reset
policy-map type inspect sdm-permit
 class type inspect sdm-access
  inspect
 class class-default
policy-map type inspect imap sdm-action-imap
 class type inspect imap sdm-app-imap
  log
  reset
policy-map type inspect smtp sdm-action-smtp
 class type inspect smtp sdm-app-smtp
  reset
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.2 point-to-point
 pvc 8/35
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 shutdown
 no cdp enable
!
interface FastEthernet2
 shutdown
 no cdp enable
!
interface FastEthernet3
 shutdown
 no cdp enable
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 no ip address
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname ##########
 ppp chap password 0 ########
 ppp pap sent-username ####### password 0 #######
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.50 3389 interface Dialer1 65050
ip nat inside source static tcp 192.168.1.45 3389 interface Dialer1 65045
ip nat inside source static tcp 192.168.1.54 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.50 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.50 110 interface Dialer1 110
ip nat inside source static tcp 192.168.1.50 143 interface Dialer1 143
ip nat inside source static tcp 192.168.1.50 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.50 993 interface Dialer1 993
ip nat inside source static tcp 192.168.1.45 1723 interface Dialer1 1723
!
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.1.50
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.1.45
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.1.54
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.1.50
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.1.50
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.1.50
access-list 108 remark SDM_ACL Category=0
access-list 108 permit ip any host 192.168.1.50
access-list 109 remark SDM_ACL Category=0
access-list 109 permit ip any host 192.168.1.50
access-list 110 remark SDM_ACL Category=0
access-list 110 permit ip any host 192.168.1.50
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
snmp-server community public RO
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line vty 0 4
 password ########
 login
!
scheduler max-task-time 5000
no process cpu extended
no process cpu autoprofile hog
end
You're saying that with this config that you can't get to experts-exchange.com and hotmail.com but you can get to other sites???
Yes, many websites (i.e. experts-exchange.com) are not accessible.

I have an OpenVPN subscription on my laptop, and in order to access those websites I am connecting through the VPN.

When the VPN connection is on, everything becomes faster, but it should be vice versa!
Some other sites are working well, some are not.
Have you tried a different PC?

There is nothing in your router config that would cause that behavior. So it would appear to be something about your PC.
For example: www.bbc.co.uk and www.aljazeera.net are both opening either with VPN or without. But they are opening faster with VPN.
I have tested everything in the environment and for many PCs before posting here. The issue seems to be in the router itself.
We have another gateway to the internet (192.168.1.9), and everything works well when I change the default gateway of my PC to 192.168.1.9.
There is nothing in the config of the router that can block access to a particular website. Perhaps there is another router or firewall that the traffic is passing through?

Have you done a traceroute from the PC to the unreachable website?
Here are two traceroutes. The first one uses gateway .10 (Cisco 877) and the second uses gateway .9 (Linksys). I hope this will help in detecting the problem:

Tracing route to experts-exchange.com [64.156.132.140]
over a maximum of 30 hops:

  1     3 ms     1 ms     1 ms  192.168.1.10
  2     *       12 ms     8 ms  b-skb.qualitynet.net [62.150.126.77]
  3     8 ms     8 ms     8 ms  62.150.94.5
  4     9 ms     8 ms    10 ms  172.16.33.2
  5     9 ms     9 ms     8 ms  172.16.33.5
  6     8 ms    10 ms     8 ms  jun-skb.qualitynet.net [62.150.200.5]
  7   172 ms   176 ms   160 ms  195.229.27.29
  8     *      123 ms   137 ms  csk011.emirates.net.ae [195.229.31.11]
  9   134 ms   136 ms   137 ms  195.229.1.177
 10   182 ms   194 ms   146 ms  195.229.1.166
 11     *      177 ms   175 ms  213.242.115.13
 12   186 ms   182 ms   240 ms  ae-2-3.bar1.Marseille1.Level3.net [4.69.143.249]
 13   131 ms   140 ms   126 ms  ae-7-7.ebr1.Paris1.Level3.net [4.69.143.238]
 14   227 ms   213 ms   189 ms  ae-48-48.ebr1.London1.Level3.net [4.69.143.113]
 15   158 ms     *      188 ms  vlan103.ebr2.London1.Level3.net [4.69.143.94]
 16   239 ms   215 ms   220 ms  ae-42-42.ebr1.NewYork1.Level3.net [4.69.137.70]
 17   258 ms   268 ms   266 ms  ae-81-81.csw3.NewYork1.Level3.net [4.69.134.74]
 18   252 ms   295 ms   336 ms  ae-82-82.ebr2.NewYork1.Level3.net [4.69.148.41]
 19   347 ms   458 ms     *     ae-2-2.ebr4.SanJose1.Level3.net [4.69.135.185]
 20   278 ms   288 ms   298 ms  ae-71-71.csw2.SanJose1.Level3.net [4.69.153.6]
 21   330 ms   315 ms   310 ms  ae-72-72.ebr2.SanJose1.Level3.net [4.69.153.21]
 22   380 ms   358 ms   359 ms  ae-1-6.bar2.SanFrancisco1.Level3.net [4.69.140.153]
 23   391 ms   372 ms   368 ms  ae-4-4.car2.SanFrancisco1.Level3.net [4.69.133.157]
 24   348 ms   350 ms   351 ms  ge-9-1.hsa1.SanFrancisco1.Level3.net [4.69.142.150]
 25     *        *        *     Request timed out.
 26     *      300 ms     *     64.156.132.140
 27   269 ms   291 ms   284 ms  64.156.132.140


Tracing route to experts-exchange.com [64.156.132.140]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.9
  2     8 ms     7 ms    11 ms  91.140.128.1
  3     8 ms     8 ms     7 ms  10.2.5.254
  4    40 ms    39 ms    43 ms  if-14-0.core1.RSD-Riyad.as6453.net [116.0.78.61]
  5   126 ms   129 ms   127 ms  Pos-channel1.mcore3.LDN-London.as6453.net [116.0.78.42]
  6   126 ms     *        *     Vlan62.icore1.LDN-London.as6453.net [195.219.83.1]
  7   311 ms   313 ms   326 ms  Vlan533.icore1.LDN-London.as6453.net [195.219.83.102]
  8   302 ms   281 ms   288 ms  ae-34-52.ebr2.London1.Level3.net [4.69.139.97]
  9   296 ms   294 ms   294 ms  ae-44-44.ebr1.NewYork1.Level3.net [4.69.137.78]
 10   312 ms   325 ms   299 ms  ae-71-71.csw2.NewYork1.Level3.net [4.69.134.70]
 11   300 ms   312 ms   289 ms  ae-72-72.ebr2.NewYork1.Level3.net [4.69.148.37]
 12   308 ms   308 ms   310 ms  ae-2-2.ebr4.SanJose1.Level3.net [4.69.135.185]
 13   316 ms   305 ms   321 ms  ae-81-81.csw3.SanJose1.Level3.net [4.69.153.10]
 14   324 ms   310 ms   316 ms  ae-82-82.ebr2.SanJose1.Level3.net [4.69.153.25]
 15   295 ms   303 ms   347 ms  ae-1-6.bar2.SanFrancisco1.Level3.net [4.69.140.153]
 16   320 ms   323 ms   335 ms  ae-4-4.car2.SanFrancisco1.Level3.net [4.69.133.157]
 17   387 ms   368 ms   366 ms  ge-9-1.hsa1.SanFrancisco1.Level3.net [4.69.142.150]
 18     *        *        *     Request timed out.
 19   332 ms   319 ms   323 ms  64.156.132.140

ICMP is getting through.

Could be an MTU issue. Try a ping and use a 1500 byte packet size.

If that works, then something is blocking the HTTP traffic to certain sites. But it is NOT the Cisco 877.

I would check with the provider of the circuit. Maybe they are blocking the traffic.
That's great! I will check it when I am back at the office.

Sorry for the delay.
@donjohnston

You drew my attention to the MTU size; I feel it's configured wrong. I think it should be 1492 instead of 1500. Here is show interface Dialer 1:

Dialer1 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Description: $FW_OUTSIDE$
  Internet address is a.b.c.d/32
  MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 49/255, rxload 214/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 1 seconds on reset
  Interface is bound to Vi2
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 22:48:11
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair

Does that affect our main issue? If so, how do I change it to 1492?
ping -t https://www.experts-exchange.com -l 1500

Request timed out

ping -t https://www.experts-exchange.com -l 1492

Request timed out

ping -t https://www.experts-exchange.com 

There are replies
>Does that affect our main issue? If so, how to change it to 1492 ?

No.

Keep doing the pings while reducing the size until you find the size that goes through successfully.
I have reduced the size while testing ping to www.google.com and https://www.experts-exchange.com

Both of them gave the same result:

Replied           when packet size is 1472 or less
Request timed out when packet size is 1473 or above
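Added example, not code from the thread: a script that automates the "keep reducing the ping size until it goes through" procedure as a binary search and converts the result into a link MTU and a TCP MSS value. It assumes Linux iputils `ping` (`-M do` sets the DF bit) for the real probe and uses a constructed simulated path so it runs offline. Note that the ping size is the ICMP payload, so a 1472-byte payload is a 1500-byte IPv4 packet (payload + 8 ICMP + 20 IPv4).

```python
"""Path-MTU probe by binary search on the ICMP payload size (added example).

Sizes are the ICMP payload (what ping -l on Windows / -s on Linux takes);
the on-wire IPv4 packet is payload + 8 (ICMP header) + 20 (IPv4 header).
"""
import subprocess

ICMP_HDR = 8
IPV4_HDR = 20
TCP_HDR = 20


def payload_to_mtu(payload: int) -> int:
    """Largest ICMP payload that gets a reply -> largest IP packet size."""
    return payload + ICMP_HDR + IPV4_HDR


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS to clamp to for a given MTU (the value 'ip tcp adjust-mss' needs)."""
    return mtu - IPV4_HDR - TCP_HDR


def linux_df_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Real probe (assumption: Linux iputils ping). -M do sets DF, so an
    oversized packet is dropped on the path instead of being fragmented."""
    r = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host],
        capture_output=True, text=True)
    return r.returncode == 0


def find_max_payload(probe, lo: int = 0, hi: int = 1472) -> int:
    """Binary search for the largest payload for which probe(payload) is True.
    Assumes probe is monotonic (True up to some size, False above it).
    Returns -1 if even `lo` fails, i.e. nothing gets through at all."""
    if not probe(lo):
        return -1
    if probe(hi):
        return hi
    while hi - lo > 1:          # invariant: probe(lo) True, probe(hi) False
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def simulated_probe(path_mtu: int):
    """Constructed stand-in for a real path: replies iff the packet fits."""
    return lambda payload: payload_to_mtu(payload) <= path_mtu


def report(probe, hi: int = 1472) -> dict:
    best = find_max_payload(probe, 0, hi)
    mtu = payload_to_mtu(best)
    return {"max_payload": best, "path_mtu": mtu, "tcp_mss": mss_for_mtu(mtu)}


if __name__ == "__main__":
    # The thread's observation (1472 replies, 1473 times out) is a 1500-byte path.
    print(report(simulated_probe(1500)))
    # A PPPoE-style path with 8 bytes of overhead comes out at 1492 / MSS 1452.
    print(report(simulated_probe(1492)))
```

To probe a real host, pass `lambda p: linux_df_probe("host.example", p)` to `report`.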
Then set the mtu of the dialer interface (or atm subinterface) to 1472.

int dialer 1
 mtu 1472

Unfortunately the same result :(

I have also tested reducing the MTU to 1200, with the same result.

Any suggestion ?
I suggest trying to restore the router to its factory default state and reconfiguring it.

How to restore the router to factory default state?
Did you try changing the MTU size on the ATM interface?
Yes, the same problem.

Would you please help me reconfigure the router from the beginning, and then I will accept and close this question? I hope that rebuilding the configuration will solve the problem.

I have erased the config and reloaded the router. Then I have set up Vlan1 on FastEthernet 0 and both of them are up.

I am doing the following to configure the router (unfortunately I am not able to access the internet after doing these configurations):

ip route 0.0.0.0 0.0.0.0 dialer0
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname *username*
 ppp chap password *password*

int atm0
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux
  protocol ppp dialer
  dialer pool-member 1

interface fastethernet 0
no shutdown

interface vlan 1
ip nat inside
ip address 192.168.1.10 255.255.255.0

dialer-list 1 protocol ip permit


What is missing in this config?

I am sorry for wasting your precious time.
ASKER CERTIFIED SOLUTION
Don Johnston
Shall I use encapsulation aal5snap or aal5mux ?

Previously I was using aal5mux when it was working
>Previously I was using aal5mux when it was working

Then that's what you should use.