HTTP Page problem

stephen.parker
Level 1

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

I have a 1720 router which I use for VPN and internet use. The VPN works fine and so does the internet; however, users cannot open internet pages. HTTPS works fine, and so does FTP, but 90% of HTTP does not.

I have included my config so any help would be much appreciated.

Current configuration : 3918 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname --moderator edit-- Router
!
logging buffered 16000 debugging
no logging monitor
enable secret 5 --moderator edit--
!
memory-size iomem 15
clock timezone London 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip domain-lookup
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool local
 network 192.168.0.0 255.255.0.0
 default-router 192.168.1.1
 dns-server --moderator edit-- 10.10.10.9
 lease 20
!
no ip bootp server
ip inspect name IOSFirewall cuseeme timeout 3600
ip inspect name IOSFirewall ftp timeout 3600
ip inspect name IOSFirewall http timeout 3600
ip inspect name IOSFirewall smtp timeout 3600
ip inspect name IOSFirewall tftp timeout 3600
ip inspect name IOSFirewall udp timeout 3600
ip inspect name IOSFirewall tcp timeout 3600
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp policy 2
 authentication pre-share
 group 2
crypto isakmp key ******** address IP address no-xauth
!
!
crypto ipsec transform-set cisco-Paris esp-des esp-sha-hmac
!
crypto map Jeyes local-address Dialer1
crypto map Jeyes 2 ipsec-isakmp
 set peer IP address
 set security-association lifetime kilobytes
 set security-association lifetime seconds 86400
 set transform-set cisco-Paris
 match address 110
!
!
!
!
interface Ethernet0
 description Connected to the Internet
 no ip address
 ip access-group 199 in
 no keepalive
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 crypto map Jeyes
!
interface FastEthernet0
 description Paris Site
 ip address 192.168.1.1 255.255.0.0
 ip access-group 101 in
 ip nat inside
 ip inspect IOSFirewall in
 ip tcp adjust-mss 1452
 speed 10
!
interface Dialer1
 description connected to the internet
 ip address --moderator edit-- 172.16.1.40 255.0.0.0
 ip access-group 199 in
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname ******************
 ppp chap password 7 ******************
 ppp pap sent-username **************** password 7 *****************
 crypto map Jeyes
!
ip nat inside source list 100 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip pim bidir-enable
!
!
access-list 100 deny ip 192.168.0.0 0.0.255.255 --moderator edit-- 10.10.11.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
access-list 101 permit udp 192.168.0.0 0.0.255.255 any
access-list 101 permit icmp 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any any
access-list 110 permit ip 192.168.0.0 0.0.255.255 --moderator edit-- 10.10.11.0 0.0.0.255
access-list 199 deny ip 127.0.0.0 0.255.255.255 any
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
access-list 199 permit tcp --moderator edit-- 10.10.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 199 permit udp --moderator edit-- 10.10.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 199 permit icmp --moderator edit-- 10.10.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 199 permit tcp any host --moderator edit-- 172.16.1.40 eq smtp
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any unreachable
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any traceroute
access-list 199 deny ip any any
dialer-list 2 protocol ip permit
!
!
line con 0
 password 7 --moderator edit--
 logging synchronous
line aux 0
line vty 0 4
 password 7 --moderator edit--
 login
line vty 5 15
 login

5 Replies

mhoda
Level 5

Please check to see if removing the following line from the config helps:

ip inspect name IOSFirewall http timeout 3600

If it fixes your problem, then most of the sites you are browsing are serving Java applets. When you inspect HTTP, you are blocking all the Java applets.

godlam
Level 1

I have the same problem as you. I have installed the router 1710. If you know how to configure it, please let me know. I have another problem in this environment: I cannot receive some of the e-mail from the Internet. Do you have the same problem?

Regards

I resolved the problem by assigning static IP addresses to the clients. This then made them work. I also get the email problem, but not all the time. If you have solved this then please let me know.

Regards

I have had a similar problem with the emails. If I recall correctly, it was related to the fact that Microsoft uses ESMTP, and since you are inspecting SMTP, some ESMTP commands will be invalid and discarded. Try to remove the line inspect smtp.

Regards

Same problem, a little different.

I am having the same trouble. We cannot send/receive mail with a small number of domains. We discovered that the trouble is related to a NAT statement on the router: 'IP nat inside source 192.xxx.xxx.xxx 200.xxx.xxx.xxx' (not real numbers).

If the previous message concerning inspecting smtp doesn't answer your question, maybe it is NAT related. I'd do more than point you in the direction; however, I still haven't worked out a solution.

Good luck
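Two replies above suggest removing the http and smtp inspection lines from the IOSFirewall rule. The following is an added example, not code from the thread: it plans that change and checks that generic tcp inspection stays in the rule, since that entry is what still opens the return path through the inbound ACL 199 once the application-specific lines are gone. The function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: only the CBAC-related lines of the posted configuration.
SAMPLE_CONFIG = """\
ip inspect name IOSFirewall ftp timeout 3600
ip inspect name IOSFirewall http timeout 3600
ip inspect name IOSFirewall smtp timeout 3600
ip inspect name IOSFirewall udp timeout 3600
ip inspect name IOSFirewall tcp timeout 3600
interface FastEthernet0
 ip access-group 101 in
 ip inspect IOSFirewall in
interface Dialer1
 ip access-group 199 in
"""

RULE_RE = re.compile(r"^ip inspect name (\S+) (\S+)")
APPLY_RE = re.compile(r"^\s*ip inspect (\S+) (in|out)$")

def parse_inspect(config):
    """Return ({rule: [protocols]}, [(interface, rule, direction)])."""
    rules, applied, iface = {}, [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif (m := RULE_RE.match(line)):
            rules.setdefault(m.group(1), []).append(m.group(2))
        elif (m := APPLY_RE.match(line)) and iface:
            applied.append((iface, m.group(1), m.group(2)))
    return rules, applied

def plan_removal(config, rule, protocols=("http", "smtp")):
    """Build the 'no' commands for the given protocols and check the fallback."""
    rules, applied = parse_inspect(config)
    present = rules.get(rule, [])
    remaining = [p for p in present if p not in protocols]
    return {
        "commands": [f"no ip inspect name {rule} {p}"
                     for p in protocols if p in present],
        "remaining": remaining,
        # HTTP and SMTP run over TCP: without generic tcp inspection their
        # replies would hit the final deny of the outside ACL.
        "tcp_fallback": "tcp" in remaining,
        "applied_on": [(i, d) for i, r, d in applied if r == rule],
    }

if __name__ == "__main__":
    print(plan_removal(SAMPLE_CONFIG, "IOSFirewall"))
```

If `tcp_fallback` is false, removing the http or smtp entry would leave those sessions with no dynamic return entry at all, so add generic tcp inspection to the rule first.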