03-21-2003 06:42 AM - edited 03-09-2019 02:36 AM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
I have a 1720 router which I use for VPN and internet access. The VPN works fine and so does the internet; however, users cannot open internet pages. HTTPS works fine, and so does FTP, but 90% of HTTP does not.
I have included my config so any help would be much appreciated.
Current configuration : 3918 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname --moderator edit-- Router
!
logging buffered 16000 debugging
no logging monitor
enable secret 5 --moderator edit--
!
memory-size iomem 15
clock timezone London 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip domain-lookup
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool local
network 192.168.0.0 255.255.0.0
default-router 192.168.1.1
dns-server --moderator edit-- 10.10.10.9
lease 20
!
no ip bootp server
ip inspect name IOSFirewall cuseeme timeout 3600
ip inspect name IOSFirewall ftp timeout 3600
ip inspect name IOSFirewall http timeout 3600
ip inspect name IOSFirewall smtp timeout 3600
ip inspect name IOSFirewall tftp timeout 3600
ip inspect name IOSFirewall udp timeout 3600
ip inspect name IOSFirewall tcp timeout 3600
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
authentication pre-share
group 2
crypto isakmp key ******** address IP address no-xauth
!
!
crypto ipsec transform-set cisco-Paris esp-des esp-sha-hmac
!
crypto map Jeyes local-address Dialer1
crypto map Jeyes 2 ipsec-isakmp
set peer IP address
set security-association lifetime kilobytes
set security-association lifetime seconds 86400
set transform-set cisco-Paris
match address 110
!
!
!
!
interface Ethernet0
description Connected to the Internet
no ip address
ip access-group 199 in
no keepalive
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
crypto map Jeyes
!
interface FastEthernet0
description Paris Site
ip address 192.168.1.1 255.255.0.0
ip access-group 101 in
ip nat inside
ip inspect IOSFirewall in
ip tcp adjust-mss 1452
speed 10
!
interface Dialer1
description connected to the internet
ip address --moderator edit-- 172.16.1.40 255.0.0.0
ip access-group 199 in
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname ******************
ppp chap password 7 ******************
ppp pap sent-username **************** password 7 *****************
crypto map Jeyes
!
ip nat inside source list 100 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip pim bidir-enable
!
!
access-list 100 deny ip 192.168.0.0 0.0.255.255 --moderator edit-- 10.10.11.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
access-list 101 permit udp 192.168.0.0 0.0.255.255 any
access-list 101 permit icmp 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any any
access-list 110 permit ip 192.168.0.0 0.0.255.255 --moderator edit-- 10.10.11.0 0.0.0.255
access-list 199 deny ip 127.0.0.0 0.255.255.255 any
access-list 199 permit esp any any
access-list 199 permit udp any any eq isakmp
access-list 199 permit tcp --moderator edit-- 10.10.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 199 permit udp --moderator edit-- 10.10.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 199 permit icmp --moderator edit-- 10.10.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 199 permit tcp any host --moderator edit-- 172.16.1.40 eq smtp
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any unreachable
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any traceroute
access-list 199 deny ip any any
dialer-list 2 protocol ip permit
!
!
line con 0
password 7 --moderator edit--
logging synchronous
line aux 0
line vty 0 4
password 7 --moderator edit--
login
line vty 5 15
login
03-26-2003 10:49 PM
Please check to see if removing the following line from the config helps:
ip inspect name IOSFirewall http timeout 3600
If it fixes your problem, then most of the sites you are browsing are serving Java applets. When you inspect HTTP, you are blocking all the Java applets.
03-29-2003 06:56 AM
I have the same problem as you. I have installed a 1710 router. If you know how to configure it, please let me know. I have another problem in this environment: I cannot receive some of the e-mail from the Internet. Do you have the same problem?
Regards
05-16-2003 08:15 AM
I resolved the problem by assigning static IP addresses to the clients. This then made them work. I also get the email problem, but not all the time. If you have solved this, then please let me know.
Regards
06-17-2003 07:14 AM
I have had a similar problem with the emails. If I recall correctly, it was related to the fact that Microsoft uses ESMTP, and since you are inspecting SMTP, some ESMTP commands will be invalid and discarded. Try removing the inspect smtp line.
Regards
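The two inspection suggestions in this thread (drop HTTP inspection because of the Java applet problem, drop SMTP inspection because of the ESMTP problem) can be applied while keeping the rest of the CBAC rule set intact. This is an added example, not config from any poster; it assumes the original rule name IOSFirewall, and ACL 50 and the 203.0.113.0/24 range are placeholders for the web servers whose applets you actually trust.

```cisco
! --- HTTP: keep inspection, but stop it dropping every applet ---
! Standard ACL (1-99) listing the servers whose Java applets are trusted.
! 203.0.113.0/24 is a constructed placeholder; replace with real addresses.
access-list 50 permit 203.0.113.0 0.0.0.255
!
! Replace the blanket HTTP rule with one that carries a java-list:
! applets from addresses permitted by ACL 50 pass, all others stay blocked.
no ip inspect name IOSFirewall http
ip inspect name IOSFirewall http java-list 50 timeout 3600
!
! --- SMTP: stop the inspector discarding ESMTP commands it does not know ---
no ip inspect name IOSFirewall smtp
! The generic "tcp" entry already in the rule set still tracks the mail
! session, so return traffic for port 25 is still opened through ACL 199.
!
! --- Verification (privileged EXEC, not config mode) ---
! Confirm the http entry now shows the java-list and smtp is gone:
show ip inspect config
! Watch a browser or mail session being tracked while reproducing the fault:
show ip inspect sessions detail
```

If HTTP still fails with the java-list in place, the fallback is the reply's original advice of removing the http entry entirely, leaving the generic tcp inspection to handle port 80.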
06-23-2003 05:16 PM
Same problem, a little different.
I am having the same trouble. We cannot send/receive mail with a small number of domains. We discovered that the trouble is related to a NAT statement on the router: 'IP nat inside source 192.xxx.xxx.xxx 200.xxx.xxx.xxx' (not real numbers).
If the previous message concerning inspecting SMTP doesn't answer your question, maybe it is NAT related. I'd do more than point you in the direction; however, I still haven't worked out a solution.
Good luck