Cisco 881 k9 Router Blocks Access to Website

okoroji80
Level 1
Dear Support team, I have a Cisco 881 k9 box that does not allow access to a particular website.

How could I address this issue?

I have the following Access-list on the router:

ip nat inside source list 110 interfa
ip route 0.0.0.0 0.0.0.0 197.255.52.89
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 110 deny   ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!

Thanks Richard.

Below is the sh run from the router:

CADD#sh run
Building configuration...

Current configuration : 5577 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CADD
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2894833554
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2894833554
 revocation-check none
 rsakeypair TP-self-signed-2894833554
!
!
crypto pki certificate chain TP-self-signed-2894833554
 certificate self-signed 01
  quit
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool inside DHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 80.89.176.10 80.89.176.11
!
!
ip cef
no ip domain lookup
ip domain name www.caddcentreng.com
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FCZ1639C0R7
!
!
!
interface FastEthernet0
 description LAN
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 description LAN
 switchport access vlan 10
 no ip address
!
interface FastEthernet2
 description LAN
 switchport access vlan 10
 no ip address
!
interface FastEthernet3
 description LAN
 switchport access vlan 10
 no ip address
!
interface FastEthernet4
 description WAN
 ip address 197.255.x.x 255.255.x.x
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.248
 ip tcp adjust-mss 1452
!
interface Vlan10
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 110 interfa
ip route 0.0.0.0 0.0.0.0 197.255.x.x
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 110 deny   ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.64.112.0 0.0.0.255 any
no cdp run
!
!

Thank you for the additional information. The posted config does show that there are no access lists applied to interfaces which might have caused this issue.

Based on the posted config I do have these comments:

- as Alain has already pointed out the router has no ip domain-lookup configured. This will prevent ping (or any other access) from the router using names and would allow access using IP addresses.

- if you want the router to be able to access anything using names then you need to have ip domain-lookup enabled and you need to configure name servers for the router to use. My personal opinion is that it is helpful to have name lookup enabled on the router - especially because it helps in troubleshooting issues such as the one raised in this thread.

- There are 2 IP subnets mentioned in the config. Obviously the one most in use is 192.168.1.0/24. But there is also 10.10.10.0/28. Is this second subnet in use at all?

- access list 110 mentions 2 networks. There is 192.168.1.0/24 which we know about and there is also 192.64.112.0/24. What is this second network and is it used somewhere?

I am also a bit uncertain about what the current question really is. The original post raised a question about problems with access to a specific site. The discussion has kind of shifted to questions about whether DNS is working. Do we have one question here or do we have two questions?

HTH

Rick

Thanks Rick,

Please note the following about your comment on the config posted above:

10.10.10.0/28. Is this second subnet in use at all? ----------this is the management IP for Vlan 1

access-list 110 permit ip 192.64.112.0 0.0.0.255 ---------- this is used to permit traffic going to the DNS server

The DNS has an IP address of: 192.64.112.59

What is the syntax for setting up the nslookup?

Hi,

ACL 110 is a NAT ACL, so it is for matching source traffic entering the NAT inside interface that is to be NATted out the NAT outside interface. This is not an ACL for traffic filtering, and this line

access-list 110 permit ip 192.64.112.0 0.0.0.255

is not needed and will never be matched, as the DNS servers are these ones:

80.89.176.10 80.89.176.11

and will never appear as src address on the inside interface.

If you want to communicate with hostnames on the router itself then just configure ip domain-lookup and add this too:

ip name-server 80.89.176.10

ip name-server 80.89.176.11

For nslookup: open a command line window and enter nslookup followed by the FQDN.

Regards

Alain

Don't forget to rate helpful posts.
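
The following is an added example, not part of any post in this thread: a small evaluator that applies the posted access-list 110 with IOS wildcard-mask and first-match semantics, to show which flows the NAT rule would translate. The inside host 192.168.1.10 and the sample flows are constructed; only the three ACL lines come from the posted config.

```python
import ipaddress

# ACL 110 exactly as posted in the thread's running config.
ACL_110 = """\
access-list 110 deny   ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.64.112.0 0.0.0.255 any
"""

def _spec(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') -> (addr, wildcard)."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        tokens.pop(0)
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    addr = int(ipaddress.IPv4Address(tokens.pop(0)))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr, wild

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered entries."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        rest = tok[4:]
        src = _spec(rest)
        dst = _spec(rest)
        entries.append((tok[2], src, dst, line.strip()))
    return entries

def _match(ip, spec):
    addr, wild = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0

def nat_decision(entries, src, dst):
    """First matching entry wins; no match is the implicit deny. Returns (action, line)."""
    for action, s, d, line in entries:
        if _match(src, s) and _match(dst, d):
            return action, line
    return "deny", "implicit deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_110)
    # Constructed flows from an assumed inside client and from the management subnet.
    for src, dst in [("192.168.1.10", "80.89.176.10"), ("192.168.1.10", "192.64.112.59"), ("10.10.10.2", "80.89.176.10")]:
        print(src, "->", dst, nat_decision(acl, src, dst))
```

In a NAT ACL a deny does not drop the packet, it only exempts the flow from translation. With the posted list, an inside host sending to any 192.x.x.x destination, 192.64.112.59 included, matches the first entry before the permit lines are reached.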