09-19-2011 10:40 AM - edited 03-07-2019 02:18 AM
I recently upgraded my Cisco 1711 router to a Cisco 2911 router. Everything seemed to work alright until we found out that we can no longer access certain websites. One of them is www.google.com. Our Cisco 2911 is NATing all internal clients. The ACLs allow everything outbound. I’m not sure why we can’t get to www.google.com but I can if I bypass the 2911 router. Is there anything that I can look at to determine why we can’t get to www.google.com?
This all worked prior to the migration from the Cisco 1711 to the 2911 and the configurations didn't really change either. The Cisco 2911 is running Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
no ip source-route
no ip cef
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.189
!
ip dhcp pool Inside-LAN
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 24.92.226.11 24.92.226.12
!
no ip bootp server
ip name-server 24.92.226.11
ip name-server 24.92.226.12
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip ips config location flash:ips retries 1
ip ips notify SDEE
ip ips name iosips
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface GigabitEthernet0/0
 description Internet GigabitEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect DEFAULT100 out
 ip ips iosips in
 ip ips iosips out
 ip virtual-reassembly
 ip route-cache same-interface
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1
 description LAN Inside GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
no ip classless
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
!
access-list 102 remark ------ Inside Interface IN Rules ------
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark ------ Outside Interface IN Rules ------
access-list 103 permit udp host 129.6.15.28 eq ntp any eq ntp
access-list 103 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit ahp any any
access-list 103 permit esp any any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 deny ip 192.168.0.0 0.0.0.255 any
access-list 103 permit udp any eq bootps any eq bootpc
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip any any log
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
Gregg..
09-19-2011 11:09 AM
Gregg
You have disabled CEF on this router and you have also disabled "ip classless". The effect of this could be the cause of you only being able to get to certain websites and not to others.
Can you post the output of "sh ip route" from your router? Note if you have to x.x.x.x out addresses can you include the first 2 octets at least as these are needed.
If this is the problem the solution is either to enable CEF (is there a reason you have disabled it?) or enable "ip classless" (again any reason why you have disabled it?)
Note - if you aren't sure why either have been disabled then turning on "ip classless" will probably have the least effect on the rest of the router although it's difficult to be sure as it's not clear why both have been disabled in the first place.
Jon
09-19-2011 11:30 AM
I enabled "ip classless" and everything worked. We are able to get to google.com now. I'm not sure why it worked on the Cisco 1711. The 1711 had it set to "no ip classless".
CEF is disabled because there is a bug in the 15.0(1) code that breaks being able to VPN into the Cisco 2911 router and then trying to access the local LAN.
The bug is known to Cisco. https://supportforums.cisco.com/message/3436746#3436746
Thank you
Gregg.
09-19-2011 11:34 AM
Gregg
Glad it's working.
The "no ip classless" command only takes effect nowadays if CEF is disabled. If CEF is enabled then the command "no ip classless" has no effect. So it may well be that on your 1711 you had CEF enabled and that is why it worked.
Jon
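An added illustration of the behaviour discussed in this thread (not code from any poster or from Cisco): a small Python model of the process-switched route lookup with and without "ip classless". The routing table and addresses are constructed from RFC 5737 documentation prefixes; the function names are hypothetical, and the model covers only class A-C unicast destinations with CEF disabled.

```python
import ipaddress

# Constructed routing table: a /29 on the outside interface, the inside LAN,
# and a default route. Addresses are documentation prefixes, not the poster's.
ROUTES = [
    ("203.0.113.0/29", "connected Gi0/0"),
    ("192.168.0.0/24", "connected Gi0/1"),
    ("0.0.0.0/0", "203.0.113.1"),
]

def classful_network(addr):
    """Return the class A/B/C major network that contains addr."""
    first_octet = int(addr) >> 24
    if first_octet >= 224:
        raise ValueError("class D/E addresses are outside this model")
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def lookup(routes, dest, classless):
    """Return the next hop for dest, or None if the packet would be dropped."""
    dest = ipaddress.ip_address(dest)
    nets = [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes]
    if not classless:
        major = classful_network(dest)
        subnets = [(n, hop) for n, hop in nets if n.subnet_of(major)]
        if subnets:
            # Some subnet of the major network is known, so only those
            # subnets are candidates; the default route is not consulted.
            nets = subnets
    matches = [(n, hop) for n, hop in nets if dest in n]
    if not matches:
        return None
    # Longest-prefix match among the remaining candidates.
    return max(matches, key=lambda m: m[0].prefixlen)[1]

if __name__ == "__main__":
    for dest in ("203.0.113.200", "198.51.100.10", "192.168.0.50"):
        for classless in (False, True):
            mode = "ip classless" if classless else "no ip classless"
            print(f"{dest:15} {mode:16} -> {lookup(ROUTES, dest, classless)}")
```

A destination that shares a classful major network with a directly connected subnet, but is not in any known subnet of it, is dropped under "no ip classless" even though a default route exists; every other destination still follows the default route, which matches the "some sites work, some don't" symptom.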