IOS firewall (Cisco 871) blocking a Web page (index.jsp)

Unanswered Question
Apr 4th, 2007

Hello all,

A customer of ours is having an issue where they can't go to one website after we've installed a Cisco 871 router for them. Everything else works fine.

The website in question is

http://www.ab.bluecross.ca/ibluelink.html

and when they click "Enter the secure site" the operation times out and they get "Page cannot be displayed."

The page is

http://ibluelink.ab.bluecross.ca/index.jsp.

Of course, it does not happen when we switch back to their "home grade" router. I can also access that site from anywhere else without any problems.

If you have any ideas/suggestions we would greatly appreciate that!

Please find enclosed the config (I only edited the private info).

Thanks VERY much in advance!

spejic Wed, 04/04/2007 - 09:26

C871#sh run
Building configuration...

Current configuration : 5675 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C871
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login LEMMEIN local
aaa authorization network VPNGROUPSCV local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.71.1 192.168.71.99
ip dhcp excluded-address 192.168.71.151 192.168.71.254
!
ip dhcp pool Administration
   import all
   network 192.168.71.0 255.255.255.0
   domain-name scv.local
   dns-server 192.168.71.199 64.59.135.133
   default-router 192.168.71.1
!
!
ip name-server 64.59.135.133
ip name-server 64.59.135.135
ip inspect name ISITLEGIT cuseeme
ip inspect name ISITLEGIT dns
ip inspect name ISITLEGIT ftp
ip inspect name ISITLEGIT h323
ip inspect name ISITLEGIT https
ip inspect name ISITLEGIT icmp
ip inspect name ISITLEGIT imap
ip inspect name ISITLEGIT pop3
ip inspect name ISITLEGIT netshow
ip inspect name ISITLEGIT rcmd
ip inspect name ISITLEGIT realaudio
ip inspect name ISITLEGIT rtsp
ip inspect name ISITLEGIT esmtp
ip inspect name ISITLEGIT sqlnet
ip inspect name ISITLEGIT streamworks
ip inspect name ISITLEGIT tftp
ip inspect name ISITLEGIT tcp
ip inspect name ISITLEGIT udp
ip inspect name ISITLEGIT vdolive

spejic Wed, 04/04/2007 - 09:27

username unitypro password xxx
username User1 password xxx
username User2 password xxx
!
!
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SCVREMOTE
 key THESECRETKEY
 pool RAPOOLSCV
 acl 123
 include-local-lan
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DYNAMAP 1
 set transform-set ESP-AES-SHA
 reverse-route
!
!
crypto map SCVCRYPTOMAP client authentication list LEMMEIN
crypto map SCVCRYPTOMAP isakmp authorization list VPNGROUPSCV
crypto map SCVCRYPTOMAP client configuration address respond
crypto map SCVCRYPTOMAP 65535 ipsec-isakmp dynamic DYNAMAP
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description Firewalled interface facing the Internet
 mac-address 000c.4148.827f
 ip address SHAWPUBLICIP 255.255.252.0
 ip access-group 110 in
 ip nat outside
 ip inspect ISITLEGIT out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SCVCRYPTOMAP
!
interface Vlan1
 description Local Interface
 ip address 192.168.71.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool RAPOOLSCV 192.168.71.245 192.168.71.249
ip classless
ip route 0.0.0.0 0.0.0.0 SHAWPUBLICGW
ip route 10.0.71.0 255.255.255.0 192.168.71.10

spejic Wed, 04/04/2007 - 09:28

ip http server
no ip http secure-server
ip nat inside source route-map NONATFORVPN interface FastEthernet4 overload
!
access-list 100 remark INSIDE-IN
access-list 101 remark No NAT for VPN
access-list 101 deny ip 192.168.71.0 0.0.0.255 host 192.168.71.245
access-list 101 deny ip 192.168.71.0 0.0.0.255 host 192.168.71.246
access-list 101 deny ip 192.168.71.0 0.0.0.255 host 192.168.71.247
access-list 101 deny ip 192.168.71.0 0.0.0.255 host 192.168.71.248
access-list 101 deny ip 192.168.71.0 0.0.0.255 host 192.168.71.249
access-list 101 permit ip 192.168.71.0 0.0.0.255 any
access-list 105 remark INSIDE-OUT
access-list 110 remark Outside Interface Access List
access-list 110 permit udp host 64.59.135.133 eq domain host SHAWPUBLICIP
access-list 110 permit udp host 64.59.135.135 eq domain host SHAWPUBLICIP
access-list 110 permit ahp any host SHAWPUBLICIP
access-list 110 permit esp any host SHAWPUBLICIP
access-list 110 permit udp any host SHAWPUBLICIP eq isakmp
access-list 110 permit udp any host SHAWPUBLICIP eq non500-isakmp
access-list 110 permit ip host 192.168.71.249 192.168.71.0 0.0.0.255
access-list 110 permit ip host 192.168.71.248 192.168.71.0 0.0.0.255
access-list 110 permit ip host 192.168.71.247 192.168.71.0 0.0.0.255
access-list 110 permit ip host 192.168.71.246 192.168.71.0 0.0.0.255
access-list 110 permit ip host 192.168.71.245 192.168.71.0 0.0.0.255
access-list 110 deny ip 192.168.71.0 0.0.0.255 any
access-list 110 permit icmp any host SHAWPUBLICIP echo-reply
access-list 110 permit icmp any host SHAWPUBLICIP time-exceeded
access-list 110 permit icmp any host SHAWPUBLICIP unreachable
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip any any
access-list 115 remark OUTSIDE-OUT
access-list 123 remark Split Tunneling
access-list 123 permit ip 192.168.71.0 0.0.0.255 any
!
route-map NONATFORVPN permit 1
 match ip address 101
!
!
control-plane
!
banner motd ^C
****************************
* Property of *
* %CUSTOMER% *
* No Unauthorized Access *
* Device Maintained by *
* ------------------------------- *
* 1(403)555-5555 *
****************************^C
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

C871#
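As an added illustration (not part of the thread or of the poster's config), the following Python models the interplay between `ip inspect ISITLEGIT out` and `ip access-group 110 in` on FastEthernet4: CBAC records each inspected outbound session and lets its reply packets through ahead of ACL 110, while anything without matching inspect state has to survive ACL 110 itself, which ends in `deny ip any any`. The ACL text is a subset of the poster's list 110 with SHAWPUBLICIP replaced by a constructed documentation address; the web server address, the flows, and the names `Packet`, `Ace`, `Cbac`, `parse_acl`, `acl_verdict` and `demo` are all assumptions made here.

```python
# Added example: models how the 871's inbound ACL 110 and the ISITLEGIT inspect
# list (CBAC) decide the fate of packets arriving on FastEthernet4.
import ipaddress
from collections import namedtuple

# Constructed stand-ins: the post redacts the WAN address as SHAWPUBLICIP and
# never gives the web server's address.
PUBLIC_IP = "203.0.113.10"
WEB_SERVER = "198.51.100.20"
NAMED_PORTS = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500}

# Subset of the poster's access-list 110, order preserved (VPN pool entries omitted).
ACL_110 = f"""
permit udp host 64.59.135.133 eq domain host {PUBLIC_IP}
permit udp host 64.59.135.135 eq domain host {PUBLIC_IP}
permit udp any host {PUBLIC_IP} eq isakmp
deny ip 192.168.71.0 0.0.0.255 any
permit icmp any host {PUBLIC_IP} echo-reply
permit icmp any host {PUBLIC_IP} unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip any any
"""

# A packet as seen by the ACL; icmp_type only matters when proto == "icmp".
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, ""))
# One access-control entry; None means "not constrained".
Ace = namedtuple("Ace", "action proto src sport dst dport icmp_type")

def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    mask = (~int(ipaddress.ip_address(t[i + 1]))) & 0xFFFFFFFF   # wildcard -> netmask
    return ipaddress.ip_network(f"{t[i]}/{ipaddress.ip_address(mask)}", strict=False), i + 2

def _parse_port(t, i):
    """Consume an optional 'eq <name|number>'; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return NAMED_PORTS.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Parse extended-ACL lines of the form: action proto src [eq p] dst [eq p] [icmp-type]."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        icmp_type = t[i] if t[1] == "icmp" and i < len(t) else None
        aces.append(Ace(t[0], t[1], src, sport, dst, dport, icmp_type))
    return aces

def acl_verdict(aces, p):
    """First match wins; an IOS ACL ends in an implicit deny."""
    for a in aces:
        if (a.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in a.src
                and ipaddress.ip_address(p.dst) in a.dst
                and a.sport in (None, p.sport) and a.dport in (None, p.dport)
                and a.icmp_type in (None, p.icmp_type)):
            return a.action
    return "deny"

class Cbac:
    """'ip inspect ISITLEGIT out' plus 'ip access-group 110 in' on one interface."""
    def __init__(self, aces, inspected):
        self.aces, self.inspected, self.sessions = aces, inspected, set()
    def outbound(self, p):
        # Inspected outbound traffic records the 5-tuple its reply must match.
        if p.proto in self.inspected:
            self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))
    def inbound(self, p):
        # A reply matching a session bypasses ACL 110; everything else is filtered by it.
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.sessions:
            return "permit-by-inspect"
        return acl_verdict(self.aces, p)

def demo():
    """Constructed flows: one outbound web session, then candidate inbound packets."""
    fw = Cbac(parse_acl(ACL_110), {"tcp", "udp", "icmp"})   # generic inspect rules from the post
    fw.outbound(Packet("tcp", PUBLIC_IP, WEB_SERVER, 40000, 80))
    return {
        "web_reply_with_state": fw.inbound(Packet("tcp", WEB_SERVER, PUBLIC_IP, 80, 40000)),
        "web_reply_no_state": acl_verdict(fw.aces, Packet("tcp", WEB_SERVER, PUBLIC_IP, 80, 40000)),
        "dns_reply": acl_verdict(fw.aces, Packet("udp", "64.59.135.133", PUBLIC_IP, 53, 53123)),
        "pmtud_unreachable": acl_verdict(fw.aces, Packet("icmp", WEB_SERVER, PUBLIC_IP, icmp_type="unreachable")),
        "unsolicited_syn": acl_verdict(fw.aces, Packet("tcp", "198.51.100.5", PUBLIC_IP, 5555, 80)),
        "spoofed_rfc1918": acl_verdict(fw.aces, Packet("tcp", "10.1.2.3", PUBLIC_IP, 1234, 80)),
    }
```

The `web_reply_no_state` case is the one worth keeping in mind for a symptom like the one in the question: a return packet that does not match an inspect session is silently dropped by the final `deny ip any any`, so the browser times out instead of getting a refusal. On the router itself the same two views come from `show ip inspect sessions` (which sessions CBAC currently tracks) and `show access-lists 110` (whose hit counters show which deny line is absorbing the traffic).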

juan_m_12 Wed, 04/25/2007 - 10:21

Hello, I checked the webpage and it appears that you solved the problem. Can you post the solution? Was it related to the IOS firewall?

Thank you

Juan Manuel Garcia
