04-04-2007 09:25 AM - edited 03-11-2019 02:56 AM
Hello all,
A customer of ours is having an issue where they can't go to one website after we've installed a Cisco 871 router for them. Everything else works fine.
The website in question is
http://www.ab.bluecross.ca/ibluelink.html
and then when they click "Enter the secure site" the operation will time out and they get "Page cannot be displayed.."
The page is
http://ibluelink.ab.bluecross.ca/index.jsp.
Of course, it does not happen when we switch back to their "home grade" router.. I also can access that site from anywhere else without any problems.
If you have any ideas/suggestions we would greatly appreciate that!
Please find enclosed the config (I only edited the private info).
Thanks VERY much in advance!
04-04-2007 09:26 AM
C871#sh run
Building configuration...
Current configuration : 5675 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C871
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login LEMMEIN local
aaa authorization network VPNGROUPSCV local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.71.1 192.168.71.99
ip dhcp excluded-address 192.168.71.151 192.168.71.254
!
ip dhcp pool Administration
 import all
 network 192.168.71.0 255.255.255.0
 domain-name scv.local
 dns-server 192.168.71.199 64.59.135.133
 default-router 192.168.71.1
!
!
ip name-server 64.59.135.133
ip name-server 64.59.135.135
ip inspect name ISITLEGIT cuseeme
ip inspect name ISITLEGIT dns
ip inspect name ISITLEGIT ftp
ip inspect name ISITLEGIT h323
ip inspect name ISITLEGIT https
ip inspect name ISITLEGIT icmp
ip inspect name ISITLEGIT imap
ip inspect name ISITLEGIT pop3
ip inspect name ISITLEGIT netshow
ip inspect name ISITLEGIT rcmd
ip inspect name ISITLEGIT realaudio
ip inspect name ISITLEGIT rtsp
ip inspect name ISITLEGIT esmtp
ip inspect name ISITLEGIT sqlnet
ip inspect name ISITLEGIT streamworks
ip inspect name ISITLEGIT tftp
ip inspect name ISITLEGIT tcp
ip inspect name ISITLEGIT udp
ip inspect name ISITLEGIT vdolive
04-04-2007 09:27 AM
username unitypro password xxx
username User1 password xxx
username User2 password xxx
!
!
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SCVREMOTE
 key THESECRETKEY
 pool RAPOOLSCV
 acl 123
 include-local-lan
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DYNAMAP 1
 set transform-set ESP-AES-SHA
 reverse-route
!
!
crypto map SCVCRYPTOMAP client authentication list LEMMEIN
crypto map SCVCRYPTOMAP isakmp authorization list VPNGROUPSCV
crypto map SCVCRYPTOMAP client configuration address respond
crypto map SCVCRYPTOMAP 65535 ipsec-isakmp dynamic DYNAMAP
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description Firewalled interface facing the Internet
 mac-address 000c.4148.827f
 ip address SHAWPUBLICIP 255.255.252.0
 ip access-group 110 in
 ip nat outside
 ip inspect ISITLEGIT out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SCVCRYPTOMAP
!
interface Vlan1
 description Local Interface
 ip address 192.168.71.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool RAPOOLSCV 192.168.71.245 192.168.71.249
ip classless
ip route 0.0.0.0 0.0.0.0 SHAWPUBLICGW
ip route 10.0.71.0 255.255.255.0 192.168.71.10
04-04-2007 09:28 AM
ip http server
no ip http secure-server
ip nat inside source route-map NONATFORVPN interface FastEthernet4 overload
!
access-list 100 remark INSIDE-IN
access-list 101 remark No NAT for VPN
access-list 101 deny ip 192.168.71.0 0.0.0.255 host 192.168.71.245
access-list 101 deny ip 192.168.71.0 0.0.0.255 host 192.168.71.246
access-list 101 deny ip 192.168.71.0 0.0.0.255 host 192.168.71.247
access-list 101 deny ip 192.168.71.0 0.0.0.255 host 192.168.71.248
access-list 101 deny ip 192.168.71.0 0.0.0.255 host 192.168.71.249
access-list 101 permit ip 192.168.71.0 0.0.0.255 any
access-list 105 remark INSIDE-OUT
access-list 110 remark Outside Interface Access List
access-list 110 permit udp host 64.59.135.133 eq domain host SHAWPUBLICIP
access-list 110 permit udp host 64.59.135.135 eq domain host SHAWPUBLICIP
access-list 110 permit ahp any host SHAWPUBLICIP
access-list 110 permit esp any host SHAWPUBLICIP
access-list 110 permit udp any host SHAWPUBLICIP eq isakmp
access-list 110 permit udp any host SHAWPUBLICIP eq non500-isakmp
access-list 110 permit ip host 192.168.71.249 192.168.71.0 0.0.0.255
access-list 110 permit ip host 192.168.71.248 192.168.71.0 0.0.0.255
access-list 110 permit ip host 192.168.71.247 192.168.71.0 0.0.0.255
access-list 110 permit ip host 192.168.71.246 192.168.71.0 0.0.0.255
access-list 110 permit ip host 192.168.71.245 192.168.71.0 0.0.0.255
access-list 110 deny ip 192.168.71.0 0.0.0.255 any
access-list 110 permit icmp any host SHAWPUBLICIP echo-reply
access-list 110 permit icmp any host SHAWPUBLICIP time-exceeded
access-list 110 permit icmp any host SHAWPUBLICIP unreachable
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip any any
access-list 115 remark OUTSIDE-OUT
access-list 123 remark Split Tunneling
access-list 123 permit ip 192.168.71.0 0.0.0.255 any
!
route-map NONATFORVPN permit 1
 match ip address 101
!
!
control-plane
!
banner motd ^C
****************************
* Property of *
* %CUSTOMER% *
* No Unauthorized Access *
* Device Maintained by *
* ------------------------------- *
* 1(403)555-5555 *
****************************^C
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
C871#
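An added example, not part of the original post and not Cisco code: a first-match evaluation of a subset of access-list 110 from the config above, showing that reply traffic from a web server is not admitted by any static permit and so enters only through the temporary openings created by ip inspect ISITLEGIT out. The address standing in for SHAWPUBLICIP and the sample packets are constructed, and the ICMP entries are left out of the subset, so ICMP packets should not be evaluated with it.

```python
import ipaddress

PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the redacted SHAWPUBLICIP
PORTS = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500}

# Subset of access-list 110 copied from the posted config, order preserved.
# The ICMP permits and the remaining anti-spoofing denies are omitted.
ACL_110 = """\
permit udp host 64.59.135.133 eq domain host SHAWPUBLICIP
permit udp any host SHAWPUBLICIP eq isakmp
permit ip host 192.168.71.246 192.168.71.0 0.0.0.255
deny ip 192.168.71.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip any any
"""

def ip_int(text):
    return int(ipaddress.ip_address(text.replace("SHAWPUBLICIP", PUBLIC_IP)))

def take_spec(tok):
    """Consume '<address> [eq <port>]'; return (net, wildcard, port-or-None)."""
    first = tok.pop(0)
    if first == "any":
        net, wild = 0, 0xFFFFFFFF
    elif first == "host":
        net, wild = ip_int(tok.pop(0)), 0
    else:
        net, wild = ip_int(first), ip_int(tok.pop(0))
    port = None
    if tok[:1] == ["eq"]:
        name = tok[1]
        del tok[:2]
        port = PORTS.get(name) or int(name)
    return net, wild, port

def first_match(proto, src, dst, sport=None, dport=None):
    """Return (action, line) for the first entry matching the packet."""
    s, d = ip_int(src), ip_int(dst)
    for line in ACL_110.splitlines():
        tok = line.split()
        action, acl_proto = tok.pop(0), tok.pop(0)
        snet, swild, want_sport = take_spec(tok)
        dnet, dwild, want_dport = take_spec(tok)
        if (acl_proto in ("ip", proto)
                and not (s ^ snet) & ~swild & 0xFFFFFFFF
                and not (d ^ dnet) & ~dwild & 0xFFFFFFFF
                and want_sport in (None, sport) and want_dport in (None, dport)):
            return action, line
    return "deny", "(implicit deny)"
```

A reply from a web server, for example first_match("tcp", "198.51.100.20", PUBLIC_IP, 80, 51000), falls through to "deny ip any any", while the DNS replies and VPN pool hosts are admitted by their static entries.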
04-25-2007 10:21 AM
Hello, I checked the webpage; it appears that you solved the problem. Can you post the solution? Was it related to the IOS firewall?
thank you
Juan Manuel Garcia