New Member

Cannot access some website

Hi all

I ran into trouble: I can access Google search, but cannot access the Gmail site. Additionally, I cannot access any site related to Microsoft, or sometimes it is too slow. I think it may be related to my DNS server or Cisco router configuration.

Please give any advice.

Thanks

Here is the configuration:

Router#show run
Building configuration...

Current configuration : 1981 bytes
!
! Last configuration change at 20:06:06 UTC Thu Nov 14 2013
! NVRAM config last updated at 15:04:59 UTC Tue Nov 5 2013
! NVRAM config last updated at 15:04:59 UTC Tue Nov 5 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxx
!
no aaa new-model
memory-size iomem 20
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FTX1603AH9C
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 description internal-LAN
 ip address 172.x.x.x 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 11
 ip address 172.16.x.x 255.255.240.0
!
interface GigabitEthernet0/2
 description internet
 ip address 50.240.x.x 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/2 overload
ip route profile
ip route 0.0.0.0 0.0.0.0 50.240.x.x
ip route 0.0.0.0 0.0.0.0 172.10.0.30 name ROUTE-VPN-REMOTE
ip route 172.16.240.0 255.255.254.0 172.10.x.x
!
access-list 100 permit ip 172.10.0.0 0.0.255.255 any
access-list 100 permit ip 172.16.240.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end

4 REPLIES
Hall of Fame Super Blue

Re: Cannot access some website

Why do you have 2 entries here -

ip route 0.0.0.0 0.0.0.0 50.240.x.x

ip route 0.0.0.0 0.0.0.0 172.10.0.30 name ROUTE-VPN-REMOTE

Looking at the rest of your config, it looks like the first entry is the one you need. What is the second entry meant to be doing?

If you do a "sh ip route", do you see both entries in the route table?

Jon

New Member

Cannot access some website

I use 172.10.0.30 for one ASA VPN interface to connect with my current network. That is why I need that route, so that any PC connected directly to the ASA can access the internet. I can remove it if that can fix the problem. But I think it is not, because it worked well before.

Afterwards, I attached my IP PBX to the network and configured some ACLs to allow ports for calls. The problem occurred, but there are still problems even though I deleted those ACLs.

Thanks

New Member

Cannot access some website

Hi

Thanks a lot. It is my fault. I deleted that route and it works fine. That was the problem. But can you explain it for me?

Hall of Fame Super Blue

Re: Cannot access some website

When you have multiple routes to the same destination, as long as the cost is the same (and it is for those 2 routes), the router will use both routes. It will basically switch between those routes. But in your case only one of the routes (the first entry) actually sent traffic out to the internet. So sometimes it would use the correct one, i.e. the first entry, and sometimes it would use the wrong one. When it used the wrong one, the packets would not be sent out to the internet and so they never reached their destination.

This is why some sites were unreachable, i.e. the initial packet used the wrong route and so never got to the server. And it also explains why some other sites were slow, i.e. part of the connection was using the right route but another part was using the wrong route, e.g. if a DNS lookup was needed and the wrong route was used then there would be a delay while the client waited for an answer. It might then reissue the request and this time the correct route was used.

Jon
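A check for the condition described in the reply above, as an added example that is not part of the original thread: it scans the static-route lines of a saved config and reports any destination that has more than one next hop at the same (lowest) administrative distance. The function name and the distance-250 variant are constructed for illustration; only the `ip route <prefix> <mask> <next-hop> [distance] [name <label>]` forms seen in the posted config are parsed.

```python
import re
from collections import defaultdict

# Matches the static-route forms seen in the posted config:
#   ip route <prefix> <mask> <next-hop> [distance] [name <label>]
ROUTE_RE = re.compile(
    r"^ip route (?P<prefix>\S+) (?P<mask>\S+) (?P<hop>\S+)"
    r"(?: (?P<dist>\d{1,3}))?(?: name (?P<name>\S+))?\s*$"
)

def equal_cost_statics(config_text):
    """Return {(prefix, mask): [next hops]} for destinations where more than
    one static route shares the lowest administrative distance."""
    routes = defaultdict(list)
    for line in config_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # e.g. "ip route profile" is not a route entry
        dist = int(m["dist"]) if m["dist"] else 1  # IOS default for static routes
        routes[(m["prefix"], m["mask"])].append((dist, m["hop"]))
    findings = {}
    for dest, entries in routes.items():
        best = min(d for d, _ in entries)  # only the lowest distance is installed
        hops = sorted({h for d, h in entries if d == best})
        if len(hops) > 1:
            findings[dest] = hops
    return findings

# Static-route lines copied from the config in the question (addresses as redacted there).
POSTED = """\
ip route profile
ip route 0.0.0.0 0.0.0.0 50.240.x.x
ip route 0.0.0.0 0.0.0.0 172.10.0.30 name ROUTE-VPN-REMOTE
ip route 172.16.240.0 255.255.254.0 172.10.x.x
"""

# Constructed variant: the second default route carries distance 250, so it
# would only act as a backup and is not installed alongside the first.
FLOATING = POSTED.replace("172.10.0.30 name", "172.10.0.30 250 name")

if __name__ == "__main__":
    for (prefix, mask), hops in equal_cost_statics(POSTED).items():
        print(f"{prefix} {mask}: equal-cost next hops {', '.join(hops)}")
```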
