Cisco Support Community
New Member

Cisco 881 k9 Router Blocks Access to Website

Dear Support team, I have a Cisco 881 k9 box that does not allow access to a particular website.

How could I address this issue?

I have the following Access-list on the router:

ip nat inside source list 110 interfa                                  

ip route 0.0.0.0 0.0.0.0 197.255.52.89                                    

!

access-list 23 permit 10.10.10.0 0.0.0.7                                       

access-list 110 deny   ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255                                                                        

access-list 110 permit ip 192.168.1.0 0.0.0.255 any                                                 

no cdp run        

!

18 REPLIES
Hall of Fame Super Gold

Cisco 881 k9 Router Blocks Access to Website

Are you telling us that you have successful access to other web sites and that one web site does not work? Would you post the output of an attempt to ping to that web site? Would you post the output of nslookup for the name of the website?

HTH

Rick

New Member

Cisco 881 k9 Router Blocks Access to Website

Yes i have access to other websites.

A ping to the said site timed out

Hall of Fame Super Gold

Cisco 881 k9 Router Blocks Access to Website

Part of the questions that I asked was to try to determine whether the problem is with DNS name resolution or is about IP connectivity. Your response gives me no information about that. Please post the outputs that I requested.

HTH

Rick

New Member

Cisco 881 k9 Router Blocks Access to Website

CADD#ping www.caddcentreng.com

Translating "www.caddcentreng.com"

% Unrecognized host or address, or protocol not running.

The above is a response from a ping to the website

below is the Ip address of the website

CADD#ping 192.64.112.59

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.64.112.59, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 196/208/224 ms

CADD#

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 110 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 197.255.52.89

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 110 deny   ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255

access-list 110 permit ip 192.168.1.0 0.0.0.255 any

access-list 110 permit ip 192.64.112.0 0.0.0.255 any

no cdp run

ip cef     

no ip domain lookup                  

ip domain name www.caddcentreng.com                                  

no ipv6 cef          

New Member

Cisco 881 k9 Router Blocks Access to Website

THIS IS THE ERROR MESSAGE DISPLAYED WHEN ONE TRIES TO OPEN THE WEBSITE FROM WINDOWS

XML Parsing Error: unexpected parser state Location: jar:file:///C:/Program%20Files/Mozilla%20Firefox/omni.ja!/chrome/toolkit/content/global/netError.xhtml Line Number 311, Column 58:

&netInterrupt.longDesc;
---------------------------------------------------------^

New Member

Cisco 881 k9 Router Blocks Access to Website

That would appear to be a browser issue rather than the router blocking access to the website. Try opening Firefox in safe mode and access the website then.

Hall of Fame Super Gold

Cisco 881 k9 Router Blocks Access to Website

Thank you for the outputs that I requested. This one is quite helpful and does demonstrate that the problem is a failure with DNS

CADD#ping www.caddcentreng.com

Translating "www.caddcentreng.com"

% Unrecognized host or address, or protocol not running.

If you cannot resolve the name then your browser will not be able to access the web server.

HTH

Rick

Purple

Cisco 881 k9 Router Blocks Access to Website

Hi,

You've got no ip domain lookup configured, so it will never try to translate the name to IP.

You can try with a site that is working and see that the ping for the name fails on the router too.

So this doesn't demonstrate that your problem with accessing the site is a DNS problem.

You should ping the name from the host, and if it fails but pinging the IP succeeds then it is a DNS problem.

Regards

Alain

Don't forget to rate helpful posts.

New Member

Cisco 881 k9 Router Blocks Access to Website

OK, how best do I resolve this issue?

What do I need to configure on the router?

Purple

Cisco 881 k9 Router Blocks Access to Website

Hi,

Can you ping the IP from your host but fail to ping the FQDN?

Regards

Alain

Don't forget to rate helpful posts.

New Member

Cisco 881 k9 Router Blocks Access to Website

Yes, I can ping the IP. But the FQDN failed to ping.

Purple

Cisco 881 k9 Router Blocks Access to Website

Hi,

Can you tell us which DNS servers your host is using?

Regards

Alain

Don't forget to rate helpful posts.

New Member

Re: Cisco 881 k9 Router Blocks Access to Website

The DNS server is: 80.89.176.10 & 80.89.176.11,

which is the DNS from the internet service provider.

Hall of Fame Super Gold

Cisco 881 k9 Router Blocks Access to Website

In reading through this thread again I see that we talked about access list used for address translation but have not talked about the possibility of an access list applied to interfaces. So let me ask the question whether you have any access lists that are doing packet filtering on interfaces? If so please give us the details of this. I am wondering about the possibility that DNS traffic might be denied by access lists.

And if it is not an access list issue I wonder what else might be in the config that could impact DNS. So perhaps it would be helpful to post the complete config, masking out public addresses, passwords, and anything else that is sensitive.

HTH

Rick

New Member

Re: Cisco 881 k9 Router Blocks Access to Website

Thanks Richard.

Below is the sh run from the router:

CADD#sh run          

Building configuration...                        

Current configuration : 5577 bytes                                

!

! No configuration change since last restart                                          

version 15.1          

no service pad            

service timestamps debug datetime msec                                    

service timestamps log datetime msec                                  

no service password-encryption                            

!

hostname CADD            

!

boot-start-marker                

boot-end-marker              

!

!

logging buffered 51200 warnings                              

!

no aaa new-model              

memory-size iomem 10                  

crypto pki token default removal timeout 0                                        

!

crypto pki trustpoint TP-self-signed-2894833554                                              

enrollment selfsigned                    

subject-name cn=IOS-Self-Signed-Certificate-2894833554                                                      

revocation-check none                    

rsakeypair TP-self-signed-2894833554                                    

!

!

crypto pki certificate chain TP-self-signed-2894833554                                                    

certificate self-signed 01                          


       quit          

ip source-route              

!

!

!

ip dhcp excluded-address 192.168.1.1                                  

!

ip dhcp pool inside DHCP                      

network 192.168.1.0 255.255.255.0                                

default-router 192.168.1.1                          

dns-server 80.89.176.10 80.89.176.11                                    

!

!

ip cef    

no ip domain lookup                  

ip domain name www.caddcentreng.com                                  

no ipv6 cef          

!

!

license udi pid CISCO881-K9 sn FCZ1639C0R7                                        

!

!

!

interface FastEthernet0                      

description LAN              

switchport access vlan 10                        

no ip address            

!

interface FastEthernet1                      

description LAN              

switchport access vlan 10                        

no ip address            

!

interface FastEthernet2                      

description LAN              

switchport access vlan 10                        

no ip address            

!

interface FastEthernet3                      

description LAN              

switchport access vlan 10                        

no ip address            

!

interface FastEthernet4                      

description WAN              

ip address 197.255.x.x 255.255.x.x                              

ip nat outside              

ip virtual-reassembly in                        

duplex auto          

speed auto          

!

interface Vlan1              

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$                                                

ip address 10.10.10.1 255.255.255.248                                    

ip tcp adjust-mss 1452                      

!

interface Vlan10              

description LAN              

ip address 192.168.1.1 255.255.255.0                                    

ip nat inside            

ip virtual-reassembly in                        

!

ip forward-protocol nd                    

ip http server            

ip http access-class 23                      

ip http authentication local                         

ip http secure-server                    

ip http timeout-policy idle 60 life 86400 requests 10000                                                      

!

ip nat inside source list 110 interfa                                  

ip route 0.0.0.0 0.0.0.0 197.255.x .x                                    

!

access-list 23 permit 10.10.10.0 0.0.0.7                                      

access-list 110 deny   ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255                                                                       

access-list 110 permit ip 192.168.1.0 0.0.0.255 any                                                  

access-list 110 permit ip 192.64.112.0 0.0.0.255 any                                                  

no cdp run         

!

!

Hall of Fame Super Gold

Cisco 881 k9 Router Blocks Access to Website

Thank you for the additional information. The posted config does show that there are no access lists applied to interfaces which might have caused this issue.

Based on the posted config I do have these comments:

- as Alain has already pointed out the router has no ip domain-lookup configured. This will prevent ping (or any other access) from the router using names and would allow access using IP addresses.

- if you want the router to be able to access anything using names then you need to have ip domain-lookup enabled and you need to configure name servers for the router to use. My personal opinion is that it is helpful to have name lookup enabled on the router - especially because it helps in troubleshooting issues such as the one raised in this thread.

- There are 2 IP subnets mentioned in the config. Obviously the one most in use is 192.168.1.0/24. But there is also 10.10.10.0/28. Is this second subnet in use at all?

- access list 110 mentions 2 networks. There is 192.168.1.0/24 which we know about and there is also 192.64.112.0/24. What is this second network and is it used somewhere?

I am also a bit uncertain about what the current question really is. The original post raised a question about problems with access to a specific site. The discussion has kind of shifted to questions about whether DNS is working. Do we have one question here or do we have two questions?

HTH

Rick

New Member

Re: Cisco 881 k9 Router Blocks Access to Website

Thanks Rick,

Please note the following about your comment on the config posted above:

10.10.10.0/28. Is this second subnet in use at all? ----------this is the management IP for Vlan 1

access-list 110 permit ip 192.64.112.0 0.0.0.255 ---------- this is used to permit traffic going to the DNS server

The DNS has IP Add of : 192.64.112.59

What is the syntax for setting up the nslookup?

Purple

Cisco 881 k9 Router Blocks Access to Website

Hi,

ACL 110 is a NAT ACL, so it is for matching source traffic entering the nat inside interface that is to be natted out the nat outside interface. This is not an ACL for traffic filtering, and this line

access-list 110 permit ip 192.64.112.0 0.0.0.255

is not needed and will never be matched, as the DNS servers are these ones

80.89.176.10 80.89.176.11

and will never appear as src address on the inside interface.

If you want to communicate with hostnames on the router itself then just configure ip domain-lookup and add this too:

ip name-server 80.89.176.10

ip name-server 80.89.176.11

For nslookup: open a command line window and enter this: nslookup followed by the FQDN

Regards

Alain


Don't forget to rate helpful posts.
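
The role of ACL 110 as a NAT-selection list with first-match semantics, described in the reply above, can be checked by evaluating the posted entries against a few flows. This is an added example, not part of any post in the thread; the host addresses 192.168.1.20 and 10.10.10.2 are constructed, and the function names are hypothetical.

```python
import ipaddress

# ACL 110 as posted in the thread:
# (action, source, source wildcard, destination, destination wildcard).
# "any" is written as 0.0.0.0 with wildcard 255.255.255.255.
ACL_110 = [
    ("deny",   "192.0.0.0",    "0.255.255.255", "192.0.0.0", "0.255.255.255"),
    ("permit", "192.168.1.0",  "0.0.0.255",     "0.0.0.0",   "255.255.255.255"),
    ("permit", "192.64.112.0", "0.0.0.255",     "0.0.0.0",   "255.255.255.255"),
]

def _wild_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def first_match(acl, src, dst):
    """Return (line_number, action) of the first matching entry, or
    (None, 'deny') for the implicit deny that ends every IOS ACL."""
    for n, (action, s, sw, d, dw) in enumerate(acl, start=1):
        if _wild_match(src, s, sw) and _wild_match(dst, d, dw):
            return n, action
    return None, "deny"

def nat_decision(acl, src, dst):
    """For an ACL referenced by 'ip nat inside source list', permit means
    the flow is translated; deny means it is forwarded untranslated."""
    line, action = first_match(acl, src, dst)
    return line, ("translate" if action == "permit" else "no NAT")

# Constructed sample flows: (source, destination)
FLOWS = [
    ("192.168.1.20", "80.89.176.10"),   # LAN host -> ISP DNS server
    ("192.168.1.20", "192.64.112.59"),  # LAN host -> address pinged in the thread
    ("10.10.10.2",   "80.89.176.10"),   # management subnet host -> ISP DNS server
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        print(src, "->", dst, nat_decision(ACL_110, src, dst))
```

The third entry is reached only by a packet whose source is in 192.64.112.0/24, which LAN hosts in 192.168.1.0/24 never produce. The second flow stops at the first entry, because both its source and destination fall inside 192.0.0.0 0.255.255.255, so it is excluded from translation.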