cisco 1811 fw router, cannot browse http

Unanswered Question
Jun 16th, 2008

Hi,

I configured the Cisco 1811 with the firewall feature. I can block the IM traffic. However, I find that TCP port 80 is blocked also.

If I remove the SDM from the interface, TCP port 80 is enabled again. The problem is SDM, but I do not know what setting I need to change. Any idea?

FW router

!
ip inspect name sdm_ins_in_162 appfw sdm_ins_in_162
ip inspect name sdm_ins_in_162 https
ip inspect name sdm_ins_in_162 dns
!
appfw policy-name sdm_ins_in_162
 application im aol
  service default action reset alarm
  service text-chat action reset alarm
  server deny name login.oscar.aol.com
  server deny name toc.oscar.aol.com
  server deny name oam-d09a.blue.aol.com
  audit-trail on
 application im msn
  service default action reset alarm
  service text-chat action reset alarm
  server deny name messenger.hotmail.com
  server deny name gateway.messenger.hotmail.com
  server deny name webmessenger.msn.com
  audit-trail on
 application http
  port-misuse p2p action reset alarm
  port-misuse im action reset alarm
 application im yahoo
  service default action reset alarm
  service text-chat action reset alarm
  server deny name scs.msg.yahoo.com
  server deny name scsa.msg.yahoo.com
  server deny name scsb.msg.yahoo.com
  server deny name scsc.msg.yahoo.com
  server deny name scsd.msg.yahoo.com
  server deny name messenger.yahoo.com
  server deny name cs16.msg.dcn.yahoo.com
  server deny name cs19.msg.dcn.yahoo.com
  server deny name cs42.msg.dcn.yahoo.com
  server deny name cs53.msg.dcn.yahoo.com
  server deny name cs54.msg.dcn.yahoo.com
  server deny name ads1.vip.scd.yahoo.com
  server deny name radio1.launch.vip.dal.yahoo.com
  server deny name in1.msg.vip.re2.yahoo.com
  server deny name data1.my.vip.sc5.yahoo.com
  server deny name address1.pim.vip.mud.yahoo.com
  server deny name edit.messenger.yahoo.com
  server deny name http.pager.yahoo.com
  server deny name privacy.yahoo.com
  server deny name csa.yahoo.com
  server deny name csb.yahoo.com
  server deny name csc.yahoo.com
  audit-trail on
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_sdm_ins_in_162
 class sdm_p2p_edonkey
  drop
 class sdm_p2p_gnutella
  drop
 class sdm_p2p_kazaa
  drop
 class sdm_p2p_bittorrent
  drop
!
interface FastEthernet0
 ip inspect sdm_ins_in_162 out
!

johnd2310 Mon, 06/16/2008 - 14:37

Hi,

Is FastEthernet0 the inside or outside interface?

Thanks

John

michael.leblanc Mon, 06/16/2008 - 15:22

I think you should be applying inspection "inbound" on the "internal" interface for the purpose of provisioning the return path (temporary dynamic holes in the firewall).

You might also want to introduce some HTTP specific policy.

e.g.:

appfw policy-name sdm_ins_in_162
 application http
  strict-http action allow alarm
  content-type-verification match-req-rsp action allow alarm
  port-misuse default action reset alarm
  request-method rfc put action reset alarm

Currently, you are not doing any conformance checks on HTTP, and not taking advantage of features that can protect client and server.

You will find many sites (incl. portions of Cisco.com) don't conform with "strict-http", so you'll probably have to settle for "action allow alarm", vs. "action reset alarm".

The same "may" be true of "content-type-verification", depending on which browser you use (e.g.: Firefox).
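Added example, not posted by anyone in this thread: a small Python checker that reads an IOS inspect/appfw configuration in the shape shown in the question and reports the consistency problems a reviewer would look for. It encodes one fact about the classic IOS firewall: an appfw policy's "application http" section is only evaluated on HTTP traffic that the same inspect rule inspects, so the rule needs an "ip inspect name <rule> http" entry alongside the "appfw" entry. It also echoes the direction point raised in the reply above by flagging a rule that is applied only outbound. SAMPLE_CONFIG is a constructed, abridged copy of the question's configuration; REVISED_CONFIG adds the http entry and applies the rule inbound on "FastEthernet1", a placeholder name for an inside interface that the thread never identifies.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the question's configuration (abridged):
# the appfw policy has an 'application http' section, but the inspect rule
# only lists https and dns, and the rule is applied outbound on one interface.
SAMPLE_CONFIG = """\
ip inspect name sdm_ins_in_162 appfw sdm_ins_in_162
ip inspect name sdm_ins_in_162 https
ip inspect name sdm_ins_in_162 dns
!
appfw policy-name sdm_ins_in_162
 application im aol
  service default action reset alarm
  server deny name login.oscar.aol.com
 application http
  port-misuse p2p action reset alarm
  port-misuse im action reset alarm
 application im yahoo
  service default action reset alarm
!
interface FastEthernet0
 ip inspect sdm_ins_in_162 out
!
"""

# Same rule with 'http' added to the inspect list and applied inbound on an
# assumed inside interface (FastEthernet1 is a placeholder, not from the post).
REVISED_CONFIG = SAMPLE_CONFIG.replace(
    "ip inspect name sdm_ins_in_162 dns\n",
    "ip inspect name sdm_ins_in_162 dns\nip inspect name sdm_ins_in_162 http\n",
).replace(
    "interface FastEthernet0\n ip inspect sdm_ins_in_162 out\n",
    "interface FastEthernet1\n ip inspect sdm_ins_in_162 in\n",
)

# Inspect protocol an appfw application depends on. Only http is encoded; it is
# the one mapping this checker relies on.
INSPECT_FOR_APP = {"http": "http"}


def parse_inspect_rules(config):
    """Return {rule: {'protocols': set, 'appfw': policy-or-None}}."""
    rules = defaultdict(lambda: {"protocols": set(), "appfw": None})
    for line in config.splitlines():
        m = re.match(r"^ip inspect name (\S+) (\S+)(?:\s+(\S+))?", line)
        if not m:
            continue
        name, proto, arg = m.groups()
        if proto == "appfw":
            rules[name]["appfw"] = arg
        else:
            rules[name]["protocols"].add(proto)
    return dict(rules)


def _blocks(config, header_re):
    """Yield (header match, [stripped indented body lines]) per matching block."""
    header, body = None, []
    for line in config.splitlines() + ["!"]:
        if line.startswith(" ") and header is not None:
            body.append(line.strip())
            continue
        if header is not None:          # a non-indented line closes the block
            yield header, body
            header, body = None, []
        m = header_re.match(line)
        if m:
            header, body = m, []


def parse_appfw_policies(config):
    """Return {policy: set of 'application ...' names declared in it}."""
    policies = {}
    for m, body in _blocks(config, re.compile(r"^appfw policy-name (\S+)")):
        policies[m.group(1)] = {
            l[len("application "):] for l in body if l.startswith("application ")
        }
    return policies


def parse_interface_inspection(config):
    """Return [(interface, rule, direction)] for each 'ip inspect' on an interface."""
    applied = []
    for m, body in _blocks(config, re.compile(r"^interface (\S+)")):
        for l in body:
            im = re.match(r"^ip inspect (\S+) (in|out)$", l)
            if im:
                applied.append((m.group(1), im.group(1), im.group(2)))
    return applied


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    rules = parse_inspect_rules(config)
    policies = parse_appfw_policies(config)
    applied = parse_interface_inspection(config)
    findings = []
    for rule, info in rules.items():
        policy = info["appfw"]
        if policy is not None and policy not in policies:
            findings.append(f"rule {rule}: appfw policy {policy} referenced but not defined")
        for app in sorted(policies.get(policy, ())):
            needed = INSPECT_FOR_APP.get(app)
            if needed and needed not in info["protocols"]:
                findings.append(f"rule {rule}: policy {policy} has 'application {app}' "
                                f"but '{needed}' is not in the inspect list")
        directions = {d for _, r, d in applied if r == rule}
        if not directions:
            findings.append(f"rule {rule}: defined but not applied to any interface")
        elif directions == {"out"}:
            findings.append(f"rule {rule}: applied only outbound; confirm that is the "
                            "interface and direction where the sessions originate")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("revised", REVISED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run against a full "show running-config", the checker reports once per inspect rule; the direction finding is a prompt to confirm the design (outbound on the outside interface or inbound on the inside interface both work, but the rule must sit where the client sessions originate so the return path is opened), while the missing-protocol finding is a hard error because the http appfw policy is simply never consulted without it.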
