06-16-2008 05:54 AM - edited 03-11-2019 05:59 AM
Hi,
I configured the Cisco 1811 with the firewall feature. I can block the IM traffic. However, I find that TCP port 80 is blocked also.
If I remove the SDM from the interface, TCP port 80 is enabled again. The problem is SDM, but I do not know what setting I need to change. Any idea?
FW router
!
ip inspect name sdm_ins_in_162 appfw sdm_ins_in_162
ip inspect name sdm_ins_in_162 https
ip inspect name sdm_ins_in_162 dns
!
appfw policy-name sdm_ins_in_162
 application im aol
  service default action reset alarm
  service text-chat action reset alarm
  server deny name login.oscar.aol.com
  server deny name toc.oscar.aol.com
  server deny name oam-d09a.blue.aol.com
  audit-trail on
 application im msn
  service default action reset alarm
  service text-chat action reset alarm
  server deny name messenger.hotmail.com
  server deny name gateway.messenger.hotmail.com
  server deny name webmessenger.msn.com
  audit-trail on
 application http
  port-misuse p2p action reset alarm
  port-misuse im action reset alarm
 application im yahoo
  service default action reset alarm
  service text-chat action reset alarm
  server deny name scs.msg.yahoo.com
  server deny name scsa.msg.yahoo.com
  server deny name scsb.msg.yahoo.com
  server deny name scsc.msg.yahoo.com
  server deny name scsd.msg.yahoo.com
  server deny name messenger.yahoo.com
  server deny name cs16.msg.dcn.yahoo.com
  server deny name cs19.msg.dcn.yahoo.com
  server deny name cs42.msg.dcn.yahoo.com
  server deny name cs53.msg.dcn.yahoo.com
  server deny name cs54.msg.dcn.yahoo.com
  server deny name ads1.vip.scd.yahoo.com
  server deny name radio1.launch.vip.dal.yahoo.com
  server deny name in1.msg.vip.re2.yahoo.com
  server deny name data1.my.vip.sc5.yahoo.com
  server deny name address1.pim.vip.mud.yahoo.com
  server deny name edit.messenger.yahoo.com
  server deny name http.pager.yahoo.com
  server deny name privacy.yahoo.com
  server deny name csa.yahoo.com
  server deny name csb.yahoo.com
  server deny name csc.yahoo.com
  audit-trail on
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_sdm_ins_in_162
 class sdm_p2p_edonkey
  drop
 class sdm_p2p_gnutella
  drop
 class sdm_p2p_kazaa
  drop
 class sdm_p2p_bittorrent
  drop
interface FastEthernet0
 ip inspect sdm_ins_in_162 out
!
06-16-2008 02:37 PM
Hi,
Is FastEthernet0 the inside or outside interface?
Thanks
John
06-16-2008 03:22 PM
I think you should be applying inspection "inbound" on the "internal" interface for the purpose of provisioning the return path (temporary dynamic holes in the firewall).
You might also want to introduce some HTTP specific policy.
e.g.:
appfw policy-name sdm_ins_in_162
 application http
  strict-http action allow alarm
  content-type-verification match-req-rsp action allow alarm
  port-misuse default action reset alarm
  request-method rfc put action reset alarm
Currently, you are not doing any conformance checks on HTTP, and not taking advantage of features that can protect client and server.
You will find many sites (incl. portions of Cisco.com) don't conform with "strict-http", so you'll probably have to settle for "action allow alarm", vs. "action reset alarm".
The same "may" be true of "content-type-verification", depending on which browser you use (e.g.: Firefox).
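Putting the reply's two suggestions together, here is an added illustrative configuration; it is not part of the thread and not SDM output. It assumes FastEthernet0 is the inside (LAN) interface, which the thread never confirms, and the `http`, `tcp` and `udp` inspect entries, the `audit-trail` line under `application http`, and the `show` commands at the end are additions for checking that ordinary web traffic still passes, not something the original poster had.

```cisco
! Added example (not from the thread). Assumes FastEthernet0 is the INSIDE interface.
!
! Inspect list: the appfw policy plus the generic engines. Adding "http" and "tcp"
! gives inside-initiated web and other TCP sessions their return-path openings
! and makes the HTTP appfw policy apply to port-80 sessions.
ip inspect name sdm_ins_in_162 appfw sdm_ins_in_162
ip inspect name sdm_ins_in_162 http
ip inspect name sdm_ins_in_162 https
ip inspect name sdm_ins_in_162 dns
ip inspect name sdm_ins_in_162 tcp
ip inspect name sdm_ins_in_162 udp
!
! HTTP policy as the reply recommends: conformance checks in alarm-only mode so
! non-conformant but legitimate sites keep working, while port misuse and PUT
! are still reset. The IM and P2P port-misuse lines from the original are kept.
appfw policy-name sdm_ins_in_162
 application http
  strict-http action allow alarm
  content-type-verification match-req-rsp action allow alarm
  port-misuse default action reset alarm
  port-misuse im action reset alarm
  port-misuse p2p action reset alarm
  request-method rfc put action reset alarm
  audit-trail on
!
! Apply inspection inbound on the inside interface (traffic leaving the LAN)
! instead of "out", as the reply suggests.
interface FastEthernet0
 no ip inspect sdm_ins_in_162 out
 ip inspect sdm_ins_in_162 in
!
! Verification from enable mode:
!   show ip inspect sessions        -> inside hosts' HTTP sessions should be listed
!   show appfw configuration        -> confirm the policy the router actually holds
!   show logging | include APPFW    -> "alarm" messages show which check is hitting
!                                      normal web traffic before you reset on it
```

Run the checks before and after the change: if `show logging` shows `APPFW` alarms for the `port-misuse` or `strict-http` checks against ordinary sites, that check is the one to keep in `allow alarm` mode rather than `reset`.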