Firewall Problem

Unanswered Question
Nov 17th, 2008

Am running a Cisco 871 Ethernet Access Router. Recently used SDM to configure a simple firewall. The firewall was totally configured by SDM and using only SDM defaults. The security level is set to high. Since the firewall was installed, the hosts on the LAN have trouble accessing lower-level pages on websites, i.e., they can log on to a website and receive the home page, but have trouble accessing a sub-page of the website by clicking on a URL button on the web page. The page is initially sent to the host and then deleted with a "cannot connect the page" error. This occurs on all the hosts on the LAN. This is quite obviously a firewall problem, but I don't know what it is. Can someone enlighten me?

rmcarthur Tue, 11/18/2008 - 03:52

Try these commands in global config mode:

ip inspect name myfw http java-list 10 alert on timeout 3600
!
! java-list takes a standard ACL (1-99), which matches source addresses only
access-list 10 permit any

You can tighten list 10 up as required.

Hope this helps.

dbdickson Tue, 11/18/2008 - 14:14

Your reply has helped greatly. It has narrowed down the problem area. I did, however, have problems entering the commands that you provided (see attachment). The IOS CLI would not accept the complete ip inspect command; it would only accept "ip inspect name SDM_HIGH http". It wouldn't accept "java-list (100 or 101) alert on timeout 3600". So I entered what I could (see attachment). The "access-list 100 permit any any" was already entered. This helped the problem, and I was able to browse deeper into the web site before getting the "cannot connect" error. I started looking on the console port and saw that the "cannot connect" error was associated with "%APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation". I don't know exactly what that means, but when I deleted the "strict-http action reset alarm" in the application http, THAT problem went away. I don't know if I cleared up one problem but set myself up for another one?

rmcarthur Wed, 11/19/2008 - 04:56

Would it take the java-list keyword? It's only looking for source/destination IP addresses, so it will only take a standard access list (1-99). 100 or 101 would be out of range.

Enter "ip inspect name SDM_HIGH http ?" to see the available options.

If java-list is there, use

ip inspect name SDM_HIGH http java-list 10

then create

! standard ACL: source address only, no destination field
access-list 10 permit any

Let me know how it goes. I'll try to check back but having a central heating problem! Wet and messy...
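To tie the two threads of the discussion together, here is an added configuration example that is not from the original posts. It shows the "application http" setting dbdickson removed beside a milder alternative that keeps the log message, and the java-list form rmcarthur suggested with a tighter standard ACL. The policy and inspect-rule name SDM_HIGH and ACL number 10 are taken from the thread; the trusted server range 192.0.2.0/24 is an assumed placeholder, and the appfw policy name is assumed to match the inspect rule as SDM generates it.

```cisco
! Added example, not copied from the thread or from SDM output.
! Names SDM_HIGH and ACL 10 follow the thread; 192.0.2.0/24 is a placeholder.
!
! (a) As generated by SDM: any HTTP exchange that is not strictly
!     RFC-compliant is reset, and the browser reports "cannot connect".
!     This is the line whose removal made the symptom disappear.
appfw policy-name SDM_HIGH
 application http
  strict-http action reset alarm
!
! (b) Keep the check but only log it. Sessions are no longer torn down,
!     while %APPFW-4-HTTP_STRICT_PROTOCOL still appears on the console or
!     in syslog, so the sites that trip it remain visible. Entering this
!     in config mode replaces the "reset alarm" action above.
appfw policy-name SDM_HIGH
 application http
  strict-http action allow alarm
!
! Bind the application policy and HTTP inspection to the SDM_HIGH rule.
! java-list only accepts a numbered standard ACL (1-99): hosts the ACL
! permits are treated as trusted sources of Java applets.
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH http java-list 10 alert on timeout 3600
!
! Standard ACL: source addresses only, there is no destination field,
! which is why "permit any any" is rejected. Trust one assumed range.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any
```

Option (b) is the one to prefer over deleting the strict-http line outright: removing the line also removes the alarm, so later protocol violations go unnoticed, whereas "allow alarm" keeps the evidence while letting the pages load. Whether the java-list keyword is offered at all depends on the IOS feature set, which is why the "?" check in the reply above is worth doing first.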
