11-17-2008 10:37 AM - edited 03-06-2019 02:31 AM
Am running a Cisco 871 Ethernet Access Router. Recently used SDM to configure a simple firewall. The firewall was totally configured by SDM and using only SDM defaults. The security level is set to high. Since the firewall was installed, the hosts on the LAN have trouble accessing lower-level pages on websites, i.e., can log on to a website, can receive the home page, but have trouble accessing a sub-page of the website by clicking on a URL button on the web page. The page is initially sent to the host and then deleted with a "cannot connect the page" error. This occurs on all the hosts on the LAN. This is quite obviously a firewall problem but I don't know what it is. Can someone enlighten me?
11-18-2008 03:52 AM
Try these commands in global config mode
ip inspect name myfw http java-list 10 alert on timeout 3600
!
access-list 10 permit any any
You can tighten list 10 up as required.
Hope this helps.
11-18-2008 02:14 PM
Your reply has helped greatly. It has narrowed down the problem area. I did, however, have problems entering the commands that you provided (see attachment). The IOS CLI would not accept the complete ip inspect command; it would only accept "ip inspect name SDM_HIGH http". Wouldn't accept "java-list (100 or 101) alert on timeout 3600". So I entered what I could (see attach). The "access-list 100 permit any any" was already entered. This helped the problem and I was able to browse deeper into the web site before getting the "cannot connect" error. I started looking on the console port and saw that the "can not connect" error was associated with "%APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation". I don't know exactly what that means, but when I deleted the "strict-http action reset alarm" in the application http, THAT problem went away. I don't know if I cleared up one problem but set myself up for another one???
11-19-2008 04:56 AM
Would it take the java-list keyword? It's only looking for source-dest ip add so will only take a standard access list (1-99). 100 or 101 would be out of range.
ip inspect name SDM_HIGH http and ? for options.
If java-list is there use
ip inspect name SDM_HIGH http java-list 10
then create
access-list 10 permit any any
Let me know how it goes. I'll try to check back but having a central heating problem! Wet and messy...
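Putting the thread's advice together as an added configuration example (not the poster's attachment or an SDM-generated config): a standard access list for the java-list, and the SDM application-firewall policy changed to alarm-only so Sig:15 strict-HTTP violations are still logged but no longer reset the connection. The rule and policy name SDM_HIGH and the interface name are assumptions.

```cisco
! Added example, not from the thread. Assumed: the SDM default inspect rule and
! appfw policy are both called SDM_HIGH; Vlan1 is the 871's LAN interface.
!
! 1. java-list takes a STANDARD access list (1-99); 100/101 are extended and rejected.
access-list 10 remark hosts allowed to receive Java applets (tighten as required)
access-list 10 permit any
!
! 2. Application firewall policy: keep the alarm (syslog %APPFW-4-HTTP_STRICT_PROTOCOL)
!    but stop resetting the TCP session, instead of SDM's "strict-http action reset alarm".
appfw policy-name SDM_HIGH
 application http
  strict-http action allow alarm
!
! 3. Inspection rule: attach the appfw policy, then inspect HTTP with Java filtering.
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH http java-list 10 alert on timeout 3600
!
! 4. Apply the rule to traffic entering from the LAN (placeholder interface).
interface Vlan1
 ip inspect SDM_HIGH in
```

With the action set to allow, the console still shows each Sig:15 alarm, so the sites that trip strict-HTTP checking can be identified before deciding whether to re-enable reset.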