Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
559
Views
0
Helpful
3
Replies

Firewall Problem

dbdickson
Level 1
Level 1

‎11-17-2008 10:37 AM - edited ‎03-06-2019 02:31 AM

Am running a Cisco 871 Ethernet Access Router. Recently used SDM to configure a simple firewall. The firewall was totally configured by SDM and using only SDM defaults. The security level is set to high. Since the firewall was installed, the hosts on the LAN have trouble accessing lower level pages on websites, ie; can log on to a website, can receive the home page, but have trouble accessing a sub-page of the website by clicking on a url button on the web page. The page is initially sent to the host and then deleted with a "cannot connect the page" error. This occurs on all the hosts on the LAN. This is quite obviously a Firewall problem but I don't know what it is. Can someone enlighten me?

Labels:
0 Helpful
3 Replies 3

rmcarthur
Level 1
Level 1

‎11-18-2008 03:52 AM

Try these commands in global config mode

ip inspect name myfw http java-list 10 alert on timeout 3600

!

access-list 10 permit any any

You can tighten list 10 up as required.

Hope this helps.

0 Helpful

dbdickson
Level 1
Level 1
In response to rmcarthur

‎11-18-2008 02:14 PM

Your reply has helped greatly. It has narrowed down the problem area. I did, however,have problems entering the commands that you provided (see attachment). The IOS CLI would not accept the complete ip inspect command, it would only accept "ip inspect name SDM_HIGH http" Wouldn't accept "java-list (100 or 101)alert on timeout 3600" So I entered what I could (see attach). The "access-list 100 permit any any" was already entered. This helped the problem and I was able to browse deeper into the web site before getting the "cannot connect" error. I started looking on the console port and saw that the "can not connect" error was associated with "%APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation" I don't know exactly what that means but when I deleted the "strict-http action reset alarm" in the application http, THAT problem went away. I don't know if I cleared up one problem but set myself up for another one???

Preview file
22 KB
0 Helpful

rmcarthur
Level 1
Level 1
In response to dbdickson

‎11-19-2008 04:56 AM

Would it take the java-list keyword? It's only looking for source-dest ip add so will only take a standard access list (1-99). 100 or 101 would be out of range.

ip inspect name SDM_HIGH http and ? for options.

If java-list is there use

ip inspect name SDM_HIGH http java-list 10

then create

access-list 10 permit any any

Let me know how it goes. I'll try to check back but having a central heating problem! Wet and messy...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card