SA 520 blocking some URLs and IM

Unanswered Question
Jun 10th, 2010

I have an SA520 that is configured with 3 NAT rules in the firewall. These rules allow a local server to be exposed for 3 specific services. Everything else is disabled. There is no content filtering, for example.


The problem: None of our users are able to use Windows Live Messenger or access certain sites such as www.hotmail.com.


I suspect the device is blocking URLs that redirect. I see that hotmail.com is redirected to mail.live.com.


Any ideas?


Thanks very much.

hyeh Thu, 06/10/2010 - 17:48

Hi Krishnan

Since you are not using content filtering, the device won't block your URL automatically.

Can you verify whether this device can reach www.hotmail.com by using the diagnostic ping in Administration->Diagnostics?

Thanks

hyeh Thu, 06/10/2010 - 20:57

That implies this problem is outside the SA500.

Maybe you want to check with your service provider to see why this URL is unreachable.

menongroup Fri, 06/11/2010 - 09:20

But I have another network going through the same T1 modem to the same ISP using a SnapGear firewall that has no problems at all.

hyeh Fri, 06/11/2010 - 10:00

Do you have a switch between the SA500 and the T1 modem?

Use a laptop to replace the SA500 in the same switch port, and ping the URL from there. Then we can double-confirm whether the problem is inside the SA500 or not.

menongroup Fri, 06/11/2010 - 10:18

The SA500 is directly connected to the T1 modem. I am not concerned so much about getting to hotmail. It is just symptomatic of the whole issue. Not being able to use IM is a problem however.


Instead of going to hotmail, if I try to go to "login.live.com", there is no problem. What I am finding is that any website that serves up some parts from URLs other than the main one entered in the browser seems to have a problem. Even Cisco.com takes forever to load.
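
The following script automates the two checks the thread is circling: the reachability test hyeh asked for, and the hypothesis in the post above that pages pulling content from several hosts are the ones that break. It is an added example, not code from this thread or from Cisco. The sample page is constructed to resemble the hotmail.com-to-mail.live.com redirect described above (it was not captured from the real site), and the CDN hostnames and the ports 80/443 it probes are assumptions. Run it once from a LAN client behind the SA500 and once from a laptop plugged into the modem port in place of the SA500; a host that resolves but cannot be connected to only from behind the SA500 points at the device rather than the ISP.

```python
"""Find the hosts a web page redirects to or loads resources from, then resolve
and TCP-connect to each one, so the failing host (if any) can be named.

Example code added to this thread; not Cisco's or the poster's own tooling.
"""
import re
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (assumption): mimics the observed redirect from
# www.hotmail.com to mail.live.com plus resources served from other hosts.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://mail.live.com/">
<link rel="stylesheet" href="https://static.example-cdn.net/site.css">
<script src="//js.example-cdn.net/app.js"></script>
</head><body>
<a href="/local/page.html">local link, same host</a>
<img src="http://www.hotmail.com/logo.png">
<form action="https://login.live.com/login.srf"></form>
</body></html>"""


class _HostCollector(HTMLParser):
    """Collect hostnames from src/href/action attributes and meta-refresh redirects."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def _add(self, url):
        host = urlparse(url.strip()).hostname   # None for relative URLs
        if host:
            self.hosts.add(host.lower())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("src", "href", "action"):
            if a.get(key):
                self._add(a[key])
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self._add(m.group(1))


def referenced_hosts(html, base_host):
    """Hosts other than base_host that the page redirects to or loads content from."""
    p = _HostCollector()
    p.feed(html)
    return p.hosts - {base_host.lower()}


def probe(host, ports=(80, 443), timeout=3.0):
    """Resolve host, then try a TCP connect to each port. Needs network access."""
    r = {"host": host, "resolved": None, "ports": {}}
    try:
        r["resolved"] = socket.gethostbyname(host)
    except socket.gaierror as e:
        r["ports"] = {p: f"dns failure: {e}" for p in ports}
        return r
    for port in ports:
        try:
            with socket.create_connection((r["resolved"], port), timeout=timeout):
                r["ports"][port] = "open"
        except OSError as e:
            r["ports"][port] = f"fail: {e}"
    return r


def classify(results):
    """Group probe results: 'dns' (no resolution), 'blocked' (resolves but no
    port connects, the pattern to expect if the firewall drops the path), 'ok'."""
    out = {"dns": [], "blocked": [], "ok": []}
    for r in results:
        if r["resolved"] is None:
            out["dns"].append(r["host"])
        elif not any(v == "open" for v in r["ports"].values()):
            out["blocked"].append(r["host"])
        else:
            out["ok"].append(r["host"])
    return out


if __name__ == "__main__":
    base = "www.hotmail.com"
    hosts = [base] + sorted(referenced_hosts(SAMPLE_HTML, base))
    results = [probe(h) for h in hosts]
    for r in results:
        print(r["host"], r["resolved"], r["ports"])
    verdict = classify(results)
    print("resolve but cannot connect (suspect firewall or path):", verdict["blocked"])
```

To check the "Block Fragmented Packets" suggestion separately, send a ping larger than the Ethernet MTU from a LAN client (on Linux, `ping -s 2000 <host>`) after confirming a normal-size ping succeeds; the large one must fragment, so if only it fails behind the SA500 and both succeed from the modem port, fragment handling on the device is implicated.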

hyeh Fri, 06/11/2010 - 11:41

Hi,

We are not seeing this problem in our lab.

However, please try to uncheck "Block Fragmented Packets" in Firewall->Attacks->ICSA settings to see whether it helps or not.

By the way, what version of the firmware are you using now?

Are you using ProtectLink anyway? We saw a similar issue with ProtectLink during earlier times, sometimes, not all the time.

Thanks


menongroup Fri, 06/11/2010 - 12:09

I am on version 1.1.42 and not using ProtectLink, IPS or VPN. My settings on the Attack tab are:


1. WAN Security Checks: All checked

2. LAN: Block UDP flood checked

3. ICSA: "Block ICMP Notification" checked, rest unchecked.

4. DoS: Values of 128, 15 and 100 (default values)


Do any changes to settings require a reboot?

hyeh Fri, 06/11/2010 - 13:35

You just need to click "Apply". No reboot is needed.

menongroup Fri, 06/11/2010 - 15:14

Status Update:


I re-installed the latest version which resets the configuration to factory defaults. In this state I was able to get to hotmail.com. When I loaded my config, it stopped working again.


I then disabled the 3 firewall rules. Still, no dice. The only thing left now were the WAN and LAN configuration and one WAN IP Alias.


I modified the disabled rules to not use the WAN Alias and deleted the Alias. I am now able to get to any site without issues.


So, the culprit is the WAN IP Alias.


Why?

hyeh Fri, 06/11/2010 - 15:25

I think the problem should be in the firewall rules.

Would you like to share your firewall rules so that we might know what's wrong with them?

hyeh Fri, 06/11/2010 - 15:54

You can post them here if they are not very sensitive. Otherwise, you can send a private message to me.

menongroup Fri, 06/11/2010 - 16:22

1. INSECURE WAN -> SECURE LAN -> FTP -> ALLOW always -> Source Hosts (Any) -> Internal IP Address: 192.168.1.5 -> External IP Address: Dedicated WAN (Alias IP)

2. INSECURE WAN -> SECURE LAN -> Custom Service: 7777-7780 -> ALLOW always -> Source Hosts (Any) -> Internal IP Address: 192.168.1.5 -> External IP Address: Dedicated WAN (Alias IP)

3. INSECURE WAN -> SECURE LAN -> Custom Service: 22222-22230 -> ALLOW always -> Source Hosts (Any) -> Internal IP Address: 192.168.1.5 -> External IP Address: Dedicated WAN (Alias IP)


One question about the Alias IP: should its netmask be the same as that of the primary WAN static address, or something else?


Thanks.

hyeh Fri, 06/11/2010 - 17:05

I think you are trying to expose some services in the LAN to the outside world.

If that is the case, instead of creating FW rules from "INSECURE WAN -> SECURE LAN", you should create FW rules from "SECURE LAN -> INSECURE WAN".

Otherwise, you will block some traffic from the outside world to the LAN.

menongroup Fri, 06/11/2010 - 17:58

I am confused.


According to the SA 500 Administration Guide, you need to set the From Zone to the source of the traffic. Since I am exposing a device behind my firewall to the outside world, isn't the source of the traffic coming from the Internet (WAN), and the To Zone the recipient, the local server, which would therefore be LAN?


Does the document have it backwards or am I not reading it right?
