Just setting up and testing a Cisco 891-K9 router. Used CCP for basic setup, figure I'll tweak any settings needed later.

For the firewall, I chose the default "medium" security setting in CCP, then added some holes (already setup in NAT) for outside access in.

Now on to the real question:

I noticed that I am now unable to click through google search results. On any borwser. Clicking on any search result simply loops back around to the same google search page. If I disable Javascript on the browser, everything works as expected. So it appears that the firewall is preventing something in google's scripts from redirecting and "clicking through" to the final destination page.

I'm familiar with our old Pix firewall commands, but still a relative newcomer to the zone based firewall and commands for this new 891, so any help would be appreciated! (relevant Config pasted below) (Gi0 is the WAN interface)

!

!

multilink bundle-name authenticated

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

!

!

class-map type inspect match-all sdm-nat-user-protocol--2-4

match access-group 105

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--2-5

match access-group 106

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--2-6

match access-group 107

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--2-7

match access-group 108

match protocol user-protocol--2

class-map type inspect imap match-any ccp-app-imap

match  invalid-command

class-map type inspect match-all sdm-nat-user-protocol--2-1

match access-group 102

match protocol user-protocol--2

class-map type inspect match-any ccp-cls-protocol-p2p

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

class-map type inspect match-all sdm-nat-user-protocol--2-2

match access-group 103

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--1-1

match access-group 101

match protocol user-protocol--1

class-map type inspect match-all sdm-nat-user-protocol--2-3

match access-group 104

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--2-8

match access-group 109

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--2-9

match access-group 110

match protocol user-protocol--2

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect gnutella match-any ccp-app-gnutella

match  file-transfer

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match  service any

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match  service any

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-all sdm-nat-user-protocol--2-15

match access-group 116

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--2-14

match access-group 115

match protocol user-protocol--2

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-nat-user-protocol--2-16

match access-group 117

match protocol user-protocol--2

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect match-all sdm-nat-user-protocol--2-11

match access-group 112

match protocol user-protocol--2

class-map type inspect aol match-any ccp-app-aol-otherservices

match  service any

class-map type inspect match-all sdm-nat-user-protocol--2-10

match access-group 111

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--2-13

match access-group 114

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--2-12

match access-group 113

match protocol user-protocol--2

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect pop3 match-any ccp-app-pop3

match  invalid-command

class-map type inspect kazaa2 match-any ccp-app-kazaa2

match  file-transfer

class-map type inspect match-all ccp-protocol-p2p

match class-map ccp-cls-protocol-p2p

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect msnmsgr match-any ccp-app-msn

match  service text-chat

class-map type inspect ymsgr match-any ccp-app-yahoo

match  service text-chat

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect http match-any ccp-app-httpmethods

match  request method bcopy

match  request method bdelete

match  request method bmove

match  request method bpropfind

match  request method bproppatch

match  request method connect

match  request method copy

match  request method delete

match  request method edit

match  request method getattribute

match  request method getattributenames

match  request method getproperties

match  request method index

match  request method lock

match  request method mkcol

match  request method mkdir

match  request method move

match  request method notify

match  request method options

match  request method poll

match  request method propfind

match  request method proppatch

match  request method put

match  request method revadd

match  request method revlabel

match  request method revlog

match  request method revnum

match  request method save

match  request method search

match  request method setattribute

match  request method startrev

match  request method stoprev

match  request method subscribe

match  request method trace

match  request method unedit

match  request method unlock

match  request method unsubscribe

class-map type inspect edonkey match-any ccp-app-edonkey

match  file-transfer

match  text-chat

match  search-file-name

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect http match-any ccp-http-blockparam

match  request port-misuse im

match  request port-misuse p2p

match  req-resp protocol-violation

class-map type inspect edonkey match-any ccp-app-edonkeydownload

match  file-transfer

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map type inspect aol match-any ccp-app-aol

match  service text-chat

class-map type inspect edonkey match-any ccp-app-edonkeychat

match  search-file-name

match  text-chat

class-map type inspect match-all ccp-protocol-http

match protocol http

class-map type inspect http match-any ccp-http-allowparam

match  request port-misuse tunneling

class-map type inspect fasttrack match-any ccp-app-fasttrack

match  file-transfer

class-map type inspect match-all sdm-nat-ftp-1

match access-group 101

match protocol ftp

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect p2p ccp-action-app-p2p

class type inspect edonkey ccp-app-edonkeychat

  log

  allow

class type inspect edonkey ccp-app-edonkeydownload

  log

  allow

class type inspect fasttrack ccp-app-fasttrack

  log

  allow

class type inspect gnutella ccp-app-gnutella

  log

  allow

class type inspect kazaa2 ccp-app-kazaa2

  log

  allow

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect sdm-nat-user-protocol--1-1

  inspect

class type inspect sdm-nat-ftp-1

  inspect

class type inspect sdm-nat-user-protocol--2-1

  inspect

class type inspect sdm-nat-user-protocol--2-2

  inspect

class type inspect sdm-nat-user-protocol--2-3

  inspect

class type inspect sdm-nat-user-protocol--2-4

  inspect

class type inspect sdm-nat-user-protocol--2-5

  inspect

class type inspect sdm-nat-user-protocol--2-6

  inspect

class type inspect sdm-nat-user-protocol--2-7

  inspect

class type inspect sdm-nat-user-protocol--2-8

  inspect

class type inspect sdm-nat-user-protocol--2-9

  inspect

class type inspect sdm-nat-user-protocol--2-10

  inspect

class type inspect sdm-nat-user-protocol--2-11

  inspect

class type inspect sdm-nat-user-protocol--2-12

  inspect

class type inspect sdm-nat-user-protocol--2-13

  inspect

class type inspect sdm-nat-user-protocol--2-14

  inspect

class type inspect sdm-nat-user-protocol--2-15

  inspect

class type inspect sdm-nat-user-protocol--2-16

  inspect

class class-default

  drop

policy-map type inspect im ccp-action-app-im

class type inspect aol ccp-app-aol

  log

  allow

class type inspect msnmsgr ccp-app-msn

  log

  allow

class type inspect ymsgr ccp-app-yahoo

  log

  allow

class type inspect aol ccp-app-aol-otherservices

  log

  reset

class type inspect msnmsgr ccp-app-msn-otherservices

  log

  reset

class type inspect ymsgr ccp-app-yahoo-otherservices

  log

  reset

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

  log

  reset

class type inspect http ccp-app-httpmethods

  log

  reset

class type inspect http ccp-http-allowparam

  log

  allow

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

  service-policy http ccp-action-app-http

class type inspect ccp-protocol-imap

  inspect

  service-policy imap ccp-action-imap

class type inspect ccp-protocol-pop3

  inspect

  service-policy pop3 ccp-action-pop3

class type inspect ccp-protocol-p2p

  inspect

  service-policy p2p ccp-action-app-p2p

class type inspect ccp-protocol-im

  inspect

  service-policy im ccp-action-app-im

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class class-default

  drop

!

zone security in-zone

zone security out-zone

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-NATOutsideToInside-1

!

interface GigabitEthernet0

description SuddenLink$ETH-WAN$$FW_OUTSIDE$

ip address 173.219.xxx.xxx 255.255.255.xxx

no ip redirects

no ip unreachables

no ip proxy-arp

ip verify unicast reverse-path

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

!