Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1619
Views
0
Helpful
7
Replies

Cisco IOS firewall SDM rules issues

paulc6512
Level 1
Level 1

‎05-07-2010 07:32 AM - edited ‎03-11-2019 10:42 AM

Someone out there mu st have had this issue before. we have just configured our 3825 router with the IOS firewall application using the SDM defaults to start with but have hit a few issuses with being able to access webmail applications. we are using NAT to get from a private to public network. All applications are getting through and returning as they should. However we are having issues with webmail ie Yahoo google and hotmail.

if we use the SDM_Medium, Yahoo mail works but hotmail and googlemail fail. if we use SDM_high then hotmail and googlemail work and Yahoo mail fail. i must not be the first person to encounter this. does any ideas on how to resolve our issue

rgds PaulC

Labels:
0 Helpful
7 Replies 7

Panos Kampanakis
Cisco Employee
Cisco Employee

‎05-07-2010 08:15 AM

I would suggest using "ip inspect log drop" and checking the logs to see the dropped packets reason for your lost email traffic.

Also, posting your config would helps us check if there is something wrong with it right off the bat.

PK

0 Helpful

paulc6512
Level 1
Level 1
In response to Panos Kampanakis

‎05-07-2010 08:31 AM

thanks for the reply. we are not loosing any emails at the moment.

the issue is we are not able to get to see the logon page for the webmail applications.

Paulc

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to paulc6512

‎05-07-2010 08:33 AM

I see. Still if the firewall is causing that to fail you should see drop logs and the reason which could help getting close to the root.

PK

0 Helpful

paulc6512
Level 1
Level 1
In response to Panos Kampanakis

‎05-07-2010 08:45 AM

Here is the output from the router.

still looking into the firewall log.

!This is the running config of the router:
!----------------------------------------------------------------------------
!version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
!
boot-start-marker
boot system flash c3825-adventerprisek9-mz.124-9.T1.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 5
logging buffered 32000 debugging
enable secret 5 $1$1.dE$PFMCY../kcK8CZhZypXDx0
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
!
aaa session-id common
!
resource policy
!
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
ip tcp synwait-time 10
!
!
!
!
no ip bootp server
ip domain name cappella.net
ip name-server 8.8.8.8
ip name-server 195.184.228.7
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_MEDIUM tacacs
ip ips notify SDEE
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
    audit-trail on
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name messenger.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
!
voice-card 0
no dspfarm
!
!
!
key chain capella
key 10101010
  key-string 7 0508071F244042080C0E
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2280701403
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2280701403
revocation-check none
rsakeypair TP-self-signed-2280701403
!
!
crypto pki certificate chain TP-self-signed-2280701403
certificate self-signed 01
  30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32323830 37303134 3033301E 170D3130 30343136 31343330
  31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32383037
  30313430 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CAC6 5832BDE4 37431250 CD80A402 F752F245 28403353 1B71614A 02BF57B1
  C47B620C 0CC883DE 42CA8D42 74E8AA0D 28A896A2 DABC330E 886F0B6E A16B0598
  CC946390 87916614 86443A21 8B1F004D 6D268A25 4E9D3C1D 91D54B44 4645A3C7
  1BCBBDEA 73C7FBAE AD1BE130 338BAE21 A989AF73 0E999849 53E52FC1 76F2D9A9
  8B6B0203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603
  551D1104 1E301C82 1A52435F 706F7041 5F626C61 636B2E63 61707065 6C6C612E
  6E657430 1F060355 1D230418 30168014 D35F92EA 5986B7F8 1E630DA3 188A1B99
  683CDE85 301D0603 551D0E04 160414D3 5F92EA59 86B7F81E 630DA318 8A1B9968
  3CDE8530 0D06092A 864886F7 0D010104 05000381 81009969 A927A388 39C3D79B
  BD2287D9 84E41B21 C71D9DFB D3E66D37 659C52B4 8E13E504 F5C5C1F2 E345E585
  2FAB5007 F0FEFE93 0C8DD881 03D509CA FB8EE244 09BFF3D2 DE024D45 2B69DCCF
  D88ACB0A F0421724 B076862C A4642878 7A5E0356 FE2D5773 C323ACD4 6704E894
  2F795B1B CF8ACE8E 2D0A4EBD B3F8CD2B A5A4C9EB 6E08
  quit
username sdm privilege 15 password 7 02050D480809
username flaksdm privilege 15 secret 5 $1$WRnW$.NSDX8qqCRUDX3vTLY47l1
username saic password 7 0822455D0A16
!
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_MEDIUM
class sdm_p2p_gnutella
   drop
class sdm_p2p_bittorrent
   drop
class sdm_p2p_edonkey
   drop
class sdm_p2p_kazaa
   drop
!
!
!
crypto isakmp policy 15
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key MY-SECRET-PASSCODE address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set aes-sha esp-aes esp-md5-hmac
crypto ipsec transform-set new esp-des esp-md5-hmac
!
crypto dynamic-map dyn_internet 15
set transform-set new
match address Crypto-list
!
crypto dynamic-map dyn_private_network 15
set transform-set aes-sha
match address Crypto-list
!
!
crypto map internet 10 ipsec-isakmp dynamic dyn_internet
!
crypto map private_network 10 ipsec-isakmp dynamic dyn_private_network
!
!
!
!
!
interface GigabitEthernet0/0
description Uplink to Black Core Sw$FW_INSIDE$
ip address 10.12.5.250 255.255.255.0
ip access-group 2007 in
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 capella
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip split-horizon eigrp 10
duplex auto
speed auto
media-type rj45
crypto map private_network
!
interface GigabitEthernet0/1
description Uplink to Internet$FW_OUTSIDE$
ip address 212.56.55.189 255.255.255.248
ip access-group 100 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_MEDIUM out
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
media-type rj45
crypto map internet
service-policy input sdmappfwp2p_SDM_MEDIUM
service-policy output sdmappfwp2p_SDM_MEDIUM
!
interface FastEthernet0/1/0
description link to Fixed Site Type-1 encryptor (vlan10)
switchport access vlan 10
shutdown
!
interface FastEthernet0/1/1
switchport access vlan 10
shutdown
!
interface FastEthernet0/1/2
switchport access vlan 10
shutdown
!
interface FastEthernet0/1/3
switchport access vlan 10
shutdown
!
interface FastEthernet0/1/4
switchport access vlan 10
shutdown
!
interface FastEthernet0/1/5
switchport access vlan 10
shutdown
!
interface FastEthernet0/1/6
switchport access vlan 10
shutdown
!
interface FastEthernet0/1/7
switchport access vlan 100
shutdown
!
interface FastEthernet0/1/8
switchport access vlan 100
shutdown
!
interface Serial0/2/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2/1
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
no ip address
!
interface Vlan10
description
no ip address
no ip route-cache cef
no ip route-cache
shutdown
!
interface Vlan11
no ip address
shutdown
!
interface Vlan100
description
ip address 10.10.10.1 255.255.255.248
no ip route-cache cef
no ip route-cache
shutdown
!
router eigrp 10
redistribute connected
passive-interface GigabitEthernet0/1
network 10.0.0.0
no auto-summary
eigrp log-neighbor-warnings 300
!
ip route 0.0.0.0 0.0.0.0 212.56.55.185
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 199 interface GigabitEthernet0/1 overload
!
ip access-list extended Crypto-list
permit ip 10.10.5.0 0.0.0.63 192.168.208.0 0.0.0.7
permit ip 10.10.5.0 0.0.0.63 192.168.208.8 0.0.0.7
permit icmp any 192.168.208.0 0.0.0.7 log
permit ip any 192.168.208.0 0.0.0.7 log
!
access-list 9 permit 10.10.5.253 log
access-list 12 remark Used for SNMP access
access-list 12 permit 10.10.5.253 log
access-list 12 permit 10.10.7.253 log
access-list 12 permit 10.10.6.253 log
access-list 12 deny   any log
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 195.184.228.7 eq domain host 212.56.55.189
access-list 100 permit udp host 8.8.8.8 eq domain host 212.56.55.189
access-list 100 permit ahp any host 212.56.55.189
access-list 100 permit esp any host 212.56.55.189
access-list 100 permit udp any host 212.56.55.189 eq isakmp
access-list 100 permit udp any host 212.56.55.189 eq non500-isakmp
access-list 100 permit ip 192.168.208.0 0.0.0.7 10.10.5.0 0.0.0.63
access-list 100 permit ip 192.168.208.8 0.0.0.7 10.10.5.0 0.0.0.63
access-list 100 permit icmp 192.168.208.0 0.0.0.7 any log
access-list 100 deny   ip 10.12.5.0 0.0.0.255 any
access-list 100 permit icmp any host 212.56.55.189 echo-reply
access-list 100 permit icmp any host 212.56.55.189 time-exceeded
access-list 100 permit icmp any host 212.56.55.189 unreachable
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 deny   ip any any log
access-list 100 permit ip 192.168.208.0 0.0.0.7 any log
access-list 102 remark Permit In-Band Mgt SSH access
access-list 102 remark **FLAK NMS and NMSVs(Site A,B,C)**
access-list 102 permit tcp host 10.10.5.253 any log
access-list 102 remark ** HSRP Lan Access **
access-list 102 permit tcp host 10.12.5.254 any log
access-list 102 permit tcp host 10.12.5.252 any log
access-list 102 permit tcp host 10.12.5.251 any log
access-list 102 deny   ip any any log
access-list 150 permit esp any 212.56.55.184 0.0.0.7 log
access-list 150 permit udp any 212.56.55.184 0.0.0.7 eq isakmp log
access-list 150 permit icmp any any log
access-list 150 deny   ip any any log
access-list 160 permit esp any 10.0.0.0 0.0.0.255 log
access-list 160 permit udp any 10.0.0.0 0.0.0.255 eq isakmp log
access-list 160 permit icmp any any log
access-list 160 deny   ip any any log
access-list 199 permit ip host 10.10.5.250 any log
access-list 199 permit 53 host 10.10.5.250 any log
access-list 199 permit ip host 10.10.5.253 any log
access-list 199 permit ip host 10.10.5.249 any log
access-list 199 permit udp host 10.10.5.253 any log
access-list 2007 remark LAN Restrictions
access-list 2007 remark SDM_ACL Category=17
access-list 2007 permit ahp any host 10.12.5.250
access-list 2007 permit esp any host 10.12.5.250
access-list 2007 permit udp any host 10.12.5.250 eq isakmp
access-list 2007 permit udp any host 10.12.5.250 eq non500-isakmp
access-list 2007 permit ip 192.168.208.0 0.0.0.7 10.10.5.0 0.0.0.63
access-list 2007 permit ip 192.168.208.8 0.0.0.7 10.10.5.0 0.0.0.63
access-list 2007 permit icmp 192.168.208.0 0.0.0.7 any log
access-list 2007 permit ip 192.168.208.0 0.0.0.7 any log
access-list 2007 deny   ip 212.56.55.184 0.0.0.7 any
access-list 2007 deny   ip host 255.255.255.255 any
access-list 2007 deny   ip 127.0.0.0 0.255.255.255 any
access-list 2007 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 2007 deny   ip 169.254.0.0 0.0.255.255 any log
access-list 2007 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 2007 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 2007 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 2007 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 2007 deny   ip 240.0.0.0 7.255.255.255 any log
access-list 2007 remark ****
access-list 2007 permit esp any 10.0.0.0 0.0.0.255 log
access-list 2007 permit udp any 10.0.0.0 0.0.0.255 eq isakmp log
access-list 2007 remark ** Local Nets **
access-list 2007 permit icmp 10.12.5.0 0.0.0.255 any echo log
access-list 2007 permit icmp 10.12.5.0 0.0.0.255 any parameter-problem log
access-list 2007 permit icmp 10.12.5.0 0.0.0.255 any source-quench log
access-list 2007 permit icmp 10.12.5.0 0.0.0.255 any echo-reply log
access-list 2007 permit icmp 10.12.5.0 0.0.0.255 any time-exceeded log
access-list 2007 permit icmp 10.12.5.0 0.0.0.255 any unreachable log
access-list 2007 permit icmp 10.10.5.0 0.0.0.255 any echo log
access-list 2007 permit icmp 10.10.5.0 0.0.0.255 any parameter-problem log
access-list 2007 permit icmp 10.10.5.0 0.0.0.255 any source-quench log
access-list 2007 permit icmp 10.10.5.0 0.0.0.255 any echo-reply log
access-list 2007 permit icmp 10.10.5.0 0.0.0.255 any time-exceeded log
access-list 2007 permit icmp 10.10.5.0 0.0.0.255 any unreachable log
access-list 2007 remark **  **
access-list 2007 permit icmp 10.12.6.0 0.0.0.255 any echo-reply log
access-list 2007 permit icmp 10.12.6.0 0.0.0.255 any time-exceeded log
access-list 2007 permit icmp 10.12.6.0 0.0.0.255 any unreachable log
access-list 2007 permit icmp 10.12.6.0 0.0.0.255 any echo log
access-list 2007 permit icmp 10.12.6.0 0.0.0.255 any parameter-problem log
access-list 2007 permit icmp 10.12.6.0 0.0.0.255 any source-quench log
access-list 2007 remark **  **
access-list 2007 permit icmp 10.10.6.0 0.0.0.255 any echo-reply log
access-list 2007 permit icmp 10.10.6.0 0.0.0.255 any time-exceeded log
access-list 2007 permit icmp 10.10.6.0 0.0.0.255 any unreachable log
access-list 2007 permit icmp 10.10.6.0 0.0.0.255 any echo log
access-list 2007 permit icmp 10.10.6.0 0.0.0.255 any parameter-problem log
access-list 2007 permit icmp 10.10.6.0 0.0.0.255 any source-quench log
access-list 2007 remark ****
access-list 2007 permit eigrp 10.12.5.0 0.0.0.255 any log
access-list 2007 remark ** Switch Uplink **
access-list 2007 permit tcp 10.12.5.0 0.0.0.255 any log
access-list 2007 permit udp 10.12.5.0 0.0.0.255 any log
access-list 2007 permit ip 10.12.5.0 0.0.0.255 any log
access-list 2007 remark ** Hosts (NMS,SW,Rtr,IPP,NMSV) **
access-list 2007 permit ip host 10.12.5.250 any log
access-list 2007 permit udp host 10.12.5.250 any log
access-list 2007 permit tcp host 10.12.5.250 any log
access-list 2007 permit ip host 10.12.5.251 any log
access-list 2007 permit tcp host 10.12.5.251 any log
access-list 2007 permit udp host 10.12.5.251 any log
access-list 2007 permit tcp host 10.12.5.252 any log
access-list 2007 permit ip host 10.12.5.252 any log
access-list 2007 permit udp host 10.12.5.252 any log
access-list 2007 permit tcp host 10.12.5.253 any log
access-list 2007 permit ip host 10.12.5.253 any log
access-list 2007 permit udp host 10.12.5.253 any log
access-list 2007 permit tcp host 10.12.5.254 any log
access-list 2007 permit ip host 10.12.5.254 any log
access-list 2007 permit udp host 10.12.5.254 any log
access-list 2007 permit tcp host 10.10.5.250 any log
access-list 2007 permit ip host 10.10.5.250 any log
access-list 2007 permit udp host 10.10.5.250 any log
access-list 2007 permit tcp host 10.10.5.253 any log
access-list 2007 permit ip host 10.10.5.253 any log
access-list 2007 permit udp host 10.10.5.253 any log
access-list 2007 permit tcp host 10.10.5.254 any log
access-list 2007 permit ip host 10.10.5.254 any log
access-list 2007 permit udp host 10.10.5.254 any log
access-list 2007 permit ip host 10.12.6.250 any log
access-list 2007 permit tcp host 10.12.6.250 any log
access-list 2007 permit udp host 10.12.6.250 any log
access-list 2007 permit tcp host 10.12.6.251 any log
access-list 2007 permit ip host 10.12.6.251 any log
access-list 2007 permit udp host 10.12.6.251 any log
access-list 2007 permit tcp host 10.12.6.252 any log
access-list 2007 permit ip host 10.12.6.252 any log
access-list 2007 permit udp host 10.12.6.252 any log
access-list 2007 permit tcp host 10.12.6.253 any log
access-list 2007 permit ip host 10.12.6.253 any log
access-list 2007 permit udp host 10.12.6.253 any log
access-list 2007 permit tcp host 10.12.6.254 any log
access-list 2007 permit ip host 10.12.6.254 any log
access-list 2007 permit udp host 10.12.6.254 any log
access-list 2007 remark **  **
access-list 2007 permit tcp host 10.10.5.60 any log
access-list 2007 permit udp host 10.10.5.60 any log
access-list 2007 permit ip host 10.10.5.60 any log
access-list 2007 permit tcp host 10.10.5.62 any log
access-list 2007 permit udp host 10.10.5.62 any log
access-list 2007 permit ip host 10.10.5.62 any log
access-list 2007 remark ** **
access-list 2007 permit tcp host 10.10.5.189 any log
access-list 2007 permit udp host 10.10.5.189 any log
access-list 2007 permit ip host 10.10.5.189 any log
access-list 2007 permit tcp host 10.10.5.190 any log
access-list 2007 permit udp host 10.10.5.190 any log
access-list 2007 permit ip host 10.10.5.190 any log
access-list 2007 permit tcp host 10.10.6.189 any log
access-list 2007 permit udp host 10.10.6.189 any log
access-list 2007 permit ip host 10.10.6.189 any log
access-list 2007 permit tcp host 10.10.6.190 any log
access-list 2007 permit udp host 10.10.6.190 any log
access-list 2007 permit ip host 10.10.6.190 any log
access-list 2007 deny   icmp any any log
access-list 2007 deny   udp any any range 33400 34400 log

no cdp run
!
!
!
!
!
tacacs-server host 10.10.5.253
tacacs-server host 10.10.6.253
tacacs-server timeout 30
tacacs-server directed-request
tacacs-server key 7 110F15041C
!
control-plane
!
!
!
!
!
!
!
!
!
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level

of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------

0 Helpful

mikael.dautrey
Spotlight
Spotlight

‎04-25-2012 11:46 AM

webmail and other web application (search engine, etc) are potentially unsecure

or

cisco security is too restrictive

Check the right answer ...

To let users access yahoo webmail and so on, you must disable ccp-action-app-http as shown in the picture below

IT Infrastructure deployer
Security practicioner
Spare time devops
0 Helpful

Henrik Grankvist
Level 4
Level 4
In response to mikael.dautrey

‎04-25-2012 02:43 PM

He have CBAC configured, not ZFW.

What version of SDM do you have? SDM v2.5 should install ZFW which is much more powerfull. Or you could use Cisco's new CCP which is the replacement of SDM.

Anyway, I think if you remove these lines everything should work.

no appfw policy-name SDM_MEDIUM

no application im msn

no application http

no application im yahoo

Maybe not the ultimate solution, but it needs testing if you don't want to remove to much.

0 Helpful

mikael.dautrey
Spotlight
Spotlight
In response to Henrik Grankvist

‎04-25-2012 11:38 PM

You're right. Implementation differs but principles are the same as in ZFW : deactivate http application layer filtering.

IT Infrastructure deployer
Security practicioner
Spare time devops
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card