
Cisco 806 Router Takes long time to load certain pages

lbogiani
Level 1

I am fairly new to Cisco routers and IOS, so please bear with me if the question seems insignificant. I have an 800 series router (806) at home connected to my DSL line. I love the router and have had it for about 2 months now, but have noticed that certain webpages take a very long time to load. This does not happen with all pages; most load quickly within a few seconds, but other pages such as mynetscape.com, and this forum page, can take 1-2 minutes to load (in the case of this forum page, all the other pages I've tried on the Cisco website load great aside from this one). This happens all the time and only with specific webpages. I would normally think that it's a problem with the page itself, but I had a Linksys broadband router before my Cisco and this is not the case with that router; they all loaded at the same rate. I am also able to pull these pages fairly quickly at work (and the internet connection at work is not even as fast as my DSL at home); it's only at home I have this problem.

I am able to pull even image-intensive pages fairly quick, yet the mentioned pages which don't even have many images crawl for over a minute.

I have tried disabling the firewall option but this did not help. I'm trying to figure out what could be causing these pages to load so slowly; maybe a Java applet, or some script running in these pages, causes them to load slowly?

Like I said, I'm fairly new with IOS and still have a lot to learn, so I'm thinking there may be some sort of hidden command or option that I can run or enable to improve this?

If you have any ideas please let me know.

11 Replies

raymong
Level 4

Sounds like a problem with MTU negotiation. Read through the following link on how to correct this problem:

http://www.cisco.com/warp/public/794/router_mtu.html

I tried this, but the problem continues. I asked a friend who has the same router and he has the same problem. I read somewhere that apparently it is an issue with Java and security in the router and there is some sort of setting that needs to be changed to reverse this...

You need a line like the following in your firewall config.

ip inspect name {your firewall name} http java-list 10

Then create acl 10 with the following, permitting each site IP that causes problems.

access-list 10 permit x.x.x.x

access-list 10 permit y.y.y.y

I had the same problem with my 827 and this cured it.

HTH

Thanx, I'll try that, but one quick question... how can I find out what my default firewall name is? I haven't touched the firewall, so whatever name it brings is the name it has, and I have to enter my firewall name in the first command. I've seen some sites have it as myfw, but that might have been put there by someone...

Hi, the default name is myfw.

If you type "show ip inspect all" from the Router# prompt you will see the firewall config and the firewall name is listed as inspection name.

Also, when you create acl 10, finish with

access-list 10 deny any log

This will let you see the IP address that needs permitting if you have console access to the router when you visit one of the problem sites.

If you have trouble, post the output of your "show running" with any passwords and confidential information removed and I'll try to show you how to proceed.

Good Luck

Thank you, that worked well; now this forum page loads much quicker, more like all the others. I'm still having a bit of trouble with the mynetscape.com page because I keep getting different IPs for it, but that one isn't as important. I also unblocked the site DSL Reports since I noticed it was blocking the Java applet for the port scan test, and I usually like to run it to make sure all ports are OK.

I'm pasting my running config regardless, since I've made so many little changes I might have some useless command lying around that I can live without... feel free to comment on anything you think I should add or disable from the config. Once again, thanx for the help!!

Building configuration...

Current configuration : 2898 bytes

!

version 12.2

no parser cache

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encr

!

hostname Clandestine

!

enable secret 5 $1$LzJO$ZKQn4oa7rbh/l1pEwLWqX0

!

username Clandestine password

ip subnet-zero

ip name-server 205.152.144.235

ip name-server 205.152.132.235

ip dhcp excluded-address 10.10.10.1

!

ip dhcp pool CLIENT

import all

network 10.10.10.0 255.255.255.0

default-router 10.10.10.1

!

ip cef

ip inspect name myfw cuseeme timeout 3600

ip inspect name myfw ftp timeout 3600

ip inspect name myfw http java-list 10 timeout 3600

ip inspect name myfw rcmd timeout 3600

ip inspect name myfw realaudio timeout 3600

ip inspect name myfw smtp timeout 3600

ip inspect name myfw tftp timeout 30

ip inspect name myfw udp timeout 15

ip inspect name myfw tcp timeout 3600

ip inspect name myfw h323 timeout 3600

ip audit notify log

ip audit po max-events 100

vpdn enable

!

vpdn-group 1

request-dialin

protocol pppoe

!

!

!

!

interface Ethernet0

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip tcp adjust-mss 1452

no cdp enable

hold-queue 32 in

hold-queue 100 out

!

interface Ethernet1

no ip address

ip tcp adjust-mss 1452

pppoe enable

pppoe-client dial-pool-number 1

no cdp enable

!

interface Dialer1

ip address negotiated

ip access-group 111 in

ip mtu 1492

ip nat outside

ip inspect myfw out

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname

ppp chap password

ppp pap sent-username password

ppp ipcp dns request

ppp ipcp wins request

!

ip nat inside source list 102 interface Di

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

!

!

access-list 10 permit 204.69.199.39

access-list 10 permit 209.191.132.40

access-list 10 deny any log

access-list 102 permit ip 10.10.10.0 0.0.0.255 any

access-list 111 permit icmp any any administratively-prohibited

access-list 111 permit icmp any any echo

access-list 111 permit icmp any any echo-reply

access-list 111 permit icmp any any packet-too-big

access-list 111 permit icmp any any time-exceeded

access-list 111 permit icmp any any traceroute

access-list 111 permit icmp any any unreachable

access-list 111 permit udp any eq bootps any eq bootpc

access-list 111 permit udp any eq bootps any eq bootps

access-list 111 permit udp any eq domain any

access-list 111 permit esp any any

access-list 111 permit udp any any eq isakmp

access-list 111 deny ip any any

dialer-list 1 protocol ip permit

banner motd ^C

AUTHORIZED USERS ONLY.

^C

!

line con 0

exec-timeout 120 0

password 7 104D000A0618405A

login

stopbits 1

line vty 0

exec-timeout 0 0

password

login local

length 0

line vty 1 4

exec-timeout 0 0

login local

length 0

!

scheduler max-task-time 5000

end

Hi, glad to hear that worked.

A few things you may want to consider including in your config to improve security.

In global config

service tcp keepalives in

service tcp keepalives out

no ip http server - unless you really need it.

no ip source-route

no ip finger

no ip bootp server

In each interface config.

no ip redirects

no ip unreachables

no cdp enable - or no cdp run in global

Also, try to avoid using PAP. CHAP is more secure.

For NAT use

ip nat inside source list 102 interface dialer 1 overload

If your Netscape IPs all fall within a range, then try to permit that range of IPs using wildcard bits, e.g.

access-list 10 permit 217.223.125.16 0.0.0.15

This will permit addresses in the range 217.223.125.16 to 31.

Other than that, if it works and you are happy with it, cool! :o)

Or if you want to carry on experimenting with it, always a good way to learn, then save a copy of your working config before applying each change and verify expected router behaviour after.

Cheers
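The wildcard-bit matching described in the reply above, as an added example that is not part of the original thread: it computes the range an entry such as `217.223.125.16 0.0.0.15` permits, and the smallest single entry covering a set of observed addresses together with how many addresses that entry lets through. The function names are hypothetical and the first sample address list is constructed.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_matches(addr, base, wildcard):
    """True if addr matches an IOS 'base wildcard' entry (1-bits in the wildcard are ignored)."""
    care = ~_int(wildcard) & MASK32
    return ((_int(addr) ^ _int(base)) & care) == 0

def wildcard_range(base, wildcard):
    """First and last address matched by a contiguous wildcard such as 0.0.0.15."""
    w = _int(wildcard)
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard does not describe a single range")
    first = _int(base) & ~w & MASK32
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))

def covering_entry(addrs):
    """Smallest single 'base wildcard' block containing every address, plus its size."""
    ints = [_int(a) for a in addrs]
    diff = 0
    for value in ints:
        diff |= ints[0] ^ value          # collect every bit position that varies
    w = (1 << diff.bit_length()) - 1     # wildcard must cover the highest varying bit
    base = ints[0] & ~w & MASK32
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(w)), w + 1

if __name__ == "__main__":
    print(wildcard_range("217.223.125.16", "0.0.0.15"))
    # Constructed observations that fall inside the thread's example block.
    print(covering_entry(["217.223.125.18", "217.223.125.29"]))
    # The two unrelated hosts already permitted in access-list 10 on this page.
    print(covering_entry(["204.69.199.39", "209.191.132.40"]))
```

The last call shows why a range entry only makes sense for addresses that really are adjacent: one entry covering the two hosts from access-list 10 would exempt over half a billion addresses from the Java filter, so unrelated sites are better kept as separate host entries.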

Thanx, I will add these, anything that will help the router work smoother. If you have some time, I'd appreciate it if you could tell me what the commands you specified do. Since I'm fairly new with IOS, I have not seen these specific commands and it would help to know what each one does. If it's too much trouble, don't worry; I've been trying Google to find what each does but not much luck there.

Thank you

Louis

Hi Louis, they mostly deal with limiting the effectiveness of DoS attacks. The commands are used to disable functions that tend to be used more maliciously than they are legitimately. You won't see any personal benefit from the introduction of them, with the possible exception of the TCP keepalive, denying the http server (both directly more secure for you) and the overload switch on NAT - this will allow multiple hosts on your inside network to share a single outside address dynamically through port translation.

If you search for the commands from the Cisco home page you will get a more detailed description.

Happy Routing

Ross
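A small audit for the hardening items suggested earlier in this thread, as an added example that is not part of the original posts: it parses text in running-config layout and reports which of those lines are missing, whether `ip http server` is on, whether the NAT rule lacks `overload`, and whether PAP is still accepted. The function names and the sample config are constructed; it assumes an exact-line match and treats a missing `no ...` line as not hardened, and the TCP keepalive lines are not checked.

```python
import re

# Constructed sample in running-config layout; not the poster's actual config.
SAMPLE = """\
interface Ethernet0
 ip nat inside
!
interface Dialer1
 ip nat outside
 no ip redirects
 ppp authentication chap pap callin
!
ip nat inside source list 102 interface Dialer1
ip http server
no ip source-route
"""

GLOBAL_REQUIRED = ["no ip source-route", "no ip finger", "no ip bootp server"]
IFACE_REQUIRED = ["no ip redirects", "no ip unreachables"]

def parse(config):
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines, ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current:
            ifaces[current].append(line.strip())   # indented: belongs to the interface
        else:
            current = None                         # "!" or a global command ends the block
            if line.strip() not in ("", "!"):
                global_lines.append(line.strip())
    return global_lines, ifaces

def audit(config):
    """Return findings for the hardening items listed in the thread."""
    global_lines, ifaces = parse(config)
    out = [f"global: missing '{r}'" for r in GLOBAL_REQUIRED if r not in global_lines]
    if "ip http server" in global_lines:
        out.append("global: 'ip http server' is enabled")
    if any(g.startswith("ip nat inside source") and not g.endswith(" overload") for g in global_lines):
        out.append("global: NAT rule lacks 'overload'")
    for name, lines in ifaces.items():
        out += [f"{name}: missing '{r}'" for r in IFACE_REQUIRED if r not in lines]
        if any(re.match(r"ppp authentication\b.*\bpap\b", l) for l in lines):
            out.append(f"{name}: PPP authentication allows PAP")
    return out
```

Calling `audit(SAMPLE)` returns eight findings; paste the text of a saved `show running` into `audit()` before and after each change to confirm the change took effect.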

Thanks Ross, appreciate all the help!

Louis

Glad I could help Louis. Always good to have speedy access to this forum! :o)

Ross
