Cisco Support Community

New Member

SA 520 blocking some URLs and IM

I have an SA520 that is configured with 3 NAT rules in firewall. These rules allow a local server to be exposed for 3 specific services. Everything else is disabled. There is no content filtering for example.

The problem: None of our users are able to use Windows Live Messenger or access certain sites such as www.hotmail.com.

I suspect the device is blocking URLs that redirect. I see that hotmail.com is redirected to a mail.live.com.

Any ideas?

Thanks very much.

17 REPLIES
New Member

Re: SA 520 blocking some URLs and IM

Hi Krishnan

Since you are not using content filtering, the device won't block your URL automatically.

Can you verify whether this device can reach www.hotmail.com by using the diagnostic ping in Administration->Diagnostics?

Thanks

New Member

Re: SA 520 blocking some URLs and IM

Unfortunately, that URL does not respond to ping.

New Member

Re: SA 520 blocking some URLs and IM

That implies this problem is outside the SA500.

Maybe you want to check with your service provider to see why this URL is unreachable.

New Member

Re: SA 520 blocking some URLs and IM

But I have another network going through the same T1 modem to the same ISP using a SnapGear firewall that has no problems at all.

New Member

Re: SA 520 blocking some URLs and IM

Do you have a switch between SA500 and the T1 Modem?

Use a laptop to replace the SA500 in the same switch port, and ping the URL from there. Then we can double confirm whether the problem is inside SA500 or not.

New Member

Re: SA 520 blocking some URLs and IM

The SA500 is directly connected to the T1 modem. I am not concerned so much about getting to hotmail. It is just symptomatic of the whole issue. Not being able to use IM is a problem however.

Instead of going to hotmail, if I try to go to "login.live.com", there is no problem. What I am finding is any website that serves up some parts from URLs other than the main one entered in the browser seems to have a problem. Even Cisco.com takes forever to load up.

New Member

Re: SA 520 blocking some URLs and IM

Hi

We are not seeing this problem in our lab.

However, please try to uncheck "Block Fragmented Packets" in Firewall->Attacks->ICSA settings to see whether it helps or not.

By the way, what version of the firmware are you using now?

Are you using ProtectLink anyway? We saw a similar issue with ProtectLink during earlier times – sometimes, not all times.

Thanks


New Member

Re: SA 520 blocking some URLs and IM

I am on version 1.1.42 and not using ProtectLink, IPS or VPN. My settings on the Attack tab are:

1. WAN Security Checks: All checked

2. LAN: Block UDP flood checked

3. ICSA: "Block ICMP Notification" checked, rest unchecked.

4. DoS: Values of 128, 15 and 100 (default values)

Do any changes to settings require a reboot?

New Member

Re: SA 520 blocking some URLs and IM

You just need to click "Apply".

No reboot is needed.

New Member

Re: SA 520 blocking some URLs and IM

Status Update:

I re-installed the latest version which resets the configuration to factory defaults. In this state I was able to get to hotmail.com. When I loaded my config, it stopped working again.

I then disabled the 3 firewall rules. Still, no dice. The only thing left now were the WAN and LAN configuration and one WAN IP Alias.

I modified the disabled rules to not use the WAN Alias and deleted the Alias. I am now able to get to any site without issues.

So, the culprit is the WAN IP Alias.

Why?

New Member

Re: SA 520 blocking some URLs and IM

I think the problem should be on the firewall rules.

Would you like to share your firewall rules so that we might know what's wrong with them?

New Member

Re: SA 520 blocking some URLs and IM

Sure. How?

New Member

Re: SA 520 blocking some URLs and IM

You can post them here if they are not very sensitive.

Otherwise, you can send a private message to me.

New Member

Re: SA 520 blocking some URLs and IM

1. INSECURE WAN -> SECURE LAN -> FTP -> ALLOW always -> Source Hosts (Any) -> Internal IP Address: 192.168.1.5 -> External IP Address: Dedicated WAN (Alias IP)

2. INSECURE WAN -> SECURE LAN -> Custom Service: 7777-7780 -> ALLOW always -> Source Hosts (Any) -> Internal IP Address: 192.168.1.5 -> External IP Address: Dedicated WAN (Alias IP)

3. INSECURE WAN -> SECURE LAN -> Custom Service: 22222-22230 -> ALLOW always -> Source Hosts (Any) -> Internal IP Address: 192.168.1.5 -> External IP Address: Dedicated WAN (Alias IP)

One question for the Alias IP: should its Netmask be the same as that of the primary WAN static address or something else?

Thanks.

New Member

Re: SA 520 blocking some URLs and IM

I think you are trying to expose some services in the LAN to the outside world.

If that is the case, instead of creating FW rules from "INSECURE WAN -> SECURE LAN" you should create FW rules from "SECURE LAN -> INSECURE WAN".

Otherwise, you will block some traffic from the outside world to the LAN.

New Member

Re: SA 520 blocking some URLs and IM

I am confused.

According to the SA 500 Administration Guide, you need to set the From Zone to the source of the traffic. Since I am exposing a device behind my firewall to the outside world, isn't the source of the traffic coming from the Internet (WAN) and the To Zone as the recipient or the local server which would therefore be LAN?

Does the document have it backwards or am I not reading it right?

New Member

Re: SA 520 blocking some URLs and IM

Hi Krishnan

Yes, you are right. It was my mistake.

Can you email your config to me so that we can try it in the lab?

hyeh@cisco.com
