Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
650
Views
0
Helpful
2
Replies

Ok to delete default service policy rules?

adcoMCCisco
Level 1
Level 1

‎01-08-2013 08:03 AM - edited ‎03-11-2019 05:44 PM

Hello

We have a problem with some websites being blocked every now and then. Everyone inside can access this external website for weeks, and then suddenly it's not available for a few hours, and then it comes back. All without me making any changes to the firewall, ASA5510. The external website that has nothing to do with us can be accessed from anywhere outside our network, example on my iphone through Verizon.

We have not set up any rules about blocking websites, all I found was the Default Service Policy. After backing up and then deleting the rule we are able to access all sites.

So, is it ok to not have a Default Service Policy?

Thank you

/Mats

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎01-08-2013 08:12 AM

Hi,

Do you mean that you have "inspect http" configured and then remove it to avoid the problem accessing the site?

While its enabled have you tried to use the command "show service-policy inspect http" to see if there are any drops/reset-drops?

Here are some links related to the "inspect http" (ASA 8.2)

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1514315

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735782

Atleast in some software version the "inspect http" is disabled by default.

- Jouni

0 Helpful

Karsten Iwen
VIP
VIP

‎01-08-2013 08:13 AM

Deleting this service-policy will break other functionality and is not the way to solve that problem. Better investigate why from time to time these problems arise. If you think your firewall is involved, start with an ASA-Update to a mre recent software.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card