Router blocking *some* secure sites

Steve Cripps
Level 1

Hi, all

I'm new to both this community and Cisco in general.  We've just put in an 887 router/firewall appliance to protect our Win SBS network.  All seemed well - we've used Cisco Config Pro to set up the firewall zones, NAT and ACLs.  I've got a server inside that provides Exchange, SharePoint, CRM and remote access to desktops - that's all accessible inside and out.  Also, outside mail servers (POP and IMAP) and web sites (normal and secure - ie ports 80 and 443) are all reachable.

However, the problem we have is access to just some websites, relating to logged-in functions.  If I can explain what I mean:  I can browse a supplier website, that I need to log in to, plus add items to the shopping basket, etc.  However, if I try to save or preview a quote, I get a 'page cannot be displayed' error.  Another example, I can access webmail from my 1and1 personal server, sending and receiving as normal, but another person can't get their AOL webmail; they get AOL's site, but log-on fails with page cannot be displayed.  Other suppliers' sites are similar: some we can browse but not log in, others seem fine but try and run a search and it fails - always with Internet Explorer cannot display the Web Page.  I can't see that there is anything in common in what works and what doesn't, such as aspx pages, secure pages, etc.

I've swapped back to our old router and everything works fine, so it's definitely the 887.

Any advice and troubleshooting tips would be most appreciated.  I know it's something I've missed (or mis-set) in the configuration, but I'm not sure where to even start looking!  If it was all secure sites, then I'd go check that port 443 wasn't being blocked, but some do work so I'm kinda stumped!

Many thanks,

Steve C

Cisco newbie!

10 Replies

Glenn Quesenberry
Cisco Employee

Steve,

Unfortunately this discussion group is specific to all of the Cisco Small Business router products (RV0 series for example) not for the 8XX series.  Since the 8XX series is a "traditional" Cisco router product the best place for you to pose your questions would be in the "WAN Routing & Switching" section of the larger Cisco Support Community located here.

Steve Cripps
Level 1

I've just been advised to move this to the WAN, routing and switching group, rather than Small Business which is where it started life.  So, over to you guys if anyone can help.

Thanks,

Steve C

OK, first of all:

Have you set up syslog?

If you have, what does it say when you are going to pages that you have problems with?

Any NAT going wrong, any ACL that fires off?

If you have not set up syslog, start with setting up that.

It will give you a start.

Good luck

HTH

Sorry it's taken a long while to get back on this - it has been low priority while sorting other issues out.  I've been monitoring the syslog and every time a web site is blocked I get the following:

Date       Time     Priority       Hostname      Message
01-23-2011 13:34:28 Local7.Warning 192.168.1.254 34911: 034957: *Jan 23 13:33:50.566 UTC: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (15) detected - resetting session 192.168.1.1:56207 92.122.126.121:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam

Any explanation on this would be much appreciated.  I've Googled a bit and some folks say this is an attack, yet it is happening while already securely logged in to a site I trust, while accessing a certain function.  It happens on quite a few sites, all of which are generally respected (hotel booking sites, stationery suppliers, etc.)
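As an added example (not from this thread or from Cisco), a small Python parser for the %APPFW-4-HTTP_DEOBFUSCATION message quoted above: it pulls out the signature number, the session endpoints and the zone-pair/class/appl-class that fired, then groups resets per destination so that the "same trusted site, same signature, many hits" pattern of a false positive stands out from a one-off event. The first sample line is the one from the post; the other lines, the 203.0.113.10 address and the sequence numbers are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog text: line 1 is the message quoted in the thread,
# lines 2-4 are made up to show repeated hits and a non-APPFW message.
SAMPLE_LOG = """\
034957: *Jan 23 13:33:50.566 UTC: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (15) detected - resetting session 192.168.1.1:56207 92.122.126.121:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam
034958: *Jan 23 13:35:02.101 UTC: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (15) detected - resetting session 192.168.1.1:56231 92.122.126.121:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam
034960: *Jan 23 13:40:11.007 UTC: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (15) detected - resetting session 192.168.1.1:56402 203.0.113.10:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam
034961: *Jan 23 13:41:00.000 UTC: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Only the %APPFW part is matched; the syslog-server prefix, sequence number
# and timestamp in front of it vary between devices and collectors.
APPFW_RE = re.compile(
    r"%APPFW-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): "
    r"Deobfuscation signature \((?P<signature>\d+)\) detected - resetting session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) appl-class (?P<appl_class>\S+)"
)


def parse_appfw(line):
    """Return the fields of an APPFW deobfuscation reset, or None for any other line."""
    m = APPFW_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("severity", "signature", "sport", "dport"):
        ev[k] = int(ev[k])
    return ev


def summarize_resets(log_text):
    """Group resets by (destination, signature); record the inside clients and the
    inspect policy names so the right policy-map/appl-class can be reviewed."""
    counts, clients, policy = Counter(), defaultdict(set), {}
    for line in log_text.splitlines():
        ev = parse_appfw(line)
        if ev is None:
            continue
        key = (ev["dst"], ev["signature"])
        counts[key] += 1
        clients[key].add(ev["src"])
        policy[key] = (ev["zone_pair"], ev["cls"], ev["appl_class"])
    return {"counts": counts, "clients": dict(clients), "policy": policy}


if __name__ == "__main__":
    report = summarize_resets(SAMPLE_LOG)
    for (dst, sig), n in report["counts"].most_common():
        zp, cls, appl = report["policy"][(dst, sig)]
        print(f"{dst} sig {sig}: {n} reset(s) by {zp}/{cls}/{appl} from {sorted(report['clients'][(dst, sig)])}")
```

Feeding the collector's export through this gives a per-site count; a site that is hit on every login or search attempt from a known-good client is the one to check against the HTTP application inspection policy named in the appl-class field.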

Hi,

can you post output of following:

sh access-list

sh run | in int

sh run | in zone

Regards.

Alain.

Don't forget to rate helpful posts.

Thanks for the quick response, Alain.

Running the access list from a terminal session I get:

887>sh access-list
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
Standard IP access list 2
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (4483796 matches)
Standard IP access list 23
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (6092 matches)
Standard IP access list 24
    10 permit 79.externalIPaddress
Extended IP access list 100
    10 permit ip host 255.255.255.255 any
    20 permit ip 127.0.0.0 0.255.255.255 any
    30 permit ip 79.externalMask.0 0.0.0.255 any
Extended IP access list 101
    10 permit ip any host 192.168.1.1 (66047 matches)
Extended IP access list 105
    10 permit ip 192.168.1.0 0.0.0.255 any (2 matches)
Extended IP access list Inside_inbound
    10 permit ip any any (4793764 matches)
Extended IP access list Inside_outbound
    10 permit ip any any (5979865 matches)
Extended IP access list Outside_inbound
    10 permit udp host 109.169.51.136 eq ntp host 79.externalIPaddress eq ntp
    20 permit udp host 82.219.4.31 eq ntp host 79.externalIPaddress eq ntp
    30 permit tcp any host 192.168.1.1 eq 4443
    40 permit tcp any host 192.168.1.1 eq 9675
    50 permit tcp any host 192.168.1.1 eq 3389
    60 permit tcp any host 192.168.1.1 eq 1723
    70 permit tcp any host 192.168.1.1 eq 987
    80 permit tcp any host 192.168.1.1 eq 443
    90 permit udp any host 192.168.1.1 eq domain
    100 permit tcp any host 192.168.1.1 eq smtp
    110 permit tcp any host 192.168.1.1 eq www
    120 permit udp any host 192.168.1.1 eq isakmp
    130 permit udp any host 192.168.1.1 eq non500-isakmp
    140 permit ip any any (6748997 matches)
Extended IP access list Outside_outbound
    10 permit ip any any (4549323 matches)
Extended IP access list SDM_GRE
    10 permit gre any any
887>

When I try to run

sh run | in int

sh run | in ext

I get an error saying invalid input at run

887>sh run | in int
        ^
% Invalid input detected at '^' marker.

Any further help appreciated, thanks.

Hi,

OK, so just do a sh run and post here.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

It was my fault it wouldn't run - I had not gone in to 'enable'.

Here are the results:

Router#sh run | in int
crypto pki trustpoint TP-self-signed-288785562
interface Null0
interface BRI0
interface ATM0
interface ATM0.1 point-to-point
description ADSL interface$ES_WAN$
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Virtual-Template1 type tunnel
interface Vlan1
interface Dialer0
ip nat inside source static tcp 192.168.1.1 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.1 25 interface Dialer0 25
ip nat inside source static udp 192.168.1.1 53 interface Dialer0 53
ip nat inside source static tcp 192.168.1.1 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.1 987 interface Dialer0 987
ip nat inside source static tcp 192.168.1.1 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.1.1 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.1 9675 interface Dialer0 9675
ip nat inside source static tcp 192.168.1.1 4443 interface Dialer0 4443
ip nat inside source list 2 interface Dialer0 overload
remark Control outside interface
ip radius source-interface Vlan1
scheduler interval 500

and

Router#sh run | in zone
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
zone security Inside
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
zone-member security in-zone
zone-member security out-zone

Hope that tells you something about this problem!

Thanks,

Steve C

Hi

Perfect!

That syslog actually tells you what the "problem" is.

If I do not misinterpret it, I would say that you are using an IDS/IPS engine in the 877 FW and that in the URL you are trying to use there is a "forbidden" character.

Most likely this is a so-called "false positive", i.e. a false alarm.

http://www.cisco.com/en/US/docs/ios/system/messages/guide/sm_cn01.html#wp615418

However, you need to solve the issue that it reacts to the websites.

To do that I think you need to disable the signature.

I am not sure, but I think it is done something like this:

ip audit signature 34911 disable

ip audit signature 34957 disable

Good luck

HTH

Hi.  Thanks for the response.

I tried the command you suggested but got an error:

Router(config)#ip audit signature 34911 disable
                    ^
% Invalid input detected at '^' marker.

I got this both in 'enable' mode and configuration mode.  Any further ideas?

Thanks

Steve C
