01-06-2011 03:21 AM - edited 03-04-2019 10:58 AM
Hi all,
I'm new to both this community and Cisco in general. We've just put in an 887 router/firewall appliance to protect our Win SBS network. All seemed well - we've used Cisco Config Pro to set up the firewall zones, NAT and ACLs. I've got a server inside that provides Exchange, SharePoint, CRM and remote access to desktops - that's all accessible inside and out. Also, outside mail servers (POP and IMAP) and web sites (normal and secure - i.e. ports 80 and 443) are all reachable.
However, the problem we have is access to just some websites, relating to logged-in functions. If I can explain what I mean: I can browse a supplier website that I need to log in to, plus add items to the shopping basket, etc. However, if I try to save or preview a quote, I get a 'page cannot be displayed' error. Another example: I can access webmail from my 1and1 personal server, sending and receiving as normal, but another person can't get their AOL webmail; they get AOL's site, but log-on fails with 'page cannot be displayed'. Other suppliers' sites are similar: some we can browse but not log in to, others seem fine but try and run a search and it fails - always with 'Internet Explorer cannot display the Web Page'. I can't see that there is anything in common in what works and what doesn't, such as aspx pages, secure pages, etc.
I've swapped back to our old router and everything works fine, so it's definitely the 887.
Any advice and troubleshooting tips would be most appreciated. I know it's something I've missed (or mis-set) in the configuration, but I'm not sure where to even start looking! If it was all secure sites, then I'd go check that port 443 wasn't being blocked, but some do work so I'm kinda stumped!
Many thanks,
Steve C
Cisco newbie!
01-06-2011 08:10 AM
Steve,
Unfortunately this discussion group is specific to all of the Cisco Small Business router products (RV0 series for example), not for the 8XX series. Since the 8XX series is a "traditional" Cisco router product, the best place for you to pose your questions would be in the "WAN Routing & Switching" section of the larger Cisco Support Community located here.
01-07-2011 04:51 AM
I've just been advised to move this to the WAN, Routing and Switching group, rather than Small Business, which is where it started life. So, over to you guys, if anyone can help.
Thanks,
Steve C
01-07-2011 05:02 AM
Ok, first of all:
Have you set up syslog?
If you have, what does it say when you are going to pages that you have problems with?
Any NAT going wrong, any ACL that fires off?
If you have not set up syslog, start with setting up that.
It will give you a start.
Good luck
HTH
01-23-2011 05:44 AM
Sorry it's taken a long while to get back on this - it has been low priority while sorting other issues out. I've been monitoring the syslog and every time a web site is blocked I get the following:
Date | Time | Priority | Hostname | Message |
01-23-2011 | 13:34:28 | Local7.Warning | 192.168.1.254 | 34911: 034957: *Jan 23 13:33:50.566 UTC: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (15) detected - resetting session 192.168.1.1:56207 92.122.126.121:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam |
Any explanation on this would be much appreciated. I've Googled a bit and some folks say this is an attack, yet it is happening while already securely logged in to a site I trust, while accessing a certain function. It happens on quite a few sites, all of which are generally respected (hotel booking sites, stationery suppliers, etc.).
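As an added example that is not part of this thread or of any Cisco tool: a small Python parser for rows exported from the syslog viewer in the format shown above. It pulls out the fields a defender needs to triage a %APPFW-4-HTTP_DEOBFUSCATION reset (signature number, the session that was reset, and the zone-pair, class-map and application class-map that produced it) and then counts resets per destination host and per inspection path, so repeated resets against the same trusted sites during normal use stand out from a one-off event. The first sample row is the row quoted in the post; the remaining rows are constructed (203.0.113.10 is a documentation address), including one unrelated message so the filter has something to ignore.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the first row is the one quoted in the post above,
# the others are constructed variants plus one unrelated %SYS message.
SAMPLE_LOG = """\
01-23-2011 | 13:34:28 | Local7.Warning | 192.168.1.254 | 34911: 034957: *Jan 23 13:33:50.566 UTC: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (15) detected - resetting session 192.168.1.1:56207 92.122.126.121:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam |
01-23-2011 | 13:41:02 | Local7.Warning | 192.168.1.254 | 34912: 034958: *Jan 23 13:40:24.101 UTC: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (15) detected - resetting session 192.168.1.1:56301 92.122.126.121:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam |
01-23-2011 | 13:45:17 | Local7.Warning | 192.168.1.254 | 34913: 034959: *Jan 23 13:44:39.880 UTC: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature (15) detected - resetting session 192.168.1.1:56410 203.0.113.10:80 on zone-pair ccp-zp-in-out class ccp-protocol-http appl-class ccp-http-blockparam |
01-23-2011 | 13:46:00 | Local7.Info | 192.168.1.254 | 34914: 034960: *Jan 23 13:45:22.003 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.10) |
"""

# Message-body pattern. Each named group is a field worth keeping when triaging:
# which deobfuscation signature fired, which TCP session was reset, and which
# zone-pair / class-map / application class-map did the resetting.
APPFW_RE = re.compile(
    r"%APPFW-(?P<severity>\d)-HTTP_DEOBFUSCATION: "
    r"Deobfuscation signature \((?P<sig>\d+)\) detected - resetting session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) appl-class (?P<appl>\S+)"
)


@dataclass
class DeobfuscationEvent:
    date: str
    time: str
    host: str          # router that emitted the message
    signature: int     # deobfuscation signature number from the message
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str
    class_name: str
    appl_class: str


def parse_line(line: str) -> Optional[DeobfuscationEvent]:
    """Parse one exported viewer row; return None for anything that is not an
    APPFW HTTP deobfuscation reset."""
    line = line.strip()
    if not line:
        return None
    # Rows end with a trailing " |"; drop it, then split on the column separator.
    cols = [c.strip() for c in line.rstrip("|").split(" | ")]
    if len(cols) < 5:
        return None
    date, time_, _priority, host = cols[:4]
    message = " | ".join(cols[4:])
    m = APPFW_RE.search(message)
    if m is None:
        return None
    return DeobfuscationEvent(
        date=date, time=time_, host=host, signature=int(m["sig"]),
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        zone_pair=m["zone_pair"], class_name=m["cls"], appl_class=m["appl"],
    )


def parse_log(text: str) -> List[DeobfuscationEvent]:
    """Parse every row of an exported log, keeping only deobfuscation resets."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def resets_by_destination(events: List[DeobfuscationEvent]) -> Dict[str, int]:
    """Resets per destination host: repeated hits on the same known sites during
    ordinary use point to a false positive rather than an attack."""
    return dict(Counter(e.dst for e in events))


def resets_by_inspection_path(
    events: List[DeobfuscationEvent],
) -> Dict[Tuple[str, str, str], int]:
    """Resets per (zone-pair, class-map, appl-class): shows which part of the
    inspection policy is doing the resetting, which is what you would tune."""
    return dict(Counter((e.zone_pair, e.class_name, e.appl_class) for e in events))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} deobfuscation resets")
    print("by destination:", resets_by_destination(evs))
    print("by inspection path:", resets_by_inspection_path(evs))
```

On the quoted row this yields one reset from 192.168.1.1:56207 to 92.122.126.121:80 on zone-pair ccp-zp-in-out, class ccp-protocol-http, appl-class ccp-http-blockparam, i.e. the inside-to-outside HTTP application inspection policy, not an interface ACL. That is consistent with the ACL output later in the thread showing nothing but permits.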
01-23-2011 09:58 AM
Hi,
Can you post the output of the following:
sh access-list
sh run | in int
sh run | in zone
Regards.
Alain.
01-23-2011 12:50 PM
Thanks for the quick response, Alain.
Running the access list from a terminal session I get:
887>sh access-list
Standard IP access list 1
10 permit 192.168.1.0, wildcard bits 0.0.0.255
Standard IP access list 2
10 permit 192.168.1.0, wildcard bits 0.0.0.255 (4483796 matches)
Standard IP access list 23
10 permit 192.168.1.0, wildcard bits 0.0.0.255 (6092 matches)
Standard IP access list 24
10 permit 79.externalIPaddress
Extended IP access list 100
10 permit ip host 255.255.255.255 any
20 permit ip 127.0.0.0 0.255.255.255 any
30 permit ip 79.externalMask.0 0.0.0.255 any
Extended IP access list 101
10 permit ip any host 192.168.1.1 (66047 matches)
Extended IP access list 105
10 permit ip 192.168.1.0 0.0.0.255 any (2 matches)
Extended IP access list Inside_inbound
10 permit ip any any (4793764 matches)
Extended IP access list Inside_outbound
10 permit ip any any (5979865 matches)
Extended IP access list Outside_inbound
10 permit udp host 109.169.51.136 eq ntp host 79.externalIPaddress eq ntp
20 permit udp host 82.219.4.31 eq ntp host 79.externalIPaddress eq ntp
30 permit tcp any host 192.168.1.1 eq 4443
40 permit tcp any host 192.168.1.1 eq 9675
50 permit tcp any host 192.168.1.1 eq 3389
60 permit tcp any host 192.168.1.1 eq 1723
70 permit tcp any host 192.168.1.1 eq 987
80 permit tcp any host 192.168.1.1 eq 443
90 permit udp any host 192.168.1.1 eq domain
100 permit tcp any host 192.168.1.1 eq smtp
110 permit tcp any host 192.168.1.1 eq www
120 permit udp any host 192.168.1.1 eq isakmp
130 permit udp any host 192.168.1.1 eq non500-isakmp
140 permit ip any any (6748997 matches)
Extended IP access list Outside_outbound
10 permit ip any any (4549323 matches)
Extended IP access list SDM_GRE
10 permit gre any any
887>
When I try to run
sh run | in int
sh run | in ext
I get an error saying invalid input:
887>sh run | in int
^
% Invalid input detected at '^' marker.
Any further help appreciated, thanks.
01-23-2011 01:33 PM
Hi,
Ok, so just do a sh run and post it here.
Regards.
Alain.
01-31-2011 04:33 AM
Hi Alain,
It was my fault it wouldn't run - I had not gone into 'enable'.
Here are the results:
Router#sh run | in int
crypto pki trustpoint TP-self-signed-288785562
interface Null0
interface BRI0
interface ATM0
interface ATM0.1 point-to-point
description ADSL interface$ES_WAN$
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Virtual-Template1 type tunnel
interface Vlan1
interface Dialer0
ip nat inside source static tcp 192.168.1.1 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.1 25 interface Dialer0 25
ip nat inside source static udp 192.168.1.1 53 interface Dialer0 53
ip nat inside source static tcp 192.168.1.1 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.1 987 interface Dialer0 987
ip nat inside source static tcp 192.168.1.1 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.1.1 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.1 9675 interface Dialer0 9675
ip nat inside source static tcp 192.168.1.1 4443 interface Dialer0 4443
ip nat inside source list 2 interface Dialer0 overload
remark Control outside interface
ip radius source-interface Vlan1
scheduler interval 500
and
Router#sh run | in zone
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
zone security Inside
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
zone-member security in-zone
zone-member security out-zone
Hope that tells you something about this problem!
Thanks,
Steve C
01-23-2011 02:10 PM
Hi
Perfect!
That syslog actually tells you what the "problem" is.
If I do not misinterpret it, I would say that you are using an IDS/IPS engine in the 877 FW and that in the URL you are trying to use there is a "forbidden" character.
Most likely this is a so-called "false positive", i.e. a false alarm.
http://www.cisco.com/en/US/docs/ios/system/messages/guide/sm_cn01.html#wp615418
However, you need to solve the issue that it reacts to the websites.
To do that I think you need to disable the signature.
I am not sure, but I think it is done something like this:
ip audit signature 34911 disable
ip audit signature 34957 disable
Good luck
HTH
01-31-2011 04:15 AM
Hi. Thanks for the response.
I tried the command you suggested but got an error:
Router(config)#ip audit signature 34911 disable
^
% Invalid input detected at '^' marker.
I got this both in 'enable' mode and configuration mode. Any further ideas?
Thanks
Steve C