1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Cisco 877 Gremlins

Discussion in 'Routing & Switching' started by ThomasMc, Mar 7, 2008.

  1. ThomasMc

    ThomasMc Gigabyte Poster

    1,507
    49
    111
    Hi Guy's, feels a bit strange posting in this section :) but i took the pludge and got a cisco 877 with the security bundle. After 2 days of trying to setup my connection up (firmware was incompatible with my providers DSLAMs) it seems that something has gone a little wrong, my router seems to be blocking some webpages(www.certforums.co.uk in paticular)

    eg.

    www.certforums.co.uk - IE Cannot display the website
    www.certforums.com - Status bar say's done but page is blank
    www.certforums.co.uk/forums - work perfect

    i have posted my config minus certain thing

    Code:
      application http
        strict-http action reset alarm
        port-misuse im action reset alarm
        port-misuse p2p action reset alarm
        port-misuse tunneling action reset alarm
     
    Would anyone be so kind and poke me in the right direction

    Thanks

    [Edit]
    removed most of the config apart from the problem part :)
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  2. ThomasMc

    ThomasMc Gigabyte Poster

    1,507
    49
    111
    I seem to be getting this error in the log when i request www.certforums.co.uk

    Maximum of 10 unanswered HTTP requests exceeded from a.b.c.d:5647 to 209.200.235.89:80


    Error Message
    %PIX|ASA-4-415014:internal_sig_id Maximum of 10 unanswered HTTP requests
    exceeded from source_address to dest_address

    Explanation
    This message is issued when the http-map strict-http command is configured and a more than unanswered 10 HTTP requests have been seen on a single connection.
    internal_sig_id-This an internal "policy number" that can be used by developers to identify the specific policy that triggered the alert.
    action-This can contain either: "Reset -" or "Drop -" depending upon the user-configured action. If the action is "log" then the null string "" is passed.
    source_address-The source address of the packet in which the final unanswered request was detected.
    dest_address-The destination address of the packet in which the final unanswered request was detected.

    Recommended Action
    Someone has sent multiple HTTP request messages that are not being answered. This may indicate an attack of that there is not an HTTP server on the server-side of the connection.
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  3. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Your application firewall policy is inspecting http traffic as follows:

    application http
    strict-http action reset alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm

    Currently you are blocking http used for instant messaging, and p2p such as edonkey, gnutella, etc., and http tunneling such as firethru, gnu httptunnel, httpport, etc. You are also enforcing strict compliance for http traffic, which is likely the cause of the problems with various websites. Try changing the following line:

    strict-http action reset alarm

    - to:

    strict-http action allow alarm

    - and see if that clears up the problem. There are lots of options available to control http traffic through the 877; hopefully the above change will help. If not there are some other things that can be tried.

    As well I'd suggest access-lists to restrict management of the router. Although access-list 101 blocks telnet, ssh and http/s inbound, it is a good idea to protect your router's vty, http and https access with an acl to restrict access.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  4. ThomasMc

    ThomasMc Gigabyte Poster

    1,507
    49
    111
    Thanks spicey your a star :D problem resolved, would this be ok for the vty's

    access-list 30 permit 10.10.10.0 0.0.0.7
    access-list 30 deny ip any any log

    line vty 0 4
    access-class 30 in
    privilege level 15
    login local
    transport input telnet ssh

    And this for http/s

    access-list 101 deny <outside ip> 80 any log
    access-list 101 deny <outside ip> 443 any log


    [added]
    Spice do you know if this router supports Annex M
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  5. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Thanks, glad to help!

    The 877 supports annex m, I think from release 12.4(11)XJ.

    The access-l 30 looks good, I would just add logging to the first line as well, it is always nice to track successful logins. To control http/s use a seperate access-list; acl 101 already blocks 80 and 443.
    e.g.:
    ip http access-class <access-list>


    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  6. ThomasMc

    ThomasMc Gigabyte Poster

    1,507
    49
    111
    Ah gotcha, thanks again Spice_Weasel for all your help(rep added). Now am off to try and find out whats so easy about Cisco Easy VPN :blink
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)

Share This Page

Loading...