| |||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Hello and welcome to CertForums.co.uk, here we host free active certification forums with links to the best free resources for Microsoft's MCSA MCSE MCDBA Cisco's CCNA CCDA and CCNP, and CompTIA's A+ Network+ i-NET+ and Security+ certifications in the UK. If you wish to post or use other advanced features you will need to register first. Registration is absolutely free and takes only a few minutes to complete so sign up today! If you have any problems with the registration process or your account login, please contact support |
|
|||||||
| Home | Forums | Community | Register | Search | Today's Posts | Mark Forums Read |
|
|
|
Cisco 877 Gremlins |
  |
|
|
Thread Tools | Display Modes |
|
#1
07-Mar-2008, 04:46 PM
|
|||||
|
|||||
|
Cisco 877 Gremlins
Hi Guy's, feels a bit strange posting in this section
 but i took the pludge and got a cisco 877 with the security bundle. After 2 days of trying to setup my connection up (firmware was incompatible with my providers DSLAMs) it seems that something has gone a little wrong, my router seems to be blocking some webpages(www.certforums.co.uk in paticular)eg. www.certforums.co.uk - IE Cannot display the website www.certforums.com - Status bar say's done but page is blank www.certforums.co.uk/forums - work perfect i have posted my config minus certain thing Code:
application http
strict-http action reset alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
Thanks [Edit] removed most of the config apart from the problem part   
|
|
|
|
#2
08-Mar-2008, 12:11 AM
|
|||||
|
|||||
|
I seem to be getting this error in the log when i request www.certforums.co.uk
Maximum of 10 unanswered HTTP requests exceeded from a.b.c.d:5647 to 209.200.235.89:80 Error Message %PIX|ASA-4-415014:internal_sig_id Maximum of 10 unanswered HTTP requests exceeded from source_address to dest_address Explanation This message is issued when the http-map strict-http command is configured and a more than unanswered 10 HTTP requests have been seen on a single connection. internal_sig_id—This an internal "policy number" that can be used by developers to identify the specific policy that triggered the alert. action—This can contain either: "Reset -" or "Drop -" depending upon the user-configured action. If the action is "log" then the null string "" is passed. source_address—The source address of the packet in which the final unanswered request was detected. dest_address—The destination address of the packet in which the final unanswered request was detected. Recommended Action Someone has sent multiple HTTP request messages that are not being answered. This may indicate an attack of that there is not an HTTP server on the server-side of the connection.
|
|
#3
08-Mar-2008, 02:45 AM
|
|||||
|
|||||
|
Your application firewall policy is inspecting http traffic as follows:
application http strict-http action reset alarm port-misuse im action reset alarm port-misuse p2p action reset alarm port-misuse tunneling action reset alarm Currently you are blocking http used for instant messaging, and p2p such as edonkey, gnutella, etc., and http tunneling such as firethru, gnu httptunnel, httpport, etc. You are also enforcing strict compliance for http traffic, which is likely the cause of the problems with various websites. Try changing the following line: strict-http action reset alarm - to: strict-http action allow alarm - and see if that clears up the problem. There are lots of options available to control http traffic through the 877; hopefully the above change will help. If not there are some other things that can be tried. As well I'd suggest access-lists to restrict management of the router. Although access-list 101 blocks telnet, ssh and http/s inbound, it is a good idea to protect your router's vty, http and https access with an acl to restrict access. Spice_Weasel Oh as I was young and easy in the mercy of his means, Time held me green and dying Though I sang in my chains like the sea.
|
|
#4
08-Mar-2008, 01:28 PM
|
|||||
|
|||||
|
Thanks spicey your a star
 problem resolved, would this be ok for the vty'saccess-list 30 permit 10.10.10.0 0.0.0.7 access-list 30 deny ip any any log line vty 0 4 access-class 30 in privilege level 15 login local transport input telnet ssh And this for http/s access-list 101 deny <outside ip> 80 any log access-list 101 deny <outside ip> 443 any log [added] Spice do you know if this router supports Annex M
|
|
#5
10-Mar-2008, 12:23 AM
|
|||||
|
|||||
|
Thanks, glad to help!
The 877 supports annex m, I think from release 12.4(11)XJ. The access-l 30 looks good, I would just add logging to the first line as well, it is always nice to track successful logins. To control http/s use a seperate access-list; acl 101 already blocks 80 and 443. e.g.: ip http access-class <access-list> Spice_Weasel Oh as I was young and easy in the mercy of his means, Time held me green and dying Though I sang in my chains like the sea.
|
Spread this thread:
|
|
|
|
||||||
«
Previous Thread
|
Next Thread
»
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Cisco 1841 - Update ? | mke | Routing & Switching | 4 | 05-Feb-2008 02:14 PM |
| Cisco Announces New Expert-Level Cert for Design: CCDE | zimbo | News | 8 | 02-Feb-2008 03:09 AM |
| Confirmation from Cisco: Use of the Cisco IOS in Dynamips is against Cisco licensing | BosonMichael | General | 2 | 05-Nov-2007 04:14 PM |
| Cisco confirms design cert track may reach CCIE level | jackson | Design | 0 | 25-Jul-2007 04:55 PM |
All times are GMT. The time now is 10:01 PM.