Help with FW Config on C871

Hi there,

I have an issue with my firewall config on a C871 box. If the firewall is enabled I am not able to log on to Live Messenger. Without the firewall this all works like a charm. Below you can find parts of my config. Any ideas what I need to configure?

Thanks....
Andy

version 12.4
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
 server name login.live.com
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com
!
!
username root privilege 15 secret 5 xxxxxxxxxxx/
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ECHO
 match protocol icmp
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect imap match-any ccp-app-imap
 match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-all sdm-cls-sdm-permit-icmpreply-1
 match access-group name USENET
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
 match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
 match service any
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
 match service any
class-map type inspect match-all ccp-protocol-pop3
 match protocol pop3
class-map type inspect match-any SSH
 match protocol ssh
class-map type inspect match-any SSL
 match protocol https
class-map type inspect pop3 match-any ccp-app-pop3
 match invalid-command
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
class-map type inspect match-all ccp-protocol-p2p
 match class-map ccp-cls-protocol-p2p
class-map type inspect match-all sdm-cls-sdm-permit-3
 match class-map SSL
 match access-group name SSL
class-map type inspect match-all sdm-cls-sdm-permit-2
 match class-map ECHO
 match access-group name ECHO
class-map type inspect match-any ICMPEchoReply
 match protocol icmp
class-map type inspect match-all sdm-cls-sdm-permit-1
 match class-map ICMPEchoReply
 match access-group name ICMPEchoReply
class-map type inspect match-all sdm-cls-sdm-permit-4
 match class-map SSH
 match access-group name SSH
class-map type inspect msnmsgr match-any ccp-app-msn
 match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
 match service text-chat
class-map type inspect match-all ccp-protocol-im
 match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
 match request method bcopy
 match request method bdelete
 match request method bmove
 match request method bpropfind
 match request method bproppatch
 match request method connect
 match request method copy
 match request method delete
 match request method edit
 match request method getattribute
 match request method getattributenames
 match request method getproperties
 match request method index
 match request method lock
 match request method mkcol
 match request method mkdir
 match request method move
 match request method notify
 match request method options
 match request method poll
 match request method propfind
 match request method proppatch
 match request method put
 match request method revadd
 match request method revlabel
 match request method revlog
 match request method revnum
 match request method save
 match request method search
 match request method setattribute
 match request method startrev
 match request method stoprev
 match request method subscribe
 match request method trace
 match request method unedit
 match request method unlock
 match request method unsubscribe
class-map type inspect http match-any ccp-http-blockparam
 match request port-misuse im
 match request port-misuse p2p
 match req-resp protocol-violation
class-map type inspect aol match-any ccp-app-aol
 match service text-chat
class-map type inspect match-all ccp-protocol-imap
 match protocol imap
class-map type inspect http match-any ccp-http-allowparam
 match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map ccp-action-app-p2p
policy-map type inspect im ccp-action-app-im
 class type inspect aol ccp-app-aol
  log
  allow
 class type inspect msnmsgr ccp-app-msn
  log
  allow
 class type inspect ymsgr ccp-app-yahoo
  log
  allow
 class type inspect aol ccp-app-aol-otherservices
  log
  reset
 class type inspect msnmsgr ccp-app-msn-otherservices
  log
  reset
 class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset
policy-map type inspect http ccp-action-app-http
 class type inspect http ccp-http-blockparam
  log
  allow
 class type inspect http ccp-app-httpmethods
  log
  reset
 class type inspect http ccp-http-allowparam
  log
  allow
policy-map type inspect imap ccp-action-imap
 class type inspect imap ccp-app-imap
  log
policy-map type inspect pop3 ccp-action-pop3
 class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
 class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
 class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
 class type inspect ccp-protocol-p2p
  inspect
 class type inspect ccp-protocol-im
  inspect
  service-policy im ccp-action-app-im
 class type inspect ccp-insp-traffic
  inspect
 class type inspect CCP-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect sdm-cls-sdm-permit-4
  pass
 class type inspect sdm-cls-sdm-permit-3
  pass
 class type inspect sdm-access
  inspect
 class type inspect sdm-cls-sdm-permit-2
  inspect
 class class-default
policy-map type inspect ccp-permit
 class type inspect sdm-access
  inspect
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 ssid shampoo
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 ip flow ingress
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip ddns update hostname xxxxxxxxxxxxxxxxx
 ip ddns update dyndns
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXXXX
 ppp chap password 7 xxxxxxxxxxxx
 ppp pap sent-username xxxxxx@xxxxx password 7 xxxxxxxxx
!
interface BVI1
 description $FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 10
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended ECHO
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended HTTPS_MANAGEMENT
 remark SDM_ACL Category=1
 permit udp host 194.8.194.60 eq domain any
 permit udp host 194.8.194.70 eq domain any
 remark Auto generated by SDM for NTP (123) 80.67.17.101
 permit udp host 80.67.17.101 eq ntp any eq ntp
 remark Auto generated by SDM for NTP (123) 192.53.103.103
 permit udp host 192.53.103.103 eq ntp any eq ntp
 permit tcp any any eq 443 log
 remark SDM_ACL Category=1
 remark Auto generated by SDM for NTP (123) 80.67.17.101
 remark Auto generated by SDM for NTP (123) 192.53.103.103
ip access-list extended ICMPEchoReply
 remark SDM_ACL Category=128
 permit ip any any
 remark SDM_ACL Category=128
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
 remark SDM_ACL Category=1
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
 remark SDM_ACL Category=1
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 remark Auto generated by SDM for NTP (123) 80.67.17.101
 permit udp host 80.67.17.101 eq ntp any eq ntp
 remark Auto generated by SDM for NTP (123) 192.53.103.103
 permit udp host 192.53.103.103 eq ntp any eq ntp
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit tcp any any
 remark SDM_ACL Category=1
 remark Auto generated by SDM for NTP (123) 80.67.17.101
 remark Auto generated by SDM for NTP (123) 192.53.103.103
ip access-list extended SSH
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended SSL
 remark SDM_ACL Category=128
 permit ip any any
ip access-list extended USENET
 remark SDM_ACL Category=128
 permit ip any any
 remark SDM_ACL Category=128
!
logging trap warnings
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit any log
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 101 remark SDM_ACL Category=128
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip any any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 deny ip any any
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit tcp any eq www any
access-list 105 permit udp host 194.8.194.60 eq domain any
access-list 105 permit udp host 194.8.194.70 eq domain any
access-list 105 remark Auto generated by SDM for NTP (123) 80.67.17.101
access-list 105 permit udp host 80.67.17.101 eq ntp any eq ntp
access-list 105 remark Auto generated by SDM for NTP (123) 192.53.103.103
access-list 105 permit udp host 192.53.103.103 eq ntp any eq ntp
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq 22
access-list 105 permit tcp any any eq cmd
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Auto generated by SDM for NTP (123) 80.67.17.101
access-list 105 remark Auto generated by SDM for NTP (123) 192.53.103.103
access-list 106 remark VTY Access-class list
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip 192.168.0.0 0.0.0.255 any
access-list 106 deny ip any any
dialer-list 1 protocol ip permit

Reply to
Andreas Heinzelmann

Line breaks would be helpful.

Reply to
Trendkill

While I wouldn't disagree, this reminds me of something I have seen a few times.

I have noticed that the hotmail login request - the data sent when you press "login" or whatever it is called, does not fit in a single packet and results in one full size segment and a second smaller segment (this was years ago and may have changed).

If path MTU discovery is not working then the first packet can get dropped by your router.

Without fully analysing the config I wonder if changing

interface BVI1
 ip tcp adjust-mss 1452

to something significantly smaller just might magically fix it.

I notice that your VLAN 1 adjust-mss is 1412. That seems OK unless you are using ipsec in which case I use 1300.

I see no point in trying to trim it to the last byte.

1452 seems reasonable (1460 - (1500 - 1492)), but with many TCP options enabled I suppose you might be running out of that.

Maybe enabling the firewall is breaking Path MTU discovery?

If required please state the exact commands for "disabling/enabling" the firewall.

Reply to
bod43

Sorry for the missing line breaks!

I managed to get Live Messenger working. It was the deep inspection of the IOS FW. I disabled deep inspection and voila, no more problems.

Thanks for your efforts.

Andy

Reply to
Andreas Heinzelmann
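As an added example (not from the thread or any Cisco tooling), a small Python audit of the zone-based-firewall policy maps posted above: it parses IOS-style policy-map stanzas and lists the application-inspection classes whose action is reset or drop, which is where the "deep inspection" breaking the Messenger login lives (ccp-app-msn-otherservices matches any MSN service other than text-chat and resets it). The sample is constructed from the thread's own policy-map lines, with the running-config indentation assumed.

```python
# Constructed sample in the shape of the thread's policy-map stanzas; indentation
# assumed as IOS prints it: policy-map at column 0, class at 1 space, actions at 2.
SAMPLE_CONFIG = """\
policy-map type inspect im ccp-action-app-im
 class type inspect msnmsgr ccp-app-msn
  log
  allow
 class type inspect msnmsgr ccp-app-msn-otherservices
  log
  reset
 class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-im
  inspect
  service-policy im ccp-action-app-im
 class class-default
  pass
"""

def parse_policy_maps(text):
    """Return {policy_name: {class_name: [action lines]}} for every policy-map."""
    policies, cur_policy, cur_class = {}, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue                      # blank lines and IOS '!' separators
        depth = len(raw) - len(raw.lstrip(" "))
        words = raw.split()
        if depth == 0:                    # any top-level stanza ends the current one
            cur_policy = cur_class = None
            if words[0] == "policy-map":
                cur_policy = words[-1]    # last word is the policy-map name
                policies[cur_policy] = {}
        elif depth == 1 and words[0] == "class" and cur_policy:
            cur_class = words[-1]         # e.g. ccp-app-msn-otherservices, class-default
            policies[cur_policy][cur_class] = []
        elif depth >= 2 and cur_class:
            policies[cur_policy][cur_class].append(" ".join(words))
    return policies

def blocking_classes(policies):
    """(policy, class) pairs whose action tears the session down or discards it."""
    return [(pol, cls) for pol, classes in policies.items()
            for cls, actions in classes.items()
            if any(act.split()[0] in ("reset", "drop") for act in actions)]
```

Run the same parser over the full `show running-config` output to see every class that can silently reset an application session before relaxing the inspection policy.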
