Cisco 877 blocking yahoo sites

edwinang9
I have just set up a Cisco 877 router. It was working fine until I applied the ACL control; then all Yahoo sites are not accessible, but other sites are fine. Can it be my Cisco firewall policy or my new DNS setup on Windows 2003?
    mjfera

    Please post the access-list line items, the access-group command used to apply the ACL, and specify the interface the ACL was applied to.

    edwinang9

    Now even MSN Messenger doesn't work


    Building configuration...

    Current configuration : 7618 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname yourname
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    !
    no aaa new-model
    !
    resource policy
    !
    ip subnet-zero
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    !
    ip dhcp pool sdm-pool
    import all
    network 10.10.10.0 255.255.255.248
    default-router 10.10.10.1
    lease 0 2
    !
    !
    ip inspect log drop-pkt
    ip inspect name SDM_HIGH appfw SDM_HIGH
    ip inspect name SDM_HIGH icmp
    ip inspect name SDM_HIGH dns
    ip inspect name SDM_HIGH esmtp
    ip inspect name SDM_HIGH https
    ip inspect name SDM_HIGH imap reset
    ip inspect name SDM_HIGH pop3 reset
    ip inspect name SDM_HIGH tcp
    ip inspect name SDM_HIGH udp
    ip domain name yourdomain.com
    ip name-server 165.21.83.88
    ip name-server 165.21.100.88
    !
    appfw policy-name SDM_HIGH
    application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
    application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
    application http
    strict-http action reset alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
    application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
    !
    !
    crypto pki trustpoint TP-self-signed-2192079205
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2192079205
    revocation-check none
    rsakeypair TP-self-signed-2192079205
    !
    !
    crypto pki certificate chain TP-self-signed-2192079205
    certificate self-signed 01
    quit
    username admin privilege 15 secret 5 $1$/Epu$UPjomMDf.Z4H9pkJqPMPN1
    !
    !
    !
    !
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.2 point-to-point
    description $FW_OUTSIDE$
    ip address 58.185.225.94 255.255.255.252
    ip access-group 101 in
    ip verify unicast reverse-path
    ip nat outside
    ip virtual-reassembly
    pvc 8/35
    protocol ip 58.185.225.93 broadcast
    encapsulation aal5snap
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    ip address 192.168.80.254 255.255.255.0
    ip access-group 100 in
    ip inspect SDM_HIGH in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 58.185.225.93
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface ATM0.2 overload
    ip nat inside source static 192.168.80.254 116.12.139.129
    ip nat inside source static 192.168.80.11 116.12.139.130
    !
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.80.0 0.0.0.255
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 permit ip any any
    access-list 100 permit tcp any any
    access-list 100 permit udp any any
    access-list 100 permit icmp any any
    access-list 100 permit tcp any eq 1863 any eq 1863
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 remark exch smtp traffic
    access-list 101 permit tcp host 116.12.139.130 eq smtp host 192.168.80.11 eq smtp
    access-list 101 permit udp any host 116.12.139.130
    access-list 101 permit tcp any host 116.12.139.130 eq www
    access-list 101 permit udp any host 116.12.139.129
    access-list 101 permit tcp any host 116.12.139.129
    access-list 101 permit icmp any host 58.185.225.94 echo-reply
    access-list 101 permit icmp any host 58.185.225.94 time-exceeded
    access-list 101 permit icmp any host 58.185.225.94 unreachable
    access-list 101 permit icmp any host 116.12.139.129 echo-reply
    no cdp run
    !
    control-plane
    !
    banner login ^C
    -----------------------------------------------------------------------
    Cisco Router and Security Device Manager (SDM) is installed on this device.
    This feature requires the one-time use of the username "cisco"
    with the password "cisco". The default username and password have a privilege level of 15.

    Please change these publicly known initial credentials using SDM or the IOS CLI.
    Here are the Cisco IOS commands.

    username <myuser> privilege 15 secret 0 <mypassword>
    no username cisco

    Replace <myuser> and <mypassword> with the username and password you want to use.

    For more information about SDM please follow the instructions in the QUICK START
    GUIDE for your router or go to http://www.cisco.com/go/sdm
    -----------------------------------------------------------------------
    ^C
    !
    line con 0
    login local
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    end

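As an added example (not from the thread, and not Cisco code), a small Python first-match evaluator for the extended ACL lines in the posted config. It shows that the return half of LAN sessions NATed to the ATM0.2 address 58.185.225.94 (for instance a DNS reply from 165.21.83.88) matches no line of access-list 101 and falls through to the implicit deny, so that traffic can only enter through the dynamic entries the SDM_HIGH inspect rule creates; the packets below are constructed.

```python
# Added example (not from the thread): first-match evaluator for the numbered
# extended ACL lines in the posted config, used to see which inbound packets
# access-list 101 permits statically, i.e. before 'ip inspect' adds return entries.
import ipaddress

ACL_101 = """
access-list 101 permit tcp host 116.12.139.130 eq smtp host 192.168.80.11 eq smtp
access-list 101 permit udp any host 116.12.139.130
access-list 101 permit tcp any host 116.12.139.130 eq www
access-list 101 permit udp any host 116.12.139.129
access-list 101 permit tcp any host 116.12.139.129
access-list 101 permit icmp any host 58.185.225.94 echo-reply
access-list 101 permit icmp any host 58.185.225.94 time-exceeded
access-list 101 permit icmp any host 58.185.225.94 unreachable
access-list 101 permit icmp any host 116.12.139.129 echo-reply
"""
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}  # IOS keywords used here

def _addr(t):
    """Consume 'any' or 'host X' (the only forms ACL 101 uses); return (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    return ipaddress.ip_network(t[1] + "/32"), t[2:]  # 'host X'

def _port(t):
    """Consume an optional 'eq <port>'; return (port or None, remaining tokens)."""
    if t and t[0] == "eq":
        return PORT_NAMES.get(t[1], int(t[1]) if t[1].isdigit() else t[1]), t[2:]
    return None, t

def parse_ace(line):
    t = line.split()
    if len(t) < 4 or t[2] == "remark":
        return None
    src, rest = _addr(t[4:]); sport, rest = _port(rest)
    dst, rest = _addr(rest);  dport, rest = _port(rest)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport, "dst": dst,
            "dport": dport, "icmp_type": rest[0] if t[3] == "icmp" and rest else None}

def parse_acl(text):
    return [a for a in map(parse_ace, text.strip().splitlines()) if a]

def evaluate(acl, pkt):
    """Return (verdict, index of matching line); unmatched packets hit the implicit deny."""
    for i, a in enumerate(acl):
        if a["proto"] not in ("ip", pkt["proto"]): continue
        if ipaddress.ip_address(pkt["src"]) not in a["src"]: continue
        if ipaddress.ip_address(pkt["dst"]) not in a["dst"]: continue
        if a["sport"] is not None and a["sport"] != pkt.get("sport"): continue
        if a["dport"] is not None and a["dport"] != pkt.get("dport"): continue
        if a["icmp_type"] is not None and a["icmp_type"] != pkt.get("icmp_type"): continue
        return a["action"], i
    return "deny", None

ACL = parse_acl(ACL_101)
```

Note that the first line of ACL 101 only matches packets sourced from 116.12.139.130 port 25 and addressed to 192.168.80.11 port 25, which is not what an inbound SMTP connection to the static NAT address looks like, so the evaluator reports such a connection as denied.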