
    Cisco 877 blocking yahoo sites


    by edwinang9 ·

    I have just set up a Cisco 877 router. It was working fine until I applied the ACL control; then all Yahoo sites are not accessible, but other sites are fine. Can it be my Cisco firewall policy or my new DNS setup on Windows 2003?

All Comments

    • #2635052

      Cisco ACL

      by mjfera ·

      In reply to Cisco 877 blocking yahoo sites

      Please post the access-list line items, the access-group command used to apply the ACL, and specify the interface the ACL was applied to.

    • #2635747

      Config file

      by edwinang9 ·

      In reply to Cisco 877 blocking yahoo sites

      Now even MSN Messenger doesn't work.

      Building configuration…

      Current configuration : 7618 bytes
      !
      version 12.4
      no service pad
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname yourname
      !
      boot-start-marker
      boot-end-marker
      !
      logging buffered 51200 warnings
      !
      no aaa new-model
      !
      resource policy
      !
      ip subnet-zero
      ip cef
      no ip dhcp use vrf connected
      ip dhcp excluded-address 10.10.10.1
      !
      ip dhcp pool sdm-pool
      import all
      network 10.10.10.0 255.255.255.248
      default-router 10.10.10.1
      lease 0 2
      !
      !
      ip inspect log drop-pkt
      ip inspect name SDM_HIGH appfw SDM_HIGH
      ip inspect name SDM_HIGH icmp
      ip inspect name SDM_HIGH dns
      ip inspect name SDM_HIGH esmtp
      ip inspect name SDM_HIGH https
      ip inspect name SDM_HIGH imap reset
      ip inspect name SDM_HIGH pop3 reset
      ip inspect name SDM_HIGH tcp
      ip inspect name SDM_HIGH udp
      ip domain name yourdomain.com
      ip name-server 165.21.83.88
      ip name-server 165.21.100.88
      !
      appfw policy-name SDM_HIGH
      application im aol
      service default action allow alarm
      service text-chat action allow alarm
      server permit name login.oscar.aol.com
      server permit name toc.oscar.aol.com
      server permit name oam-d09a.blue.aol.com
      audit-trail on
      application im msn
      service default action allow alarm
      service text-chat action allow alarm
      server permit name messenger.hotmail.com
      server permit name gateway.messenger.hotmail.com
      server permit name webmessenger.msn.com
      audit-trail on
      application http
      strict-http action reset alarm
      port-misuse im action reset alarm
      port-misuse p2p action reset alarm
      port-misuse tunneling action reset alarm
      application im yahoo
      service default action allow alarm
      service text-chat action allow alarm
      server permit name scs.msg.yahoo.com
      server permit name scsa.msg.yahoo.com
      server permit name scsb.msg.yahoo.com
      server permit name scsc.msg.yahoo.com
      server permit name scsd.msg.yahoo.com
      server permit name cs16.msg.dcn.yahoo.com
      server permit name cs19.msg.dcn.yahoo.com
      server permit name cs42.msg.dcn.yahoo.com
      server permit name cs53.msg.dcn.yahoo.com
      server permit name cs54.msg.dcn.yahoo.com
      server permit name ads1.vip.scd.yahoo.com
      server permit name radio1.launch.vip.dal.yahoo.com
      server permit name in1.msg.vip.re2.yahoo.com
      server permit name data1.my.vip.sc5.yahoo.com
      server permit name address1.pim.vip.mud.yahoo.com
      server permit name edit.messenger.yahoo.com
      server permit name messenger.yahoo.com
      server permit name http.pager.yahoo.com
      server permit name privacy.yahoo.com
      server permit name csa.yahoo.com
      server permit name csb.yahoo.com
      server permit name csc.yahoo.com
      audit-trail on
      !
      !
      crypto pki trustpoint TP-self-signed-2192079205
      enrollment selfsigned
      subject-name cn=IOS-Self-Signed-Certificate-2192079205
      revocation-check none
      rsakeypair TP-self-signed-2192079205
      !
      !
      crypto pki certificate chain TP-self-signed-2192079205
      certificate self-signed 01
      3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 32313932 30373932 3035301E 170D3032 30333031 30303035
      32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31393230
      37393230 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100A5E1 DD29DB29 DAC0F7B9 DEDF8670 8B5C14D7 BC5F0177 DD33BF5B 3989244B
      1978D66B E9BAC34C 2B18E953 5F78BD14 2A63CE79 38B2D191 9E34FA5A B0D54E3A
      CE2E417B 457F49AA 9F002951 6382649F 19C12838 CF0BA78A 478B22C2 07B36224
      78EA85D2 AC7E212B E266041B 7F0B5D20 6EE54F9A C8F6331F 1F1C2592 9A155549
      28470203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
      551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
      301F0603 551D2304 18301680 14F2C67F 1BCDB7DB 654F02F9 A3291A70 067DE684
      3F301D06 03551D0E 04160414 F2C67F1B CDB7DB65 4F02F9A3 291A7006 7DE6843F
      300D0609 2A864886 F70D0101 04050003 81810047 14B19CFA E3EE4CE4 40140C7B
      BBA2FB49 ACDAA25D D05A7400 B57162E3 BB139658 AD01D29A B7FE751D C396465D
      7213AEC9 DB993F9B DE61F6B8 F2223587 31AB0C96 BFF8C768 EB93E8AB 415BB920
      1EC5CCC5 850F0576 403186A0 A43A3676 3841A8F9 BD0AF414 18572310 167AD010
      5770858A 6C9CA1FE 27454AA8 EC0618AF 705CDE
      quit
      username admin privilege 15 secret 5 $1$/Epu$UPjomMDf.Z4H9pkJqPMPN1
      !
      !
      !
      !
      !
      interface ATM0
      no ip address
      no atm ilmi-keepalive
      dsl operating-mode auto
      !
      interface ATM0.2 point-to-point
      description $FW_OUTSIDE$
      ip address 58.185.225.94 255.255.255.252
      ip access-group 101 in
      ip verify unicast reverse-path
      ip nat outside
      ip virtual-reassembly
      pvc 8/35
      protocol ip 58.185.225.93 broadcast
      encapsulation aal5snap
      !
      !
      interface FastEthernet0
      !
      interface FastEthernet1
      !
      interface FastEthernet2
      !
      interface FastEthernet3
      !
      interface Vlan1
      description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
      ip address 192.168.80.254 255.255.255.0
      ip access-group 100 in
      ip inspect SDM_HIGH in
      ip nat inside
      ip virtual-reassembly
      ip tcp adjust-mss 1452
      !
      ip classless
      ip route 0.0.0.0 0.0.0.0 58.185.225.93
      !
      ip http server
      ip http authentication local
      ip http secure-server
      ip http timeout-policy idle 60 life 86400 requests 10000
      ip nat inside source list 1 interface ATM0.2 overload
      ip nat inside source static 192.168.80.254 116.12.139.129
      ip nat inside source static 192.168.80.11 116.12.139.130
      !
      access-list 1 remark INSIDE_IF=Vlan1
      access-list 1 remark SDM_ACL Category=2
      access-list 1 permit 192.168.80.0 0.0.0.255
      access-list 100 remark auto generated by SDM firewall configuration
      access-list 100 remark SDM_ACL Category=1
      access-list 100 permit ip any any
      access-list 100 permit tcp any any
      access-list 100 permit udp any any
      access-list 100 permit icmp any any
      access-list 100 permit tcp any eq 1863 any eq 1863
      access-list 101 remark auto generated by SDM firewall configuration
      access-list 101 remark SDM_ACL Category=1
      access-list 101 remark exch smtp traffic
      access-list 101 permit tcp host 116.12.139.130 eq smtp host 192.168.80.11 eq smtp
      access-list 101 permit udp any host 116.12.139.130
      access-list 101 permit tcp any host 116.12.139.130 eq www
      access-list 101 permit udp any host 116.12.139.129
      access-list 101 permit tcp any host 116.12.139.129
      access-list 101 permit icmp any host 58.185.225.94 echo-reply
      access-list 101 permit icmp any host 58.185.225.94 time-exceeded
      access-list 101 permit icmp any host 58.185.225.94 unreachable
      access-list 101 permit icmp any host 116.12.139.129 echo-reply
      no cdp run
      !
      control-plane
      !
      banner login ^C
      -----------------------------------------------------------------------
      Cisco Router and Security Device Manager (SDM) is installed on this device.
      This feature requires the one-time use of the username "cisco"
      with the password "cisco". The default username and password have a privilege level of 15.

      Please change these publicly known initial credentials using SDM or the IOS CLI.
      Here are the Cisco IOS commands.

      username <myuser> privilege 15 secret 0 <mypassword>
      no username cisco

      Replace <myuser> and <mypassword> with the username and password you want to use.

      For more information about SDM please follow the instructions in the QUICK START
      GUIDE for your router or go to http://www.cisco.com/go/sdm
      -----------------------------------------------------------------------
      ^C
      !
      line con 0
      login local
      no modem enable
      line aux 0
      line vty 0 4
      privilege level 15
      login local
      transport input telnet ssh
      !
      scheduler max-task-time 5000
      end
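The access lists in the posted config can be checked mechanically rather than by eye. The Python script below is an added example written for this page, not code from the thread or from Cisco. It implements first-match evaluation for the subset of numbered IOS ACL syntax the config uses (`any`, `host`, address/wildcard pairs, the `eq` port operator and ICMP type keywords) and runs it over access-lists 1, 100 and 101 copied from the config above. The flows it tests are constructed (the 203.0.113.x addresses are documentation space). It deliberately does not model the dynamic entries that `ip inspect SDM_HIGH` adds for return traffic, nor the `appfw` HTTP policy: whatever it reports as "implicit deny" on ACL 101 is traffic that can only reach the LAN if CBAC has opened a hole for it, so every outbound session from 192.168.80.0/24 (DNS, HTTP, HTTPS, Messenger) depends on inspection rather than on the static list. Two further things it makes visible: `access-list 100 permit ip any any` shadows the four entries after it, and the SMTP entry in ACL 101 (destination 192.168.80.11, the private address) cannot match inbound mail to the published 116.12.139.130, because an inbound ACL on the outside interface sees the packet before NAT translates it.

```python
"""First-match evaluator for numbered IOS access lists (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copied from the config posted above; remark lines are kept to show they are skipped.
ACL_TEXT = """
access-list 1 permit 192.168.80.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any eq 1863 any eq 1863
access-list 101 remark exch smtp traffic
access-list 101 permit tcp host 116.12.139.130 eq smtp host 192.168.80.11 eq smtp
access-list 101 permit udp any host 116.12.139.130
access-list 101 permit tcp any host 116.12.139.130 eq www
access-list 101 permit udp any host 116.12.139.129
access-list 101 permit tcp any host 116.12.139.129
access-list 101 permit icmp any host 58.185.225.94 echo-reply
access-list 101 permit icmp any host 58.185.225.94 time-exceeded
access-list 101 permit icmp any host 58.185.225.94 unreachable
access-list 101 permit icmp any host 116.12.139.129 echo-reply
"""

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}   # IOS port keywords used on this page
ANY = (0, 0xFFFFFFFF)                                  # 0.0.0.0 with wildcard 255.255.255.255


@dataclass(frozen=True)
class Flow:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # e.g. "echo-reply"


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str                       # "ip" matches every protocol
    src: tuple                       # (address, wildcard) as ints
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    icmp_type: Optional[str]
    text: str


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _take_addr(toks, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2


def _take_port(toks, i):
    """Only the 'eq' operator occurs in the posted config; gt/lt/range are not modelled."""
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_acls(text):
    """Return {acl_number: [Ace, ...]} in configured order; remark lines are skipped."""
    acls = {}
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 3 or toks[0] != "access-list" or toks[2] == "remark":
            continue
        number, action = int(toks[1]), toks[2]
        if number <= 99:                        # standard ACL: source address only
            src, _ = _take_addr(toks, 3)
            ace = Ace(action, "ip", src, None, ANY, None, None, line)
        else:                                   # extended ACL
            proto, i = toks[3], 4
            src, i = _take_addr(toks, i)
            sport, i = _take_port(toks, i)
            dst, i = _take_addr(toks, i)
            dport, i = _take_port(toks, i)
            icmp_type = toks[i] if proto == "icmp" and i < len(toks) else None
            ace = Ace(action, proto, src, sport, dst, dport, icmp_type, line)
        acls.setdefault(number, []).append(ace)
    return acls


def _addr_match(spec, ip):
    addr, wildcard = spec
    mask = ~wildcard & 0xFFFFFFFF              # wildcard 1-bits are "don't care"
    return (_ip(ip) & mask) == (addr & mask)


def matches(ace, flow):
    return (ace.proto in ("ip", flow.proto)
            and _addr_match(ace.src, flow.src) and _addr_match(ace.dst, flow.dst)
            and (ace.sport is None or ace.sport == flow.sport)
            and (ace.dport is None or ace.dport == flow.dport)
            and (ace.icmp_type is None or ace.icmp_type == flow.icmp_type))


def evaluate(aces, flow):
    """First matching entry wins; no match means the implicit deny at the end of the list."""
    for idx, ace in enumerate(aces):
        if matches(ace, flow):
            return ace.action, idx, ace.text
    return "deny", None, "implicit deny"


def dead_entries(aces):
    """Entries after the first 'ip any any' entry can never be reached."""
    for idx, ace in enumerate(aces):
        if ace.proto == "ip" and ace.src == ANY and ace.dst == ANY:
            return [a.text for a in aces[idx + 1:]]
    return []


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    # Constructed return flows for sessions the LAN opens through PAT on ATM0.2.
    for f in (Flow("udp", "165.21.83.88", "58.185.225.94", sport=53, dport=40000),
              Flow("tcp", "203.0.113.10", "58.185.225.94", sport=443, dport=50000),
              Flow("tcp", "203.0.113.5", "116.12.139.130", sport=40001, dport=25),
              Flow("icmp", "203.0.113.5", "58.185.225.94", icmp_type="echo-reply")):
        print(f, "->", evaluate(acls[101], f))
    print("ACL 100 dead entries:", dead_entries(acls[100]))
```

Run it as a plain script; the loop at the bottom prints which ACL 101 entry (if any) each constructed inbound flow hits. A flow that ends at "implicit deny" is only going to work on this router if the CBAC session table already holds a matching outbound session.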
