Solved

Cisco 5505 firewall

Posted on 2011-09-08
14
403 Views
Last Modified: 2012-05-12
We have this firewall in our network and I think it is blocking certain web pages from doing things. I have checked every machine to make sure it wasn't any issue with flash, java or IE. All are updated to current versions.
What settings, if any, would be blocking certain web pages to load? and please give the directions on how to get to the settings.
The one I know all time doesn't work is the web site for the radisson.com when searching for hotels. the results page is never able to be displayed. When I am out of the network, it works fine.
0
Comment
Question by:raffie613
14 Comments
 
LVL 2

Expert Comment

by:genie4all
ID: 36506606
Do you have any proxy on your network? If so check that out. If you don't have proxy check for regex statements in your firewall. Regex are used to filter websites.
0
 
LVL 15

Expert Comment

by:The_Warlock
ID: 36507407
And then again a sanitized copy of the asa config would be even more helpful in helping us better help you in providing a solution.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 36507828
You can also check the logs to look for messages saying "mss excceded"
You can change the mss size, or you can upgrade the ASA OS image to a newer release
0
 

Author Comment

by:raffie613
ID: 36508187
there is no proxy

how do I get the config log to a file?

Where do I check a log file to look for the mss exceeded?

Thanks.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36508295
You can connect to ASA through a console port using HyperTerminal or any other program, like Putty

When you are connected, isshue this command

sh run



You will see your running config. You can now copy and paste it into text file
0
 
LVL 2

Expert Comment

by:genie4all
ID: 36511482
To get logs from your firewall:

1) Get a SYSLOG tool - suggestion Kiwicat Syslog (Freeware) and install / configure on your machine or another networked PC.

2) on ASA, Global config mode execute below:

logging trap informational
logging host Inside <IP address of syslog system>

3) On the syslog application console you will start seeing all the logs of the firewall

to remove the logging entries use the following:

no logging trap informational
no logging host Inside <IP address of syslog system>

If you have ASDM:
 
logging asdm informational

your ASDM should start showing you the logs


0
 

Author Comment

by:raffie613
ID: 36512538
Result of the command: "sh run"
: Saved
:
ASA Version 7.2(4)
!
hostname secsignalsfw
domain-name secsignals.local
enable password JVLqJVmxcyY5oUTI encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.13.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group SS
 ip address pppoe setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name secsignals.local
object-group service websense tcp
 port-object eq 15868
access-list inside_access_in extended permit tcp any any object-group websense
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.13.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
url-server (inside) vendor websense host 192.168.13.2 timeout 30 protocol TCP version 4 connections 15
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 75.151.223.121
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group SS request dialout pppoe
vpdn group SS localname sgk1@bellsouth.net
vpdn group SS ppp authentication pap
vpdn username sgk1@bellsouth.net password *********
dhcpd auto_config outside
!
dhcpd address 192.168.13.100-192.168.13.130 inside
dhcpd dns 192.168.13.2 interface inside
dhcpd domain secsignals.local interface inside
dhcpd enable inside
!
username ssicor password mUAe4Hu9uZEBUrD8 encrypted privilege 15
username securas password Qx2vIbDWqaPDJl5O encrypted privilege 15
username super1 password nQHcyCkd1aqdRpso encrypted privilege 15
tunnel-group 75.151.223.121 type ipsec-l2l
tunnel-group 75.151.223.121 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e74aed4b3a32b8f2066cc92e8c0eee2c
: end
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 2

Expert Comment

by:genie4all
ID: 36512836
Raffie,

You've got websense application which does URL filtering. Your websense is in-path of your network. It means you don't need explicit proxy settings but still the websites will be filtered by websense.

Look into websense configuration for rules /  settings that might block the web browsing.

I will go through your config again and let you know if there's anything suspicious.

Regards,
0
 
LVL 2

Expert Comment

by:genie4all
ID: 36512886
I don't see any issues with your configuration just now...

Try applying exception for your system and browse to the websites that were getting blocked / dropped earlier. This will prove whether the issue is with your firewall or websense

To apply exception:

filter url except local_ip local_mask foreign_ip foreign_mask]

To remove exception:

no filter url except local_ip local_mask foreign_ip foreign_mask]
0
 

Author Comment

by:raffie613
ID: 36517931
how do I get to the websense utility?
Thanks.
0
 

Author Comment

by:raffie613
ID: 36520482
ok, I see you meant a program called websense. I opened it and saw the ip of my server and when I right click and nothing. I don't need the program so I am just going to remove it completely from the server. That won't affect the ASA at will it?
0
 
LVL 2

Accepted Solution

by:
genie4all earned 500 total points
ID: 36523322
If you are not using websense you can remove those lines. ASA will not be affected by that. But there will be no webfiltering on your network (provided you have one now):

to remove, login into your ASA via SSH / Telnet and in Global config mode issue the below commands:

no filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
no filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
no url-server (inside) vendor websense host 192.168.13.2 timeout 30 protocol TCP version 4 connections 15


0
 

Author Comment

by:raffie613
ID: 36532661
If I just remove Websense and do not remove those lines in the ASA, will my web filtering still stop? I just want it off at this point.
0
 
LVL 2

Expert Comment

by:genie4all
ID: 36532752
Raffie613, If you have a webfilter in your network, you might to reconsider your decision of removing it totally. If there is no webfiltering users can access any websites they want including porn and other blacklisted ones. So try and get the websense part sorted out and re-enable this rule in your ASA.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Suggested Solutions

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now