PIX 501 Outbound ASP FORM Site Acess Problem **Updated**
**** UPDATED This was originally posted under PIX 501 Breaks Access To Net Banking but has been updated with more recent findings **** UPDATEDHi all
I'm fairly new to the PIX and just installed a PIX 501 at a SMB client running a windows SBS 2003.
Out of the box the PIX pretty much worked for the outbound traffic. Inbound required replication of existing port forwarding rules but these are now up and running. (My access lists and statics are below)
However I have a remaining issue with external ASP form sites and I need to get them solved as they are effecting web banking, on line supplier ordering and government tax sites.
All problems are with internal clients accessing external ASP sites requesting form data. When the form data is posted the sites all timeout
However after adding my port forwarding rules we can now use these troublesome sites from the server but still not the clients
Examples are below and then the network topology after if you need it.
The only outbound rule is the default factory implicit one ie src:any dest:any interface:inside(Outbound) Service:ip
The inbound rules to allow access to the OWA & OMA server (80/443) and also VNC (5800/5900) (Server IP is 192.168.1.2) These seems to be working ok. They are as follows :-
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255
0 0 static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 5800 192.168.1.2 5800 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 5900 192.168.1.2 5900 netmask 255.255.255.255 0 0 static (inside,outside) udp interface 500 192.168.1.2 500 netmask 255.255.255.255 0 0 static (inside,outside) udp interface 4500 192.168.1.2 4500 netmask 255.255.255.255 0 0 static (inside,outside) udp interface 1701 192.168.1.2 1701 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 1723 192.168.1.2 1723 netmask 255.255.255.255 0 0access-list out2in permit tcp any any eq 80 access-list out2in permit tcp any any eq 443 access-list out2in permit tcp any any eq 5800 access-list out2in permit tcp any any eq 5900 access-list out2in permit udp any any eq 500 access-list out2in permit udp any any eq 4500 access-list out2in permit udp any any eq 1701 access-list out2in permit tcp any any eq 1723 access-list out2in permit gre any any access-list out2in permit esp any any access-list out2in permit ah any any access-list out2in deny ip any any
access-group out2in in interface outside
I've also installed a syslog server and captured the logs from one of our failed sessions but am having trouble seeing a cause.
Example 1: Natwest Web Banking The client is able to surf to
Example 2: Peugeot "Build a car" site Client can Navigate to
I set the PIX logs on Debugging and captured the output from Example 1 : (it's also mixed with some server traffic ie dns lookups). I am having trouble deciphering any root cause.
Any help or pointers would be appreciated
Network Topology
BT Voyager 205 ADSL Modem - Cisco PIX 501 - Internal Lan Inc SBS2003
BT Voyager 205 Modem External IP : Dynamic Internal IP : 192.168.0.1 DHCP : ON
Cisco PIX 501 (6.3) Outside IP : 192.168.0.2 Inside IP : 192.168.1.1 DHCP : Off Using PAT
Small Business Server 2003 IP : 192.168.1.2 DNS : ON DHCP : ON WINS : ON Gateway : 192.168.1.1
Clients IP : 192.168.1.10 - onward (DHCP Assigned) DNS / WINS : SBS Server (192.168.1.2) Gateway : PIX (192.168.1.1)
If you need to see the logs or my config file drop me a reply
If you want to e-mail me remove NOSPAM from the address
Many thanks
Mark