- Mark Moran
November 27, 2007, 4:31 pm
PIX 501 Outbound ASP FORM Site Access Problem **Updated**
**** UPDATED
This was originally posted under "PIX 501 Breaks Access To Net Banking" but has been updated with more recent findings.
**** UPDATED
Hi all
I'm fairly new to the PIX and just installed a PIX 501 at an SMB client running Windows SBS 2003.
Out of the box the PIX pretty much worked for the outbound traffic.
Inbound required replication of existing port forwarding rules, but these are now up and running. (My access lists and statics are below.)
However, I have a remaining issue with external ASP form sites and I need to get them solved as they are affecting web banking, online supplier ordering and government tax sites.
All problems are with internal clients accessing external ASP sites requesting form data. When the form data is posted, the sites all time out.
However, after adding my port forwarding rules we can now use these troublesome sites from the server, but still not from the clients.
Examples are below and then the network topology after if you need it.
The only outbound rule is the factory default implicit one, i.e. src: any, dest: any, interface: inside (outbound), service: ip.
The inbound rules allow access to the OWA & OMA server (80/443) and also VNC (5800/5900) (server IP is 192.168.1.2). These seem to be working OK. They are as follows:
static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5800 192.168.1.2 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 192.168.1.2 5900 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 500 192.168.1.2 500 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4500 192.168.1.2 4500 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1701 192.168.1.2 1701 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1723 192.168.1.2 1723 netmask 255.255.255.255 0 0
access-list out2in permit tcp any any eq 80
access-list out2in permit tcp any any eq 443
access-list out2in permit tcp any any eq 5800
access-list out2in permit tcp any any eq 5900
access-list out2in permit udp any any eq 500
access-list out2in permit udp any any eq 4500
access-list out2in permit udp any any eq 1701
access-list out2in permit tcp any any eq 1723
access-list out2in permit gre any any
access-list out2in permit esp any any
access-list out2in permit ah any any
access-list out2in deny ip any any
access-group out2in in interface outside
I've also installed a syslog server and captured the logs from one of our failed sessions, but am having trouble seeing a cause.
Example 1: Natwest Web Banking
The client is able to surf to http://www.natwest.com ; they then click on the login button and are taken to the ASP SSL site https://www.nwolb.com . (They can also navigate directly to here if necessary.)
When they put in their banking number and hit the login button to submit the form, it just times out eventually.
Unfortunately NatWest's "Technical Team" are of no help.
Example 2: Peugeot "Build a car" site
Client can navigate to http://www.peugeot.co.uk . From the Showroom menu dropdown, select "Build your own car".
Client is then taken to the ASP form at http://mynewcar.peugeot.com . When they select anything from the 1st dropdown, the form tries to auto-submit and eventually times out as in the banking example above.
I set the PIX logging level to debugging and captured the output from Example 1 (it's also mixed with some server traffic, i.e. DNS lookups).
I am having trouble deciphering any root cause.
Any help or pointers would be appreciated.
Network Topology
BT Voyager 205 ADSL Modem - Cisco PIX 501 - Internal LAN incl. SBS 2003
BT Voyager 205 Modem
External IP : Dynamic
Internal IP : 192.168.0.1
DHCP : ON
Cisco PIX 501 (6.3)
Outside IP : 192.168.0.2
Inside IP : 192.168.1.1
DHCP : Off
Using PAT
Small Business Server 2003
IP : 192.168.1.2
DNS : ON
DHCP : ON
WINS : ON
Gateway : 192.168.1.1
Clients
IP : 192.168.1.10 - onward (DHCP Assigned)
DNS / WINS : SBS Server (192.168.1.2)
Gateway : PIX (192.168.1.1)
If you need to see the logs or my config file drop me a reply
If you want to e-mail me remove NOSPAM from the address
Many thanks
Mark
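Added example for triaging a capture like the one described above; this is not Mark's tooling and has not been run against his capture. The script walks a PIX 6.3 syslog export, correlates the 302013 build and 302014 teardown messages by connection id, and flags the two things a practitioner would rule out first when plain page loads work but form POSTs time out behind PAT: outbound sessions the PIX tore down for inactivity after the handshake, and inbound ICMP "fragmentation needed" errors (type 3, code 4) denied by the outside access-group. The second check is an assumption worth testing rather than a finding from the post: the posted out2in list permits no ICMP and ends in "deny ip any any", and PIX 6.3 only tracks ICMP statefully if "fixup protocol icmp" is enabled, so such a reply from the path would show up as a 106023 denial. The sample lines are constructed in the shape of the real messages, with documentation-range addresses and invented ports and ids.

```python
"""Triage a PIX 6.3 syslog export of a failed outbound HTTPS form POST.

Added example, not the poster's tooling. Correlates build/teardown messages
by connection id and flags (a) outbound sessions torn down for inactivity
and (b) inbound ICMP "fragmentation needed" errors dropped by the outside
access-group, which would break path-MTU discovery.
"""
import re
from dataclasses import dataclass, field

# Message shapes follow the PIX 6.3 "%PIX-<severity>-<id>: ..." format.
BUILD_RE = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for \w+:(?P<far>[\d.]+/\d+) \([\d./]+\) to \w+:(?P<near>[\d.]+/\d+) \([\d./]+\)"
)
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) for .+? duration (?P<dur>[\d:]+) "
    r"bytes (?P<nbytes>\d+) (?P<reason>.+)$"
)
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)(?:/\d+)? '
    r'dst \w+:(?P<dst>[\d.]+)(?:/\d+)?(?: \(type (?P<type>\d+), code (?P<code>\d+)\))? '
    r'by access-group "(?P<acl>[^"]+)"'
)
NOXLATE_RE = re.compile(r"%PIX-3-305005: No translation group found for (?P<flow>.+)$")

# Teardown reasons meaning the PIX gave up waiting, not that either end closed.
TIMEOUT_REASONS = {"Conn-timeout", "SYN Timeout", "FIN Timeout"}


@dataclass
class Conn:
    cid: str
    direction: str
    far: str            # remote host/port for an outbound connection
    near: str           # inside (pre-PAT) host/port for an outbound connection
    duration: str = ""
    nbytes: int = -1    # -1 until a matching teardown is seen
    reason: str = ""


@dataclass
class Findings:
    conns: dict = field(default_factory=dict)
    icmp_denied: list = field(default_factory=list)   # (src, dst, type, code, acl)
    no_xlate: list = field(default_factory=list)


def parse(lines):
    """Walk the export once; unrelated lines (UDP/DNS builds, xlate messages) are ignored."""
    f = Findings()
    for line in lines:
        line = line.strip()
        m = BUILD_RE.search(line)
        if m:
            f.conns[m["id"]] = Conn(m["id"], m["dir"], m["far"], m["near"])
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            c = f.conns.get(m["id"])
            if c is not None:   # teardown with no build: capture started mid-session
                c.duration, c.nbytes, c.reason = m["dur"], int(m["nbytes"]), m["reason"].strip()
            continue
        m = DENY_RE.search(line)
        if m and m["proto"] == "icmp":
            f.icmp_denied.append((m["src"], m["dst"], m["type"], m["code"], m["acl"]))
            continue
        m = NOXLATE_RE.search(line)
        if m:
            f.no_xlate.append(m["flow"])
    return f


def stalled_sessions(f, port="443"):
    """Outbound connections to `port` that the PIX tore down for inactivity.
    nbytes > 0 with Conn-timeout: handshake and small exchanges worked, larger
    segments later went missing (the black-hole signature). nbytes == 0 with
    SYN Timeout: nothing came back at all, so look at routing/NAT instead."""
    return [c for c in f.conns.values()
            if c.direction == "outbound" and c.far.endswith("/" + port)
            and c.reason in TIMEOUT_REASONS]


def pmtud_blackhole_suspected(f):
    """True if an ICMP type 3 code 4 from the path was dropped by the outside ACL,
    so the sending host never learned to shrink its segments."""
    return any(t == "3" and c == "4" for _, _, t, c, _ in f.icmp_denied)


def report(lines):
    f = parse(lines)
    return {
        "stalled_https": [(c.near, c.far, c.nbytes, c.reason) for c in stalled_sessions(f)],
        "pmtud_blackhole": pmtud_blackhole_suspected(f),
        "icmp_denied": len(f.icmp_denied),
        "no_xlate": f.no_xlate,
    }


# Constructed sample lines (documentation-range addresses, invented ports/ids),
# NOT the poster's capture: a DNS lookup, a clean port-80 fetch, then a port-443
# session that dies of inactivity right after a denied "fragmentation needed".
SAMPLE_LOG = """\
%PIX-6-302015: Built outbound UDP connection 2000 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:192.168.1.2/1027 (192.168.0.2/1026)
%PIX-6-305011: Built dynamic TCP translation from inside:192.168.1.10/1043 to outside:192.168.0.2/1030
%PIX-6-302013: Built outbound TCP connection 2001 for outside:198.51.100.10/80 (198.51.100.10/80) to inside:192.168.1.10/1043 (192.168.0.2/1030)
%PIX-6-302014: Teardown TCP connection 2001 for outside:198.51.100.10/80 to inside:192.168.1.10/1043 duration 0:00:02 bytes 14822 TCP FINs
%PIX-6-302013: Built outbound TCP connection 2002 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:192.168.1.10/1044 (192.168.0.2/1031)
%PIX-4-106023: Deny icmp src outside:198.51.100.1 dst outside:192.168.0.2 (type 3, code 4) by access-group "out2in"
%PIX-3-305005: No translation group found for tcp src outside:198.51.100.30/4567 dst inside:192.168.1.2/25
%PIX-6-302014: Teardown TCP connection 2002 for outside:198.51.100.20/443 to inside:192.168.1.10/1044 duration 0:01:00 bytes 3104 Conn-timeout
"""

if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Feed it the syslog server's export of a failed session (the PIX must be logging at debugging level, as the post says it is, for 302013/302014 to appear). If it reports a stalled 443 session with a non-zero byte count together with a denied type 3 code 4, the next step is to test with "access-list out2in permit icmp any any unreachable" added ahead of the deny line, or with "fixup protocol icmp" enabled, and retry the POST; if only the stall shows up and no ICMP was denied, the size hypothesis is weak, since the PIX 6.3 default of "sysopt connection tcpmss 1380" already clamps TCP segments well below an ADSL link's MTU, and the difference between the server and the clients should be looked at instead.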