PIX 501 Breaks Access To Net Banking

PIX 501 Outbound Site Access Problem

Hi all

I'm fairly new to the PIX, so be patient with me! I've just installed a PIX 501 at an SMB client running Windows SBS 2003.

Out of the box the PIX pretty much worked for the outbound traffic, and inbound was sorted after a few weeks of research and a bit of trial and error ;-)

However I have a few remaining problems (which are probably related) and I need to get them solved.

All problems are with OUTBOUND traffic (or the return of it), i.e. the client behind the firewall is having problems accessing specific external websites and services.

Examples are below and then the network topology after if you need it.

The only outbound rule is the default factory implicit one, i.e. src: any, dest: any, interface: inside (Outbound), service: ip.

There are a number of inbound rules to allow access to the OWA & OMA server (80/443) and also VNC (5800/5900). The final incoming rule is a deny any any ip one. This seems to be working OK.

I've also installed a syslog server and captured the logs from one of our failed sessions, but I am having trouble seeing a cause.

Example 1: NatWest Web Banking. The client is able to surf to

formatting link
They then click on the login button and are taken to the SSL site
formatting link
So far so good. However, when they put in their banking number and hit the login button, it eventually just times out. Unfortunately, when we spoke to NatWest's "Technical Team" and explained we were behind a Cisco PIX firewall, they said "Cisco? How do you spell that? Nope, never heard of it! Sorry, can't help." I know. Unbelievable!!

Example 2: RemotelyAnywhere on a remote machine. They have a remote salesman who has RemotelyAnywhere on his machine. The client accesses it via https://externalip:3000. They are able to see the dashboard and able to use file transfer, but when the remote access part starts you see the remote desktop but have no control.

I set the PIX logs to Debugging and captured the output from Example 1 (it's also mixed with some server traffic, i.e. DNS lookups). I see lots of "Built Outbound", "Built Dynamic", "Accessed URL" and "Teardown" lines but am having trouble deciphering any root cause.

Any help or pointers would be appreciated

Network Topology

BT Voyager 205 ADSL Modem - Cisco PIX 501 - Internal LAN inc. SBS 2003

BT Voyager 205 Modem
  External IP: Dynamic
  Internal IP: 192.168.0.1
  DHCP: ON

Cisco PIX 501 (6.3)
  Outside IP: 192.168.0.2
  Inside IP: 192.168.1.1
  DHCP: Off
  Using PAT

Small Business Server 2003
  IP: 192.168.1.2
  DNS: ON
  DHCP: ON
  WINS: ON
  Gateway: 192.168.1.1

Clients
  IP: 192.168.1.10 onward (DHCP assigned)
  DNS / WINS: SBS Server (192.168.1.2)
  Gateway: PIX (192.168.1.1)

If you need to see the logs or my config file, drop me a reply.

If you want to e-mail me, remove NOSPAM from the address.

Many thanks

Mark

Mark Moran
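The post above says the debug-level syslog capture is full of "Built outbound" and "Teardown" lines that are hard to read by eye. The script below is an added example, not code from the thread or from Cisco: it pairs each PIX 6.3 "Built" (message 302013) with its "Teardown" (302014) by connection ID and lists the outbound port-443 sessions that did not end with a normal FIN or RST, which is where a login that "just times out" would show up. The message format and teardown reason strings are assumed from the 6.3-style syslog layout, and the log lines embedded in the script are constructed, not the poster's real capture.

```python
"""Pair PIX 6.3 Built/Teardown TCP syslog lines (302013/302014) and flag
outbound HTTPS sessions that were not closed cleanly by either end.

Assumption: the 6.3-style message layout used in SAMPLE_LOG below; older
PIX releases use different message IDs (302001/302002) and field order.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<p1>\d+) \([\d.]+/\d+\) "
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<p2>\d+) \([\d.]+/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) for \w+:[\d.]+/\d+ "
    r"to \w+:[\d.]+/\d+ duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) "
    r"bytes (?P<bytes>\d+)(?: (?P<reason>.+?))?\s*$"
)

# Reasons that mean a host closed or reset the session, as opposed to the
# PIX tearing it down on a timer (assumed reason strings).
CLEAN_CLOSE = {"TCP FINs", "TCP Reset-I", "TCP Reset-O"}

# Constructed sample capture: a short, clean HTTPS session (4101), a
# session torn down by the PIX idle timer with few bytes (4102), an
# inbound OWA hit (4103) and a session still open when the log ends (4104).
SAMPLE_LOG = """\
Mar 10 14:02:11 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 4101 for outside:213.225.0.1/443 (213.225.0.1/443) to inside:192.168.1.10/3301 (192.168.0.2/1045)
Mar 10 14:02:11 192.168.1.1 %PIX-6-302015: Built outbound UDP connection 4100 for outside:194.72.0.1/53 (194.72.0.1/53) to inside:192.168.1.2/1034 (192.168.0.2/1034)
Mar 10 14:02:12 192.168.1.1 %PIX-6-302014: Teardown TCP connection 4101 for outside:213.225.0.1/443 to inside:192.168.1.10/3301 duration 0:00:01 bytes 5120 TCP FINs
Mar 10 14:02:15 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 4102 for outside:213.225.0.1/443 (213.225.0.1/443) to inside:192.168.1.10/3302 (192.168.0.2/1046)
Mar 10 14:02:20 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 4103 for outside:81.2.3.4/2211 (81.2.3.4/2211) to inside:192.168.1.2/443 (192.168.0.2/443)
Mar 10 14:02:25 192.168.1.1 %PIX-6-302014: Teardown TCP connection 4103 for outside:81.2.3.4/2211 to inside:192.168.1.2/443 duration 0:00:05 bytes 9800 TCP FINs
Mar 10 14:04:16 192.168.1.1 %PIX-6-302014: Teardown TCP connection 4102 for outside:213.225.0.1/443 to inside:192.168.1.10/3302 duration 0:02:01 bytes 830 Conn-timeout
Mar 10 14:04:30 192.168.1.1 %PIX-6-302013: Built outbound TCP connection 4104 for outside:213.225.0.1/443 (213.225.0.1/443) to inside:192.168.1.10/3303 (192.168.0.2/1047)
"""


@dataclass
class Conn:
    conn_id: int
    direction: str
    # endpoint per PIX interface name, e.g. {"outside": (ip, port), "inside": (ip, port)}
    endpoints: Dict[str, Tuple[str, int]]
    duration_s: Optional[int] = None  # None until a Teardown is seen
    nbytes: Optional[int] = None
    reason: Optional[str] = None

    def port_on(self, iface: str) -> Optional[int]:
        ep = self.endpoints.get(iface)
        return ep[1] if ep else None


def parse_pix_log(lines: Iterable[str]) -> Dict[int, Conn]:
    """Index connections by ID; a later Built with the same ID replaces the
    earlier one, since the PIX reuses IDs once a connection is torn down."""
    conns: Dict[int, Conn] = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            cid = int(m["id"])
            conns[cid] = Conn(cid, m["dir"], {
                m["if1"]: (m["ip1"], int(m["p1"])),
                m["if2"]: (m["ip2"], int(m["p2"])),
            })
            continue
        m = TEARDOWN_RE.search(line)
        if m and int(m["id"]) in conns:
            c = conns[int(m["id"])]
            c.duration_s = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            c.nbytes = int(m["bytes"])
            c.reason = m["reason"]
    return conns


def flag_unclean(conns: Dict[int, Conn], iface: str = "outside", port: int = 443) -> List[Conn]:
    """Outbound connections to `port` on `iface` that were still open when the
    log ended, or that the PIX tore down on a timer rather than a host FIN/RST."""
    hits = [c for c in conns.values()
            if c.direction == "outbound" and c.port_on(iface) == port
            and (c.reason is None or c.reason not in CLEAN_CLOSE)]
    return sorted(hits, key=lambda c: c.conn_id)


def flagged_ids(log_text: str = SAMPLE_LOG) -> List[int]:
    return [c.conn_id for c in flag_unclean(parse_pix_log(log_text.splitlines()))]


if __name__ == "__main__":
    for c in flag_unclean(parse_pix_log(SAMPLE_LOG.splitlines())):
        print(c.conn_id, c.endpoints, c.duration_s, c.nbytes, c.reason or "still open")
```

Run it against a real capture by reading the syslog file and passing its lines to parse_pix_log(); sessions that show up with a timer reason and a small byte count, right after a clean page load from the same inside host, are the ones worth comparing against the working session from the server.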


What happens if you access the site "formatting link" directly?

Merv


Same behaviour. The customer is able to get the site no problem but gets a timeout after trying to log in.

As an update to this problem, we have found that we CAN log on to the banking site if we use the server, making me suspect something to do with the port forwards I had to put in to the firewall.

My only issue with this is that the port forwards are actually working fine and allowing outside access to this client's IIS server (OWA & OMA) and other services (i.e. RRAS / VNC).

The server's ip address is 192.168.1.2

The access control list and static routes I have added to replicate the old router's port forwards are:

static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5800 192.168.1.2 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 192.168.1.2 5900 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 500 192.168.1.2 500 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 4500 192.168.1.2 4500 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1701 192.168.1.2 1701 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1723 192.168.1.2 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 192.168.1.11 6881 netmask 255.255.255.255 0 0

access-list out2in permit tcp any any eq 80
access-list out2in permit tcp any any eq 443
access-list out2in permit tcp any any eq 5800
access-list out2in permit tcp any any eq 5900
access-list out2in permit udp any any eq 500
access-list out2in permit udp any any eq 4500
access-list out2in permit udp any any eq 1701
access-list out2in permit tcp any any eq 1723
access-list out2in permit gre any any
access-list out2in permit esp any any
access-list out2in permit ah any any
access-list out2in deny ip any any

access-group out2in in interface outside

As you can see, we've created an access list allowing inbound HTTP, HTTPS, VNC, PPTP & IPsec (MS RRAS) traffic, then created static routes to route the inbound traffic to the server 192.168.1.2 where these services exist.

Again, this seems to be OK, as we now have outside access to these services on the server, which was the intended goal.

Many Thanks

Mark

Markie Mark
