PIX browsing sites error

Hi all,

I have a Cisco PIX 501 firewall, OS version 6.3.5 - the configuration is simple. I have one webserver and 2 clients behind the inside interface. For my webserver I assigned a static outside/inside command so I can allow www access to it coming in on the outside interface (this works, by the way). My clients are accessing the Internet via PAT using the global (outside) 1 interface and nat (inside) 1 10.1.1.0 255.255.255 commands (this works well too). The problem though is as follows:

From my webserver I can ping and resolve websites like [link] and can even browse to it, but then some other websites I cannot, namely [link] and [link] and even [link] - if I browse to the latter websites from any one of the clients the websites work fine. If I remove the static outside/inside rule for the webserver and its access list then the problem does not occur; this implies that there is some configuration error on my behalf with the static and access-lists for the server. Below is the output of my PIX. Any suggestions?

Thanks - Jamie

PIX# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname PIX
domain-name somethingnet.org
clock timezone GMT/BDT 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host A.B.C.D eq www
access-list outside_access_in permit tcp any host A.B.C.D eq 3395
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.Y.Z.W 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.1.1.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
static (inside,outside) A.B.C.D 10.1.1.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 E.F.G.H 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c80d27094430147d0a4b880c90e62422
: end
Reply to
jamie

Perhaps your global IP pool range is conflicting with your static (inside,outside) mapping. Can you not select a different external IP address for the static (inside,outside) A.B.C.D part?

Matt

Reply to
Matty M

That's precisely what I am thinking. I am reporting this to my ISP as we speak to see if the range of IP addresses I have from them is the cause. Will give more feedback later.

J
Reply to
jamie

What is the relationship between X.Y.Z.W, A.B.C.D, and E.F.G.H ? Same subnets or different subnets?

Reply to
Walter Roberson

Not unless A.B.C.D is the same as the outside IP! But the config we were shown had the outside IP as X.Y.Z.W, so unless the OP has been inconsistent, that isn't the case.

Question to the OP: have you done a "clear xlate" ?

Reply to
Walter Roberson

Since it is a 501: what license type do you have? (show version) And are there any log messages telling you that the limit is exceeded?

Is this an issue that has been introduced after upgrade to 6.3.5 ?

You could also do the same in a slightly different way:

access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 3395
no static (inside,outside) A.B.C.D 10.1.1.2 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 80 10.1.1.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 3395 10.1.1.2 3395 netmask 255.255.255.255

This way you are sure that the server doesn't use the A.B.C.D IP when doing outside connections. Also verify things on the server, such as gateway IP, routing, filters of any kind, e.g. personal firewalls etc.

HTH Martin Bilgrav

Reply to
Martin Bilgrav

"Walter Roberson" wrote in

Hi Walter,

Yes I have done a clear xlate and have also issued a reload.

IP addresses X.Y.Z.W and A.B.C.D are on the same subnet (basically they are a block range given to me by the ISP) - E.F.G.H is the outside address of the router, not the PIX, and is also on a different subnet. So the case is as follows:

PIX Ethernet0: X.Y.Z.154 /29 (outside)
PIX Ethernet1: 10.1.1.1 /29 (inside)

Router ATM0: E.F.G.86 /24 (WAN outside)
Router VLAN1: X.Y.Z.193 /29 (WAN inside)

Server IP address: 10.1.1.2 /24
Server virtual IP: X.Y.Z.155 /29

As I said, if the server is going to these unreachable sites via PAT no problem, once I assign the static command some of the websites do not work, namely Cisco and Microsoft etc.

ISP is in the process of looking whether they can give me a new range but they are adamant nothing is wrong with them. Quite frankly I am inclined to believe them because the sites work using PAT so I am thinking it is a PIX issue.

Any suggestions would be welcomed! Thanks.

James

Reply to
jamie

I do not know if you have read my other post, but a nice and easy way to try another IP is to set it up with the interface command instead of an IP, both in the static and the ACL.

Reply to
Martin Bilgrav

"Martin Bilgrav" wrote

Hi Martin,

Yes, I did read the other post and I just finished implementing it, but it didn't seem to work at all (i.e. can't connect to the server on port 3395, 80 etc.)... I will try it again and will let you know in case I did something wrong.

Thank you.

Jamie

Reply to
jamie

Then your "route outside" statement needs to refer to X.Y.Z.193, not to E.F.G.86.

: As I said, if the server is going to these unreachable sites via PAT no
: problem, once I assign the static command some of the websites do not work,
: namely Cisco and Microsoft etc.

Selective ability to get somewhere most often is an issue with MTU, but that wouldn't explain your situation.

Having connections work for PAT to "interface" but not for other IPs would usually indicate that the WAN router is not routing the PIX outside IP subnet to the PIX outside IP address and that proxy arp isn't happening to do the job for you. But that would normally fail for everything non-local, not for selected sites.

I'd be interested to see if there are any messages in the logs when the failure occurs.

Reply to
Walter Roberson
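The addressing questions raised in this thread (is the static's public address on the PIX outside subnet, does it collide with the interface IP, does the default route's next hop sit on that subnet, and does the ACL reference the static's address) can be checked mechanically. This is an added example, not code from the thread or from Cisco; it parses a handful of PIX 6.3 "show run" lines and reports inconsistencies. The sample config and its addresses (192.0.2.x, 198.51.100.x) are constructed stand-ins for the X.Y.Z.W, A.B.C.D and E.F.G.H placeholders above.

```python
import ipaddress
import re

# Constructed sample in the shape of the OP's config. The default route points
# at the router's WAN-side address, which is the mistake Walter points out.
SAMPLE_CONFIG = """
ip address outside 192.0.2.154 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
access-list outside_access_in permit tcp any host 192.0.2.155 eq www
access-list outside_access_in permit tcp any host 192.0.2.155 eq 3395
access-list outside_access_in permit icmp any any echo-reply
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
static (inside,outside) 192.0.2.155 10.1.1.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.51.100.86 1
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

def parse_pix(config: str) -> dict:
    """Pull the addressing facts out of a PIX 6.3 'show run' text."""
    facts = {"acl_hosts": set(), "statics": []}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(rf"ip address outside {IPV4} {IPV4}", line):
            facts["outside"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        # Only the one-to-one form; "static ... tcp interface 80" is skipped
        elif m := re.match(rf"static \(inside,outside\) {IPV4} {IPV4} netmask", line):
            facts["statics"].append((m[1], m[2]))
        elif m := re.match(rf"route outside 0\.0\.0\.0 0\.0\.0\.0 {IPV4}", line):
            facts["gateway"] = ipaddress.ip_address(m[1])
        elif m := re.match(rf"access-list \S+ permit \w+ any host {IPV4}", line):
            facts["acl_hosts"].add(m[1])
    return facts

def check_pix(config: str) -> list:
    """Return a list of human-readable consistency problems (empty if none)."""
    f = parse_pix(config)
    out = f["outside"]          # IPv4Interface: .ip and .network
    problems = []
    if f["gateway"] not in out.network:
        problems.append(f"route next hop {f['gateway']} is not on {out.network}")
    for public, private in f["statics"]:
        pub = ipaddress.ip_address(public)
        if pub == out.ip:
            problems.append(f"static {public} is the outside interface address")
        elif pub not in out.network:
            problems.append(f"static {public} is outside {out.network}")
        if public not in f["acl_hosts"]:
            problems.append(f"no access-list host entry for {public}")
    return problems
```

Run `check_pix(SAMPLE_CONFIG)` to see the bad next hop reported; swapping the route target for the router's inside address (192.0.2.153 in the sample) clears it.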

"Walter Roberson" wrote

That is correct - sorry I have mistyped that.

Correct again, MTU is default 1500 on all interfaces.

However, I have just returned from my ISP with a new block and implemented it just now and, bingo, everything works. I can get to Cisco, MS etc. without problems. I did not change anything other than the block of IPs handed down to me by my ISP. Still, it would have been nice to know what was wrong with the old range.

Thanks to all for the responses - will keep a close eye on the forum to return the favour when possible.

Jamie

Reply to
jamie

Just a WAG since you never disclosed the public IPs, but was your original allocation from a recently released range?

It could be that it was on a bogon list that hasn't been updated yet.

Reply to
Rod Dorman

Hm, not sure to be honest. The old range was 62.24.231.192 /29. I've had it for over 3-4 weeks now and, to be honest, I have had problems from day one, but nowhere near as severe as the last 2-3 days...

Jamie

Reply to
jamie
