Web browsing issue behind PIX

One of my PIX units (525 fail-over pair) on 6.3(5) is having trouble browsing certain web sites - for example [link] and the "Microsoft Update" site, while "[link]" and the "Windows Update" sites work fine. Anyone seen an issue like this?

TIA

-- (unnamed poster)

Path MTU Discovery (PMTUD).

Ensure that you specifically permit icmp unreachable inward.

-- Walter Roberson
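The mechanism behind Walter's advice, as an added example that is not part of the original thread: Path MTU Discovery only works if the ICMP Destination Unreachable / Fragmentation Needed message (type 3, code 4, RFC 1191) from a router on the path can get back in through the firewall to the sender. On the PIX that is what `permit icmp any any unreachable` on the outside interface lets through. The code below builds and parses that ICMP message, including the checksum, and models a sender behind a firewall that either does or does not admit inbound unreachables. The MTUs, the fake IP header excerpt and the firewall policy model are constructed for the example.

```python
"""Added example (not from the original thread): why Path MTU Discovery needs
inbound ICMP Destination Unreachable.

A sender with DF set pushes 1500-byte datagrams toward a path whose narrowest
link is smaller. The router at that link drops the datagram and returns ICMP
type 3 code 4 ("fragmentation needed") carrying the next-hop MTU (RFC 1191).
If the firewall in front of the sender filters inbound ICMP unreachable, the
sender never sees that message, keeps retransmitting at 1500 bytes and the
connection black-holes. MTUs, the fake IP header and the firewall model are
constructed for this example.
"""
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
CODE_FRAG_NEEDED = 4


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a message carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, offending_datagram: bytes) -> bytes:
    """ICMP type 3 code 4 as laid out in RFC 1191:
    type(1) code(1) checksum(2) unused(2) next-hop MTU(2), followed by the IP
    header plus first 8 bytes of the datagram that was dropped."""
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body = head + offending_datagram[:28]
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU, or None if msg is not a valid frag-needed."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH or code != CODE_FRAG_NEEDED or mtu < 68:
        return None
    return mtu


def firewall_allows_inbound(msg: bytes, permit_unreachable: bool) -> bool:
    """Toy model of an outside-interface ICMP policy: echo-reply is always let
    back in; type 3 only when an 'unreachable' permit rule is present."""
    typ = msg[0]
    if typ == ICMP_ECHO_REPLY:
        return True
    if typ == ICMP_DEST_UNREACH:
        return permit_unreachable
    return False


def pmtud_session(path_mtu: int, permit_unreachable: bool, max_rounds: int = 5):
    """Sender starts at its link MTU (1500, DF set) and shrinks on each valid
    frag-needed it receives. Returns (delivered, final_send_size)."""
    send_size = 1500
    for _ in range(max_rounds):
        if send_size <= path_mtu:
            return True, send_size            # fits: datagram delivered
        # Narrow-link router drops the DF datagram and emits frag-needed.
        # Constructed 28-byte excerpt: start of an IPv4 header with total length.
        dropped = b"\x45\x00" + struct.pack("!H", send_size) + b"\x00" * 24
        icmp = build_frag_needed(path_mtu, dropped)
        if not firewall_allows_inbound(icmp, permit_unreachable):
            continue                          # filtered: sender learns nothing
        new_mtu = parse_frag_needed(icmp)
        if new_mtu is not None:
            send_size = new_mtu
    return False, send_size                   # black hole


if __name__ == "__main__":
    print("unreachable permitted:", pmtud_session(1400, True))   # (True, 1400)
    print("unreachable filtered: ", pmtud_session(1400, False))  # (False, 1500)
```

The filtered case is the classic PMTUD black hole: small requests (and pings) work because they never exceed the path MTU, while full-size segments vanish without any error the sender can see. That is why "ping works but the site hangs" is a typical symptom.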

I pretty much have all ICMP open right now but still nothing on those sites ...

access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any

icmp permit any unreachable outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any outside
icmp permit any inside

-- (unnamed poster)

Do you happen to be on DSL? If so then reduce your outside MTU to 1492 (most providers; as low as 1398 for some providers!!)

-- Walter Roberson

No - it's in a CoLo with a 10 Mb burstable to 100 Mb feed.

-- (unnamed poster)

Update - a system on the DMZ can browse these sites - it's the inside hosts that can't browse these websites. I'll try to post the configuration if I don't find the problem today.

Thanks for your help.

-- (unnamed poster)

Here's my configuration below - the DMZ (DNSWEB) can browse all of the sites, while the "inside" hosts are the ones having problems getting to "[link]" ...

icctrade-pix# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface gb-ethernet0 1000full
interface gb-ethernet1 1000auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif gb-ethernet0 dnsweb security4
nameif gb-ethernet1 intf3 security6
enable password xxx encrypted
passwd xxx encrypted
hostname xxx-pix
domain-name xxx.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit tcp any host 1.2.3.200 eq ftp
access-list outside_access_in permit tcp any host 1.2.3.232 eq domain
access-list outside_access_in permit udp any host 1.2.3.232 eq domain
access-list outside_access_in permit icmp any host 1.2.3.232 unreachable
access-list outside_access_in permit icmp any any
access-list outside_access_in permit icmp any host 1.2.3.200 unreachable
access-list dnsweb_access_in permit ip any any
access-list dnsweb_access_in permit icmp any any echo-reply
access-list dnsweb_access_in permit icmp any any source-quench
access-list dnsweb_access_in permit icmp any any unreachable
access-list dnsweb_access_in permit icmp any any time-exceeded
access-list woodward2icc permit ip any any
pager lines 24
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dnsweb 1500
mtu intf3 1500
ip address outside 1.2.3.150 255.255.255.128
ip address inside 10.202.0.2 255.255.255.0
ip address dnsweb 10.203.0.1 255.255.255.0
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 1.2.3.151
failover ip address inside 10.202.0.3
failover ip address dnsweb 10.203.0.2
no failover ip address intf3
pdm logging errors 200
pdm history enable
arp timeout 14400
global (outside) 10 1.2.3.201-1.2.3.215
global (outside) 10 1.2.3.216
global (dnsweb) 10 10.203.0.80-10.203.0.100
nat (inside) 10 10.202.0.0 255.255.255.0 0 0
nat (dnsweb) 10 10.203.0.0 255.255.255.0 0 0
nat (dnsweb) 10 0.0.0.0 0.0.0.0 0 0
static (dnsweb,outside) 1.2.3.232 10.203.0.232 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.200 10.202.0.81 netmask 255.255.255.255 0 0
static (inside,dnsweb) 10.201.0.0 10.201.0.0 netmask 255.255.255.0 0 0
static (inside,dnsweb) 10.200.0.0 10.200.0.0 netmask 255.255.255.0 0 0
static (inside,dnsweb) 10.16.61.0 10.16.61.0 netmask 255.255.255.0 0 0
static (inside,dnsweb) 10.202.0.0 10.202.0.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dnsweb_access_in in interface dnsweb
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 1.2.3.129 1
route inside 10.10.2.0 255.255.255.252 10.202.0.1 1
route inside 10.10.20.0 255.255.255.252 10.202.0.1 1
route inside 10.10.21.0 255.255.255.252 10.202.0.1 1
route inside 10.16.61.0 255.255.255.0 10.202.0.1 1
route inside 10.200.0.0 255.255.255.0 10.202.0.1 1
route inside 10.201.0.0 255.255.255.0 10.202.0.1 1
route inside 172.16.2.0 255.255.254.0 10.202.0.1 1
route inside 172.16.4.0 255.255.254.0 10.202.0.1 1
route inside 172.16.8.0 255.255.254.0 10.202.0.1 1
route inside 172.16.10.0 255.255.254.0 10.202.0.1 1
route inside 172.16.12.0 255.255.254.0 10.202.0.1 1
route inside 172.16.61.0 255.255.255.0 10.202.0.1 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
http server enable
floodguard enable
sysopt connection permit-ipsec
ssh timeout 60
console timeout 0
terminal width 80

-- (unnamed poster)

Issue resolved ...

I used Ethereal on one of the hosts and saw that the default router couldn't find the hosts that were having this issue. I compared this default router with another default router behind another PIX and found the only difference was that the unit on the working segment had "ip classless" while the unit on the non-working segment had "no ip classless".

I replaced "no ip classless" with "ip classless" on the default router for the "Inside" network hosts and everything is working.

-- (unnamed poster)
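What the two commands in the fix actually toggle, as an added example that is not part of the original thread and not the poster's router configuration: under `no ip classless` an IOS router forwards classfully, so a destination inside a major (class A/B/C) network for which it already holds subnet routes, but matching none of them, is dropped rather than sent to the default route; under `ip classless` the longest matching prefix wins and the default route is the fallback for everything. The Python below models both lookups over a constructed routing table that loosely follows the 10.x and 172.16.x subnets and the 10.202.0.2 PIX inside address seen in the thread; the next-hop labels and test destinations are assumptions. Whether this is precisely why only some sites failed for the inside hosts cannot be read off the thread; the example shows the mechanism the fix changed.

```python
"""Added example (not from the original thread): what 'ip classless' changes in
an IOS-style forwarding decision, modelled in Python with the ipaddress module.

With 'no ip classless' the router behaves classfully: when the destination lies
inside a major (class A/B/C) network for which the table holds at least one
subnet route, and no subnet route matches, the packet is dropped instead of
being forwarded along the default route. With 'ip classless' the longest
matching prefix wins and the default route catches everything else. The
routing table, next-hop labels and destinations below are constructed.
"""
import ipaddress

# Constructed table for an inside router: (prefix, next hop). The default
# route points at the firewall's inside address from the thread (10.202.0.2).
INSIDE_ROUTER_TABLE = [
    ("10.202.0.0/24",  "connected"),
    ("10.200.0.0/24",  "wan-hop-A"),
    ("10.201.0.0/24",  "wan-hop-A"),
    ("172.16.2.0/23",  "wan-hop-B"),
    ("172.16.61.0/24", "wan-hop-B"),
    ("0.0.0.0/0",      "10.202.0.2"),
]


def classful_major_network(addr):
    """Class A/B/C network containing addr, or None for class D/E."""
    addr = ipaddress.ip_address(addr)
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefixlen = 8
    elif first_octet < 192:
        prefixlen = 16
    elif first_octet < 224:
        prefixlen = 24
    else:
        return None
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def lookup(table, dst, classless):
    """Forwarding decision for dst. Returns the next hop, or None when the
    router would drop the packet. classless=True models 'ip classless',
    classless=False models 'no ip classless'."""
    dst = ipaddress.ip_address(dst)
    routes = [(ipaddress.ip_network(p), nh) for p, nh in table]
    specific = [(n, nh) for n, nh in routes if n.prefixlen > 0 and dst in n]
    if specific:
        return max(specific, key=lambda r: r[0].prefixlen)[1]   # longest prefix
    default = [nh for n, nh in routes if n.prefixlen == 0]
    if not classless:
        major = classful_major_network(dst)
        knows_subnets = major is not None and any(
            n.prefixlen > major.prefixlen and n.subnet_of(major) for n, _ in routes)
        if knows_subnets:
            return None      # classful: known major network, unknown subnet -> drop
    return default[0] if default else None


def compare(table, destinations):
    """Side-by-side forwarding result for each destination under both modes."""
    return {d: {"ip classless": lookup(table, d, True),
                "no ip classless": lookup(table, d, False)} for d in destinations}


if __name__ == "__main__":
    samples = ["10.202.0.50", "10.99.0.1", "172.16.9.7", "203.0.113.10"]
    for dst, result in compare(INSIDE_ROUTER_TABLE, samples).items():
        print(dst, result)
```

The telling case is 10.99.0.1: the router knows other 10.x subnets, so classful forwarding drops it, while classless forwarding hands it to the default route toward the firewall. A destination in a major network the router knows nothing about (203.0.113.10) takes the default route either way, which is why this kind of problem shows up as "some destinations work, some do not" rather than a total outage.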
