Problem with HTTPS through PIX for OWA

Hi,

I am trying to configure one of our customer's PIX firewalls to allow SSL OWA (they are currently using HTTP, not HTTPS). For some reason the commands we have added to other customers' PIX firewalls aren't working to accomplish this.

I know the first thing you will all suggest is going to be to upgrade the IOS (we are on version 6.3(1)), but this is not an option at this point. We can only make configuration changes on this PIX that won't interfere with or break anything else.

Does anyone know what changes I can make to this PIX to allow SSL OWA traffic? By the way, SSL is working internally.

Here is the current config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vAzMma1Gux3.wkTP encrypted
passwd lwJM7e5kzPHBQwNf encrypted
hostname TSPIX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list KirkResidence permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging on
logging trap notifications
logging history notifications
logging facility 0
logging host inside 192.168.1.13
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.34 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.6.210-192.168.6.220
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.43
nat (inside) 0 access-list bypassingnat
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp xx.xx.xx.35 smtp 192.168.1.19 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.35 https 192.168.1.19 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.35 www 192.168.1.19 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.35 domain 192.168.1.19 domain netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.37 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.45 192.168.1.84 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.39 172.16.100.25 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.46 172.16.100.30 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.40 172.16.100.34 netmask 255.255.255.255 0 0
conduit permit tcp any eq 8060 host yy.yy.yy.11
conduit permit tcp any eq 9000 host yy.yy.yy.33
conduit permit tcp any eq 1040 host yy.yy.yy.61
conduit permit tcp host xx.xx.xx.35 eq smtp any
conduit permit tcp host xx.xx.xx.35 eq www any
conduit permit tcp host xx.xx.xx.35 eq https any
conduit permit ip host xx.xx.xx.45 host 66.207.66.14
conduit permit icmp any any echo-reply
conduit permit tcp host xx.xx.xx.40 eq citrix-ica any
conduit permit udp host xx.xx.xx.40 eq 1604 any
conduit permit tcp host xx.xx.xx.35 eq domain any
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.33 1
route inside 172.16.100.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address KirkResidence
crypto map newmap 20 set peer xx.xx.xx.50
crypto map newmap 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.50 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 14400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 14400
Exclusive

For future reference: PIX does not use IOS; it uses an operating system called Finesse, but more commonly known as "PIX OS".

And yes, I would recommend upgrading to 6.3(6) as soon as that becomes available.

Ah, well, you are trying to use conduits; anything can happen. Cisco converted to access-list / access-group in PIX 5.0(1). There was a big rewrite of PIX internals for 6.1, and Cisco "Won't Fix" any 6.2 or later conduit bug unless it is a major repeatable crash. I don't believe in trying to debug any 6.x configuration that uses conduits.

Put the group 2 before (lower policy number) the group 1 so that it will be chosen first if the other side supports it. You want to have the highest available security negotiated.

Walter Roberson

Walter, thanks for your reply!

I got permission to replace the conduit commands with an ACL. I'm still not able to access OWA through SSL. This is my configuration now:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vAzMma1Gux3.wkTP encrypted
passwd lwJM7e5kzPHBQwNf encrypted
hostname TSPIX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list KirkResidence permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list out_in permit tcp any any eq smtp
access-list out_in permit tcp any any eq domain
access-list out_in permit tcp any any eq https
access-list out_in permit tcp any any eq www
access-list out_in permit tcp host xxx.yy.97.40 any eq citrix-ica
access-list out_in permit udp host xxx.yy.97.40 any eq 1604
access-list out_in permit tcp any host zz.yy.176.11 eq 8060
access-list out_in permit tcp any host zz.yy.176.33 eq 9000
access-list out_in permit tcp any host zz.yy.176.61 eq 1040
access-list out_in permit tcp any host zz.yy.178.2 eq 1007
access-list out_in permit tcp any host zz.yy.178.2 eq 2007
access-list out_in permit tcp host xxx.yy.97.45 host 66.207.66.14
pager lines 24
logging on
logging trap notifications
logging history notifications
logging facility 0
logging host inside 192.168.1.13
mtu outside 1500
mtu inside 1500
ip address outside xxx.yy.97.34 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.6.210-192.168.6.220
pdm history enable
arp timeout 14400
global (outside) 1 xxx.yy.97.43
nat (inside) 0 access-list bypassingnat
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp xxx.yy.97.35 www 192.168.1.19 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.yy.97.35 smtp 192.168.1.19 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.yy.97.35 domain 192.168.1.19 domain netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.yy.97.35 domain 192.168.1.19 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.yy.97.35 https 192.168.1.19 https netmask 255.255.255.255 0 0
static (inside,outside) xxx.yy.97.37 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) xxx.yy.97.45 192.168.1.84 netmask 255.255.255.255 0 0
static (inside,outside) xxx.yy.97.39 172.16.100.25 netmask 255.255.255.255 0 0
static (inside,outside) xxx.yy.97.46 172.16.100.30 netmask 255.255.255.255 0 0
static (inside,outside) xxx.yy.97.40 172.16.100.34 netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yy.97.33 1
route inside 172.16.100.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
Exclusive
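Walter's two points above (conduits versus access-list / access-group, and the ISAKMP policy order) and the second config posted can both be checked mechanically rather than by eye. The Python below is an added example written for this page, not code posted by anyone in the thread. It reads a PIX 6.x-style configuration and, for a given outside address and port, reports whether a static translation exists, whether an access-list entry matches it (first match wins, deny included) and whether that list is bound inbound on the outside interface, and whether a legacy conduit permits it; it also reports whether the ISAKMP policies are ordered with the larger DH group at the lower (first-tried) policy number. The sample configuration, its RFC 5737 addresses and the small grammar it accepts (any, host X, NET MASK, eq PORT) are assumptions for the example; it does not handle port ranges, object-groups, time-ranges, or NAT ordering.

```python
"""Static checks on a PIX 6.x configuration (added example, not from the thread).

For an outside address and port: is there a static, does an access-list entry
match it (and is that list bound inbound on 'outside'), does a conduit permit it.
Also: are ISAKMP policies ordered strongest DH group first, as Walter advises.
Grammar accepted is deliberately small: any | host X | NET MASK, and eq PORT."""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53,
              "citrix-ica": 1494, "ftp": 21}


def port_num(tok):
    """Map a PIX port keyword or number to an integer (None if unknown)."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)


def parse_addr(toks, i):
    """Consume one address spec at toks[i]: 'any', 'host X' or 'NET MASK'."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_port(toks, i):
    """Consume an optional 'eq PORT' at toks[i]; return (port or None, next index)."""
    if i < len(toks) and toks[i] == "eq":
        return port_num(toks[i + 1]), i + 2
    return None, i


def check_inbound(config, outside_ip, port, proto="tcp"):
    """Trace one inbound service.  On PIX 6.x both an inbound ACL and a conduit
    match on the global (translated) address, so the outside IP is what we test."""
    ip = ipaddress.ip_address(outside_ip)
    acls, bound = {}, set()
    res = {"static": None, "acl_entry": None, "acl_permit": False,
           "acl_bound": False, "conduit_permit": False}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static" and t[1] == "(inside,outside)":
            if t[2] in ("tcp", "udp"):          # port static: PROTO GLOBAL GPORT LOCAL LPORT
                if t[2] == proto and t[3] == outside_ip and port_num(t[4]) == port:
                    res["static"] = f"{t[5]}:{port_num(t[6])}"
            elif t[2] == outside_ip:            # one-to-one static: GLOBAL LOCAL
                res["static"] = t[3]
        elif t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] in ("ip", "tcp", "udp"):
            acls.setdefault(t[1], []).append(t)
        elif t[0] == "access-group" and t[2:5] == ["in", "interface", "outside"]:
            bound.add(t[1])
        elif t[0] == "conduit" and t[1] == "permit" and t[2] in ("ip", "tcp", "udp"):
            # conduit syntax: global (destination) address first, then the foreign source
            dst, i = parse_addr(t, 3)
            dport, i = parse_port(t, i)
            if t[2] in ("ip", proto) and ip in dst and dport in (None, port):
                res["conduit_permit"] = True
    # access-list syntax: source first, then destination.  Entries are evaluated
    # first-match, so a deny above a permit wins.  Bound lists are examined first.
    for name in sorted(acls, key=lambda n: n not in bound):
        for t in acls[name]:
            _src, i = parse_addr(t, 4)
            _sport, i = parse_port(t, i)
            dst, i = parse_addr(t, i)
            dport, _ = parse_port(t, i)
            if t[3] in ("ip", proto) and ip in dst and dport in (None, port):
                res.update(acl_entry=" ".join(t), acl_permit=t[2] == "permit",
                           acl_bound=name in bound)
                return res
    return res


def isakmp_policy_groups(config):
    """Return [(priority, dh_group)] sorted by priority; the lowest number is offered first."""
    groups = {}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["isakmp", "policy"] and len(t) == 5 and t[3] == "group":
            groups[int(t[2])] = int(t[4])
    return sorted(groups.items())


def isakmp_strongest_first(config):
    """True when the larger DH group sits at the lower policy number (tried first)."""
    order = [g for _, g in isakmp_policy_groups(config)]
    return order == sorted(order, reverse=True)


# Constructed sample in the shape of the thread's config, using RFC 5737 addresses.
SAMPLE_CONFIG = """\
access-list out_in permit tcp any any eq smtp
access-list out_in permit tcp any host 203.0.113.35 eq https
access-list out_in deny tcp any host 203.0.113.40 eq citrix-ica
static (inside,outside) tcp 203.0.113.35 https 192.168.1.19 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.35 www 192.168.1.19 www netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.40 172.16.100.34 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.35 eq https any
access-group out_in in interface outside
isakmp policy 10 group 1
isakmp policy 15 group 2
"""

if __name__ == "__main__":
    for ip, port in (("203.0.113.35", 443), ("203.0.113.35", 80), ("203.0.113.40", 1494)):
        print(ip, port, check_inbound(SAMPLE_CONFIG, ip, port))
    print("ISAKMP strongest group first:", isakmp_strongest_first(SAMPLE_CONFIG))
```

Two things to keep in mind when reading its output. First, on PIX 6.x an access-list applied inbound on the outside interface is matched against the global (pre-translation) address, which is why the checker looks for the outside IP in both the ACL and the static. Second, a conduit line lists the global address before the foreign address, while an access-list line lists the source before the destination; the checker parses each in its own order, and that difference is the thing most easily lost when converting one to the other by hand. The ISAKMP check only looks at the DH group, which is the point Walter raises; it says nothing about the DES/MD5 choices in the policies.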

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.