FPCS
asked on
Website access problem Pix ver 7
After upgrading to version 7.1(2) today (from 6.3) we are having problems with
accessing some websites.
example on mail.yahoo.com you cannot delete or read mail.
Also when I attempted to post my config here it failed. I am remotely connected
to my home pc for this post.
Not sure if I have to tweak my MTU settings or if there my be another issue on ver 7.
: Saved
: Written by enable_15 at 03:28:07.880 CDT Wed May 3 2006
!
PIX Version 7.1(2)
!
hostname pixfirewall
domain-name PixFirewall
enable password encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 11.222.333.50 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.243 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/image.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name hiltoninc
same-security-traffic permit intra-interface
access-list PixFirewall_splitTunnelAcl
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.7.0 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip any 192.168.7.0 255.255.255.224
access-list PixFirewall_splitTunnelAcl
pager lines 24
logging enable
logging console emergencies
logging asdm errors
mtu outside 1500
mtu inside 1500
ip local pool VPN 192.168.7.2-192.168.7.22
asdm image flash:/asdm-512.bin
asdm location 10.0.0.242 255.255.255.255 inside
asdm location 192.168.7.0 255.255.255.224 outside
asdm location 10.0.0.0 255.0.0.0 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 11.222.333.49 1
route inside 10.174.14.0 255.255.255.0 10.0.0.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy PixFirewall internal
group-policy PixFirewall attributes
wins-server value 10.0.0.7
dns-server value 10.0.0.7 10.0.0.3
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PixFirewall_splitTunnelAcl
default-domain value PixFirewall
group-policy PixFirewall internal
group-policy PixFirewall attributes
wins-server value 10.0.0.7
dns-server value 10.0.0.7 10.0.0.3
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PixFirewall_splitTunnelAcl
default-domain value PixFirewall
http server enable
http 10.0.0.242 255.255.255.255 inside
http 10.0.0.103 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
authentication-server-grou
tunnel-group PixFirewall type ipsec-ra
tunnel-group PixFirewall general-attributes
address-pool VPN
default-group-policy PixFirewall
tunnel-group PixFirewall ipsec-attributes
pre-shared-key hilton445866
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end
accessing some websites.
example on mail.yahoo.com you cannot delete or read mail.
Also when I attempted to post my config here it failed. I am remotely connected
to my home pc for this post.
Not sure if I have to tweak my MTU settings or if there my be another issue on ver 7.
: Saved
: Written by enable_15 at 03:28:07.880 CDT Wed May 3 2006
!
PIX Version 7.1(2)
!
hostname pixfirewall
domain-name PixFirewall
enable password encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 11.222.333.50 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.243 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/image.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name hiltoninc
same-security-traffic permit intra-interface
access-list PixFirewall_splitTunnelAcl
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.7.0 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip any 192.168.7.0 255.255.255.224
access-list PixFirewall_splitTunnelAcl
pager lines 24
logging enable
logging console emergencies
logging asdm errors
mtu outside 1500
mtu inside 1500
ip local pool VPN 192.168.7.2-192.168.7.22
asdm image flash:/asdm-512.bin
asdm location 10.0.0.242 255.255.255.255 inside
asdm location 192.168.7.0 255.255.255.224 outside
asdm location 10.0.0.0 255.0.0.0 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 11.222.333.49 1
route inside 10.174.14.0 255.255.255.0 10.0.0.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy PixFirewall internal
group-policy PixFirewall attributes
wins-server value 10.0.0.7
dns-server value 10.0.0.7 10.0.0.3
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PixFirewall_splitTunnelAcl
default-domain value PixFirewall
group-policy PixFirewall internal
group-policy PixFirewall attributes
wins-server value 10.0.0.7
dns-server value 10.0.0.7 10.0.0.3
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PixFirewall_splitTunnelAcl
default-domain value PixFirewall
http server enable
http 10.0.0.242 255.255.255.255 inside
http 10.0.0.103 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
authentication-server-grou
tunnel-group PixFirewall type ipsec-ra
tunnel-group PixFirewall general-attributes
address-pool VPN
default-group-policy PixFirewall
tunnel-group PixFirewall ipsec-attributes
pre-shared-key hilton445866
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
After reading the problem description included in the ticket, I understand that you are having troubles with the access to some web sites. According to the description I thing you are hitting a bug related with ?inspect HTTP? and the work around for it is to disable the inspect HTTP feature if you do not have an ?http-map? linked to the http inspection command.
Here are the commands you should type to disable HTTP inspection:
policy-map global_policy
class inspection_default
no inspect http
Note: disabling "inspect http" should be considered a relatively benign configuration change as it only disables logging of URL GET requests.