CISCO PIX 506 Unable to connect to secure websites

Posted on 2003-10-23
Last Modified: 2013-11-16
I have a Cisco PIX 506 and have only ever configured it with PDM. NAT is configured to the interface IP.
Users can access the web OK but not secure sites.
Currently any TCP protocol is allowed out, but nothing is set from the outside in; I suspect I need to configure a path back to
the user via the access screen. When I try permitting, say, "https" back to any network etc., it makes no
Guessing it might be something to do with the difference between PAT & NAT?

Some help would be very much appreciated...

Question by:gcz
LVL 79

Expert Comment

ID: 9609242
All outbound is permitted by default, along with the requisite replies, unless you put in a permit outbound.

No access-lists at all = everyone gets out, all protocols, and all replies

access-list outbound permit tcp any any eq 80
access-group outbound in interface inside

Now only http access from internal users. No https, no ftp, no ping, no traceroute, no telnet....

You'll have to post your complete config for review. Don't forget to change real IP addresses and passwords.


Author Comment

ID: 9612828
Thanks for the reply:-)

Here's the config...

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd **************** encrypted
hostname ******
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 119
name Firewall
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside Firewall
ip address inside
ip audit info action alarm drop
ip audit attack action alarm drop
pdm location inside
pdm location firewallname outside
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 2 netmask
global (outside) 1 interface
nat (inside) 1 0 0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server Group1 protocol tacacs+
http server enable
http inside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
auth-prompt prompt enter key
auth-prompt accept key accepted
auth-prompt reject key refused
telnet inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end
LVL 79

Accepted Solution

lrmoore earned 125 total points
ID: 9613585
Remove this line
>access-group inside_access_in in interface inside    

It is not necessary.
The access-list permits everything anyway. There is a "hidden" default outbound permit ip any any

What is your upstream connection? Is it DSL? You might need to change the MTU setting on the outside interface
>mtu outside 1500        
mtu outside 1492
If it makes no difference, or breaks anything else, change it back and try changing the MTU on the inside interface.
If it still does not make any difference, try changing the MTU on the client.
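
The two points made in this thread (the first expert comment's "port 80 only" access-list versus no access-list at all, and the accepted answer's hidden outbound permit plus the 1492-byte MTU for DSL links) can be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from Cisco, or from PDM. It assumes the PIX 6.x semantics the experts describe: with no access-group bound to the inside interface, traffic from the higher-security interface is permitted out (and replies are allowed back); once an access-list is bound, entries are evaluated first-match with an implicit deny at the end. It only understands the `any any [eq PORT]` form of access-list that appears on this page (no object groups, masks or named ports), and the `ONLY_HTTP` and `POSTED` configs embedded in it are constructed samples, not copies of the posted config. The PPPoE figure (8-byte header, so 1500 becomes 1492) is a standard fact, not something the thread states.

```python
"""Toy auditor for the PIX 6.x outbound-filtering discussion in this thread.

Added example; not code from the thread, from Cisco, or from the PDM.
It models only the subset of PIX syntax visible on this page:
  access-list NAME permit|deny PROTO any any [eq PORT]
  access-group NAME in interface IFACE
  mtu IFACE BYTES
Object groups, address/mask pairs and named ports are deliberately unsupported.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp", ...
    port: Optional[int]    # destination port from "eq N", else None (any port)


_ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+any\s+any(?:\s+eq\s+(?P<port>\d+))?$", re.IGNORECASE)
_GROUP_RE = re.compile(
    r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)$", re.IGNORECASE)
_MTU_RE = re.compile(r"^mtu\s+(?P<iface>\S+)\s+(?P<mtu>\d+)$", re.IGNORECASE)


def parse(config: str) -> Tuple[Dict[str, List[Ace]], Dict[str, str], Dict[str, int]]:
    """Return (acls by name, bound ACL name by interface, mtu by interface)."""
    acls: Dict[str, List[Ace]] = {}
    groups: Dict[str, str] = {}
    mtus: Dict[str, int] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = _ACE_RE.match(line)
        if m:
            port = int(m["port"]) if m["port"] else None
            acls.setdefault(m["name"], []).append(
                Ace(m["action"].lower(), m["proto"].lower(), port))
            continue
        m = _GROUP_RE.match(line)
        if m:
            groups[m["iface"].lower()] = m["name"]
            continue
        m = _MTU_RE.match(line)
        if m:
            mtus[m["iface"].lower()] = int(m["mtu"])
    return acls, groups, mtus


def outbound_allowed(config: str, proto: str, port: Optional[int], iface: str = "inside") -> bool:
    """First-match evaluation of the ACL bound inbound on IFACE (the inside interface by default).

    No ACL bound: the PIX lets higher-security -> lower-security traffic out (the
    "hidden" permit ip any any the accepted answer mentions) and allows the replies.
    ACL bound: the first matching entry decides; anything matching nothing is dropped.
    """
    acls, groups, _ = parse(config)
    name = groups.get(iface)
    if name is None:
        return True
    for ace in acls.get(name, []):
        proto_ok = ace.proto == "ip" or ace.proto == proto
        port_ok = ace.port is None or ace.port == port
        if proto_ok and port_ok:
            return ace.action == "permit"
    return False   # implicit deny at the end of a bound access-list


def findings(config: str, iface: str = "inside") -> List[str]:
    """Flag the two things the thread converges on: HTTPS filtered on the way out,
    and a 1500-byte outside MTU on a link that may be PPPoE (8-byte header -> 1492)."""
    out: List[str] = []
    _, groups, mtus = parse(config)
    if iface in groups and not outbound_allowed(config, "tcp", 443, iface):
        out.append(f"access-group {groups[iface]} on {iface} filters tcp/443 (https)")
    if mtus.get("outside") == 1500:
        out.append("mtu outside 1500: try 1492 if the upstream is PPPoE DSL")
    return out


# Constructed sample configs (not copied from the thread): the port-80-only list
# from the first expert comment, and the permit-everything list the asker posted.
ONLY_HTTP = """\
access-list outbound permit tcp any any eq 80
access-group outbound in interface inside
mtu outside 1500
"""
POSTED = """\
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
mtu outside 1500
mtu inside 1500
"""

if __name__ == "__main__":
    for label, cfg in (("only_http", ONLY_HTTP), ("posted", POSTED)):
        print(label, "https out:", outbound_allowed(cfg, "tcp", 443), findings(cfg))
```

Run against the two samples it reports that the port-80-only list blocks tcp/443 while the asker's permit-everything list does not, which is the accepted answer's point: the bound access-group is not what breaks HTTPS here, so the remaining suspect is the outside MTU.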
LVL 79

Expert Comment

ID: 9774442
Are you still working on this? Can you update us with your status?

LVL 23

Expert Comment

by:Tim Holman
ID: 10906883
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

 --> ACCEPT:lrmoore

Please leave any comments here within the next seven days.

EE Cleanup Volunteer
