

CISCO PIX 506 Unable to connect to secure websites

Posted on 2003-10-23
Medium Priority
Last Modified: 2013-11-16
I have a Cisco Pix 506 and have only ever configured it with PDM. NAT configured to Interface IP.
Users can access web ok but not secure sites.
Currently any TCP protocol is allowed out, but nothing is set from the outside in. I suspect I need to configure a path back to the user via the access screen. When I try permitting, say, "https" back to any network etc., it makes no
Guessing it might be something to do with the difference between PAT & NAT?

Some help would be very much appreciated...

Question by:gcz
LVL 79

Expert Comment

ID: 9609242
All outbound is permitted by default - along with the requisite replies, unless you put in a permit outbound.


No access-lists at all = everyone gets out, all protocols, and all replies.

access-list outbound permit tcp any any eq 80
access-group outbound in interface inside

Now only http access from internal users. No https, no ftp, no ping, no traceroute, no telnet....

You'll have to post your complete config for review. Don't forget to change real IP addresses and passwords.


Author Comment

ID: 9612828
Thanks for the reply:-)

Here's the config...

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd **************** encrypted
hostname ******
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 119
name Firewall
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside Firewall
ip address inside
ip audit info action alarm drop
ip audit attack action alarm drop
pdm location inside
pdm location firewallname outside
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 2 netmask
global (outside) 1 interface
nat (inside) 1 0 0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server Group1 protocol tacacs+
http server enable
http inside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
auth-prompt prompt enter key
auth-prompt accept key accepted
auth-prompt reject key refused
telnet inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end
LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 9613585
Remove this line
>access-group inside_access_in in interface inside

It is not necessary.
The access-list permits everything anyway. There is a "hidden" default outbound permit ip any any.

What is your upstream connection? Is it DSL? You might need to change the MTU setting on the outside interface:
>mtu outside 1500
mtu outside 1492
If it makes no difference, or breaks anything else, change it back and try changing the MTU on the INside interface.
If it still does not make any difference, try changing the MTU on the client.
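A small config check, added here as an illustration and not code from anyone in this thread, that applies the two points made above to a PIX 6.x config: an inside access-group whose ACL only repeats the hidden "permit ip any any" is reported as redundant (and an ACL that permits only port 80, like the earlier example, is reported as leaving HTTPS out), and "mtu outside 1500" is flagged when the upstream is assumed to be PPPoE DSL. The sample config, the upstream assumption and the 8-byte PPPoE overhead figure are mine; the parser only understands the access-list, access-group and mtu lines it needs.

```python
import re
# Constructed sample modelled on the poster's config (names are placeholders).
SAMPLE_CONFIG = """\
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
mtu outside 1500
access-group inside_access_in in interface inside
"""
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+?)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
MTU_RE = re.compile(r"^mtu (\S+) (\d+)$")

def parse_config(text):
    """Collect ACL entries, where they are applied, and per-interface MTU."""
    cfg = {"acls": {}, "groups": [], "mtu": {}}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ACL_RE.match(line):
            name, action, proto, endpoints, port = m.groups()
            cfg["acls"].setdefault(name, []).append(
                {"action": action, "proto": proto, "endpoints": endpoints, "port": port})
        elif m := GROUP_RE.match(line):
            cfg["groups"].append({"acl": m[1], "direction": m[2], "iface": m[3]})
        elif m := MTU_RE.match(line):
            cfg["mtu"][m[1]] = int(m[2])
    return cfg

def outbound_services(cfg, iface="inside"):
    """Services inside hosts may initiate: "all" or a sorted 'proto/port' list.
    The PIX is stateful, so replies to permitted connections need no inbound rule."""
    applied = [g for g in cfg["groups"] if g["iface"] == iface and g["direction"] == "in"]
    if not applied:  # no ACL on the interface: the hidden default 'permit ip any any'
        return "all"
    allowed = set()
    permits = (e for g in applied for e in cfg["acls"].get(g["acl"], []) if e["action"] == "permit")
    for e in permits:
        if e["proto"] == "ip" and e["endpoints"] == "any any":
            return "all"
        allowed.add(f"{e['proto']}/{e['port'] or 'any'}")
    return sorted(allowed)

def lint(cfg, upstream="dsl-pppoe"):
    """Findings for the two causes discussed in the thread (upstream type is assumed)."""
    findings, svc = [], outbound_services(cfg)
    if svc == "all" and any(g["iface"] == "inside" for g in cfg["groups"]):
        findings.append("inside access-group is redundant: its ACL permits ip any any like the default; remove it")
    elif svc != "all" and not {"tcp/443", "tcp/any"} & set(svc):
        findings.append(f"HTTPS (tcp/443) is not permitted outbound; allowed: {svc}")
    if upstream == "dsl-pppoe" and cfg["mtu"].get("outside", 1500) > 1492:
        findings.append("PPPoE adds 8 bytes: try 'mtu outside 1492' (TCP MSS 1452); revert if it changes nothing")
    return findings
```

Run `lint(parse_config(SAMPLE_CONFIG))` to see both findings for the poster's config; pass `upstream="ethernet"` to skip the MTU check.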
LVL 79

Expert Comment

ID: 9774442
Are you still working on this? Can you update us with your status?

LVL 23

Expert Comment

by:Tim Holman
ID: 10906883
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

 --> ACCEPT:lrmoore

Please leave any comments here within the next seven days.

EE Cleanup Volunteer
