CISCO PIX 506 Unable to connect to secure websites

Posted on 2003-10-23
Last Modified: 2013-11-16
I have a Cisco PIX 506 and have only ever configured it with PDM. NAT is configured to the interface IP.
Users can access the web OK but not secure sites.
Currently any TCP protocol is allowed out, but nothing is set from the outside in. I suspect I need to configure a path back to
the user via the access screen, but when I try permitting, say, "https" back to any network etc., it makes no
difference.
Guessing it might be something to do with the difference between PAT & NAT?

Some help would be very much appreciated...

Thanks
Question by: gcz

6 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 9609242
All outbound is permitted by default - along with the requisite replies - unless you put in a permit outbound.

Example:

No access-lists at all = everyone gets out, all protocols, and all replies.

access-list outbound permit tcp any any eq 80
access-group outbound in interface inside

Now only http access from internal users. No https, no ftp, no ping, no traceroute, no telnet....

You'll have to post your complete config for review. Don't forget to change real IP addresses and passwords.
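The point lrmoore is making (no bound access-list means everything outbound passes; a bound access-list is evaluated first-match with an implicit deny at the end, so a single `permit ... eq 80` silently kills https) can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from Cisco; it parses the small `access-list NAME permit|deny PROTO any any [eq PORT]` subset used above and evaluates sample flows against it. The class and function names are my own.

```python
"""Toy model of PIX outbound access-list evaluation (added example, not from the thread).

Models only the subset of ACE syntax used in the discussion:
    access-list NAME permit|deny PROTO any any [eq PORT]
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, optional destination port."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", "icmp"
    dst_port: Optional[int] = None   # None means any port


@dataclass(frozen=True)
class Flow:
    """An inside-to-outside connection attempt, reduced to protocol and port."""
    proto: str
    dst_port: Optional[int] = None


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME action PROTO any any [eq PORT]' into an Ace."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto = tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {line!r}")
    port = None
    if len(tokens) >= 8 and tokens[6] == "eq":
        port = int(tokens[7])
    return Ace(action, proto, port)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    """'ip' matches every protocol; otherwise protocol (and port, if given) must agree."""
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.dst_port is not None and ace.dst_port != flow.dst_port:
        return False
    return True


def outbound_allowed(flow: Flow, bound_acl: Optional[List[Ace]]) -> bool:
    """Return True if the inside-to-outside flow is let through.

    No access-group on the inside interface: higher-to-lower security traffic is
    permitted by default and replies return via the connection table.
    With an ACL bound: first matching entry wins; anything unmatched hits the
    implicit 'deny ip any any' at the end.
    """
    if bound_acl is None:
        return True
    for ace in bound_acl:
        if ace_matches(ace, flow):
            return ace.action == "permit"
    return False  # implicit deny


HTTP = Flow("tcp", 80)
HTTPS = Flow("tcp", 443)
PING = Flow("icmp")


def thread_scenarios() -> Dict[str, bool]:
    """Evaluate the three situations discussed in the thread (constructed inputs)."""
    only_http = [parse_ace("access-list outbound permit tcp any any eq 80")]
    posted = [
        parse_ace("access-list inside_access_in permit tcp any any"),
        parse_ace("access-list inside_access_in permit ip any any"),
    ]
    return {
        "no_acl_https": outbound_allowed(HTTPS, None),         # nothing bound: passes
        "only_http_http": outbound_allowed(HTTP, only_http),   # explicitly permitted
        "only_http_https": outbound_allowed(HTTPS, only_http), # falls to implicit deny
        "only_http_ping": outbound_allowed(PING, only_http),   # falls to implicit deny
        "posted_https": outbound_allowed(HTTPS, posted),       # gcz's ACL is not the culprit
    }


if __name__ == "__main__":
    for name, allowed in thread_scenarios().items():
        print(f"{name:18} {'permit' if allowed else 'deny'}")
```

Running it shows that gcz's posted `permit tcp any any` / `permit ip any any` list lets https through, which is why lrmoore turns to the MTU rather than the access-list in the accepted answer.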
LVL 1

Author Comment

by:gcz
ID: 9612828
Thanks for the reply :-)

Here's the config...

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd **************** encrypted
hostname ******
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 119
names
name xxx.xxx.xxx.xxx Firewall
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside Firewall xxx.xxx.xxx.xxx
ip address inside xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip audit info action alarm drop
ip audit attack action alarm drop
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm location firewallname xxx.xxx.xxx.xxx outside
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm history enable
arp timeout 14400
global (outside) 2 xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx
global (outside) 1 interface
nat (inside) 1 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 0 0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server Group1 protocol tacacs+
http server enable
http xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
http xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
http xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
auth-prompt prompt enter key
auth-prompt accept key accepted
auth-prompt reject key refused
telnet xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:********************************
: end
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 9613585
Remove this line
>access-group inside_access_in in interface inside

It is not necessary.
The access-list permits everything anyway. There is a "hidden" default outbound permit ip any any.

What is your upstream connection? Is it DSL? You might need to change the MTU setting on the outside interface.
Change
>mtu outside 1500
to
mtu outside 1492
If it makes no difference, or breaks anything else, change it back and try changing the MTU on the INside interface.
If it still does not make any difference, try changing the MTU on the client. http://www.dslreports.com/front/drtcp.html
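Why an MTU change can matter for connections that hang rather than fail cleanly: a segment larger than the path MTU that carries the Don't Fragment bit is dropped, and if the router's ICMP "fragmentation needed" message never reaches the sender, nothing is ever retransmitted at a smaller size. The following is an added example written for this page, not code from the thread; it models that black hole with a PPPoE-style path MTU of 1492 and shows how an endpoint MTU of 1500 versus 1492 changes the outcome. Header sizes are the standard IPv4/TCP minima; the function names are my own.

```python
"""Toy model of a path-MTU black hole (added example, not from the thread)."""
from typing import List

IP_HDR = 20           # IPv4 header without options
TCP_HDR = 20          # TCP header without options
PPPOE_OVERHEAD = 8    # PPP (2) + PPPoE (6): 1500-byte Ethernet leaves 1492 for IP


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload an endpoint with this MTU will put in one segment."""
    return mtu - IP_HDR - TCP_HDR


def send_segment(size: int, df: bool, path_mtu: int, icmp_reaches_sender: bool) -> str:
    """Outcome for one IP packet of `size` bytes crossing a link with `path_mtu`.

    'delivered'  fits the link
    'fragmented' too big, DF clear: router fragments it (slow but works)
    'resized'    too big, DF set, ICMP frag-needed arrives: PMTUD shrinks and retries
    'blackholed' too big, DF set, ICMP lost: silently dropped, connection stalls
    """
    if size <= path_mtu:
        return "delivered"
    if not df:
        return "fragmented"
    if icmp_reaches_sender:
        return "resized"
    return "blackholed"


def simulate_session(payload_sizes: List[int], host_mtu: int, path_mtu: int,
                     icmp_reaches_sender: bool) -> List[str]:
    """Send each payload as DF-set TCP segments sized by the host MTU; return per-segment outcomes."""
    mss = mss_for_mtu(host_mtu)
    outcomes = []
    for payload in payload_sizes:
        segment = min(payload, mss) + IP_HDR + TCP_HDR
        outcomes.append(send_segment(segment, True, path_mtu, icmp_reaches_sender))
    return outcomes


if __name__ == "__main__":
    path = 1500 - PPPOE_OVERHEAD                 # 1492, the value lrmoore suggests
    payloads = [300, 3000]                       # constructed: a small request, then a bulk transfer
    print("host MTU 1500, ICMP blocked:", simulate_session(payloads, 1500, path, False))
    print("host MTU 1500, ICMP passes :", simulate_session(payloads, 1500, path, True))
    print("host MTU 1492, ICMP blocked:", simulate_session(payloads, 1492, path, False))
```

The small payload gets through in every case; only the full-size segments hit the black hole, and lowering the endpoint MTU to 1492 (or letting the ICMP message through) is what clears it.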
LVL 79

Expert Comment

by:lrmoore
ID: 9774442
Are you still working on this? Can you update us with your status?

Thanks!
LVL 23

Expert Comment

by:Tim Holman
ID: 10906883
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question be:

 --> ACCEPT:lrmoore

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
tim_holman
EE Cleanup Volunteer