CISCO PIX 506 Unable to connect to secure websites

I have a Cisco PIX 506 and have only ever configured it with PDM. NAT is configured to the interface IP.
Users can access the web OK, but not secure sites.
Currently any TCP protocol is allowed out, but nothing is set from the outside in. I suspect I need to configure a path back to the user via the access screen, but when I try permitting, say, "https" back to any network etc., it makes no difference.
Guessing it might be something to do with the difference between PAT & NAT??

Some help would be very much appreciated...

Thanks
gcz asked:

lrmoore commented:
All outbound is permitted by default, along with the requisite replies, unless you put in a permit outbound.

Example:

No access-lists at all = everyone gets out, all protocols, and all replies

access-list outbound permit tcp any any eq 80
access-group outbound in interface inside

Now only http access from internal users. No https, no ftp, no ping, no traceroute, no telnet....

You'll have to post your complete config for review. Don't forget to change real IP addresses and passwords.


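To make the access-list behaviour in the answer above concrete, here is a small model of how the PIX evaluates a bound outbound ACL. This is an added example, not code from the thread or from Cisco: it parses "access-list" and "access-group" lines of the simple form used in the thread (source and destination "any", optional "eq <port>"), applies first-match semantics with the implicit deny at the end of a bound list, and treats "no ACL bound" as permit-everything. Address matching, established/reply handling and other ACE forms are deliberately not modelled.

```python
"""PIX-style outbound access-list evaluation (added example, not from the thread).

Models the rule described in the answer: with no access-group bound, the PIX
permits all outbound traffic (and the stateful replies); once an ACL is bound
inbound on the inside interface, only explicitly permitted entries pass and
everything else hits the implicit deny at the end of the list.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Only the ACE shape used in the thread is parsed: proto, 'any any', optional 'eq port'.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+any\s+any(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s*$")

# A few PIX port keywords, so 'eq www' / 'eq https' parse like numeric ports.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "telnet": 23}


@dataclass
class Flow:
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for protocols without ports


def parse_acl(config_lines):
    """Return {acl_name: [ace, ...]} preserving the order entries appear in."""
    acls = {}
    for line in config_lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # not an ACE, or a form this model does not cover
        ace = m.groupdict()
        if ace["port"] is not None:
            ace["port"] = int(ace["port"]) if ace["port"].isdigit() else PORT_NAMES[ace["port"]]
        acls.setdefault(ace["name"], []).append(ace)
    return acls


def bound_acl(config_lines, interface="inside"):
    """Name of the ACL applied 'in' on the given interface, or None if none is bound."""
    for line in config_lines:
        m = GROUP_RE.match(line.strip())
        if m and m.group(2) == interface:
            return m.group(1)
    return None


def outbound_permitted(config_lines, flow):
    """First-match evaluation with implicit deny; no bound ACL means everything passes."""
    name = bound_acl(config_lines)
    if name is None:
        return True  # the 'hidden' default outbound permit
    for ace in parse_acl(config_lines).get(name, []):
        proto_ok = ace["proto"] == "ip" or ace["proto"] == flow.proto
        port_ok = ace["port"] is None or ace["port"] == flow.dst_port
        if proto_ok and port_ok:
            return ace["action"] == "permit"
    return False  # implicit deny at the end of a bound access-list


# Constructed sample configurations (not the asker's real config).
NO_ACL = []
HTTP_ONLY = [
    "access-list outbound permit tcp any any eq 80",
    "access-group outbound in interface inside",
]
PERMIT_ALL = [
    "access-list inside_access_in permit tcp any any",
    "access-list inside_access_in permit ip any any",
    "access-group inside_access_in in interface inside",
]

if __name__ == "__main__":
    for label, cfg in (("no ACL", NO_ACL), ("http only", HTTP_ONLY), ("permit all", PERMIT_ALL)):
        for flow in (Flow("tcp", 80), Flow("tcp", 443), Flow("icmp")):
            print(f"{label:10s} {flow.proto}/{flow.dst_port}: {outbound_permitted(cfg, flow)}")
```

Running it shows the three cases from the answer: with no ACL bound, 80, 443 and ICMP all pass; with the http-only list only port 80 passes; with the asker's permit-all list everything passes again, which is why binding that list changes nothing.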
gcz (author) commented:
Thanks for the reply:-)

Here's the config...

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd **************** encrypted
hostname ******
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 119
names
name xxx.xxx.xxx.xxx Firewall
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside Firewall xxx.xxx.xxx.xxx
ip address inside xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip audit info action alarm drop
ip audit attack action alarm drop
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm location firewallname xxx.xxx.xxx.xxx outside
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm history enable
arp timeout 14400
global (outside) 2 xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx
global (outside) 1 interface
nat (inside) 1 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 0 0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server Group1 protocol tacacs+
http server enable
http xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
http xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
http xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
auth-prompt prompt enter key
auth-prompt accept key accepted
auth-prompt reject key refused
telnet xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:********************************
: end
lrmoore commented:
Remove this line
>access-group inside_access_in in interface inside

It is not necessary.
The access-list permits everything anyway. There is a "hidden" default outbound permit ip any any.

What is your upstream connection? Is it DSL? You might need to change the MTU setting on the outside interface.
Change
>mtu outside 1500
to
mtu outside 1492
If it makes no difference, or breaks anything else, change it back and try changing the MTU on the inside interface.
If it still does not make any difference, try changing the MTU on the client. http://www.dslreports.com/front/drtcp.html
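The MTU suggestion above is about path-MTU discovery, and the following added example (not code from the thread, and not a description of the PIX's actual forwarding code) models why the symptom looks like "plain web works, secure sites don't". Each hop in the constructed path has an MTU and a flag for whether its ICMP "fragmentation needed" message can reach the sender. A 1492-byte DSL link whose ICMP errors never get back is a PMTU black hole: short replies fit in one small packet and arrive, while full-size 1500-byte segments (such as a TLS handshake carrying a certificate chain) are silently dropped. Lowering the firewall's own outside MTU to 1492, or lowering the client's MTU/MSS as the DrTCP link does, are the two fixes shown; hop names, sizes and the 40-byte IPv4+TCP header figure are assumptions of the model.

```python
"""Model of path-MTU behaviour behind a 1492-byte DSL link (added example, not from the thread).

A Hop drops any DF-marked packet larger than its MTU. If its ICMP 'fragmentation
needed' can reach the sender, the sender learns a smaller MSS and retries; if
not, the packet vanishes (a PMTU black hole) and the transfer stalls.
"""
from dataclasses import dataclass

IP_TCP_HEADERS = 40  # IPv4 + TCP headers without options (model assumption)


@dataclass
class Hop:
    name: str
    mtu: int
    icmp_reaches_sender: bool = True


def send_segment(path, payload, mss):
    """Walk one DF-marked segment across the path.

    Returns (delivered, new_mss). new_mss is the MSS the sender should use after a
    reachable ICMP 'fragmentation needed'; it is None when the packet was either
    delivered or silently black-holed.
    """
    size = min(payload, mss) + IP_TCP_HEADERS
    for hop in path:
        if size <= hop.mtu:
            continue
        if hop.icmp_reaches_sender:
            return False, hop.mtu - IP_TCP_HEADERS
        return False, None  # dropped with no feedback: black hole
    return True, None


def transfer(path, payload, mss, max_retries=3):
    """Send with PMTUD: shrink the MSS on ICMP feedback, give up on a black hole."""
    attempts = 0
    while attempts <= max_retries:
        attempts += 1
        ok, new_mss = send_segment(path, payload, mss)
        if ok:
            return {"delivered": True, "mss": mss, "attempts": attempts}
        if new_mss is None:
            return {"delivered": False, "reason": "black hole", "mss": mss, "attempts": attempts}
        mss = new_mss
    return {"delivered": False, "reason": "retries exhausted", "mss": mss, "attempts": attempts}


# Constructed paths. The PPPoE hop filters ICMP back to the sender in both cases;
# the only difference is the firewall's own outside MTU.
DSL_BLACKHOLE = [
    Hop("pix-outside", 1500),
    Hop("pppoe-dsl", 1492, icmp_reaches_sender=False),
    Hop("isp-core", 1500),
]
PIX_MTU_1492 = [
    Hop("pix-outside", 1492),  # 'mtu outside 1492': the PIX itself reports the limit
    Hop("pppoe-dsl", 1492, icmp_reaches_sender=False),
    Hop("isp-core", 1500),
]

SMALL_HTTP_REPLY = 500    # bytes: fits in one sub-MTU packet
TLS_HANDSHAKE = 4000      # bytes: forces full-size segments
DEFAULT_MSS = 1460        # 1500-byte Ethernet MTU minus 40 bytes of headers
DRTCP_MSS = 1452          # client MTU lowered to 1492 by hand

if __name__ == "__main__":
    print("small reply, black hole :", transfer(DSL_BLACKHOLE, SMALL_HTTP_REPLY, DEFAULT_MSS))
    print("TLS handshake, black hole:", transfer(DSL_BLACKHOLE, TLS_HANDSHAKE, DEFAULT_MSS))
    print("TLS, pix mtu 1492        :", transfer(PIX_MTU_1492, TLS_HANDSHAKE, DEFAULT_MSS))
    print("TLS, client mss lowered  :", transfer(DSL_BLACKHOLE, TLS_HANDSHAKE, DRTCP_MSS))
```

The four runs map onto the thread: small HTTP pages get through the black hole unchanged, the large handshake does not, setting the firewall's outside MTU to 1492 lets the client learn an MSS of 1452 after one retry, and lowering the client MTU directly works on the first attempt. A real check on the client is to send DF-marked pings of increasing size towards the upstream and see where they stop being answered.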
lrmoore commented:
Are you still working on this? Can you update us with your status?

Thanks!
Tim Holman commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

 --> ACCEPT:lrmoore

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

 
tim_holman
EE Cleanup Volunteer