Solved

CISCO PIX 506 Unable to connect to secure websites

Posted on 2003-10-23
Last Modified: 2013-11-16
I have a Cisco PIX 506 and have only ever configured it with PDM. NAT configured to Interface IP.
Users can access the web OK but not secure sites.
Currently any TCP protocol is allowed out, but nothing is set from the outside in. I suspect I need to configure a path back to the user via the access screen. When I try permitting, say, "https" back to any network etc., it makes no difference.
Guessing it might be something to do with the difference between PAT & NAT?

Some help would be very much appreciated...

Thanks
Question by:gcz
LVL 79

Expert Comment

by:lrmoore
All outbound is permitted by default - along with the requisite replies, unless you put in a permit outbound.

Example:

No access-lists at all = everyone gets out, all protocols, and all replies

access-list outbound permit tcp any any eq 80
access-group outbound in interface inside

Now only http access from internal users. No https, no ftp, no ping, no traceroute, no telnet....

You'll have to post your complete config for review. Don't forget to change real IP addresses and passwords.

LVL 1

Author Comment

by:gcz
Thanks for the reply:-)

Here's the config...

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd **************** encrypted
hostname ******
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 119
names
name xxx.xxx.xxx.xxx Firewall
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside Firewall xxx.xxx.xxx.xxx
ip address inside xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip audit info action alarm drop
ip audit attack action alarm drop
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm location firewallname xxx.xxx.xxx.xxx outside
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm location xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
pdm history enable
arp timeout 14400
global (outside) 2 xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx
global (outside) 1 interface
nat (inside) 1 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 0 0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server Group1 protocol tacacs+
http server enable
http xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
http xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
http xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
auth-prompt prompt enter key
auth-prompt accept key accepted
auth-prompt reject key refused
telnet xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:********************************
: end
LVL 79

Accepted Solution

by: lrmoore (earned 125 total points)
Remove this line
>access-group inside_access_in in interface inside

It is not necessary.
The access-list permits everything anyway. There is a "hidden" default outbound permit ip any any.

What is your upstream connection? Is it DSL? You might need to change the MTU setting on the outside interface.
Change
>mtu outside 1500
to
mtu outside 1492
If it makes no difference, or breaks anything else, change it back and try changing the MTU on the INside interface.
If it still does not make any difference, try changing the MTU on the client. http://www.dslreports.com/front/drtcp.html
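Added example (not from this thread, and not Cisco's code): a small Python model of the outbound-filtering rule lrmoore states in his first comment, run against the access-list and access-group lines from the posted config and against his "http only" example, plus a check for the redundancy he points out in the accepted answer. It assumes only `access-list NAME permit|deny PROTO any any [eq PORT]` entries and a single inbound binding on the inside interface; the sample configs are constructed from the thread and the function names are mine.

```python
import re

# Constructed excerpts: the ACL and binding from the posted config, and
# lrmoore's "http only" example (protocol keyword added, as PIX syntax needs).
POSTED = """
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
"""
HTTP_ONLY = """
access-list outbound permit tcp any any eq 80
access-group outbound in interface inside
"""
ACE_RE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+(ip|tcp|udp|icmp)"
                    r"\s+any\s+any(?:\s+eq\s+(\S+))?$")
BIND_RE = re.compile(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "telnet": 23}

def parse(config):
    """Return ({acl: [(action, proto, port|None)]}, {interface: acl})."""
    acls, bindings = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, action, proto, port = m.groups()
            port = (PORT_NAMES.get(port) or int(port)) if port else None
            acls.setdefault(name, []).append((action, proto, port))
        elif m := BIND_RE.match(line):
            bindings[m.group(2)] = m.group(1)
    return acls, bindings

def outbound_permitted(config, proto, dport):
    """One new inside->outside connection, as lrmoore describes it: no ACL on
    inside = everything out; an ACL = first match wins, then implicit deny."""
    acls, bindings = parse(config)
    name = bindings.get("inside")
    if name is None:
        return True
    for action, p, port in acls.get(name, []):
        if p in ("ip", proto) and (port is None or port == dport):
            return action == "permit"
    return False

def inside_acl_is_redundant(config):
    """True when the bound inside ACL allows exactly what the default would
    (only permits, one of them permit ip any any): the accepted answer's point."""
    acls, bindings = parse(config)
    entries = acls.get(bindings.get("inside"), [])
    return (bool(entries) and all(a == "permit" for a, _, _ in entries)
            and ("permit", "ip", None) in entries)
```

Running `outbound_permitted(POSTED, "tcp", 443)` shows the posted ACL is not what blocks HTTPS, which is why the thread moves on to MTU.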
LVL 79

Expert Comment

by:lrmoore
Are you still working on this? Can you update us with your status?

Thanks!
LVL 23

Expert Comment

by:Tim Holman
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

 --> ACCEPT:lrmoore

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

 
tim_holman
EE Cleanup Volunteer