  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 640

Websites loading slow (if not at all) through PIX 501

I put in a PIX 501 at a client's office and now some websites are loading slowly, if not at all. For instance, ebay.com is loading extremely slowly. Some other websites, like parts of mapquest, aren't loading well either. And it appears to be affecting more than just one workstation, and it affects both Firefox and IE... Any suggestions? I'll paste the config.

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password KN3A75zFuR0Rm.a/ encrypted
passwd KN3A75zFuR0Rm.a/ encrypted
hostname pix1
domain-name pix1.growthgroupinc.internal
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out_in permit tcp any any
pager lines 24
icmp permit any echo outside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp set
ip address inside 10.8.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group out_in in interface outside
timeout xlate 0:05:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.8.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9c9e4bdd683dc077fa900cf41ded7e93

Asked by NickUA

1 Solution
lrmoore commented:
Change your ACL to "icmp" vs "tcp":

no access-list out_in permit tcp any any
access-list out_in permit icmp any any
access-group out_in in interface outside

Also, look at the result of "show interface" and look for error counts on the outside interface. You might need to change it from 10baset to auto.

NickUA (Author) commented:
Okay, I'll try it and get back to you; it will have to be tomorrow. Any other suggestions?

lrmoore commented:
Duplex mismatch on the outside interface is probably the #1 issue in slow performance.
#2 would be incorrect DNS settings.
#3 would be MTU issues. Possibly a DSL interface? Allowing ICMP unreachables lets Windows utilize Path MTU discovery and automagically adjust itself. Else, you can try changing the MTU of the outside interface to 1492.

NickUA (Author) commented:
But it's just on certain webpages, like ebay.com and some parts of mapquest. It's really strange: I take out the PIX and everything is fine. It's a Cox cable modem interface.

lrmoore commented:
Sounds just like an MTU problem, but I've never seen that on a cable connection, only DSL.
If there are no errors registering on the outside interface, I'd wager that simply allowing ICMP will solve it.

NickUA (Author) commented:
Okay, I'll make these changes tomorrow when I'm in front of the unit. I'll let you know. Thanks.

NickUA (Author) commented:
I changed the MTU to 1492, I changed the outside interface to auto, and I did the ACL config you wanted... ebay.com pulls up fairly nicely now on most of the computers; however, mapquest.com seems to be having issues while loading the images on its main page on all the computers here, and they're still saying "some of the computers are loading slow", but they have no website addresses other than the ones I told you about... Any other ideas?

lrmoore commented:
How many are we talking about here? Do they plug in directly to the 501, or is the 501 connected to another switch? I'd start looking at the switch interfaces for error counts pointing to duplex mismatches...

Try putting the MTU back to the default 1500. Just doing one thing at a time and evaluating the results makes it easier to troubleshoot.

Good luck!

NickUA (Author) commented:
I changed the MTU to 1492 and the connection just died. I changed it back to 1500 and it seems to be better... This is almost starting to seem like a server issue... I have them on a Windows domain, and the server (internal DNS server, as well as domain, DHCP, etc.) can hit webpages just fine; the clients behind it seem to be able to only halfway get webpages... It's strange.

NickUA (Author) commented:
Okay, I've narrowed it down: it must be a DNS issue somewhere... I put the Cox DNS servers on one of the machines rather than the IP of the internal DNS server, and everything works fine... I have the DNS forwarding set up correctly, I believe, no different than any other time I've done this network setup... It's weird too, because the machines can resolve, say, 75% of the domains, and the other 25% they can't get to at all... Any ideas?

lrmoore commented:
Are you using forwarders on the Windows box, or just using the root hints? I suggest you remove the forwarders and just use root hints.
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202&sd=tech#8

NickUA (Author) commented:
It's using forwarders right now, and all the other setups I've done always have. I'll remove the forwarders and see what happens.

NickUA (Author) commented:
If I take the forwarders out, nothing works at all... This is weird too: the workstations can resolve most of the domain names I throw at them now; however, the ones that still won't load aren't getting ping responses, even though using ping and nslookup they resolve names...

NickUA (Author) commented:
Found it. How obscure is this?! Check this out:

http://www.jsifaq.com/subN/tip6900/rh6967.htm

I found a "Cisco Specific Link" somewhere to fix this on the firewall, but the link was broken... Any clues for the Cisco-specific fix? This is a handy little bit of info.

lrmoore, you still get the points, man. Thanks for your help.

lrmoore commented:
Yep. You can change the max-length on the fixup:

 >fixup protocol dns maximum-length 512  <==

Or disable the fixup if you don't have a publicly accessible DNS server:

  no fixup protocol dns

NickUA (Author) commented:
Wasn't the issue something about the packets being bigger than 512? Would you want to do "fixup protocol dns maximum-length 1024" or something? If you disable it, what does that do? (I know it disables it, but what does the PIX do differently; is it less secure?)

lrmoore commented:
Yes, you can change the fixup to "fixup protocol dns maximum-length 1024".
As long as you don't have any DNS servers that are accessed by the general public, and you don't have a primary/secondary server outside the firewall that you need to do zone transfers with, the fixup probably isn't doing much anyway.
If you do have either situation, then the fixup is important to prevent DNS exploits.

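The root cause the thread lands on, the PIX DNS fixup dropping any DNS message longer than its configured maximum-length, as an added example that is not code from the thread or from Cisco. It builds DNS messages in wire format, models the fixup's length check, and reports whether a query carries an EDNS0 OPT record (RFC 2671). Tying the symptom to EDNS0 is an assumption here: the linked tip is not reproduced on the page, but a Windows DNS forwarder advertising a large UDP payload via EDNS0 is the commonly documented trigger for exactly this "most names resolve, some never do" behaviour. The hostname and 192.0.2.x addresses are constructed sample data.

```python
import struct


def _encode_name(name):
    """Encode a dotted hostname in DNS wire format (labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles 0xC0 pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, txid=0x1234, edns_payload=None):
    """Build a DNS A query. With edns_payload set, append an EDNS0 OPT RR whose
    CLASS field advertises that UDP payload size (RFC 2671)."""
    arcount = 1 if edns_payload else 0
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    msg = hdr + _encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    if edns_payload:
        # OPT RR: root name, TYPE 41, CLASS = payload size, TTL = 0, RDLENGTH = 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0, 0)
    return msg


def build_response(name, addresses, txid=0x1234):
    """Build a DNS response carrying one A record per address (uncompressed names)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR, RD, RA
    msg = hdr + _encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in addresses:
        rdata = bytes(int(octet) for octet in ip.split("."))
        msg += _encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return msg


def edns_payload_size(msg):
    """Return the UDP payload size advertised by an OPT RR in msg, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return None


def fixup_dns_allows(msg, max_length=512):
    """Model of 'fixup protocol dns maximum-length N' on the PIX: a UDP/53
    message longer than N bytes is dropped, regardless of its content."""
    return len(msg) <= max_length


def simulate(max_length):
    """Run the constructed query/response pair through the modelled fixup."""
    name = "www.example.com"                                   # constructed sample
    plain_query = build_query(name)
    edns_query = build_query(name, edns_payload=4096)          # what an EDNS0 resolver sends
    big_response = build_response(name, ["192.0.2.%d" % i for i in range(1, 25)])
    return {
        "plain_query": fixup_dns_allows(plain_query, max_length),
        "edns_query": fixup_dns_allows(edns_query, max_length),
        "edns_advertised": edns_payload_size(edns_query),
        "large_response": fixup_dns_allows(big_response, max_length),
        "large_response_len": len(big_response),
    }


if __name__ == "__main__":
    for limit in (512, 1024):
        print("maximum-length %d: %s" % (limit, simulate(limit)))
```

With maximum-length 512 the 44-byte EDNS0 query passes but the 777-byte constructed response is dropped: the query itself fits, yet it tells the upstream server it may answer with up to 4096 bytes, so only names with large answer sections fail while everything else resolves. Raising maximum-length to 1024 lets this response through, but is only a partial fix, since a resolver advertising 4096 can still draw replies above 1024; disabling the fixup removes the limit entirely along with whatever other checks the DNS fixup performs, which is the trade-off the last answer describes.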