Website access problem Pix ver 7

Posted on 2006-05-03
Medium Priority
Last Modified: 2008-01-09
After upgrading to version 7.1(2) today (from 6.3) we are having problems with
accessing some websites.

example on mail.yahoo.com you cannot delete or read mail.

Also when I attempted to post my config here it failed. I am remotely connected
to my home pc for this post.

Not sure if I have to tweak my MTU settings or if there may be another issue on ver 7.

: Saved
: Written by enable_15 at 03:28:07.880 CDT Wed May 3 2006
PIX Version 7.1(2)
hostname pixfirewall
domain-name PixFirewall
enable password  encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address 11.222.333.50
interface Ethernet1
 nameif inside
 security-level 100
 ip address
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/image.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name hiltoninc
same-security-traffic permit intra-interface
access-list PixFirewall_splitTunnelAcl extended permit ip any
access-list outside_cryptomap_dyn_20 extended permit ip any
access-list inside_outbound_nat0_acl extended permit ip any
access-list PixFirewall_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging console emergencies
logging asdm errors
mtu outside 1500
mtu inside 1500
ip local pool VPN
asdm image flash:/asdm-512.bin
asdm location inside
asdm location outside
asdm location inside
asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10
route outside 11.222.333.49 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy PixFirewall internal
group-policy PixFirewall attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PixFirewall_splitTunnelAcl
 default-domain value PixFirewall
group-policy PixFirewall internal
group-policy PixFirewall attributes
 wins-server value
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PixFirewall_splitTunnelAcl
 default-domain value PixFirewall
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) none
tunnel-group PixFirewall type ipsec-ra
tunnel-group PixFirewall general-attributes
 address-pool VPN
 default-group-policy PixFirewall
tunnel-group PixFirewall ipsec-attributes
 pre-shared-key hilton445866
telnet inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
: end
Question by:FPCS

Author Comment

ID: 16597651
Reply from Cisco that did fix this issue.

After reading the problem description included in the ticket, I understand that you are having trouble accessing some web sites. According to the description I think you are hitting a bug related to "inspect HTTP", and the workaround for it is to disable the inspect HTTP feature if you do not have an "http-map" linked to the http inspection command.

Here are the commands you should type to disable HTTP inspection:

policy-map global_policy
class inspection_default
no inspect http

Note: disabling "inspect http" should be considered a relatively benign configuration change as it only disables logging of URL GET requests.

Accepted Solution

lrmoore earned 2000 total points
ID: 16598805
There is another bug in 7.x that pertains to how PIX handles mss data and causes same symptoms.

This document explains it quite well and provides a different workaround.
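As an added example, not part of the original question or answers and not the document lrmoore referenced, the two workarounds placed in the context of the posted global_policy. The `no inspect http` lines are the commands from the Cisco reply above; the tcp-map section is an assumed illustration of the MSS-related fix that 7.x offers through `tcp-map` / `exceed-mss allow` (names `mss-map` and `mss-class` are made up here), and the `show` commands are there to verify the change and to watch for the MSS drop message.

```cisco
! --- Workaround 1 (the commands from the Cisco reply above) ---
! The posted global_policy has "inspect http" under inspection_default; remove it.
policy-map global_policy
 class inspection_default
  no inspect http

! --- Workaround 2 (assumed illustration of the MSS handling change in 7.x) ---
! From 7.0 on, the PIX drops TCP segments whose payload exceeds the MSS it
! advertised during the handshake (sysopt connection tcpmss, 1380 bytes by
! default) and logs %PIX-4-419001. A tcp-map tells it to allow those segments.
tcp-map mss-map
 exceed-mss allow
!
! mss-class is a constructed name: match all traffic so the option is global.
class-map mss-class
 match any
!
policy-map global_policy
 class mss-class
  set connection advanced-options mss-map
!
! --- Verification ---
! Confirm which inspections and connection options are now applied globally.
show running-config policy-map
show service-policy
! While reproducing the site problem, check whether 419001 drops are logged.
show logging | include 419001
```

Apply one workaround at a time so you can tell which of the two bugs you are hitting: if the site starts working after `no inspect http` alone, the HTTP inspection bug is the cause; if 419001 messages appear in the log and the tcp-map fixes it, it is the MSS issue. One unrelated point worth taking from the posted config: it contains the tunnel-group pre-shared key and the default SNMP community in cleartext, so scrub those lines before pasting a configuration into a public forum.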

