Hi Team,
Does PIX perform any higher-layer packet inspection by default to block "*.exe" in URLs? I have a web site,
http://jr.chemwatch.net/chemgold3/, that includes some executables in its code. You can also check by going into View -> Source.
I have allowed my server full access to the internet through the PIX and it can go to any site on the internet, except the site above. Checking the debugs indicates the packet reset is from Inside, and I suspect that it could be due to the PIX blocking ".exe" in URLs.
Can anyone please assist with how we enable this in PIX? It is somewhere in Traffic Class Inspection perhaps, but how to enable it? I wonder if someone can assist.
Below is the config from the PIX. It is a sanitised config and may not show the NAT and ACL, but the server has complete access to the internet through the ACL.
--------------------------------------------------------------------
interface Ethernet0
description Outside Interface
nameif Outside
security-level 0
ip address a.a.a.a 255.255.255.248
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address b.b.b.253 255.255.255.0
!
no ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns retries 2
dns timeout 2
dns domain-lookup inside
dns name-server FS
dns name-server MA
same-security-traffic permit intra-interface
object-group service FTP tcp
port-object eq ftp-data
port-object eq ftp
object-group network Name_Servers
network-object FS 255.255.255.255
network-object MA 255.255.255.255
no pager
logging enable
logging console critical
logging buffered critical
logging trap warnings
logging asdm critical
logging mail notifications
logging flash-bufferwrap
mtu Outside 1500
mtu inside 1500
ip verify reverse-path interface Outside
monitor-interface Outside
monitor-interface inside
icmp permit any Outside
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
rip inside passive version 2
rip inside default version 2
route Outside 0.0.0.0 0.0.0.0 a.a.a.57 1
route inside 10.10.10.0 255.255.255.0 b.b.b.254 1
route inside 10.102.101.0 255.255.255.0 b.b.b.254 1
route inside 10.201.1.0 255.255.255.0 b.b.b.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Radius protocol radius
aaa-server Radius host FS
key secretkey
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp enable
re-xauth enable
group-lock value DefaultRAGroup
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
http 0.0.0.0 0.0.0.0 inside
snmp-server enable traps snmp
telnet ABCD_Net 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh ABCD_Net 255.255.255.0 inside
ssh timeout 5
console timeout 0
no tunnel-group-map enable ike-id
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server c.c.c.c source Outside prefer
ssl encryption des-sha1 rc4-md5
smtp-server b.b.b.21
management-access inside
--------------------------------------------------------------------
Thanks Team,
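The posted global_policy contains no "inspect http" line, so no HTTP application-layer inspection is applied by it. As an added example (not from the original post), this is how a PIX/ASA 7.x HTTP inspection policy that matches ".exe" in request URIs would be written; the names exe_uri, exe_uri_class, http_exe_class and http_exe_policy are assumed.

```cisco
! Added example, not part of the original post. Object names are assumed.
!
! Case-insensitive regex for ".exe" anywhere in the request URI
regex exe_uri "\.[Ee][Xx][Ee]"
!
class-map type regex match-any exe_uri_class
 match regex exe_uri
!
! HTTP inspection class: requests whose URI matches the regex class
class-map type inspect http match-all http_exe_class
 match request uri regex class exe_uri_class
!
! HTTP inspection policy: log matches first to confirm what is caught;
! change "log" to "drop-connection log" once the matches look right
policy-map type inspect http http_exe_policy
 parameters
  protocol-violation action drop-connection log
 class http_exe_class
  log
!
! Attach it to the existing global_policy next to the other inspect lines
policy-map global_policy
 class inspection_default
  inspect http http_exe_policy
```

Whether the policy is active and counting matches can be checked with "show service-policy inspect http"; the log action writes a syslog entry per matching request so the effect can be observed before any connections are dropped.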