tariqmansoor asked:
Issue ".Exe" in URL through PIX Firewall

Hi Team,
Does PIX perform any higher-layer packet inspection by default to block "*.exe" in URLs? I have a web site http://jr.chemwatch.net/chemgold3/ that includes some executables in its code. You can also check by going into View -> Source.
I have allowed my server full access to the internet through PIX and it can go to any site on the internet, except the site above. Checking the debugs indicates the packet reset is from Inside, and I suspect that it could be due to PIX blocking ".exe" in URLs.
Can anyone please assist with how we enable this in PIX? It is somewhere in Traffic Class Inspection perhaps, but how to enable it? I wonder if someone can assist.
Below is the config from PIX. It is a sanitised config and may not show NAT and ACL, but the server has complete access to the internet through the ACL.
--------------------------------------------------------------------
interface Ethernet0
 description Outside Interface
 nameif Outside
 security-level 0
 ip address a.a.a.a 255.255.255.248
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address b.b.b.253 255.255.255.0
!

no ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns retries 2
dns timeout 2
dns domain-lookup inside
dns name-server FS
dns name-server MA
same-security-traffic permit intra-interface
object-group service FTP tcp
 port-object eq ftp-data
 port-object eq ftp
object-group network Name_Servers
 network-object FS 255.255.255.255
 network-object MA 255.255.255.255
no pager
logging enable
logging console critical
logging buffered critical
logging trap warnings
logging asdm critical
logging mail notifications
logging flash-bufferwrap
mtu Outside 1500
mtu inside 1500
ip verify reverse-path interface Outside
monitor-interface Outside
monitor-interface inside
icmp permit any Outside
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
rip inside passive version 2
rip inside default version 2
route Outside 0.0.0.0 0.0.0.0 a.a.a.57 1
route inside 10.10.10.0 255.255.255.0 b.b.b.254 1
route inside 10.102.101.0 255.255.255.0 b.b.b.254 1
route inside 10.201.1.0 255.255.255.0 b.b.b.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Radius protocol radius
aaa-server Radius host FS
 key secretkey
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp enable
 re-xauth enable
 group-lock value DefaultRAGroup
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
http 0.0.0.0 0.0.0.0 inside
snmp-server enable traps snmp

telnet ABCD_Net 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh ABCD_Net 255.255.255.0 inside
ssh timeout 5
console timeout 0
no tunnel-group-map enable ike-id
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server c.c.c.c source Outside prefer
ssl encryption des-sha1 rc4-md5
smtp-server b.b.b.21
management-access inside
--------------------------------------

Thanks Team,
ASKER CERTIFIED SOLUTION
debuggerau
This solution is only available to members.
oops,
BTW, I have a similar config and the page loads for me; obviously I can't log in though..
tariqmansoor (ASKER):
The reason we are focusing on PIX is that the entire inside network (LAN) is unable to load this page,
and some workstations, if they go directly to the internet, can load the webpage, but cannot load it if they go through PIX.
Hi, I also checked the doco you suggested: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
This shows how to include URLs for blocking in PIX / ASA.
In my case the URL DOES get loaded; it just does not load completely and does not provide the login box, and that is due to the executable in the website code.
The question is whether PIX checks for any executable in HTTP packets? If yes, is there any way to allow that?

Thanks,
tariq, are you using ISA on your LAN as a proxy or firewall? If it's operating as a proxy (1 interface) then you might want to NAT your IP directly on your NAT device... the router, my guess..

and see how it goes

-simo

We were using ISA as a proxy, but for testing have BYPASSED ISA completely.

I have bypassed ISA and now the server we are trying can directly go to the internet through the PIX firewall.

NAT and ACL work correctly and the server can go to the whole internet except that website containing ".exe" in the JavaScript of the code.

DOES PIX check for any ".exe" kind of things in HTTP packets? If yes, how do we configure it to ignore such INSPECTION?

Thanks in advance.
Other issues can cause the pages not to load; an MTU size mismatch on the PIX, router, or workstations is one example..
Did you try bypassing the pix to test?

And while your config doesn't describe any such matches, unless they are excluded in your dump, it shouldn't be filtering exes..

And while the page does have a reference to an exe, it is a server side request and not run locally..
I completely agree with debuggerau; try bypassing the PIX, and NAT your server on the router through a separate physical connection if you can.

Have you tried opening the link from another server/workstation?

-simo
Hi Guys,
Sorry for the delay, but tomorrow I am going to test the server with a direct internet connection. It was a bit of a struggle to get a separate internet link for testing.
But in the meantime I was just wondering if it could be related to MTU size at all? i.e. the MTU size at PIX stopping the website from loading. Is there any way to set an adjustable MTU size on PIX without breaking anything?
Thanks,
Hi debuggerau and Simo471,
I have tried bypassing PIX with the same server and was able to load the page with the logon prompt.

Tried with PIX and could not load the page with the logon prompt.

Any thoughts on MTU? Or any other thoughts...
ok, check the router MTU settings and ensure they are matched on the PIX.

The MTU setting change will reset that interface, only briefly, but you might not want to do this during production time..

I usually only change the outside interface, allowing the PIX to repackage the frames for the clients, which I leave as standard..
Say, for instance, you have an ADSL PPPoA connection; you might want to have something like this:
mtu outside 1400
mtu inside 1500

It is an Internet through Ethernet Service, and MTU is already set as
mtu Outside 1500
mtu inside 1500

I also checked on another ASA with the same MTU size and was able to load the web site. I have run out of ideas and am only thinking that upgrading the IOS would fix this? Currently it is running 7.(02).
I can further send you the current running config and the debug messages that I get with this web site; those debug messages suggest that the packet is getting reset from the Inside interface.
Debug message was:
302014: Teardown TCP connection xxxxxx for outside 129.1.2.226/80 to inside FS/xxxx duration 0:00:26 bytes 5883 TCP Reset-I

SOLUTION
This solution is only available to members.
Thanks, I will send you more debugs, but can you please tell me how to disable the IDS function in PIX and how to check if it is enabled already?

Also, can this command, as you suggested, safely be applied to PIX, and won't it disrupt its operation?
"ip verify reverse-path interface Outside" Thanks for your help so far!!
That should be in your service-policy:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008085283d.shtml

And while it did not disrupt my system, I always recommend that it may..
Hi Debuggerau,

Sorry but I did not have any luck so far. :(
I did add the traffic inspection policy, which is fixup protocol http in PIX, and that did not solve the problem.
I am looking at fixing this issue without having to upgrade the IOS and swapping the PIX with another one.

I also checked the MTU size of the website with the -f and -l switches, and the MTU size behaviour was exactly like other websites when compared.
I get the below debugs; maybe they can help you identify the issue. 98.129.12.226 is the IP address of the culprit website http://jr.chemwatch.net/chemgold3/
and FS1 is the inside server that has access to everything on the planet but this web site.

6|Dec 14 2009 10:38:01|302014: Teardown TCP connection 252298 for Outside:98.129.12.226/80 to inside:FS1/38849 duration 0:01:15 bytes 37140 TCP Reset-I
6|Dec 14 2009 10:37:45|302013: Built outbound TCP connection 252629 for Outside:98.129.12.226/80 (98.129.12.226/80) to inside:FS1/38905 (EXT_IA/1033)

Can you please help fix this in the light of the above.
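The two PIX syslog lines in the post above are the only evidence the asker has, so here is a small parser, added for this write-up and not part of the thread or of any Cisco tooling, that classifies 302014 teardown reasons and counts per remote host how many sessions ended with a RST sent from the inside (the "TCP Reset-I" pattern being chased here). The Reset-I/Reset-O meanings follow Cisco's documented 302014 reasons; the first two log lines are the ones posted, the last two are constructed for contrast.

```python
import re
from collections import defaultdict

# Shape of the %PIX-6-302014 lines posted in the thread: "prio|timestamp|302014: Teardown ...".
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<if1>\w+):(?P<h1>[\w.-]+)/(?P<p1>\d+) to (?P<if2>\w+):(?P<h2>[\w.-]+)/(?P<p2>\d+) "
    r"duration (?P<hh>\d+):(?P<mm>\d+):(?P<ss>\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
# 302014 teardown reasons that name which side of the PIX sent the RST.
RESET_SIDE = {"TCP Reset-I": "inside", "TCP Reset-O": "outside"}

def parse_teardown(line):
    """Parse one 302014 line; returns None for any other message (e.g. 302013 Built)."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    outside_first = d["if1"].lower() == "outside"  # peer is on whichever side is Outside
    reason = d["reason"].strip()
    return {
        "conn": int(d["conn"]),
        "remote": d["h1"] if outside_first else d["h2"],
        "inside_host": d["h2"] if outside_first else d["h1"],
        "duration_s": int(d["hh"]) * 3600 + int(d["mm"]) * 60 + int(d["ss"]),
        "bytes": int(d["bytes"]),
        "reason": reason,
        "reset_from": RESET_SIDE.get(reason),  # None for FINs, timeouts, etc.
    }

def reset_summary(lines):
    """Per remote host: teardown count and how many ended with a RST from inside."""
    stats = defaultdict(lambda: {"teardowns": 0, "reset_inside": 0})
    for rec in filter(None, map(parse_teardown, lines)):
        stats[rec["remote"]]["teardowns"] += 1
        stats[rec["remote"]]["reset_inside"] += int(rec["reset_from"] == "inside")
    return dict(stats)

# First two lines are the ones posted above; the last two are constructed for contrast.
SAMPLE_LOG = [
    "6|Dec 14 2009 10:38:01|302014: Teardown TCP connection 252298 for Outside:98.129.12.226/80 to inside:FS1/38849 duration 0:01:15 bytes 37140 TCP Reset-I",
    "6|Dec 14 2009 10:37:45|302013: Built outbound TCP connection 252629 for Outside:98.129.12.226/80 (98.129.12.226/80) to inside:FS1/38905 (EXT_IA/1033)",
    "6|Dec 14 2009 10:39:10|302014: Teardown TCP connection 252700 for Outside:198.51.100.7/80 to inside:FS1/38950 duration 0:00:05 bytes 9120 TCP FINs",
    "6|Dec 14 2009 10:39:30|302014: Teardown TCP connection 252710 for Outside:203.0.113.9/443 to inside:FS1/38960 duration 0:00:02 bytes 512 TCP Reset-O",
]

if __name__ == "__main__":
    for host, s in reset_summary(SAMPLE_LOG).items():
        print(f"{host}: {s['reset_inside']}/{s['teardowns']} teardowns were RST from inside")
```

A host whose sessions all end in Reset-I after tens of kilobytes, as the posted line does, points at the inside host (or something in its path) giving up, not at the firewall dropping the SYN.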
SOLUTION
This solution is only available to members.
Hi debuggerau,
I have tried capturing stats using smsniff and I am attaching the file with the results from smsniff.
The reason it is not a client issue is that I had tested the same server with a direct internet connection and it was able to load the web page fine,
and it only happens when the server goes through PIX.
I also tried capturing the debugs, but only get the above entries in the debugs that I already sent you.
-------------------------------------------------
HTTP/1.1 200 OK
Content-Length: 1670
Content-Type: text/html
Content-Location: http://jr.chemwatch.net/chemgold3/Default.htm
Last-Modified: Wed, 17 Dec 2008 08:35:42 GMT
Accept-Ranges: bytes
ETag: "08353722260c91:11965"
Server: Microsoft-IIS/6.0
From: JR
X-Powered-By: ASP.NET
Date: Mon, 14 Dec 2009 01:30:14 GMT

The rest is in the attached file
------------------------------------------------------------------
Attachment: Server-smsniff-results.txt
Hi Debuggerau,

I had installed Wireshark too on the server, and attached is the screenshot of the capture that might help you to determine what is causing the issue. It shows that the checksum in the IP header is not correct.
But please do note that the same server could go to this website OK bypassing PIX, and it only has the problem with PIX. I think with this capture screenshot we should be very close to the cause and resolution of the issue.
In a previous update from me, I have also provided stats from smsniff.
Looking forward to an update from you.

Regards,
Attachment: FSCapture.JPG
Thanks for your help throughout!!! But it was one of those weird ones..
The new PIX with the latest IOS also had the same issue, and it turned out that the particular IP (of the service provider) we were using at the PIX outside interface was the cause of the problem.
We plugged our laptop directly into the internet port and could browse the inet but not that web site.
Either the public IP or the switch port of the service provider was the cause of the issue.
Have escalated it with the service provider..

Thanks,