Issue: ".Exe" in URL through PIX Firewall

Asked by tariqmansoor
721 Views
Last Modified: 2012-05-08
Hi Team,
Does PIX perform any higher-layer packet inspection by default to block "*.exe" in URLs? I have a web site http://jr.chemwatch.net/chemgold3/ that includes some executables in its code. You can also check by going into View -> Source.
I have allowed my server full access to the internet through the PIX and it can go to any site on the internet, except the site above. Checking the debugs indicates the packet reset is from Inside, and I suspect that it could be due to the PIX blocking ".exe" in URLs.
Can anyone please assist with how we enable this in the PIX? It is somewhere in Traffic Class Inspection perhaps, but how to enable it? I wonder if someone can assist.
Below is the config from the PIX. It is a sanitised config, so it may not show NAT and ACLs, but the server has complete access to the internet through the ACL.
--------------------------------------------------------------------
interface Ethernet0
 description Outside Interface
 nameif Outside
 security-level 0
 ip address a.a.a.a 255.255.255.248
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address b.b.b.253 255.255.255.0
!

no ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns retries 2
dns timeout 2
dns domain-lookup inside
dns name-server FS
dns name-server MA
same-security-traffic permit intra-interface
object-group service FTP tcp
 port-object eq ftp-data
 port-object eq ftp
object-group network Name_Servers
 network-object FS 255.255.255.255
 network-object MA 255.255.255.255
no pager
logging enable
logging console critical
logging buffered critical
logging trap warnings
logging asdm critical
logging mail notifications
logging flash-bufferwrap
mtu Outside 1500
mtu inside 1500
ip verify reverse-path interface Outside
monitor-interface Outside
monitor-interface inside
icmp permit any Outside
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
rip inside passive version 2
rip inside default version 2
route Outside 0.0.0.0 0.0.0.0 a.a.a.57 1
route inside 10.10.10.0 255.255.255.0 b.b.b.254 1
route inside 10.102.101.0 255.255.255.0 b.b.b.254 1
route inside 10.201.1.0 255.255.255.0 b.b.b.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Radius protocol radius
aaa-server Radius host FS
 key secretkey
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp enable
 re-xauth enable
 group-lock value DefaultRAGroup
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
http 0.0.0.0 0.0.0.0 inside
snmp-server enable traps snmp

telnet ABCD_Net 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh ABCD_Net 255.255.255.0 inside
ssh timeout 5
console timeout 0
no tunnel-group-map enable ike-id
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server c.c.c.c source Outside prefer
ssl encryption des-sha1 rc4-md5
smtp-server b.b.b.21
management-access inside
--------------------------------------

Thanks Team,
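A check a practitioner would run before assuming the PIX is filtering ".exe" URLs: confirm whether HTTP application inspection is actually configured. On PIX 7.x / ASA, HTTP inspection is enabled with an `inspect http` statement under a class in an applied policy-map; it is not part of the default inspection set. The Python script below is an added example (not from the original post and not Cisco code) that parses the policy-map section of a running-config in the format shown above and reports, per applied policy-map class, which `inspect` statements are present. The sample config embedded in it is the `class-map`/`policy-map`/`service-policy` portion of the posted config; everything else about the script (function names, the simple indentation-based parser) is my own assumption about how to read this text format.

```python
"""Audit which application inspections a PIX/ASA-style policy-map enables.

Added example, not part of the original post. It parses the running-config
text format shown on the page (policy-map / class / inspect lines) and
reports, per policy-map class, the inspect statements present, so you can
confirm whether 'inspect http' (HTTP application inspection) is enabled.
"""
import re

# Sample input: the policy-map section copied from the posted config, plus
# the service-policy line that applies it (constructed for this example).
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
"""


def parse_inspections(config_text):
    """Return {policy_map: {class_name: [inspected protocol, ...]}}.

    Indentation is significant in this format: a non-indented 'policy-map'
    line opens a block, a ' class' line opens a class inside it, and
    '  inspect' lines belong to that class. A '!' line closes the block.
    Lines such as 'policy-map type inspect http ...' (Layer 7 maps) are
    deliberately skipped; only Layer 3/4 policy-maps are collected.
    """
    result = {}
    current_pm = None
    current_class = None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped == "!":
            current_pm = current_class = None  # '!' terminates the block
            continue
        if not raw.startswith(" "):
            m = re.match(r"policy-map (\S+)$", stripped)
            current_pm = m.group(1) if m else None
            current_class = None
            if current_pm:
                result.setdefault(current_pm, {})
            continue
        if current_pm is None:
            continue  # indented line outside any policy-map (e.g. class-map)
        if stripped.startswith("class "):
            current_class = stripped.split(None, 1)[1]
            result[current_pm].setdefault(current_class, [])
        elif stripped.startswith("inspect ") and current_class:
            # 'inspect dns maximum-length 512' -> protocol 'dns'
            result[current_pm][current_class].append(stripped.split()[1])
    return result


def applied_policies(config_text):
    """Return {policy_map: scope} from 'service-policy <name> global|interface <if>'."""
    scopes = {}
    for line in config_text.splitlines():
        m = re.match(r"service-policy (\S+) (global|interface \S+)$", line.strip())
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def http_inspection_enabled(config_text):
    """True only if an *applied* policy-map has a class containing 'inspect http'."""
    policies = parse_inspections(config_text)
    applied = applied_policies(config_text)
    return any(
        "http" in protos
        for pm, classes in policies.items() if pm in applied
        for protos in classes.values()
    )


if __name__ == "__main__":
    for pm, classes in parse_inspections(SAMPLE_CONFIG).items():
        for cls, protos in classes.items():
            print(f"{pm} / {cls}: {', '.join(protos)}")
    print("HTTP inspection enabled:", http_inspection_enabled(SAMPLE_CONFIG))
```

Run against the posted config, the script lists the fourteen inspections under `global_policy / inspection_default` and reports that no applied policy contains `inspect http`, which is the first thing to establish when deciding whether the firewall's application inspection can be responsible for a reset on HTTP traffic.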