Solved

PIX 506e - unable to browse internet

Posted on 2010-09-22
17
464 Views
Last Modified: 2012-05-10
Having a small problem with my PIX and looking for a quick resolution :)

I am able to ping devices on the inside and outside, i.e. I can ping 10.10.11.21 and google.com respectively.

But when I am on the server I cannot get out to the internet.

Please help.
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
hostname Vinduvin
domain-name vinduvin.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type icmp-grp
  description ICMP Types allowed into the PIX
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded
access-list outside_in permit icmp any any object-group icmp-grp
access-list inside_in deny ip any any
access-list inside_in deny icmp any any
access-list outside_access_in remark
access-list outside_access_in permit tcp any host 70.182.183.129 eq 3389
access-list outside_access_in remark
access-list outside_access_in permit tcp any host 70.182.183.130 eq 3389
access-list outside_access_in remark
access-list outside_access_in permit tcp any host 70.182.183.131 eq 3389
access-list outside_access_in permit tcp any host 70.182.183.131 eq smtp
access-list outside_access_in permit tcp any host 70.182.183.131 eq www
access-list outside_access_in permit tcp any host 70.182.183.131 eq https
access-list outside_access_in permit tcp any host 70.182.183.131 eq 6001
access-list outside_access_in permit tcp any host 70.182.183.131 eq 6002
access-list outside_access_in permit tcp any host 70.182.183.131 eq 6003
access-list inside_access_in permit tcp interface inside interface outside
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 70.182.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action
ip audit attack action
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location 70.182.183.128 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 70.182.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 smtp 10.10.11.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 www 10.10.11.23 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 https 10.10.11.23 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 6001 10.10.11.23 6001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 6002 10.10.11.23 6002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 6003 10.10.11.23 6003 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 70.182.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 70.182.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 70.182.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:6b5a89c2dbddf5787b68dfcf9615cac7
: end
[OK]

Question by:johnkesoglou

17 Comments
 
LVL 16

Expert Comment

by:InteraX
ID: 33739141
You only have one ACE on the inside

access-list inside_access_in permit tcp interface inside interface outside

Is DNS resolving?

Try adding the following?

access-list inside_access_in permit udp host <dns server ip> any 53
access-list inside_access_in permit tcp any any 80
access-list inside_access_in permit tcp any any 443

This should then allow the basic protocols to allow DNS resolution and access to http & https
0
 

Author Comment

by:johnkesoglou
ID: 33739202
I receive the following error when I enter the first line.


PIX(config)# access-list inside_access_in permit udp host 68.6.16.30 any $
ERROR: extra command argument(s)
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
PIX(config)#






0
 
LVL 16

Expert Comment

by:InteraX
ID: 33739266
Are you using an internal or external DNS server for your hosts/servers?
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33739297
Try changing the first line to

access-list inside_access_in permit udp host any any 53
0
 

Author Comment

by:johnkesoglou
ID: 33739382
Sorry - no go.

Is there anything else I should remove? This is a fairly new build and it will have no impact.

thanks again

John
0
 
LVL 19

Accepted Solution

by:
nodisco earned 250 total points
ID: 33740190
hey

You are not using your inside-in ACL for anything in particular, and ICMP is already allowed from the outside in.

If you want to block egress connections, you can create an inside-in ACL and apply it to the inside interface of the PIX stipulating what you want to block and allow. Remove the ACL group on inside as it's not doing anything for you at present:

no access-group inside_access_in in interface inside


hth
0
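The two replies above turn on what the single ACE bound to the inside interface actually matches. As an added example that is not part of the thread, here is a first-match evaluator for the subset of PIX 6.3 access-list syntax used on this page. It encodes two facts: an ACL applied with `access-group ... in interface` is evaluated top-down and anything matching no ACE is dropped (implicit deny), and `interface <name>` in an ACE stands for that interface's own address. The interface addresses and the original ACE are taken from the posted config; the "fixed" ACEs are the three suggested ones written with the `eq` that the PIX grammar requires (the `ERROR: extra command argument(s)` above is the bare `53` with no `eq`); the packets and the 203.0.113.10 destination are constructed test traffic.

```python
"""Minimal first-match evaluator for the PIX 6.3 ACL subset used on this page.
Added example, not code from the thread."""
import ipaddress

# Interface addresses from the posted config.
IFACE_ADDR = {"inside": "10.10.11.1", "outside": "70.182.140.119"}
# Service names the PIX accepts in place of port numbers (subset).
SERVICE_PORTS = {"www": 80, "https": 443, "smtp": 25, "domain": 53}


def _parse_addr(tokens):
    """Consume one address spec: any | host A | interface IF | NET MASK."""
    t = tokens[0]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if t == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if t == "interface":
        # 'interface inside' means the PIX's own inside address, not the subnet.
        return ipaddress.ip_network(IFACE_ADDR[tokens[1]] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{t}/{tokens[1]}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port|service>' qualifier."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else SERVICE_PORTS[p]), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse 'access-list <id> permit|deny <proto> <src> [eq p] <dst> [eq p]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _parse_addr(tok[4:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    if rest:
        # A bare port with no 'eq' is what the PIX rejected above.
        raise ValueError(f"extra command argument(s): {' '.join(rest)}")
    return {"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Verdict for one packet: first matching ACE wins, else implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in (proto, "ip"):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


# The one ACE from the posted config, as bound to the inside interface.
ORIGINAL_INSIDE_ACL = [parse_ace(
    "access-list inside_access_in permit tcp interface inside interface outside")]

# The suggested ACEs, written with the 'eq' the PIX grammar requires.
FIXED_INSIDE_ACL = [parse_ace(l) for l in (
    "access-list inside_access_in permit udp any any eq 53",
    "access-list inside_access_in permit tcp any any eq 80",
    "access-list inside_access_in permit tcp any any eq 443",
)]

# Constructed traffic from the 10.10.11.23 server: DNS, HTTPS and SSH egress.
PACKETS = [("udp", "10.10.11.23", "68.6.16.30", 53),
           ("tcp", "10.10.11.23", "203.0.113.10", 443),
           ("tcp", "10.10.11.23", "203.0.113.10", 22)]


def egress_results(acl):
    """Map each constructed packet to the ACL verdict."""
    return {f"{p}/{s}->{d}:{port}": evaluate(acl, p, s, d, port)
            for p, s, d, port in PACKETS}


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_INSIDE_ACL), ("fixed", FIXED_INSIDE_ACL)):
        print(name, egress_results(acl))
```

Run against the original ACL every server packet comes back `deny`: the only ACE matches source 10.10.11.1 (the PIX's own inside address) to destination 70.182.140.119, so nothing sourced from a LAN host matches and the implicit deny takes it. Against the fixed ACL, DNS and HTTPS are permitted and SSH is still denied, which is the egress-filtering behaviour the second reply describes. If the goal is to filter egress, keep an explicit ACL like the fixed one and count on the implicit deny; if it is not, leave the inside interface without an access-group and the PIX permits high-to-low traffic by default.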
 

Author Comment

by:johnkesoglou
ID: 33740970
nodisco

saw that too and removed it already....but thanks!
0
 
LVL 19

Expert Comment

by:nodisco
ID: 33740981
can you post an updated config?

Just to clarify - you can ping outside and resolve DNS but cannot browse from your server?
Can you browse from other machines - what ip address is your server?
0
 

Author Comment

by:johnkesoglou
ID: 33741031
Yes, I can ping from the PIX out, but my servers are unable to browse out.

So from the PIX, I can ping the inside.

From the PIX I can ping the outside.

And now it appears to be working! Crazy stuff.

Let's wait a day.
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
hostname Vinduvin
domain-name vinduvin.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type icmp-grp
  description ICMP Types allowed into the PIX
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded
access-list outside_access_in remark
access-list outside_access_in permit tcp any host xxx.xxx.183.129 eq 3389
access-list outside_access_in remark
access-list outside_access_in permit tcp any host xxx.xxx.183.130 eq 3389
access-list outside_access_in remark
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 3389
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq smtp
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq www
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq https
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6001
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6002
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6003
access-list inside_access_in permit tcp interface inside interface outside
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action
ip audit attack action
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location xxx.xxx.183.128 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 smtp 10.10.11.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 www 10.10.11.23 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 https 10.10.11.23 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 6001 10.10.11.23 6001 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 6002 10.10.11.23 6002 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 6003 10.10.11.23 6003 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:58239142cc03def6607fbce0fc4659e1
: end
[OK]

0
 
LVL 19

Expert Comment

by:nodisco
ID: 33741063
To show the NAT translations going through the firewall, type sh xlate

As an fyi

I would remove
http 0.0.0.0 0.0.0.0 outside
and
telnet 0.0.0.0 0.0.0.0 outside

Just to maintain security

cheers
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33741841
With the current config, everything originating from the inside should be able to reach the outside. You also have DNS & HTTP application inspection enabled.

Have you tried checking the real-time logs in ASDM or via a syslog server to see what might be going wrong? Unless you need to manage the firewall from the outside LAN, I would also remove the following.

telnet xxx.xxx.140.0 255.255.255.0 outside
http xxx.xxx.140.0 255.255.255.0 outside

Also on the same note, I would recommend enabling management via SSH and removing telnet, as telnet is unencrypted. HTTP management will automatically redirect to an HTTPS session.
0
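The last two replies both point at the same set of lines in the posted config: telnet and HTTP management open to any source on the outside interface, the default SNMP community, and telnet where SSH should be. As an added example that is not code from the thread, the script below runs a small audit over those lines and over an assumed hardened replacement. The CONFIG lines are copied from the posted config (public prefix masked as on the page); the HARDENED lines, including the placeholder community string, are an assumption of what the replies recommend, not something the thread posted.

```python
"""Audit of the management-plane lines in the posted PIX 6.3 config.
Added example, not code from the thread."""
import re

# Copied from the posted running config (public prefix masked as on the page).
CONFIG = """\
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
snmp-server community public
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
""".splitlines()

# Assumed hardened replacement (not from the thread): management only from
# the inside LAN, over SSH/HTTPS, with the default community replaced by a
# placeholder value.
HARDENED = """\
http server enable
http 10.10.11.0 255.255.255.0 inside
ssh 10.10.11.0 255.255.255.0 inside
ssh timeout 5
snmp-server community example-readonly-string
""".splitlines()

# '<telnet|http|ssh> <addr> <mask> <iface>' access lines. The 'telnet timeout'
# and 'ssh timeout' lines have a different shape and do not match.
MGMT_RE = re.compile(r"^(telnet|http|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")
DEFAULT_COMMUNITIES = {"public", "private"}


def audit(lines):
    """Return human-readable findings for a list of PIX config lines."""
    findings = []
    ssh_allowed = False
    for raw in lines:
        ln = raw.strip()
        m = MGMT_RE.match(ln)
        if m:
            svc, addr, mask, iface = m.groups()
            if svc == "ssh":
                ssh_allowed = True
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(f"{svc} management open to any source on '{iface}'")
            elif iface == "outside":
                findings.append(f"{svc} management reachable from {addr}/{mask} on 'outside'")
            if svc == "telnet":
                findings.append(f"cleartext telnet management from {addr}/{mask} on '{iface}'")
            continue
        if ln.startswith("snmp-server community "):
            community = ln.split(None, 2)[2]
            if community in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community string '{community}'")
    if not ssh_allowed:
        findings.append("no 'ssh <addr> <mask> <iface>' line: SSH management is not enabled")
    return findings


if __name__ == "__main__":
    for name, lines in (("posted", CONFIG), ("hardened", HARDENED)):
        result = audit(lines)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The posted lines produce nine findings; the hardened set produces none. The audit only reads the access lines, so on PIX 6.x it does not verify the other prerequisite for SSH, an RSA key generated with `ca generate rsa key` and saved with `ca save all` after `hostname` and `domain-name` are set; check that by hand before removing the telnet lines, or you lose remote access to the box.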
 

Author Comment

by:johnkesoglou
ID: 33744746
hi guys


I appreciate the feedback. This PIX seems to have some sort of issue outside of the configuration. The only thing I did outside of the config was upgrade the firewall PDM software. The other line items regarding http 0.0.0.0 and telnet 0.0.0.0 :) I was unable to hit the PDM from the outside (assuming I could use telnet on ethernet0, and that we must use SSH on the public interface).

So once I get everything cleared up, I will remove these and take care of everything internally from one of the servers using RDP.

I really appreciate the feedback.

I did notice that each time I put a command in place it takes the firewall several minutes to "turn on" or "turn off", i.e. I add a NAT rule and it is inaccessible for several minutes. I know the device is old but I am using this in the interim until I can get myself a decent ASA 5505.
0
 
LVL 16

Assisted Solution

by:InteraX
InteraX earned 250 total points
ID: 33745566
Have you tried a reboot? Sometimes, as good as the PIXes were, there were memory leaks and other bugs. At least you have the latest 6.3 build, I think.
0
 

Author Closing Comment

by:johnkesoglou
ID: 33745633
Just a quick note: the PIX 506 does not support DNS unless it is using a DHCP server.

I appreciate everyone's feedback.
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33745726
Were you trying to use the PIX as a DNS server? Ah, this would explain the problem. PIX/ASA devices cannot be used as a DNS server. They can be used as a DHCP server, but can only pass out the DNS server IPs you put in or the addresses they receive from DHCP on another interface, e.g. a PPPoE connection.
0
 

Author Comment

by:johnkesoglou
ID: 33745895
No, not at all. I was simply trying to get traffic from the inside to the outside. I have my own DNS servers, which is what was making me go batty! But it looks like it is working now.

thanks
0
 
LVL 19

Expert Comment

by:nodisco
ID: 33748085
hey John

The issue with time taken is due to xlate timeout.

When you change anything nat related, be it add/remove statics or nat statements, you should clear the xlate translation table.  Otherwise, the xlate stays in place until the timer expires.

From your config:
timeout xlate 0:05:00


For immediate action, make the change and then type
clear xlate

Just be aware that when you do this, you will close all connections inside and out - they reestablish, but it can cause a blip in traffic flow.

glad to see you are working.
0
