PIX 506e - unable to browse internet

Posted on 2010-09-22
Last Modified: 2012-05-10
Having a small problem with my PIX and looking for a quick resolution :)

I am able to ping devices from the inside and outside, i.e. I can ping 10.10.11.21 and google.com respectively.

But when I am on the server I cannot get out to the internet.

Please help
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
hostname Vinduvin
domain-name vinduvin.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type icmp-grp
  description ICMP Types allowed into the PIX
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded
access-list outside_in permit icmp any any object-group icmp-grp
access-list inside_in deny ip any any
access-list inside_in deny icmp any any
access-list outside_access_in remark
access-list outside_access_in permit tcp any host 70.182.183.129 eq 3389
access-list outside_access_in remark
access-list outside_access_in permit tcp any host 70.182.183.130 eq 3389
access-list outside_access_in remark
access-list outside_access_in permit tcp any host 70.182.183.131 eq 3389
access-list outside_access_in permit tcp any host 70.182.183.131 eq smtp
access-list outside_access_in permit tcp any host 70.182.183.131 eq www
access-list outside_access_in permit tcp any host 70.182.183.131 eq https
access-list outside_access_in permit tcp any host 70.182.183.131 eq 6001
access-list outside_access_in permit tcp any host 70.182.183.131 eq 6002
access-list outside_access_in permit tcp any host 70.182.183.131 eq 6003
access-list inside_access_in permit tcp interface inside interface outside
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 70.182.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action
ip audit attack action
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location 70.182.183.128 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 70.182.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 smtp 10.10.11.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 www 10.10.11.23 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 https 10.10.11.23 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 6001 10.10.11.23 6001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 6002 10.10.11.23 6002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 70.182.183.131 6003 10.10.11.23 6003 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 70.182.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 70.182.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 70.182.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:6b5a89c2dbddf5787b68dfcf9615cac7
: end
[OK]

Question by:johnkesoglou
17 Comments
 
LVL 16

Expert Comment

by:InteraX
ID: 33739141
You only have one ACE on the inside

access-list inside_access_in permit tcp interface inside interface outside

Is DNS resolving?

Try adding the following?

access-list inside_access_in permit udp host <dns server ip> any 53
access-list inside_access_in permit tcp any any 80
access-list inside_access_in permit tcp any any 443

This should then allow the basic protocols to allow DNS resolution and access to http & https

Author Comment

by:johnkesoglou
ID: 33739202
I receive the following error when I place the first line command


PIX(config)# access-list inside_access_in permit udp host 68.6.16.30 any $
ERROR: extra command argument(s)
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
PIX(config)#
 
LVL 16

Expert Comment

by:InteraX
ID: 33739266
Are you using an internal or external DNS server for your hosts/servers?
LVL 16

Expert Comment

by:InteraX
ID: 33739297
Try changing the first line to

access-list inside_access_in permit udp host any any 53

Author Comment

by:johnkesoglou
ID: 33739382
Sorry - no go.

Is there anything else I should remove? This is a fairly new build and will have no impact.

Thanks again

John
LVL 19

Accepted Solution

by:
nodisco earned 250 total points
ID: 33740190
hey

You are not using your inside-in ACL for anything in particular and icmp is already allowed from the outside in.

If you want to block egress connections, you can create an inside-in ACL and apply it to the inside interface of the PIX stipulating what you want to block and allow. Remove the ACL group inside as it's not doing anything for you at present:

no access-group inside_access_in in interface inside


hth
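Added example (not from the thread or from any of the posters): a small first-match evaluator for the PIX 6.3 ACL forms that appear in this question, used to show what the single inside ACE plus its access-group actually did to outbound traffic, and what an egress-filtering ACL in the spirit of InteraX's suggestion would permit. Interface addresses are taken from the posted config; 68.6.16.30 is the DNS server address the author typed, and 203.0.113.10 is a constructed external address. The EGRESS_FILTERED lines are my assumed corrected syntax (with the eq operator the PIX parser expects), not a line from the thread. object-group, log and icmp-type forms are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface addresses from the posted config ("ip address inside/outside ...").
INTERFACES = {
    "inside": ipaddress.ip_address("10.10.11.1"),
    "outside": ipaddress.ip_address("70.182.140.119"),
}
# PIX port keywords used in the thread.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "domain": 53}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _addr(tokens, i):
    """Parse one PIX address spec: any | host A | interface IF | NET MASK."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok in ("host", "interface"):
        # 'interface IF' means the firewall's own address on that interface.
        target = INTERFACES[tokens[i + 1]] if tok == "interface" else ipaddress.ip_address(tokens[i + 1])
        return (lambda ip, t=target: ip == t), i + 2
    net = ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)
    return (lambda ip, n=net: ip in n), i + 2


def _port(tokens, i):
    """Parse an optional 'eq <port>' operator; absence matches every port."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        value = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return (lambda p, v=value: p == v), i + 2
    return (lambda p: True), i


def parse_acls(config_lines):
    """Collect ACEs per ACL name from 'access-list' lines (remarks skipped)."""
    acls = {}
    for line in config_lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _addr(t, 4)
        _sport, i = _port(t, i)        # source-port operator parsed for position only
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls


def evaluate(aces, pkt):
    """First matching ACE decides; no match is the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, dst, dport in aces:
        if proto in ("ip", pkt.proto) and src(s) and dst(d) and dport(pkt.dport):
            return action
    return "deny"


def outbound_allowed(config_lines, ingress_if, pkt):
    """True if a packet entering ingress_if may leave towards a lower-security interface.
    No access-group on the interface: PIX permits high-to-low traffic by default.
    access-group present: only the ACL decides, implicit deny included."""
    applied = None
    for line in config_lines:
        t = line.split()
        if t[:1] == ["access-group"] and t[3:5] == ["interface", ingress_if]:
            applied = t[1]
    if applied is None:
        return True
    return evaluate(parse_acls(config_lines).get(applied, []), pkt) == "permit"


# Constructed excerpts of the two configs posted in the thread.
ORIGINAL = [
    "access-list inside_access_in permit tcp interface inside interface outside",
    "access-group inside_access_in in interface inside",
]
UPDATED = ORIGINAL[:1]   # access-group removed, as in the second posted config
# Assumed egress-filtering variant (my syntax, not a line from the thread).
EGRESS_FILTERED = [
    "access-list inside_access_in permit udp any any eq domain",
    "access-list inside_access_in permit tcp any any eq www",
    "access-list inside_access_in permit tcp any any eq https",
    "access-group inside_access_in in interface inside",
]

if __name__ == "__main__":
    dns = Packet("udp", "10.10.11.21", "68.6.16.30", 53)
    for label, cfg in (("original", ORIGINAL), ("updated", UPDATED), ("egress-filtered", EGRESS_FILTERED)):
        print(f"{label}: DNS query from 10.10.11.21 allowed out = {outbound_allowed(cfg, 'inside', dns)}")
```

Under the original config the one ACE only matches TCP sourced from the inside interface address itself and aimed at the outside interface address, so every host's DNS and web traffic falls through to the implicit deny; removing the access-group restores the default high-to-low permit, and an explicit egress ACL is the least-privilege way to get a permit for just the protocols that should leave.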

Author Comment

by:johnkesoglou
ID: 33740970
nodisco

Saw that too and removed it already... but thanks!
LVL 19

Expert Comment

by:nodisco
ID: 33740981
can you post an updated config?

Just to clarify - you can ping outside and resolve DNS but cannot browse from your server?
Can you browse from other machines - what ip address is your server?

Author Comment

by:johnkesoglou
ID: 33741031
Yes, I can ping from the PIX out but my servers are unable to browse out.

So from the PIX, I can ping the inside.

From the PIX I can ping the outside.

And now it appears to be working! Crazy stuff.

Let's wait a day.
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
hostname Vinduvin
domain-name vinduvin.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type icmp-grp
  description ICMP Types allowed into the PIX
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded
access-list outside_access_in remark
access-list outside_access_in permit tcp any host xxx.xxx.183.129 eq 3389
access-list outside_access_in remark
access-list outside_access_in permit tcp any host xxx.xxx.183.130 eq 3389
access-list outside_access_in remark
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 3389
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq smtp
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq www
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq https
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6001
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6002
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6003
access-list inside_access_in permit tcp interface inside interface outside
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action
ip audit attack action
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location xxx.xxx.183.128 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 smtp 10.10.11.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 www 10.10.11.23 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 https 10.10.11.23 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 6001 10.10.11.23 6001 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 6002 10.10.11.23 6002 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.183.131 6003 10.10.11.23 6003 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:58239142cc03def6607fbce0fc4659e1
: end
[OK]

LVL 19

Expert Comment

by:nodisco
ID: 33741063
To show the nat translations going through the firewall type sh xlate

As an fyi

I would remove
http 0.0.0.0 0.0.0.0 outside
and
telnet 0.0.0.0 0.0.0.0 outside

Just to maintain security

cheers
LVL 16

Expert Comment

by:InteraX
ID: 33741841
With the current config, everything originating from the inside should be able to reach the outside. You also have DNS & HTTP application inspection enabled.

Have you tried checking the real time logs in ASDM or via a syslog server to see what might be going wrong? Unless you need to manage the firewall from the outside LAN, I would also remove the following.

telnet xxx.xxx.140.0 255.255.255.0 outside
http xxx.xxx.140.0 255.255.255.0 outside

Also on the same note, I would recommend enabling management via SSH and removing telnet as telnet is unencrypted. HTTP management will automatically redirect to an HTTPS session.
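Added example, not from the thread: a small audit script that flags the management-plane exposures nodisco and InteraX point out above (http and telnet open to 0.0.0.0 on the outside interface, telnet on an untrusted interface, telnet configured with no ssh host entry, and the default SNMP community) and emits the matching "no ..." lines for the access entries. SAMPLE_CONFIG is a constructed excerpt of the updated config as posted, addresses masked as in the post; the finding codes are my own names.

```python
import re

# Constructed excerpt of the updated config posted above (addresses masked as posted).
SAMPLE_CONFIG = """
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
snmp-server community public
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
"""

# Matches the PIX 6.x "<service> <ip> <mask> <interface>" access entries only;
# "http server enable" and "telnet timeout 5" have three tokens and do not match.
MGMT_RE = re.compile(r"^(http|telnet|ssh) (\S+) (\S+) (\S+)$")
UNTRUSTED = {"outside"}
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_management_plane(config_text):
    """Return a list of (code, line) findings about who may reach the management plane."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []
    ssh_enabled = False
    telnet_lines = []
    for line in lines:
        m = MGMT_RE.match(line)
        if m:
            svc, ip, mask, ifname = m.groups()
            if svc == "ssh":
                ssh_enabled = True
            if svc == "telnet":
                telnet_lines.append(line)
            if ip == "0.0.0.0" and mask == "0.0.0.0" and ifname in UNTRUSTED:
                findings.append(("MGMT_FROM_ANY_ON_UNTRUSTED", line))
            elif ifname in UNTRUSTED:
                findings.append(("MGMT_REACHABLE_FROM_UNTRUSTED", line))
            if svc == "telnet" and ifname in UNTRUSTED:
                findings.append(("CLEARTEXT_MGMT_ON_UNTRUSTED", line))
        elif line.startswith("snmp-server community ") and line.split()[-1] in DEFAULT_COMMUNITIES:
            findings.append(("SNMP_DEFAULT_COMMUNITY", line))
    # Telnet access entries exist but no "ssh <ip> <mask> <if>" line enables SSH.
    if telnet_lines and not ssh_enabled:
        findings.append(("TELNET_WITHOUT_SSH", telnet_lines[0]))
    return findings


def removal_commands(findings):
    """The 'no <line>' form PIX uses to delete an access entry, for the exposure findings."""
    remove_for = {"MGMT_FROM_ANY_ON_UNTRUSTED", "MGMT_REACHABLE_FROM_UNTRUSTED"}
    return sorted({"no " + line for code, line in findings if code in remove_for})


if __name__ == "__main__":
    for code, line in audit_management_plane(SAMPLE_CONFIG):
        print(f"{code:32} {line}")
    print("\n".join(removal_commands(SAMPLE_CONFIG and audit_management_plane(SAMPLE_CONFIG))))
```

Whether the /24 entries for the upstream subnet should go is a judgement call (InteraX suggests removing them unless management from that LAN is needed), which is why the script separates "from any" from "reachable from outside" rather than treating both the same.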

Author Comment

by:johnkesoglou
ID: 33744746
Hi guys

I appreciate the feedback. This PIX seems to have some sort of issue outside of the configuration. The only thing I did outside of the config was upgrade the firewall PDM software. The other line items regarding http 0.0.0.0 and telnet 0.0.0.0 :) I was unable to hit the PDM from the outside (assuming I could use telnet on ethernet0 - and that we must use SSH on the public interface.)

So once I get everything cleared up, I will remove these and take care of everything internally from one of the servers using RDP.

I really appreciate the feedback.

I did notice that each time I put a command in place it takes the firewall several minutes to "turn on" or "turn off" ... i.e. I add a NAT rule and it is inaccessible for several minutes. I know the device is old but I am using this in the interim until I can get myself a decent ASA 5505.
LVL 16

Assisted Solution

by:InteraX
InteraX earned 250 total points
ID: 33745566
Have you tried a reboot? Sometimes, as good as the PIX's were there were memory leaks and other bugs. At least you have the latest 6.3 build I think.

Author Closing Comment

by:johnkesoglou
ID: 33745633
Just a quick note: the PIX 506 does not support DNS unless it is using a DHCP server.

I appreciate everyone's feedback.
LVL 16

Expert Comment

by:InteraX
ID: 33745726
Were you trying to use the PIX as a DNS server? Ah, this would explain the problem. PIX/ASA devices cannot be used as a DNS server. They can be used as a DHCP server, but can only pass out the DNS server IPs you put in or the addresses they receive from DHCP on another interface, e.g. a PPPoE connection.

Author Comment

by:johnkesoglou
ID: 33745895
No, not at all, I was simply trying to get traffic from the inside to the outside. I have my own DNS servers, which is what was making me go batty! But it looks like it is working now.

Thanks
LVL 19

Expert Comment

by:nodisco
ID: 33748085
hey John

The issue with time taken is due to xlate timeout.

When you change anything nat related, be it add/remove statics or nat statements, you should clear the xlate translation table.  Otherwise, the xlate stays in place until the timer expires.

From your config:
timeout xlate 0:05:00


For immediate action, make the change and then type
clear xlate

Just be aware that when you do this, you will close all connections inside and out - they reestablish, but it can cause a blip in traffic flow.

glad to see you are working.
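Added example, not from the thread: a toy model of the xlate behaviour nodisco describes. A translation is built on first use, refreshed by every packet that uses it, and removed only when it sits idle past the xlate timeout (0:05:00 in the posted config) or when clear xlate flushes the table, so a NAT change for a busy host does not take effect until the table is cleared. Addresses are those in the posted config; the class and its methods are my own names, not PIX commands or internals.

```python
XLATE_TIMEOUT = 5 * 60          # "timeout xlate 0:05:00" from the posted config
OUTSIDE_IF = "70.182.140.119"   # "global (outside) 1 interface": PAT to the outside address


class XlateTable:
    """Toy model of the PIX translation table (added here, not PIX code)."""

    def __init__(self, statics, clock=0):
        self.statics = dict(statics)   # inside_ip -> global_ip, as configured by 'static' lines
        self.entries = {}              # inside_ip -> [global_ip, last_used_at]
        self.clock = clock             # simulated seconds, advanced explicitly

    def translate(self, inside_ip):
        """Global address used for inside_ip right now; reuses a live xlate if one exists."""
        ent = self.entries.get(inside_ip)
        if ent is not None and self.clock - ent[1] < XLATE_TIMEOUT:
            ent[1] = self.clock        # traffic refreshes the idle timer
            return ent[0]              # existing xlate wins, even after a config change
        global_ip = self.statics.get(inside_ip, OUTSIDE_IF)
        self.entries[inside_ip] = [global_ip, self.clock]
        return global_ip

    def change_static(self, inside_ip, global_ip):
        """A 'static' config change: alters future lookups only, never live entries."""
        self.statics[inside_ip] = global_ip

    def clear_xlate(self):
        """'clear xlate': drops every translation so all of them are rebuilt."""
        self.entries.clear()

    def advance(self, seconds):
        self.clock += seconds


def stale_then_cleared():
    """Busy host: the old PAT xlate lingers across the static change until cleared."""
    table = XlateTable(statics={})
    first = table.translate("10.10.11.23")           # dynamic PAT to the outside interface
    table.change_static("10.10.11.23", "70.182.183.131")
    busy = table.translate("10.10.11.23")            # still the old xlate
    table.advance(XLATE_TIMEOUT - 1)
    still_busy = table.translate("10.10.11.23")      # refreshed again: never idles out while used
    table.clear_xlate()
    after_clear = table.translate("10.10.11.23")     # new static takes effect immediately
    return first, busy, still_busy, after_clear


def idle_expiry():
    """Idle host: the stale xlate ages out on its own once the timeout has elapsed."""
    table = XlateTable(statics={})
    table.translate("10.10.11.22")
    table.change_static("10.10.11.22", "70.182.183.130")
    table.advance(XLATE_TIMEOUT)
    return table.translate("10.10.11.22")


if __name__ == "__main__":
    print("busy host:", stale_then_cleared())
    print("idle host after timeout:", idle_expiry())
```

The busy-host sequence is the case the author hit: a host that keeps sending traffic keeps refreshing its own stale translation, so the "several minutes" wait is really "until the host goes quiet for five minutes", and clear xlate is the deterministic way to apply the change, at the cost of the connection blip nodisco mentions.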