Solved

PIX 506e - unable to browse internet

Posted on 2010-09-22
468 Views
Last Modified: 2012-05-10
having a small problem with my pix and looking for a quick resolution :)

i am able to ping devices from the inside and outside i.e. i can ping 10.10.11.21 and google.com respectively.

but when i am on the server i cannot get out to the internet.

please help
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
hostname Vinduvin
domain-name vinduvin.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type icmp-grp 
  description ICMP Types allowed into the PIX
  icmp-object echo-reply 
  icmp-object unreachable 
  icmp-object time-exceeded 
access-list outside_in permit icmp any any object-group icmp-grp 
access-list inside_in deny ip any any 
access-list inside_in deny icmp any any 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host 70.182.183.129 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host 70.182.183.130 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host 70.182.183.131 eq 3389 
access-list outside_access_in permit tcp any host 70.182.183.131 eq smtp 
access-list outside_access_in permit tcp any host 70.182.183.131 eq www 
access-list outside_access_in permit tcp any host 70.182.183.131 eq https 
access-list outside_access_in permit tcp any host 70.182.183.131 eq 6001 
access-list outside_access_in permit tcp any host 70.182.183.131 eq 6002 
access-list outside_access_in permit tcp any host 70.182.183.131 eq 6003 
access-list inside_access_in permit tcp interface inside interface outside 
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 70.182.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action
ip audit attack action
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location 70.182.183.128 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 70.182.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 smtp 10.10.11.23 smtp netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 www 10.10.11.23 www netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 https 10.10.11.23 https netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 6001 10.10.11.23 6001 netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 6002 10.10.11.23 6002 netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 6003 10.10.11.23 6003 netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 70.182.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 70.182.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 70.182.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:6b5a89c2dbddf5787b68dfcf9615cac7
: end
[OK]


Question by:johnkesoglou
17 Comments
 
LVL 16

Expert Comment

by:InteraX
ID: 33739141
You only have one ACE on the inside

access-list inside_access_in permit tcp interface inside interface outside

Is DNS resolving?

Try adding the following?

access-list inside_access_in permit udp host <dns server ip> any 53
access-list inside_access_in permit tcp any any eq 80
access-list inside_access_in permit tcp any any eq 443

This should then allow the basic protocols to allow DNS resolution and access to http & https
0
 

Author Comment

by:johnkesoglou
ID: 33739202
i receive the following error when i enter the first line command


PIX(config)# access-list inside_access_in permit udp host 68.6.16.30 any $
ERROR: extra command argument(s)
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
PIX(config)#
0
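The usage text the PIX printed above spells out why the line was rejected: a port can only follow an address through an operator (`eq`, `neq`, `lt`, `gt` or `range`), so a bare `53` after `any` is an "extra command argument". The following checker, added here as an example and not the PIX's own parser or any poster's code, reduces that usage grammar to a small parser and runs the lines from this thread through it; it also catches the `host any` form tried later, since `host` requires an IP address.

```python
"""Syntax checker for PIX 6.3 access-list entries.

Added example for this thread (not the PIX's own parser and not code from
any poster).  The grammar below is reduced from the usage text the PIX
printed above; port operators and the remark/line forms are the ones shown
there.
"""
import ipaddress

# operator -> number of port arguments it takes
PORT_OPERATORS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}


def _address(tokens, i):
    """Consume one address spec at tokens[i]; return (spec, next_index)."""
    if i >= len(tokens):
        raise ValueError("missing address")
    kw = tokens[i]
    if kw == "any":
        return ("any", None), i + 1
    if kw in ("host", "interface", "object-group"):
        if i + 1 >= len(tokens):
            raise ValueError(f"'{kw}' requires an argument")
        arg = tokens[i + 1]
        if kw == "host":
            # 'host any' (tried later in the thread) fails here: host needs an IP
            ipaddress.IPv4Address(arg)
        return (kw, arg), i + 2
    # bare '<ip> <mask>' form
    if i + 1 >= len(tokens):
        raise ValueError(f"'{kw}' needs a network mask")
    ipaddress.IPv4Address(kw)
    ipaddress.IPv4Address(tokens[i + 1])
    return ("subnet", f"{kw} {tokens[i + 1]}"), i + 2


def _ports(tokens, i):
    """Consume an optional '<op> <port> [<port>]' at tokens[i]."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        n = PORT_OPERATORS[tokens[i]]
        if i + n >= len(tokens):
            raise ValueError(f"'{tokens[i]}' needs {n} port argument(s)")
        return (tokens[i], tokens[i + 1:i + 1 + n]), i + 1 + n
    return None, i


def parse_ace(line):
    """Parse one ACE into a dict; raise ValueError with a PIX-like message."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "access-list":
        raise ValueError("not an access-list command")
    acl_id, i = tokens[1], 2
    if tokens[i] == "line":           # optional 'line <line-num>'
        i += 2
        if i >= len(tokens):
            raise ValueError("missing permit|deny after 'line'")
    if tokens[i] == "remark":
        return {"acl": acl_id, "action": "remark", "text": " ".join(tokens[i + 1:])}
    if tokens[i] not in ("permit", "deny"):
        raise ValueError(f"expected permit|deny, got '{tokens[i]}'")
    action, i = tokens[i], i + 1
    if i >= len(tokens):
        raise ValueError("missing protocol")
    proto, i = tokens[i], i + 1
    src, i = _address(tokens, i)
    src_ports, i = _ports(tokens, i)
    dst, i = _address(tokens, i)
    dst_ports, i = _ports(tokens, i)
    if i < len(tokens) and tokens[i] != "log":
        # The PIX's complaint for 'host 68.6.16.30 any 53': a bare port with no
        # operator (eq/range/...) cannot attach to either address, so it is
        # an extra argument.
        raise ValueError(f"extra command argument(s): {' '.join(tokens[i:])}")
    return {"acl": acl_id, "action": action, "proto": proto, "src": src,
            "src_ports": src_ports, "dst": dst, "dst_ports": dst_ports}


def check_ace(line):
    """Return (True, parsed_ace) or (False, error_message)."""
    try:
        return True, parse_ace(line)
    except ValueError as exc:
        return False, str(exc)


# Lines from this thread plus the accepted form, for a quick run
CANDIDATES = [
    "access-list inside_access_in permit udp host 68.6.16.30 any 53",  # rejected by the PIX
    "access-list inside_access_in permit udp host any any 53",         # 'host any' is not an address
    "access-list inside_access_in permit udp any any eq 53",           # accepted form
    "access-list inside_access_in permit tcp interface inside interface outside",
]

if __name__ == "__main__":
    for cand in CANDIDATES:
        ok, info = check_ace(cand)
        print("OK  " if ok else "ERR ", cand, "" if ok else f"-> {info}")
```

Running it prints an error for the first two candidates and accepts the last two; the `log` keyword is accepted as a trailing option but its arguments are not validated.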
 
LVL 16

Expert Comment

by:InteraX
ID: 33739266
Are you using an internal or external DNS server for your hosts/servers?
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33739297
Try changing the first line to

access-list inside_access_in permit udp any any eq 53
0
 

Author Comment

by:johnkesoglou
ID: 33739382
sorry - no go.

is there anything else i should remove?  this is a fairly new build and will have no impact

thanks again

John
0
 
LVL 19

Accepted Solution

by:
nodisco earned 250 total points
ID: 33740190
hey

You are not using your inside-in ACL for anything in particular and icmp is already allowed from the outside in.

If you want to block egress connections, you can create an inside-in acl and apply it to the inside interface of the PIX stipulating what you want to block and allow.  Remove the acl group inside as it's not doing anything for you at present:

no access-group inside_access_in in interface inside


hth
0
 

Author Comment

by:johnkesoglou
ID: 33740970
nodisco

saw that too and removed it already....but thanks!
0
 
LVL 19

Expert Comment

by:nodisco
ID: 33740981
can you post an updated config?

Just to clarify - you can ping outside and resolve DNS but cannot browse from your server?
Can you browse from other machines - what ip address is your server?
0
 

Author Comment

by:johnkesoglou
ID: 33741031
yes, i can ping from the pix out but my servers are unable to browse out.

so from the pix, i can ping the inside

from the pix i can ping the outside.

and now it appears to be working!  crazy stuff.

let's wait a day
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
hostname Vinduvin
domain-name vinduvin.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type icmp-grp 
  description ICMP Types allowed into the PIX
  icmp-object echo-reply 
  icmp-object unreachable 
  icmp-object time-exceeded 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.129 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.130 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq smtp 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq www 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq https 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6001 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6002 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6003 
access-list inside_access_in permit tcp interface inside interface outside 
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action
ip audit attack action
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location xxx.xxx.183.128 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 smtp 10.10.11.23 smtp netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 www 10.10.11.23 www netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 https 10.10.11.23 https netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6001 10.10.11.23 6001 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6002 10.10.11.23 6002 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6003 10.10.11.23 6003 netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:58239142cc03def6607fbce0fc4659e1
: end
[OK]


0
 
LVL 19

Expert Comment

by:nodisco
ID: 33741063
To show the nat translations going through the firewall type sh xlate

As an fyi

I would remove
http 0.0.0.0 0.0.0.0 outside
and
telnet 0.0.0.0 0.0.0.0 outside

Just to maintain security

cheers
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33741841
With the current config, everything originating from the inside should be able to reach the outside. You also have dns & http application inspection enabled.

Have you tried checking the real time logs in ASDM or via a syslog server to see what might be going wrong? Unless you need to manage the firewall from the outside LAN, I would also remove the following.

telnet xxx.xxx.140.0 255.255.255.0 outside
http xxx.xxx.140.0 255.255.255.0 outside

Also on the same note, I would recommend enabling management via SSH and removing telnet as telnet is unencrypted. HTTP management will automatically redirect to an HTTPS session.
0
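Both of the last two comments come down to the same audit of the management plane: which `telnet`/`http` lines allow management from any source or from the outside interface, and whether an SSH management source exists at all. The script below, added here as an example (not Cisco tooling and not any poster's code), scans a constructed excerpt of the config posted above for exactly those points, flags the default SNMP community string that also appears in it, and emits the `no ...` commands for the high-severity management lines. It assumes the interface named `outside` is the untrusted one.

```python
"""Management-plane audit for a PIX 6.x config, covering the points raised in
this thread: management open to any source, telnet/http on the outside
interface, and no SSH management source.  Example added for this page; it
is not Cisco tooling or any poster's code.  The SNMP check flags the
well-known default community string present in the posted config."""
import re

# 'telnet <addr> <mask> <if>' / 'http <addr> <mask> <if>' (exactly four tokens,
# so 'telnet timeout 5' and 'http server enable' do not match)
MGMT_RE = re.compile(r"^(telnet|http) (\S+) (\S+) (\S+)$")
SSH_ALLOW_RE = re.compile(r"^ssh \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$")


def audit_pix_config(config_text, untrusted_interfaces=("outside",)):
    """Return a list of (severity, config_line, explanation) findings."""
    findings = []
    lines = [l.strip() for l in config_text.splitlines()
             if l.strip() and not l.startswith((":", "!"))]
    has_ssh_allow = any(SSH_ALLOW_RE.match(l) for l in lines)
    has_telnet_allow = False

    for line in lines:
        m = MGMT_RE.match(line)
        if m:
            service, addr, mask, iface = m.groups()
            if service == "telnet":
                has_telnet_allow = True
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(("high", line,
                                 f"{service} management open to any source on '{iface}'"))
            elif iface in untrusted_interfaces:
                findings.append(("medium", line,
                                 f"{service} management exposed on untrusted interface '{iface}'"))
            if service == "telnet" and iface in untrusted_interfaces:
                findings.append(("medium", line,
                                 "telnet is cleartext; use ssh for management on this interface"))
        elif line == "snmp-server community public":
            findings.append(("high", line, "well-known default SNMP community string"))

    if has_telnet_allow and not has_ssh_allow:
        findings.append(("low", "(no 'ssh <addr> <mask> <if>' line)",
                         "telnet is permitted but no SSH management source is configured"))
    return findings


def removal_commands(findings):
    """'no ...' commands for the high-severity management lines, in config order."""
    return [f"no {line}" for sev, line, _ in findings
            if sev == "high" and line.startswith(("telnet ", "http "))]


# Constructed excerpt: the management lines of the config posted above
SAMPLE_CONFIG = """\
: Saved
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
snmp-server community public
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
"""

if __name__ == "__main__":
    for sev, line, why in audit_pix_config(SAMPLE_CONFIG):
        print(f"[{sev:6}] {line:45} {why}")
    print("\n".join(removal_commands(audit_pix_config(SAMPLE_CONFIG))))
```

On the sample it reports three high findings (the two any-source lines and the SNMP community), the outside-interface lines as medium, and the missing SSH source as low; a config that manages only from `inside` over SSH produces no findings.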
 

Author Comment

by:johnkesoglou
ID: 33744746
hi guys


i appreciate the feedback, this PIX seems to have some sort of issue outside of the configuration.  the only thing i did outside of the config was upgrade the firewall pdm software.  The other line items regarding http 0.0.0.0 and telnet 0.0.0.0 :)  i was unable to hit the pdm from the outside (assuming i could use telnet on ethernet0 - and that we must use SSH on the public interface.)

so once i get everything cleared up, i will remove these and take care of everything internally from one of the servers using rdp.

i really appreciate the feedback.

i did notice that each time i put a command in place it takes the firewall several minutes to "turn on" or "turn off" ... i.e. i add a NAT rule and it is inaccessible for several minutes.  i know the device is old but i am using this in the interim until i can get myself a decent ASA 5505
0
 
LVL 16

Assisted Solution

by:InteraX
InteraX earned 250 total points
ID: 33745566
Have you tried a reboot? Sometimes, as good as the PIXs were, there were memory leaks and other bugs. At least you have the latest 6.3 build I think.
0
 

Author Closing Comment

by:johnkesoglou
ID: 33745633
just a quick note: the Pix 506 does not support DNS unless it is using a DHCP server.  

i appreciate everyone's feedback
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33745726
Were you trying to use the PIX as a DNS server? Ah, this would explain the problem. PIX/ASA devices cannot be used as a DNS server. They can be used as a DHCP server, but can only pass out the DNS server IPs you put in or the addresses they receive from DHCP on another interface, eg PPPoE connection.
0
 

Author Comment

by:johnkesoglou
ID: 33745895
No not at all, i was simply trying to get traffic from the inside to the outside.  i have my own dns servers which is what was making me go batty!  but it looks like it is working now

thanks
0
 
LVL 19

Expert Comment

by:nodisco
ID: 33748085
hey John

The issue with time taken is due to xlate timeout.

When you change anything nat related, be it add/remove statics or nat statements, you should clear the xlate translation table.  Otherwise, the xlate stays in place until the timer expires.

From your config:
timeout xlate 0:05:00


For immediate action, make the change and then type
clear xlate

Just be aware that when you do this, you will close all connections inside and out - they reestablish, but it can cause a blip in traffic flow.

glad to see you are working.
0
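The "takes several minutes to turn on" behaviour described above follows from the xlate table keeping an existing translation alive until its idle timer expires, regardless of what the NAT config now says. The simulation below, added here as an example (it is not PIX code, just a model of what nodisco describes), builds a PAT xlate for a host, then adds a static for that host and shows what `sh xlate`-style output and the mapped address look like with and without `clear xlate`. The addresses are constructed placeholders; the 5-minute timer is the `timeout xlate 0:05:00` from the posted config.

```python
"""Simulation of the PIX xlate table and the 'timeout xlate 0:05:00' idle timer,
to show why a NAT change seems to take minutes to take effect until
'clear xlate' is issued.  Added example for this page: it models the
behaviour nodisco describes above and is not PIX code.  Addresses are
constructed placeholders."""
from dataclasses import dataclass, field

XLATE_TIMEOUT = 5 * 60          # seconds; 'timeout xlate 0:05:00' in the posted config


@dataclass
class Xlate:
    mapped: str                 # global (outside) address currently in use
    last_used: float            # time of the last packet that hit this entry


@dataclass
class NatTable:
    pat_global: str                                 # 'global (outside) 1 interface'
    statics: dict = field(default_factory=dict)     # inside ip -> fixed global ip
    xlates: dict = field(default_factory=dict)      # inside ip -> Xlate
    timeout: int = XLATE_TIMEOUT

    def translate(self, inside_ip, now):
        """Mapped address for a packet from inside_ip at time `now`.

        An existing, unexpired xlate is reused and its idle timer refreshed,
        even if the statics changed after it was built.  Only when no live
        entry exists is the current config consulted again.
        """
        entry = self.xlates.get(inside_ip)
        if entry is not None and now - entry.last_used < self.timeout:
            entry.last_used = now
            return entry.mapped
        mapped = self.statics.get(inside_ip, self.pat_global)
        self.xlates[inside_ip] = Xlate(mapped, now)
        return mapped

    def clear_xlate(self):
        """'clear xlate': drop every entry (and the connections riding on it)."""
        dropped = len(self.xlates)
        self.xlates.clear()
        return dropped

    def show_xlate(self, now):
        """Rough equivalent of 'sh xlate': live entries only."""
        return [f"Global {x.mapped} Local {ip}" for ip, x in self.xlates.items()
                if now - x.last_used < self.timeout]


def scenario(clear_after_change):
    """Add a static for a host that already has a PAT xlate; return the
    mapped address seen (before the change, right after it, after the timer)."""
    table = NatTable(pat_global="203.0.113.119")      # constructed outside address
    before = table.translate("10.10.11.23", now=0)
    table.statics["10.10.11.23"] = "203.0.113.131"     # admin adds the static at t=60
    if clear_after_change:
        table.clear_xlate()
    right_after = table.translate("10.10.11.23", now=60)
    # host idle long enough for the old entry to expire
    later = table.translate("10.10.11.23", now=60 + XLATE_TIMEOUT + 1)
    return before, right_after, later


if __name__ == "__main__":
    print("without clear xlate:", scenario(False))
    print("with clear xlate:   ", scenario(True))
```

Without `clear xlate` the host keeps using the interface address until it has been idle for the full timer; with it the static takes effect on the next packet, at the cost of dropping every live entry (the `clear_xlate` return value counts them), which is the traffic blip mentioned above.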