PIX 506e - unable to browse internet

Having a small problem with my PIX and looking for a quick resolution :)

I am able to ping devices from the inside and outside, i.e. I can ping 10.10.11.21 and google.com respectively.

But when I am on the server I cannot get out to the internet.

please help
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
hostname Vinduvin
domain-name vinduvin.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type icmp-grp 
  description ICMP Types allowed into the PIX
  icmp-object echo-reply 
  icmp-object unreachable 
  icmp-object time-exceeded 
access-list outside_in permit icmp any any object-group icmp-grp 
access-list inside_in deny ip any any 
access-list inside_in deny icmp any any 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host 70.182.183.129 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host 70.182.183.130 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host 70.182.183.131 eq 3389 
access-list outside_access_in permit tcp any host 70.182.183.131 eq smtp 
access-list outside_access_in permit tcp any host 70.182.183.131 eq www 
access-list outside_access_in permit tcp any host 70.182.183.131 eq https 
access-list outside_access_in permit tcp any host 70.182.183.131 eq 6001 
access-list outside_access_in permit tcp any host 70.182.183.131 eq 6002 
access-list outside_access_in permit tcp any host 70.182.183.131 eq 6003 
access-list inside_access_in permit tcp interface inside interface outside 
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 70.182.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action
ip audit attack action
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location 70.182.183.128 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 70.182.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 smtp 10.10.11.23 smtp netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 www 10.10.11.23 www netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 https 10.10.11.23 https netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 6001 10.10.11.23 6001 netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 6002 10.10.11.23 6002 netmask 255.255.255.255 0 0 
static (inside,outside) tcp 70.182.183.131 6003 10.10.11.23 6003 netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 70.182.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 70.182.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet 70.182.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:6b5a89c2dbddf5787b68dfcf9615cac7
: end
[OK]


johnkesoglouAsked:
nodiscoCommented:
hey

You are not using your inside-in ACL for anything in particular and icmp is already allowed from the outside in.

If you want to block egress connections, you can create an inside-in ACL and apply it to the inside interface of the PIX stipulating what you want to block and allow.  Remove the ACL group on the inside as it's not doing anything for you at present:

no access-group inside_access_in in interface inside


hth
0
 
InteraXCommented:
You only have one ACE on the inside

access-list inside_access_in permit tcp interface inside interface outside

Is DNS resolving?

Try adding the following?

access-list inside_access_in permit udp host <dns server ip> any 53
access-list inside_access_in permit tcp any any 80
access-list inside_access_in permit tcp any any 443

This should then allow the basic protocols to allow DNS resolution and access to http & https
0
 
johnkesoglouAuthor Commented:
I receive the following error when I place the first line command


PIX(config)# access-list inside_access_in permit udp host 68.6.16.30 any $
ERROR: extra command argument(s)
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
PIX(config)#
0
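The usage text the PIX printed is the extended-ACL grammar: a port may only follow an operator such as eq, which is why a bare 53 after the destination is reported as an extra argument. As an added illustration, not code from the thread, here is a small Python checker that applies that grammar to access-list lines (the samples in the test are the lines quoted in the thread; the log options are not modelled):

```python
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}   # range takes two ports


def _take_address(tokens, pos):
    """Consume one address clause at tokens[pos]: any | host A | A MASK |
    interface NAME | object-group NAME. Return the next index, or None."""
    word = tokens[pos] if pos < len(tokens) else ""
    rest = tokens[pos + 1:pos + 2]
    if word == "any":
        return pos + 1
    if word == "host" and rest and IPV4.match(rest[0]):
        return pos + 2
    if word in ("interface", "object-group") and rest:
        return pos + 2
    if IPV4.match(word) and rest and IPV4.match(rest[0]):
        return pos + 2
    return None


def _take_ports(tokens, pos):
    """Consume an optional <operator> <port> [<port>] clause."""
    if pos < len(tokens) and tokens[pos] in PORT_OPERATORS:
        need = 2 if tokens[pos] == "range" else 1
        return pos + need + 1 if pos + need < len(tokens) else None
    return pos


def validate_ace(line):
    """Check one PIX 6.3 access-list line against the grammar quoted in the
    error output. Returns None when it parses, else the first problem found."""
    t = line.split()
    if len(t) < 3 or t[0] != "access-list":
        return "not an access-list command"
    if t[2] == "remark":                      # remarks take free text
        return None
    if t[2] not in ("permit", "deny") or len(t) < 4:
        return "expected permit|deny <protocol> after the ACL id"
    proto, pos = t[3], 4
    if (pos := _take_address(t, pos)) is None:
        return "malformed source address"
    if proto in ("tcp", "udp") and (pos := _take_ports(t, pos)) is None:
        return "malformed source port clause"
    if (pos := _take_address(t, pos)) is None:
        return "malformed destination address"
    if proto in ("tcp", "udp") and (pos := _take_ports(t, pos)) is None:
        return "malformed destination port clause"
    if proto == "icmp" and pos < len(t):      # optional icmp type or group
        pos += 2 if t[pos] == "object-group" else 1
    if pos != len(t):                         # same complaint the PIX prints
        return "extra command argument(s): " + " ".join(t[pos:])
    return None
```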
 
InteraXCommented:
Are you using an internal or external DNS server for your hosts/servers?
0
 
InteraXCommented:
Try changing the first line to

access-list inside_access_in permit udp host any any 53
0
 
johnkesoglouAuthor Commented:
sorry - no go.

is there anything else i should remove?  this is a fairly new build and will have no impact

thanks again

John
0
 
johnkesoglouAuthor Commented:
nodisco

saw that too and removed it already....but thanks!
0
 
nodiscoCommented:
can you post an updated config?

Just to clarify - you can ping outside and resolve DNS but cannot browse from your server?
Can you browse from other machines - what ip address is your server?
0
 
johnkesoglouAuthor Commented:
yes, i can ping from the pix out but my servers are unable to browse out.

So from the PIX, I can ping the inside.

From the PIX I can ping the outside.

And now it appears to be working!  Crazy stuff.

Let's wait a day.
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iMJCYSF9e3ba/od. encrypted
passwd iMJCYSF9e3ba/od. encrypted
hostname Vinduvin
domain-name vinduvin.local
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type icmp-grp 
  description ICMP Types allowed into the PIX
  icmp-object echo-reply 
  icmp-object unreachable 
  icmp-object time-exceeded 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.129 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.130 eq 3389 
access-list outside_access_in remark 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 3389 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq smtp 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq www 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq https 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6001 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6002 
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq 6003 
access-list inside_access_in permit tcp interface inside interface outside 
pager lines 24
logging on
logging timestamp
logging standby
logging console notifications
logging monitor notifications
logging buffered notifications
logging history emergencies
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.140.119 255.255.255.0
ip address inside 10.10.11.1 255.255.255.0
ip audit info action
ip audit attack action
pdm location 10.10.11.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.10.11.21 255.255.255.255 inside
pdm location 10.10.11.22 255.255.255.255 inside
pdm location 10.10.11.23 255.255.255.255 inside
pdm location 10.10.11.25 255.255.255.255 inside
pdm location 10.10.11.26 255.255.255.255 inside
pdm location 10.10.11.27 255.255.255.255 inside
pdm location 10.10.11.28 255.255.255.255 inside
pdm location 10.10.11.29 255.255.255.255 inside
pdm location 10.10.11.30 255.255.255.255 inside
pdm location 10.10.11.31 255.255.255.255 inside
pdm location 10.10.11.32 255.255.255.255 inside
pdm location 10.10.11.33 255.255.255.255 inside
pdm location xxx.xxx.183.128 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.183.129 3389 10.10.11.21 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.130 3389 10.10.11.22 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 3389 10.10.11.23 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 smtp 10.10.11.23 smtp netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 www 10.10.11.23 www netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 https 10.10.11.23 https netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6001 10.10.11.23 6001 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6002 10.10.11.23 6002 netmask 255.255.255.255 0 0 
static (inside,outside) tcp xxx.xxx.183.131 6003 10.10.11.23 6003 netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.140.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 outside
telnet xxx.xxx.140.0 255.255.255.0 outside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username jkesoglou password .ExjueaZAJawM9ir encrypted privilege 15
terminal width 80
Cryptochecksum:58239142cc03def6607fbce0fc4659e1
: end
[OK]


0
 
nodiscoCommented:
To show the nat translations going through the firewall type sh xlate

As an fyi

I would remove
http 0.0.0.0 0.0.0.0 outside
and
telnet 0.0.0.0 0.0.0.0 outside

Just to maintain security

cheers
0
 
InteraXCommented:
With the current config, everything originating from the inside should be able to reach the outside. You also have DNS & HTTP application inspection enabled.

Have you tried checking the real time logs in ASDM or via a syslog server to see what might be going wrong? Unless you need to manage the firewall from the outside LAN, I would also remove the following.

telnet xxx.xxx.140.0 255.255.255.0 outside
http xxx.xxx.140.0 255.255.255.0 outside

Also on the same note, I would recommend enabling management via SSH and removing telnet as telnet is unencrypted. HTTP management will automatically redirect to an HTTPS session.
0
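The hardening points raised in the two replies above (management access from any source and from the outside interface, cleartext telnet, and nodisco's earlier note about an ACL that is defined but never applied) can be checked mechanically. The script below is an added example, not from the thread; it parses a constructed excerpt of the posted config (public prefix masked as in the updated post) and reports those findings:

```python
# Constructed excerpt of the posted PIX 6.3 config (public prefix masked as in
# the updated post); only the lines the audit looks at are included.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_in deny ip any any
access-list outside_access_in permit tcp any host xxx.xxx.183.131 eq https
access-list inside_access_in permit tcp interface inside interface outside
access-group outside_access_in in interface outside
http server enable
http xxx.xxx.140.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
snmp-server community public
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.10.11.0 255.255.255.0 inside
"""


def audit_pix_config(text):
    """Return (severity, message) findings for the points raised in the thread:
    management (telnet/http/ssh) open to any source, management reachable on
    the outside (security0) interface, cleartext telnet, the default SNMP
    community, and access-lists defined but never applied with access-group."""
    findings = []
    outside_ifs, defined_acls, applied_acls = set(), set(), set()
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "nameif" and t[-1] == "security0":
            outside_ifs.add(t[2])                 # nameif <hw> <name> security0
        elif t[0] == "access-list" and len(t) > 1:
            defined_acls.add(t[1])
        elif t[0] == "access-group" and len(t) > 1:
            applied_acls.add(t[1])
        elif t[0] in ("telnet", "http", "ssh") and len(t) == 4:
            svc, src, mask, ifname = t            # <svc> <addr> <mask> <if_name>
            if src == mask == "0.0.0.0":
                findings.append(("high", f"{svc} from any source on {ifname}"))
            elif ifname in outside_ifs:
                findings.append(("medium", f"{svc} from {src} {mask} on {ifname}"))
            if svc == "telnet":
                findings.append(("medium", f"telnet is cleartext on {ifname}; prefer ssh"))
        elif t[:2] == ["snmp-server", "community"] and t[2:] == ["public"]:
            findings.append(("high", "default SNMP community 'public'"))
    for acl in sorted(defined_acls - applied_acls):
        findings.append(("info", f"access-list {acl} is defined but not applied"))
    return findings
```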
 
johnkesoglouAuthor Commented:
hi guys


I appreciate the feedback, this PIX seems to have some sort of issue outside of the configuration.  The only thing I did outside of the config was upgrade the firewall PDM software.  The other line items regarding http 0.0.0.0 and telnet 0.0.0.0  :)  I was unable to hit the PDM from the outside (assuming I could use telnet on ethernet0 - and that we must use SSH on the public interface.)

so once i get everything cleared up, i will remove these and take care of everything internally from one of the servers using rdp.

i really appreciate the feedback.

i did notice that each time i put a command in place it takes the firewall several minutes to "turn on" or "turn off" ... i.e. i add a NAT rule and it is inaccessible for several minutes.  i know the device is old but i am using this in the interim until i can get myself a decent ASA 5505
0
 
InteraXCommented:
Have you tried a reboot? Sometimes, as good as the PIXs were, there were memory leaks and other bugs. At least you have the latest 6.3 build I think.
0
 
johnkesoglouAuthor Commented:
Just a quick note: the PIX 506 does not support DNS unless it is using a DHCP server.

I appreciate everyone's feedback.
0
 
InteraXCommented:
Were you trying to use the PIX as a DNS server? Ah, this would explain the problem. PIX/ASA devices cannot be used as a DNS server. They can be used as a DHCP server, but can only pass out the DNS server IPs you put in or the addresses they receive from DHCP on another interface, e.g. a PPPoE connection.
0
 
johnkesoglouAuthor Commented:
No, not at all, I was simply trying to get traffic from the inside to the outside.  I have my own DNS servers, which is what was making me go batty!  But it looks like it is working now.

thanks
0
 
nodiscoCommented:
hey John

The issue with time taken is due to xlate timeout.

When you change anything nat related, be it add/remove statics or nat statements, you should clear the xlate translation table.  Otherwise, the xlate stays in place until the timer expires.

From your config:
timeout xlate 0:05:00


For immediate action, make the change and then type
clear xlate

Just be aware that when you do this, you will close all connections inside and out - they reestablish, but it can cause a blip in traffic flow.

glad to see you are working.
0