Solved

Pix 501 block Web Page

Posted on 2013-05-15
5
550 Views
Last Modified: 2013-06-01
Dear Expert,

I have a problem, my pix 501 don´t show me web page, not all only facebook, whatapp and other stupid page...


I don´t know what happen.... help


configuration:


PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname XXXX
domain-name XXXX.XX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_access_in permit ip any any
access-list outside_access_in permit ip any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 190.X.X.X 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 190.X.X.X 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 190.X.X.0 255.255.255.0 outside
http 190.X.X.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 190.X.X.0 255.255.255.0 outside
ssh 190.X.X.0 255.255.255.0 outside
ssh timeout 5
dhcpd address 192.168.0.2-192.168.0.128 inside
dhcpd dns 200.91.X.X 200.91.X.X
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain cognis
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:70479e977ae1b0b66f41caa27d03a9f1
: end


I dont have proxy.... and DNS it´s OK... I have ping at facebook but dont see web page
0
Comment
Question by:sleick
  • 3
  • 2
5 Comments
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 39171096
Here is a cleansed, working config.  The problems appear to be with the access lists and groups.  Compare them and make required changes.

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname WHATEVER
domain-name eWHATEVER.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.0
ip address inside 192.168.0.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.10 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 YYY.YYY.YYY.YYY
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 190.X.X.0 255.255.255.0 outside
http 190.X.X.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.168.0.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.11-192.168.0.42 inside
dhcpd dns 192.168.0.150
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
0
 

Author Comment

by:sleick
ID: 39174726
Sorry for not responding before,

I drop this line and dont have connection with facebook and google.

access-list inside_access_in permit ip any any
access-list outside_access_in permit ip any any

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

And add this line:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
0
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 39175379
Add your access list lines back in and leave the nat the way it is.  I just noticed you are running IOS 6.2(2)  the cleaned up config is IOS 6.3(5)

The other option is to upgrade your firmware, which I would definitely recommend.
0
 

Accepted Solution

by:
sleick earned 0 total points
ID: 39199098
PIx 501 have a bug and thas is solucion :D

https://supportforums.cisco.com/thread/2175982
0
 

Author Closing Comment

by:sleick
ID: 39212583
PLease Close!
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question