Solved

Cisco PIX Firewall config - can't access certain web sites.

Posted on 2014-02-28
5
769 Views
Last Modified: 2014-03-10
I am the I.T. Manager for a solicitors' firm.

We can't seem to access several web sites such as Facebook, Wikipedia, HKH Solicitors and Eurostar, plus several others, mainly https:// sites, but some do open.

We have nothing in place to block these sites, and it only happens on new Windows 7 installs, not on our old XP machines, or if we connect an iPhone or iPad via the firm's wifi.

I got a copy of the PIX firewall config and was hoping an expert could take a look and tell me if I am missing something; it's posted below.

Thanks
Ian.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lDQ1e86P2tr0BHxt encrypted
passwd RT97Q1q4kvGhHIRQ encrypted
hostname manorpark
domain-name wiseman.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
no fixup protocol h323 1720
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list mail permit tcp any host 77.73.11.54 eq smtp
access-list mail permit tcp any host 77.73.11.52 eq www
access-list mail permit tcp any host 77.73.11.52 eq 443
pager lines 24
logging on
logging buffered errors
logging trap notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 77.73.11.52 255.255.255.240
ip address inside 192.168.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pool2 10.44.0.181-10.44.0.187
no pdm history enable
arp timeout 14400
global (outside) 1 77.73.11.55
nat (inside) 1 172.18.0.0 255.255.255.0 0 0
nat (inside) 1 172.18.5.0 255.255.255.0 0 0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
nat (inside) 1 192.168.6.0 255.255.255.0 0 0
nat (inside) 1 192.168.216.0 255.255.255.0 0 0
static (inside,outside) 77.73.11.54 192.168.2.239 netmask 255.255.255.255 0 0
static (inside,outside) 77.73.11.52 192.168.2.250 netmask 255.255.255.255 0 0
access-group mail in interface outside
route outside 0.0.0.0 0.0.0.0 77.73.11.51 1
route inside 172.18.0.0 255.255.255.0 192.168.6.2 1
route inside 172.18.5.0 255.255.255.0 192.168.6.2 1
route inside 192.168.0.0 255.255.255.0 192.168.6.2 1
route inside 192.168.2.0 255.255.255.0 192.168.6.2 1
route inside 192.168.3.0 255.255.255.0 192.168.6.2 1
route inside 192.168.5.0 255.255.255.0 192.168.6.2 1
route inside 192.168.216.0 255.255.255.0 192.168.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
telnet 192.168.6.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh 205.243.102.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:b7202158dfba66d172f6a98572d95cfe
manorpark#
Question by:ise438
5 Comments
 
LVL 9

Accepted Solution

by:
ffleisma earned 500 total points
ID: 39894894
Looking at the configuration, I don't see an access-group in place for the inside interface. So what this basically means is that, by default, all traffic is permitted from a higher security interface to a lower security interface:

nameif ethernet0 outside security0
nameif ethernet1 inside security100

So inside to outside, there is nothing blocking your traffic in terms of the firewall.

What you can do to check is a telnet from a host:

telnet www.facebook.com 443

Ensure that www.facebook.com resolves to the correct IP; if it doesn't, then it's a name resolution issue and you might want to check your DHCP/hosts file.

Also test using the IP of Facebook:

telnet 173.252.110.27 443

If it connects, then the firewall is not the issue.

Hope this gives you insights.
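The reasoning in the accepted answer (no access-group bound to inside, so higher-to-lower security traffic passes by default) as an added example that is not part of the thread: a small Python parser that reads the nameif, access-list and access-group lines from the posted config and reports what governs each direction. The rule it encodes is a simplification of PIX 6.x behaviour (it assumes a matching nat/global or static translation exists for the flow); the sample config is the relevant subset of the one in the question.

```python
import re

# Constructed sample: the interface, ACL and access-group lines from the
# config posted in the question (the rest is irrelevant to this check).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list mail permit tcp any host 77.73.11.54 eq smtp
access-list mail permit tcp any host 77.73.11.52 eq www
access-list mail permit tcp any host 77.73.11.52 eq 443
access-group mail in interface outside
"""

def parse_pix(config):
    """Return (security level per nameif, inbound ACL per nameif, ACL entries)."""
    levels, bound, acls = {}, {}, {}
    for line in config.splitlines():
        m = re.match(r"nameif \S+ (\S+) security(\d+)", line)
        if m:
            levels[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"access-list (\S+) (permit|deny) (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            bound[m.group(2)] = m.group(1)
    return levels, bound, acls

def policy(config, ingress, egress):
    """What decides traffic entering on `ingress` and leaving via `egress`.

    PIX 6.x rule of thumb: an ACL bound inbound on the ingress interface
    replaces the default; without one, higher-to-lower security is permitted
    (given a translation) and lower-to-higher is denied.
    Returns (verdict, ACL entries that apply).
    """
    levels, bound, acls = parse_pix(config)
    if ingress in bound:
        name = bound[ingress]
        return f"acl:{name}", acls.get(name, [])
    if levels[ingress] > levels[egress]:
        return "permit-by-default", []
    return "deny-by-default", []

if __name__ == "__main__":
    for pair in (("inside", "outside"), ("outside", "inside")):
        verdict, entries = policy(SAMPLE_CONFIG, *pair)
        print(f"{pair[0]} -> {pair[1]}: {verdict} ({len(entries)} ACL entries)")
```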
 

Author Comment

by:ise438
ID: 39895026
Hi,

Facebook now seems to work, sorry, bad choice, but www.gov.uk doesn't; that one resolves to 185.31.19.144 on my system.

How do I know if Telnet is successful? Should the screen go blank with a little white cursor flashing in the top left-hand corner? If so, I can telnet to...

I can telnet to www.gov.uk 443 and 80
and
185.31.19.144 443 and 80

Just looking to confirm it's not the firewall really...

Thanks
Ian.
 
LVL 9

Expert Comment

by:ffleisma
ID: 39895264
Yes, if it goes blank it seems the connection is going through, and it's not a firewall issue.


Pinging www-gov-uk.map.fastly.net [199.27.73.144] with 32 bytes of data:

Is 185.31.19.144 the IP where www.gov.uk is resolving on your end?

Next we test whether this is a DNS/name resolution issue. Try doing a static IP configuration and just replace the DNS with a public DNS (8.8.8.8 - Google public DNS).

Let me know how it goes.
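The telnet test from the accepted answer and the name-resolution check from this comment, scripted together as an added example that is not from the thread: it resolves the host with the local resolver, repeats the "telnet host port" TCP test on 80 and 443, and maps the results onto the decision rules used above (wrong address means DNS; TCP blocked means path or firewall; TCP open means look above layer 4). The optional TLS step goes one check further than the comments do, separating "port reachable" from "TLS session established". Host and addresses are the ones from the thread; resolver and connector are injectable so the logic can be exercised offline.

```python
import socket
import ssl

def resolve_ipv4(host, getaddrinfo=socket.getaddrinfo):
    """Addresses the local resolver returns for host (sorted, deduplicated)."""
    infos = getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_open(host, port, connect=socket.create_connection, timeout=5):
    """The 'telnet host port' test: True if the TCP handshake completes."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_open(host, port=443, connect=socket.create_connection, timeout=5):
    """One step past telnet: does a TLS handshake also complete on that port?"""
    ctx = ssl.create_default_context()
    try:
        with connect((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False

def classify(expected_ip, addresses, reachable, tls):
    """Apply the thread's decision rules to the collected facts."""
    if expected_ip and expected_ip not in addresses:
        return "name-resolution"    # DNS / hosts file gives a different answer
    if not all(reachable.values()):
        return "path-or-firewall"   # TCP handshake blocked somewhere en route
    if tls is False:
        return "tls-handshake"      # port open, but the TLS session never forms
    return "not-the-firewall"       # telnet-level test passes: look higher up

def diagnose(host, expected_ip=None, ports=(80, 443), check_tls=False,
             resolver=resolve_ipv4, connect=socket.create_connection):
    addresses = resolver(host)
    reachable = {port: tcp_open(host, port, connect) for port in ports}
    tls = tls_open(host, connect=connect) if check_tls and reachable.get(443) else None
    return {"host": host, "addresses": addresses, "reachable": reachable,
            "tls": tls, "verdict": classify(expected_ip, addresses, reachable, tls)}

if __name__ == "__main__":
    import sys  # usage: script.py [host] [expected_ip]; uses the real network
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "www.gov.uk",
                   expected_ip=sys.argv[2] if len(sys.argv) > 2 else None,
                   check_tls=True))
```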
 

Author Comment

by:ise438
ID: 39906016
Hey,

OK, I get 185.31.19.144 even if I set a static IP address and use Google DNS 8.8.8.8. Also, this only seems to be affecting Windows 7 computers and mobile devices; I've a couple of XP computers which still resolve to 185.31.19.144 but www.gov.uk opens up fine...

Any ideas?

Ian.
 

Author Comment

by:ise438
ID: 39909581
Any ideas?
