Cannot access certain websites behind Pix 501

Tiziana Cassar
Level 1

Hi,

I have a PIX 501 with 6.2 FW.  The firewall's inside network is connected to a Windows server (mail server).  I can get access to most websites on all clients as well as on the server.  However, there are some particular websites, such as facebook.com, that the server and all but one client cannot access.  I get a "cannot display the webpage" in Internet Explorer.

I have disabled the Windows firewall and AV.  I have also scanned for any malware and no malware was found.

Could this be a problem from the PIX?  I found on the forums a "fixup protocol dns" solution, but my PIX version does not support it.

Any ideas?

Below is my config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password df.GtQet9.guB18T encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name xxx.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol http 80
names
name 192.168.1.2 MailServer
object-group service Mail tcp-udp
  description Mail utility ports
  port-object eq 25
  port-object eq 3389
access-list outside_access_in permit tcp any host 10.0.0.10 eq smtp
access-list outside_access_in permit tcp any host 10.0.0.10 eq 3389
access-list outside_access_in permit tcp any host 10.0.0.10 eq 8080
access-list outside_access_in permit tcp any host 10.0.0.10 eq 32001
access-list outside_access_in permit tcp any host 10.0.0.10 eq https
access-list outside_access_in permit tcp any host 10.0.0.10 eq www
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location MailServer 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.21 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp MailServer smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 MailServer 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 MailServer 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 32001 MailServer 32001 netmask 255.255.255.255 0 0 norandomseq
static (inside,outside) tcp interface https MailServer https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www MailServer www netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.138 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.21 255.255.255.255 inside
http MailServer 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address MailServer-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:fa4e4f01595a9e0fbc3f8a6110d1de8c

Thanks,

Tiziana

Accepted Solution

uranusdemilo
Level 1

I've got a PIX 501, and I'm having the same problem.  Secondly, it's DEFINITELY the PIX.  I have three systems (two Win 7, one G5 Mac running Leopard) that can't connect to Facebook, Wikipedia, or a number of other odd URLs, regardless of which browser you use.  Only one other system (old P4 running XP Pro) connects to Wiki and FB with no problems.  Put any of the other systems on a static outside the firewall and the problems vanish.

Until last month, I was running a spit-and-baling-wire PIX 515.  Everything was running smooth as a Swiss watch.  Then the 515 died a horrid death (power supply fried, cap on the mainboard physically burned).  All these problems surfaced the minute I put the old PIX 501 back into service.

I've searched far and wide for a fix, and I'm confident that THERE ISN'T A FIX.  This unit and the 506 had limited memory... they got left out of IOS updates after V6.x (I think... correct me if I'm wrong).  Mine was made during the late '90s, and (from a support standpoint) it was dropped like a hot potato a LONG time ago.

If you want to save yourself some serious hassles, apply the following work-around:

1. Go on eBay and spend $40-$50 USD (as low as $20 if you fish around) on a used PIX 515 or 515E.  While you're there, note that 501s are selling for slightly less than a six-pack of cheap beer.

2. Update the 515 to the latest IOS package it'll take (it's 8 point something... I forget).

3. Copy-and-paste the major parts of the config from the 501 to the 515.

4. Verify everything is working, then consign the 501 to the scrap heap.


12 Replies

Hello Tiziana,

You are facing the issue only with the server PC, right?  Can you check whether you are able to resolve the IP for facebook.com with the help of nslookup on the server.  I don't really find a reason to blame your PIX, as the same website is working from the other client PCs.

Regards

Harish.

Hi Harish,

No it's not just the server.  We have a total of 4 clients and one server.  The server and 3 clients have a problem with accessing certain websites.  Another client has no problems accessing these same websites.

I can resolve the IP for facebook.com, and nslookup is OK as well.

Tiziana

Hello Tiziana,

A little tricky to troubleshoot.  Can we bypass the ASA and test with a client PC where the issue is seen?

Basically, you can place the client PC in the same VLAN as the outside network and give it an IP from the outside range with a gateway of 10.0.0.138, just to confirm the issue lies with the PIX!

regards

harish.

Already tried that, and the client PC can connect OK when not connected to the firewall.

Yes, very tricky to troubleshoot!  I was thinking it was something related to the server/Windows, but I have exhausted all options now and thought it may be a firewall issue.

Tiziana

  • Is there anything in the Pix log that indicates that connections are being dropped?
  • Does "show asp drop" tell you anything? (it has been a while - I think 6.3 supports this)

If all else fails, I would set up packet captures on the inside and outside interfaces simultaneously.  Attempt the connection.  Copy the packet captures somewhere you can get at them with a protocol analyzer and compare.

At least, that would be my troubleshooting course.

I tried some debugging, but I saw no output when trying to access these websites.

The "show asp drop" command was not found (this PIX is 6.2).

I will try and install Wireshark and see if I find some useful info.  This is at my client's side, so I need to set a day to do this.

Thanks,

Tiziana

I cannot ping from inside interface (to any website).   How do I allow ICMP replies so I can troubleshoot?

Thanks,

Tiziana

Hello Tiziana,

You can give:

fixup protocol icmp

Hope this helps

Harish

Hi Tiziana,

I have exactly the same issue.  Facebook hasn't worked on any of the machines on my inside network for around a year; I am using a PIX 501 with 6.2.

After all my troubleshooting so far, it appears to be a TCP checksum related issue.  I compared a session in Wireshark going to both Facebook and Google, and only Facebook reports the issues.  Everything works great behind my firewall except for Facebook, which works about 1/100 times.  I know it's my firewall because when I bypass the firewall it works straight away and I can access Facebook.

There must be a command I can use on my PIX that will fix the issue?  Anyone?

Cheers,

Andrew

Hi Andrew,

Yes I am pretty sure it's from my PIX as well because I can connect to these websites once I bypass it.

I also ran wireshark and noticed the TCP checksum errors.  I am not sure this is the cause of the problem however, as from what I read from the wireshark support forums, this is usually from the network drivers.

I also noticed a lot of "TCP Previous Segment Lost: TCP DUP ACK" only for facebook.com (no such errors were noticed for other websites).

Hope there is some PIX fix!


Hi Michael,

Yes, it was the PIX.  I had managed to get the XP and Windows 7 machines to access the websites by changing the MTU size on the end stations and the PIX to 1492.  But when I tried the same with the Macs, I still could not access these websites.  What I did was buy an ASA 5505, and now all websites can be accessed!

Tiziana
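The inside/outside capture comparison suggested earlier in the thread and the MTU finding it ended on, as an added Python example that is not from the thread or from Cisco: it compares two constructed capture summaries to find segments seen inside but never outside, flags DF-marked segments too large for a 1492-byte path MTU (the failure mode that shows up in Wireshark as "previous segment lost" and duplicate ACKs when the ICMP "fragmentation needed" reply is lost), and computes the MSS that fits. The Seg record and the sample segments are constructed for the example, not captured from a PIX.

```python
from dataclasses import dataclass

IP_HDR, TCP_HDR = 20, 20  # IPv4 and TCP headers without options (assumption)

@dataclass(frozen=True)
class Seg:
    seq: int      # relative TCP sequence number
    payload: int  # bytes of TCP payload
    df: bool      # IP Don't-Fragment bit set

def safe_mss(path_mtu: int) -> int:
    """Largest TCP MSS that fits the path MTU without fragmentation."""
    return path_mtu - IP_HDR - TCP_HDR

def blocked_by_mtu(segs, path_mtu):
    """DF-marked segments that do not fit the path MTU. If the ICMP
    'fragmentation needed' reply never reaches the sender, these just vanish."""
    return [s for s in segs if s.df and IP_HDR + TCP_HDR + s.payload > path_mtu]

def missing_on_far_side(near, far):
    """Segments in one capture that never appear in the other, matched on
    (seq, payload) because NAT rewrites addresses and ports between them."""
    far_keys = {(s.seq, s.payload) for s in far}
    return [s for s in near if (s.seq, s.payload) not in far_keys]

def sequence_gaps(segs):
    """Wireshark's 'previous segment lost': a segment starts past the seq
    expected from the previous one. Returns (expected, actual) pairs."""
    gaps, expected = [], None
    for s in sorted(segs, key=lambda s: s.seq):
        if expected is not None and s.seq > expected:
            gaps.append((expected, s.seq))
        expected = s.seq + s.payload
    return gaps

# Constructed sample captures (not real data): the inside host sends full
# 1460-byte segments with DF set; the outside capture only shows the small ones.
INSIDE = [Seg(1, 400, True), Seg(401, 1460, True),
          Seg(1861, 1460, True), Seg(3321, 200, True)]
OUTSIDE = [Seg(1, 400, True), Seg(3321, 200, True)]

if __name__ == "__main__":
    print("MSS that fits MTU 1492:", safe_mss(1492))
    print("seen inside, lost outside:", [s.seq for s in missing_on_far_side(INSIDE, OUTSIDE)])
    print("too large for MTU 1492:", [s.seq for s in blocked_by_mtu(INSIDE, 1492)])
    print("gaps in outside capture:", sequence_gaps(OUTSIDE))
```

On a real pair of captures, the sequence and payload fields come straight from Wireshark's TCP columns; if every missing segment is also in the too-large list, an MTU or MSS fix (as the thread found with 1492) is the thing to try before blaming checksum warnings, which are usually offload artifacts on the capturing host.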
