10-10-2012 05:41 AM - edited 03-11-2019 05:07 PM
Hi,
I have a PIX 501 with 6.2 FW. The firewall inside network is connected to a Windows server (Mailserver). I can get access to most websites on all clients as well as on the server. However, there are some particular websites, such as facebook.com, that the server and all but one client cannot access. I get a "cannot display the webpage" in Internet Explorer.
I have disabled the Windows firewall and AV. I have also scanned for any malware and no malware was found.
Could this be a problem from the PIX? I found on the forums a "fixup protocol dns" solution, but my PIX version does not support it.
Any ideas?
Below is my config:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password df.GtQet9.guB18T encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name xxx.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol http 80
names
name 192.168.1.2 MailServer
object-group service Mail tcp-udp
description Mail utility ports
port-object eq 25
port-object eq 3389
access-list outside_access_in permit tcp any host 10.0.0.10 eq smtp
access-list outside_access_in permit tcp any host 10.0.0.10 eq 3389
access-list outside_access_in permit tcp any host 10.0.0.10 eq 8080
access-list outside_access_in permit tcp any host 10.0.0.10 eq 32001
access-list outside_access_in permit tcp any host 10.0.0.10 eq https
access-list outside_access_in permit tcp any host 10.0.0.10 eq www
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location MailServer 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.21 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp MailServer smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 MailServer 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 MailServer 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 32001 MailServer 32001 netmask 255.255.255.255 0 0 norandomseq
static (inside,outside) tcp interface https MailServer https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www MailServer www netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.138 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.21 255.255.255.255 inside
http MailServer 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address MailServer-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:fa4e4f01595a9e0fbc3f8a6110d1de8c
Thanks,
Tiziana
11-11-2012 08:36 PM
I've got a PIX 501, and I'm having the same problem. Secondly, it's DEFINITELY the PIX. I have three systems (two Win 7, one G5 Mac running Leopard) that can't connect to Facebook, Wikipedia, or a number of other odd URLs, regardless of which browser you use. Only one other system (old P4 running XP Pro) connects to Wiki and FB with no problems. Put any of the other systems on a static outside the firewall and the problems vanish.
Until last month, I was running a spit-and-baling-wire PIX 515. Everything was running smooth as a Swiss watch. Then the 515 died a horrid death (power supply fried, cap on the mainboard physically burned). All these problems surfaced the minute I put the old PIX 501 back into service.
I've searched far and wide for a fix, and I'm confident that THERE ISN'T A FIX. This unit and the 506 had limited memory....they got left out of IOS updates after V6.x (I think...correct me if I'm wrong). Mine was made during the late 90's, and (from a support standpoint) it was dropped like a hot potato a LONG time ago.
If you want to save yourself some serious hassles, apply the following work-around:
1.) Go on eBay and spend $40-$50 USD (as low as $20 if you fish around) on a used PIX 515 or 515E. While you're there, note that 501's are selling for slightly less than a six-pack of cheap beer.
2.) Update the 515 to the latest IOS package it'll take (it's 8 point something...I forget).
3.) Copy-and-paste the major parts of the config from the 501 to the 515.
4.) Verify everything is working, then consign the 501 to the scrap heap.
10-10-2012 05:47 AM
Hello Tiziana,
You are facing the issue only with the server PC, right? Can you check whether you are able to resolve the IP for facebook.com
with the help of nslookup on the server? I don't really find a reason to blame your PIX, as the same website is working from other client PCs.
Regards
Harish.
10-10-2012 07:11 AM
Hi Harish,
No it's not just the server. We have a total of 4 clients and one server. The server and 3 clients have a problem with accessing certain websites. Another client has no problems accessing these same websites.
I can resolve the IP for facebook.com and nslookup is OK as well.
Tiziana
10-10-2012 07:16 AM
Hello Tiziana,
A little tricky to troubleshoot. Can we bypass the ASA and test with a client PC where the issue is seen?
Basically you can place the client PC in the same VLAN as the outside network and give it an IP from the outside range with a gateway of 10.0.0.138, just to confirm the issue lies with the PIX!
Regards
Harish.
10-10-2012 07:31 AM
Already tried that and client PC can connect ok when not connected to the firewall.
Yes very tricky to troubleshoot! I was thinking it was something related to the server/Windows but I have exhausted all options now and thought it may be a firewall issue.
Tiziana
10-10-2012 07:57 AM
If all else fails I would set up some packet captures on the inside and outside interfaces simultaneously. Attempt the connection. Copy the packet captures somewhere you can get at them with a protocol analyzer and compare.
At least, that would be my troubleshooting course.
10-11-2012 04:57 AM
I tried some debugging, but I saw no output when trying to access these websites.
The show asp drop command was not found (this PIX is 6.2).
I will try and install Wireshark and see if I find some useful info. This is at my client's side, so I need to set a day to do this.
Thanks,
Tiziana
10-11-2012 05:03 AM
I cannot ping from inside interface (to any website). How do I allow ICMP replies so I can troubleshoot?
Thanks,
Tiziana
10-11-2012 05:23 AM
Hello Tiziana,
you can give
fixup protocol icmp
Hope this helps
Harish
10-16-2012 05:14 AM
Hi Tiziana,
I have exactly the same issue. Facebook hasn't worked on any of the machines on my inside network for around a year, I am using a PIX501 with 6.2.
After all my troubleshooting so far it appears to be a TCP checksum related issue. I compared a session in wireshark going to both facebook and google and only facebook reports the issues. Everything works great behind my firewall except for facebook which works about 1/100 times. I know it's my firewall because when I bypass the firewall it works straight away and I can access facebook.
There must be a command I can use on my PIX that will fix the issue? Anyone?
Cheers,
Andrew
10-16-2012 05:45 AM
Hi Andrew,
Yes I am pretty sure it's from my PIX as well because I can connect to these websites once I bypass it.
I also ran wireshark and noticed the TCP checksum errors. I am not sure this is the cause of the problem however, as from what I read from the wireshark support forums, this is usually from the network drivers.
I also noticed a lot of "TCP Previous Segment Lost: TCP DUP ACK" only for facebook.com (no such errors were noticed for other websites).
Hope there is some PIX fix!
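The symptom Tiziana and Andrew describe in Wireshark, "TCP Previous Segment Lost" followed by "Dup ACK" for one site only, while small exchanges with the same site (handshake, request, server ACK) go through, is the classic signature of a path that silently drops full-size segments. The script below is an added example, not code from this thread or from Cisco: it walks a small constructed capture (TEST-NET addresses 203.0.113.x and all packets are invented, with Wireshark-style relative sequence numbers as an inside-interface capture would show them) and flags flows where the only missing bytes are whole full-size segments while smaller ones arrive in order. The 1460-byte full-size threshold assumes a 1500-byte MTU with no TCP options.

```python
FULL_SIZE = 1460  # payload of a full-size TCP segment on a 1500-byte MTU path

# Constructed sample (not from the thread), written the way an inside-interface
# capture looks: (time, src, dst, flags, seq, ack, payload_len), relative seq numbers.
CLIENT_A, SITE_A = "192.168.1.2:50000", "203.0.113.10:80"   # placeholder "failing" site
CLIENT_B, SITE_B = "192.168.1.2:50001", "203.0.113.20:80"   # placeholder "working" site

SAMPLE_PACKETS = [
    # flow A: handshake and the small request work, but the three full-size
    # response segments (seq 1..4380) never arrive; only the 200-byte tail does
    (0.000, CLIENT_A, SITE_A, "S",  0,    0,    0),
    (0.020, SITE_A, CLIENT_A, "SA", 0,    1,    0),
    (0.021, CLIENT_A, SITE_A, "A",  1,    1,    0),
    (0.022, CLIENT_A, SITE_A, "PA", 1,    1,    300),   # HTTP request
    (0.045, SITE_A, CLIENT_A, "A",  1,    301,  0),     # server ACKs it
    (0.052, SITE_A, CLIENT_A, "PA", 4381, 301,  200),   # "previous segment lost"
    (0.053, CLIENT_A, SITE_A, "A",  301,  1,    0),     # dup ACK
    (0.055, SITE_A, CLIENT_A, "FA", 4581, 301,  0),     # server closes
    (0.056, CLIENT_A, SITE_A, "A",  301,  1,    0),     # dup ACK
    # flow B: same request pattern, the full-size segment arrives, all is ACKed
    (0.000, CLIENT_B, SITE_B, "S",  0,    0,    0),
    (0.018, SITE_B, CLIENT_B, "SA", 0,    1,    0),
    (0.019, CLIENT_B, SITE_B, "A",  1,    1,    0),
    (0.020, CLIENT_B, SITE_B, "PA", 1,    1,    300),
    (0.040, SITE_B, CLIENT_B, "A",  1,    301,  0),
    (0.048, SITE_B, CLIENT_B, "A",  1,    301,  1460),
    (0.049, SITE_B, CLIENT_B, "PA", 1461, 301,  800),
    (0.050, CLIENT_B, SITE_B, "A",  301,  2261, 0),
]


def analyze_capture(packets, full_size=FULL_SIZE):
    """Group packets into flows and record, per flow, what Wireshark labels
    'Previous segment lost' (a jump in seq) and 'Dup ACK' (a repeated pure ACK)."""
    flows = {}
    for t, src, dst, flags, seq, ack, plen in sorted(packets, key=lambda p: p[0]):
        f = flows.setdefault(tuple(sorted((src, dst))), {
            "expected": {},        # next in-order seq we expect from each endpoint
            "last_ack": {},        # last ack number seen from each endpoint
            "gaps": [],            # (time, sender, bytes that never showed up)
            "dup_acks": 0,
            "in_order_small": 0,   # segments below full size that arrived in order
            "largest_seen": 0,     # biggest payload that ever made it through
        })
        if "S" in flags:
            f["expected"][src] = seq + 1   # SYN consumes one sequence number
            continue
        advance = plen + (1 if "F" in flags else 0)   # FIN consumes one too
        expected = f["expected"].get(src)
        if advance and expected is not None:
            f["largest_seen"] = max(f["largest_seen"], plen)
            if seq > expected:
                f["gaps"].append((t, src, seq - expected))
                f["expected"][src] = seq + advance
            elif seq == expected:
                f["expected"][src] = seq + advance
                if 0 < plen < full_size:
                    f["in_order_small"] += 1
            # seq < expected: retransmission of data already seen; nothing new
        elif "A" in flags and "R" not in flags:
            if f["last_ack"].get(src) == ack:
                f["dup_acks"] += 1
        if "A" in flags:
            f["last_ack"][src] = ack
    return flows


def suspect_mtu_blackhole(report, full_size=FULL_SIZE):
    """True when the only bytes missing are whole full-size segments while smaller
    segments arrive in order: a path silently dropping packets above its real MTU."""
    gaps = [g for _, _, g in report["gaps"]]
    return (bool(gaps)
            and all(g >= full_size for g in gaps)
            and report["largest_seen"] < full_size
            and report["in_order_small"] > 0
            and report["dup_acks"] > 0)


def describe(report, full_size=FULL_SIZE):
    if not suspect_mtu_blackhole(report, full_size):
        return "no MTU black hole signature: %d gap(s), %d dup ACKs, largest payload %d" % (
            len(report["gaps"]), report["dup_acks"], report["largest_seen"])
    missing = sum(g for _, _, g in report["gaps"])
    return "suspect MTU black hole: %d bytes (~%d full-size segments) never arrived, %d dup ACKs, largest payload seen %d" % (
        missing, missing // full_size, report["dup_acks"], report["largest_seen"])


if __name__ == "__main__":
    for key, report in analyze_capture(SAMPLE_PACKETS).items():
        print("%s <-> %s: %s" % (key[0], key[1], describe(report)))
```

Run against a real capture, you would export the TCP fields from Wireshark and feed them in as the same tuples; the point of the check is the contrast between the two flows, since a single site misbehaving while the rest of the web works is what separates an MTU black hole from a generally broken firewall.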
11-11-2012 08:36 PM
I've got a PIX 501, and I'm having the same problem. Secondly, it's DEFINATELY the PIX. I have three systems (two win 7, one G5 MAC running Leopard) that can't connect to Facebook, Wikipedia, or a number of other odd urls, regardless of which browser you use. Only one other sysrem (Old P4 running XP Pro) connects to Wiki and FB with no problems. Put any of the other systems on a static outside the firewall and the problems vanish.
Until last month, I was running a spit-and-bailing wire PIX 515. Everything was runninjg smooth as a swiss watch. Then the 515 died a horrid death (power supply fried, cap on the mainboard phyisically burned). All these problems surfaced the minute I put the old PIX 501 back into service.
I've searched far and wide for a fix, and I'm confident that THERE ISN'T A FIX. This unit and the 506 had limited memory....they got left out of IOS updates after V6.x (I think...correct me if I'm wrong). Mine was made during the late 90's, and (from a support standpoint) it was dropped like a hot potato a LONG time ago.
If you want to save yourself some serious hassles, apply the following work-around:
1.) Go on Ebay and spend $40-$50 USD (as low as $20 if you fish around) on a used PIX 515 or 515E. While you're there, note that 501's are selling for slightly less than a six-back of cheap beer.
2.) Update the 515 to the latest IOS package it'll take (it's 8 point something...I forget)
3). Copy-and-paste the major parts of the config from the 501 to the 515.
4). Verify everything is working, then consign the 501 to the scrap heap.
11-11-2012 11:49 PM
Hi Michael,
Yes, it was the PIX. I had managed to get the XP and Windows 7 to access the websites by changing the MTU size on the end stations and the PIX to 1492. But when I tried the same with the MACs, I still could not access these websites. What I did was buy an ASA5505 and now all websites can be accessed!
Tiziana
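Tiziana's fix, dropping the MTU on the PIX and the end stations from the configured 1500 (the `mtu outside 1500` line in the posted config) to 1492, is what you land on when an upstream hop cannot carry full-size frames and the "fragmentation needed" ICMP that would tell the hosts so is being dropped; 1492 is 1500 minus the 8 bytes of PPPoE overhead. Rather than guess the number, a practitioner measures it. The script below is an added example, not from the thread or from Cisco: it binary-searches the largest Don't Fragment ping that gets a reply and converts that to the path MTU and the TCP MSS that matches it. It assumes the OS `ping` command with the platform's own DF flags (`-M do` on Linux, `-D` on macOS, `-f` on Windows); the simulated probe lets it run offline.

```python
import functools
import platform
import subprocess
import sys

IP_ICMP_OVERHEAD = 28    # 20-byte IPv4 header + 8-byte ICMP echo header
ETHERNET_MTU = 1500


def icmp_df_probe(host, payload_len, timeout_s=2):
    """Send one ICMP echo with Don't Fragment set and the given payload size.
    Returns True on a reply, False on timeout or a local 'message too long' error.
    Uses the OS ping command; the DF flag is spelled differently per platform."""
    system = platform.system()
    if system == "Linux":
        cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(payload_len), host]
    elif system == "Darwin":
        cmd = ["ping", "-D", "-c", "1", "-s", str(payload_len), host]
    elif system == "Windows":
        cmd = ["ping", "-f", "-n", "1", "-w", str(timeout_s * 1000), "-l", str(payload_len), host]
    else:
        raise RuntimeError("no DF-ping recipe for " + system)
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def find_path_mtu(probe, max_mtu=ETHERNET_MTU, overhead=IP_ICMP_OVERHEAD):
    """Binary-search the largest DF probe that gets a reply and turn it into an MTU.
    probe(payload_len) -> bool.  Returns None when even a tiny probe fails, which
    means the problem is reachability, not MTU."""
    if not probe(0):
        return None
    lo, hi = 0, max_mtu - overhead    # lo is known good; hi is the first size that may fail
    if probe(hi):
        return hi + overhead          # full-size frames pass: no MTU black hole on this path
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo + overhead


def recommended_settings(path_mtu):
    """Values to carry back into the firewall and end stations once the real MTU is known."""
    return {
        "interface_mtu": path_mtu,
        "tcp_mss": path_mtu - 40,    # IPv4 header (20) + TCP header (20), no options
        "pppoe_overhead_suspected": ETHERNET_MTU - path_mtu == 8,
    }


def simulated_probe(path_mtu, payload_len, overhead=IP_ICMP_OVERHEAD):
    """Stand-in for icmp_df_probe: a path that silently drops anything above path_mtu."""
    return payload_len + overhead <= path_mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:
        probe = functools.partial(icmp_df_probe, sys.argv[1])   # real probe against a host you run
    else:
        probe = functools.partial(simulated_probe, 1492)        # offline demo of a PPPoE-sized path
    mtu = find_path_mtu(probe)
    print("path MTU:", mtu, recommended_settings(mtu) if mtu else "(host unreachable)")
```

Probe a host outside the firewall from an inside machine and then from a machine placed on the outside segment, as Harish suggested earlier in the thread: if the two numbers differ, the firewall (or the link it sits on) is the hop that clamps the path, and the measured value is the one to configure rather than a guess.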