PIX 515 blocking outbound traffic to certain sites

daytooner
Level 1

The problem, in a nutshell:

I have a LAN with several Linux boxes (Fedora 17, both 32- and 64-bit), as well as a WinXP box. All of these are connected to the same switch, which is connected to the inside port of my PIX 515.

For a few sites (mozilla.org happens to be one of them), for HTTP access, the TCP connection is established, but the "GET" request - or anything else for that matter - will not go through the PIX (from inside to WAN). I have verified this by first using Wireshark to watch the packets being sent out from the client box, then by using the trace function in the PIX to see that the packets ARE arriving at the inside interface, but ARE NOT sent out of the WAN interface.

This is for the Linux boxes ONLY. When I do the same thing with my WinXP box, all works: in the PIX trace, I see the packets arrive at the inside interface and leave the WAN interface. And access to these sites is okay.

(What's a bit weird, although somewhat expected: when I connect my Android phone to my LAN via WiFi, it too is unable to reach those sites - but then again, Android is Linux, right?)

In addition to the tracing, I have narrowed this problem down by connecting a Linux box directly to my DSL router, then by replacing the PIX with a simple router/gateway. Both of those setups work.

Some background:

I have been using this PIX for about 10 years now, with the same configuration (except IP addresses). Only in the last several months has this problem started to show up.

I got this PIX from a dead company at a really great price (free), so I'd like to keep it and not have to spend money on something else. I don't have any support license, and have not been able to get any software upgrades. Here is its version info:

taz(config)# sho ver

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)

Compiled on Fri 07-Jun-02 17:49 by morlee

taz up 1 day 8 hours

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0005.3290.06d2, irq 11
1: ethernet1: address is 0005.3290.06d3, irq 10
2: ethernet2: address is 0002.b3d5.2fea, irq 9
3: ethernet3: address is 00d0.b792.2fc5, irq 7

Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Enabled
Maximum Interfaces: 6
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

Serial Number: 405200362 (0x1826ddea)
Running Activation Key: 0x38ac31f3 0x0630df47 0x9a77b805 0x8bc39a60

I can provide the full configuration if desired, as well as trace outputs.

Please, anyone with any idea of what's going on, PLEASE help. This is driving me nucking futs.

TIA

ken

PS: Since this PIX is at its end of life, I was wondering if any of the software upgrades would now be available without a license?

2 Replies

Jennifer Halim
Cisco Employee

Unfortunately from your description, it sounds more like a software bug rather than a configuration issue.

If it is a configuration issue, it would not work at all, but in your case, it works for XP but not for Linux.

And yes, version 6.2(2) is very OLD, as PIX is now up to version 8.x. But as the PIX is EOL and you don't have SmartNet for it, you won't be able to upgrade the software unless you can source the software from somewhere else.

First, thanks for the reply.

I agree that this must be a software bug - a hardware fault would probably be much more obvious. But I am not sure that the problem is with the PIX.

Since this has worked for a decade, and I have had no problems with access to these sites before, I am a bit dubious about placing the (full) blame on the PIX. I'm thinking that something in Linux networking has changed recently. One of the non-accessible sites was working until a few months ago, when I did an upgrade. Also, since WinXP works fine, it seems it must be something between Linux TCP and the PIX's TCP.

I was (am) hoping that there would be some config option in either the PIX or linux that would work around this. Not knowing the inner workings of either, I was (am) hoping that someone would have some ideas of things to look at (I do have traces), and maybe some tweaks to try.

As for getting upgrades: I thought I saw something - while googling - that upgrades for some EOL products were available without a license.

As always, any help is greatly appreciated.

ken
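The original post has Wireshark captures from both a Linux box and the XP box, and the reply above asks for things to look at. The first comparison a practitioner would make with those two captures is the TCP option list each stack puts in its SYN, because the two differ (window scaling, timestamps, SACK, and on newer Linux kernels optionally ECN) and an inspection engine as old as PIX 6.2 may treat some of those options differently. The script below is an added example, not code from the original post or from Cisco. It decodes the options and flags of a raw TCP segment and reports which options differ between two segments. The two sample SYNs are constructed here to mirror typical defaults of the two stacks, not taken from the poster's captures, and whether any one option is actually the trigger is an assumption to be tested, not a finding.

```python
import struct

# Option kinds from RFC 793 (EOL, NOP, MSS), RFC 7323 (WSCALE, TIMESTAMPS)
# and RFC 2018 (SACK_PERMITTED, SACK).
OPTION_NAMES = {
    0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE",
    4: "SACK_PERMITTED", 5: "SACK", 8: "TIMESTAMPS",
}
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def parse_tcp_options(segment: bytes) -> dict:
    """Decode the option list of a raw TCP segment (IP header already stripped).

    Returns {option_name: decoded_value}. Every offset is checked against the
    data offset, so a malformed capture raises instead of reading past the header.
    """
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    opts = {}
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:            # EOL: nothing else follows
            break
        if kind == 1:            # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("option %d has no length byte" % kind)
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("option %d has bad length %d" % (kind, length))
        body = segment[i + 2:i + length]
        name = OPTION_NAMES.get(kind, "KIND_%d" % kind)
        if kind == 2 and length == 4:
            opts[name] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            opts[name] = body[0]                       # shift count
        elif kind == 4 and length == 2:
            opts[name] = True
        elif kind == 8 and length == 10:
            opts[name] = struct.unpack("!II", body)    # (TSval, TSecr)
        else:
            opts[name] = body.hex()                    # unknown/odd: keep raw
        i += length
    return opts


def tcp_flags(segment: bytes) -> set:
    """Return the set of flag names set in the segment (ECE/CWR included)."""
    bits = segment[13]
    return {name for n, name in enumerate(FLAG_NAMES) if bits & (1 << n)}


def compare_options(a: dict, b: dict) -> dict:
    """Options that differ between two decoded segments: {name: (a_value, b_value)}."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def build_syn(options: bytes, window: int, ecn_setup: bool = False) -> bytes:
    """Construct a SYN to port 80 carrying the given option bytes (padded to 4)."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4
    flags = 0x02 | (0xC0 if ecn_setup else 0)   # SYN, plus ECE+CWR for an ECN-setup SYN
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                         data_offset << 4, flags, window, 0, 0)
    return header + options


# Constructed sample SYNs (not captured from the poster's network). The layouts
# mirror the usual defaults: a 3.x-era Linux stack sends MSS, SACK-permitted,
# timestamps and window scaling; Windows XP sends MSS and SACK-permitted only.
LINUX_SYN = build_syn(
    b"\x02\x04\x05\xb4"                                  # MSS 1460
    + b"\x04\x02"                                        # SACK permitted
    + b"\x08\x0a" + struct.pack("!II", 123456, 0)        # timestamps
    + b"\x01"                                            # NOP
    + b"\x03\x03\x07",                                   # window scale 7
    window=14600)
XP_SYN = build_syn(
    b"\x02\x04\x05\xb4"                                  # MSS 1460
    + b"\x01\x01"                                        # NOP, NOP
    + b"\x04\x02",                                       # SACK permitted
    window=65535)


def syn_differences() -> dict:
    """Options present in one sample SYN but absent or different in the other."""
    return compare_options(parse_tcp_options(LINUX_SYN), parse_tcp_options(XP_SYN))


if __name__ == "__main__":
    for label, syn in (("linux", LINUX_SYN), ("xp", XP_SYN)):
        print(label, sorted(tcp_flags(syn)), parse_tcp_options(syn))
    print("differ:", syn_differences())
```

To run this against real captures, export the TCP header bytes of the Linux and XP SYNs (and of the first data segment that stalls) from Wireshark and pass them to `parse_tcp_options` in place of the constructed samples. Whatever differs can then be tested one knob at a time on the Linux side with `sysctl -w` on `net.ipv4.tcp_window_scaling`, `net.ipv4.tcp_timestamps`, `net.ipv4.tcp_sack` and `net.ipv4.tcp_ecn`, re-running the PIX trace after each change to see whether the GET starts leaving the WAN interface; this is a test procedure, not a claim about which option is responsible.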
