cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
754
Views
0
Helpful
9
Replies

PIX Firewall

Rudy.Lim
Level 1
Level 1

Can somebody please tell me the reason one web site cannot be accessed by any PCs inside the PIX-Firewall and what configuration needs to be changed? Other web sites are fine. Does this have something to do with SSL or any encryption used? Thanks.

9 Replies 9

colin.higgins
Level 1
Level 1

Rudy,

do you have URL filtering enabled on the PIX? (ex. filter url http...) and a Web Sense Server on your network?

also, do you have java blocking enabled? This may cause a problem as well.

If your outbound access permits everything, you should not have this problem, even if it is SSL.

Thanks for your response. I don't have URL filtering nor Java blocking enabled. A web server is in DMZ and can access this one site without any problem and the other sites as well. But any other PCs inside a firewall can't access only this web site but the other web sites are okay. Hope more ideas from you. Thanks.

colin.higgins
Level 1
Level 1

what are your security levels set at on your DMZ and LAN interfaces?

Security level for LAN interfaces is 100 while the DMZ is 50. Thanks.

Do you have any outbound access-lists configured limiting SSL, or is everything permitted?

You can access the website from your DMZ? What is the error message you get at the client -a simple timeout?

No outbound access-lists limiting SSL. Everything is permitted. Yes, I can access the web site from DMZ. Error message is a simple time-out, "Page cannot be displayed..."

Any ideas are appreciated. Thanks.

On a workstation from within the LAN, go out to the command prompt (if it is NT or UNIX) and do a

nslookup

make sure you get the same ip address returned as the webserver on the DMZ gets. What could be happening is a name-resolution problem rather than a firewall blocking issue.

Then do a tracert to make sure the packets are getting forwarded to the correct destination. You can also issue a trace from the PIX and see if it matches.

Thanks for your suggestions. You know, what I discovered recently, any web sites that are formatted in cfn can't be accessed by our PCs inside the firewall as against those in html format. Do you know how to modify the PIX to allow cfn formatted web sites to get in? The newer version of I.E. (I.E. 5.5 or 6.0) doesn't help.

Do you know how to allow any web pages with .cfml tag to get in, in the PIX-Firewall? It looks like the PIX is not allowing such format as compared to the regular html format. Thanks.

Review Cisco Networking for a $25 gift card