FWSM behind PIX

Unanswered Question
Dec 5th, 2007

I have an FWSM context that we use to secure our Network Management VLAN. VLAN 900 is level 100 and VLAN 200 is level 0. We use static NAT translations for all devices behind the FWSM. The outside of the FWSM, via VLAN 200, connects to the rest of our internetwork. I am able to access everything on our network just fine, including all of our intranet web servers.

Our main firewall is a PIX 515E. This PIX is the main egress point to the Internet.

My problem is that when I try to get to certain web sites from devices behind the FWSM, sometimes I have problems getting all of the content and other times I don't get there at all. If I wait a little while and try again, I will usually get the site up. It seems to be worse on highly dynamic websites, almost like things are timing out.

Does anyone have any experience running through two firewalls and possible issues?

JORGE RODRIGUEZ Wed, 12/05/2007 - 13:48

Hi. First, I would assume that you have ruled out any physical issues, such as checking the interfaces on both firewalls, as well as the overall CPU performance of both firewalls, your outbound Internet utilization, etc.

Was this working fine and then began showing the symptoms you indicated, or is it an ongoing issue that has never been resolved?

I wonder if your problem may be related to DNS inspection. I have seen similar issues (though not ones traversing two firewalls) and have found that either disabling the DNS fixup ("no fixup protocol dns") or increasing the DNS maximum length has resolved the problem. Have you gone down this path, either by increasing the default maximum length of 512 to, for example, 1500 on both firewalls, or by disabling it with "no fixup protocol dns", to see if that makes a difference? You can always put the default entries back if it does not resolve the problem, and we can then look into other alternatives.

HTH

Jorge

kevin.jones1 Wed, 12/05/2007 - 15:23

I would like to say that you're not designing your network correctly by having a multi-tier firewall architecture from a single vendor. This is simply not a good design. What I would do is use the PIX firewall as the layer of defense at the first tier and have either a Checkpoint or a Juniper firewall at the 2nd tier.

Do you have the ability to capture any of the traffic with a sniffer? Take a look at traces taken on both sides of the PIX to see if traffic is getting all the way through.

Also do a "show conn proto tcp local <ip address of your local host>".

You also might need to do a static NAT for the box you are testing with so you don't get a PAT address.

Here is a list of PIX flags shown when using "sh conn".

Hope this helps

Connection flag descriptions (5.2x):

Flag  Description
a     awaiting outside ACK to SYN
A     awaiting inside ACK to SYN
B     initial SYN from outside
d     dump, clean up connection
D     DNS
E     outside back connection
f     FIN seen in inbound packet
F     FIN seen in outbound packet
G     group
H     HTTP get; for a UDP connection, H can also mean H.323
I     data in
J     Java applets are not permitted on connection
m     SMTP data
M     SMTP data
n     nailed connection (no support)
O     data out
p     replicated (unused)
P     inside back connection
q     SQL*Net data fixup
r     inside acknowledged FIN; r can also mean "in use" (pre-5.2x code)
R     outside acknowledged FIN
R     RPC
s     awaiting outside SYN
S     awaiting inside SYN
U     connection is up
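As an added example (not part of this thread and not Cisco tooling), the Python script below does the triage Kevin describes offline: it parses pasted "show conn" output, decodes the flag column using the 5.2x table above, and lists the TCP entries for a given inside host whose three-way handshake never completed and that have been idle for a while, which are the connections to go looking for in sniffer traces on both sides of the PIX. The sample output is constructed by hand in the "TCP out A:port in B:port idle H:MM:SS Bytes N flags XYZ" line layout of PIX "show conn", the addresses are documentation ranges, and the 30-second staleness threshold is an arbitrary choice.

```python
# Added example, not from the thread: decode PIX "show conn" flags with the
# 5.2x table posted above and pick out stalled half-open TCP connections.
# The sample text below is constructed by hand, not captured from a firewall.
import re
from collections import defaultdict

# Flag letters and meanings copied from the table in the post above.
FLAGS = {
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "d": "dump, clean up connection",
    "D": "DNS",
    "E": "outside back connection",
    "f": "FIN seen in inbound packet",
    "F": "FIN seen in outbound packet",
    "G": "group",
    "H": "HTTP get (H.323 if UDP)",
    "I": "data in",
    "J": "Java applets are not permitted on connection",
    "m": "SMTP data",
    "M": "SMTP data",
    "n": "nailed connection",
    "O": "data out",
    "p": "replicated (unused)",
    "P": "inside back connection",
    "q": "SQL*Net data fixup",
    "r": "inside acknowledged FIN (pre-5.2x: in use)",
    "R": "outside acknowledged FIN / RPC",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "U": "connection is up",
}

HALF_OPEN = set("aAsSB")  # three-way handshake has not finished
CLOSING = set("fFrR")     # a FIN has been seen or acknowledged

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})\s+Bytes\s+(?P<bytes>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?\s*$"
)

# Constructed sample in PIX "show conn" layout (not real output).
SAMPLE_SHOW_CONN = """\
5 in use, 37 most used
TCP out 198.51.100.10:80 in 10.90.0.25:3321 idle 0:00:03 Bytes 41212 flags UIO
TCP out 198.51.100.10:80 in 10.90.0.25:3322 idle 0:00:41 Bytes 0 flags saA
TCP out 203.0.113.7:443 in 10.90.0.25:3330 idle 0:01:12 Bytes 812 flags UfFrR
TCP out 203.0.113.7:443 in 10.90.0.40:1088 idle 0:00:02 Bytes 0 flags saA
UDP out 198.51.100.53:53 in 10.90.0.25:1027 idle 0:00:01 Bytes 61 flags D
"""


def parse_show_conn(text):
    """One dict per connection line; summary/header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        h, mnt, sec = (int(x) for x in d["idle"].split(":"))
        conns.append({
            "proto": d["proto"],
            "out": (d["out_ip"], int(d["out_port"])),
            "in": (d["in_ip"], int(d["in_port"])),
            "idle_seconds": h * 3600 + mnt * 60 + sec,
            "bytes": int(d["bytes"]),
            "flags": d["flags"] or "",
        })
    return conns


def describe(flags):
    """Expand a flag string such as 'UIO' into its meanings from the table."""
    return [FLAGS.get(f, "unknown flag " + repr(f)) for f in flags]


def state(conn):
    """Classify one entry as udp, half-open, closing, established or unknown."""
    f = set(conn["flags"])
    if conn["proto"] != "TCP":
        return "udp"
    if "U" not in f and f & HALF_OPEN:
        return "half-open"
    if f & CLOSING:
        return "closing"
    return "established" if "U" in f else "unknown"


def triage(conns, local_ip=None, stale_after=30):
    """Count states per inside host (optionally just one host, like
    'show conn proto tcp local <ip>') and return the half-open TCP entries
    idle for at least stale_after seconds."""
    per_host = defaultdict(lambda: defaultdict(int))
    stale = []
    for c in conns:
        host = c["in"][0]
        if local_ip is not None and host != local_ip:
            continue
        st = state(c)
        per_host[host][st] += 1
        if st == "half-open" and c["idle_seconds"] >= stale_after:
            stale.append(c)
    return {h: dict(v) for h, v in per_host.items()}, stale


if __name__ == "__main__":
    counts, stuck = triage(parse_show_conn(SAMPLE_SHOW_CONN), "10.90.0.25")
    print(counts)
    for c in stuck:
        print(c["in"], "->", c["out"], c["flags"], describe(c["flags"]))
```

An entry that stays in the half-open state for tens of seconds with zero bytes is a handshake that got through one firewall but never saw its SYN/ACK or ACK return; comparing that entry with the same five-tuple in the PIX "show conn" output tells you which box is dropping it.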
