06-02-2008 01:58 PM - edited 03-11-2019 05:54 AM
Greetings. This is a very strange problem. I installed a Cisco PIX 525 two months ago, and it is working great. However, a customer came in this morning and reported he is unable to create new Hotmail accounts. Apparently, this has been going on for some time. We can create them successfully when we bypass the PIX, but we cannot create them successfully when we go through the PIX. We can do everything else, it seems, including online banking, VPN, etc. We can even log into existing Hotmail accounts. However, we cannot create new ones. I ran Wireshark, and the packets come back marked "TCP Checksum Incorrect." What could be causing this? Here is my config:
PIX Version 8.0(3)
!
hostname pix525
domain-name **********
enable password ************* encrypted
names
!
interface Ethernet0
description To Cisco 2821 fa0/3/0
speed 100
duplex full
nameif outside
security-level 0
ip address ***.***.***.*** 255.255.255.248
!
interface Ethernet1
description To Outside Switch fa0/7
speed 100
duplex full
nameif inside
security-level 100
ip address ***.***.***.*** 255.255.0.0
!
passwd ********* encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name ***********
access-list acl_outbound remark BLOCK OUTBOUND PORT 25
access-list acl_outbound extended permit tcp any host ***.***.***.*** eq smtp
access-list acl_outbound extended deny tcp any any eq smtp
access-list acl_outbound extended permit ip any any
pager lines 24
logging buffer-size 10000
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host ***.***.***.*** outside
icmp deny any outside
icmp permit host ***.***.***.*** inside
icmp deny any inside
no asdm history enable
arp timeout 14400
global (outside) 1 ***.***.***.*** netmask 255.255.255.255
nat (inside) 1 ***.***.***.*** 255.255.0.0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
dhcprelay server ***.***.***.*** inside
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect pptp
inspect mgcp
!
service-policy global_policy global
prompt hostname context
I have searched the Internet and found other folks complaining of the same problem, but they were all end users, and did not have a resolution.
Ideas? Comments? Suggestions? Helpful criticism?
Thank you for your time.
06-02-2008 02:04 PM
I forgot to mention we previously used a Cisco 515 IOS 6.x. We did not have any problems creating new Hotmail accounts with it, as it was in place for about five years. Also, the new PIX has a different IP address and is PATting to a different IP address than the old appliance.
Of course, we emptied browser caches, deleted cookies, tried several different OSes and computers, etc. Same issue regardless of OS and platform (Windows, Mac).
06-02-2008 03:17 PM
Hi,
Could it be that the 2821 router you are using for Internet access might be preventing it? You might want to check whether it is using some access control lists (ACLs). Just a thought!
interface Ethernet0
description To Cisco 2821 fa0/3/0
Please rate helpful posts
06-02-2008 03:29 PM
Good suggestion, but I can create Hotmail sites using a static IP address, which goes through the same router. There are no ACLs specific to the PIX on the router or its connecting interface.
06-02-2008 06:08 PM
You might need to tweak one of the following parameters from their default value(s). I have to admit this seems to be a pretty interesting issue :)
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html#wp1064582
Even though this is not directly related, it might help you with the appropriate fixes:
http://www.cisco.com/warp/public/707/cisco-sr-20051128-pix.shtml
Regards
Farrukh