Web Access Thru PIX not working

Unanswered Question
Feb 9th, 2009

I am able to get some websites to come up, but only after a long time loading. Here is my config. What am I missing? I am able to RDP inside to the server named xxx-SQL01 and use ASDM and telnet to manage the firewall. The connection stays up fine and I can ping anywhere from the outside interface of the PIX, but web traffic does not go outbound; if it does, it takes several minutes for google.com to pop up (this is outbound web traffic). Any help would be appreciated.

xxx-pix> en
Password: ********
xxx-pix# sh run
: Saved
:
PIX Version 7.2(1)
!
hostname pix
domain-name domain.com
enable password xxxxxxxxxxxxxx encrypted
names
name 999.999.999.122 xxx-APP01-Ext description Outside
name 10.0.0.101 xxx-APP01-Int description Inside
name 999.999.999.123 xxx-SQL01-Ext description Outside
name 10.0.0.51 xxx-SQL01-Int description Inside
!
interface Ethernet0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 999.999.999.121 255.255.255.248
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
interface Ethernet2
 description Management and Backup
 nameif Management
 security-level 100
 ip address 10.100.100.241 255.255.255.0
!
passwd xxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Outside_access_in extended permit tcp any host xxx-APP01-Ext eq 3389
access-list Outside_access_in extended permit tcp any host xxx-SQL01-Ext eq 3389
pager lines 24
mtu Outside 1500
mtu inside 1500
mtu Management 1500
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
static (inside,Outside) xxx-APP01-Ext xxx-APP01-Int netmask 255.255.255.255
static (inside,Outside) xxx-SQL01-Ext xxx-SQL01-Int netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 999.999.999.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02
timeout uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http
!
service-policy global_policy global
prompt hostname context
: end

Thanks!!

bmcginn Mon, 02/09/2009 - 19:19

Hi there,

I think you'll need a NAT statement, i.e.

nat (inside) 1 0.0.0.0 0.0.0.0

Assuming you want to allow all hosts to access the Internet through the Outside from the inside.

If you want the management network to be able to access the networks on the Outside interface you can use:

nat (Management) 1 0.0.0.0 0.0.0.0

I hope that helps!

Brad
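
Brad's nat-control point, as an added example that is not from the thread: a small Python model of how a PIX 7.x in nat-control mode picks the outbound source translation for the config posted above. Statics translate in both directions, so the two hosts that have statics are already covered; a host with no static needs a nat (inside) 1 rule paired with the global (Outside) 1 pool, otherwise it is dropped. The parse and outbound_translation helpers are hypothetical and cover only the static, nat and global forms used in this thread; the config excerpt is constructed from the thread's own lines.

```python
import ipaddress
import re

# Constructed excerpt of the thread's config (the masked 999.x addresses are
# kept as opaque strings and resolved only through the names table).
CONFIG = """\
name 999.999.999.123 xxx-SQL01-Ext description Outside
name 10.0.0.51 xxx-SQL01-Int description Inside
nat-control
global (Outside) 1 interface
static (inside,Outside) xxx-SQL01-Ext xxx-SQL01-Int netmask 255.255.255.255
"""
NAT_FIX = "nat (inside) 1 0.0.0.0 0.0.0.0\n"   # the line Brad suggests adding

def parse(config: str) -> dict:
    """Collect names, statics, nat rules and global pools (hypothetical helper)."""
    names, statics, nats, pools = {}, [], [], {}
    for line in config.splitlines():
        if m := re.match(r"name (\S+) (\S+)", line):
            names[m[2]] = m[1]
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line):
            local = names.get(m[4], m[4])          # real (inside) address or name
            statics.append((m[1], m[2], names.get(m[3], m[3]),
                            ipaddress.ip_network(f"{local}/{m[5]}", strict=False)))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            nats.append((m[1], int(m[2]),
                         ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", line):
            pools[(m[1], int(m[2]))] = m[3]
    return {"statics": statics, "nats": nats, "pools": pools,
            "nat_control": "nat-control" in config.splitlines()}

def outbound_translation(cfg: dict, src_iface: str, dst_iface: str, host: str) -> str:
    """Source address `host` shows on dst_iface: the static's mapped address,
    'PAT:<pool>' via a matching nat/global pair, or 'DROP' under nat-control."""
    ip = ipaddress.ip_address(host)
    for real_if, mapped_if, mapped, local_net in cfg["statics"]:
        if (real_if, mapped_if) == (src_iface, dst_iface) and ip in local_net:
            return mapped                      # a static translates both directions
    for nat_if, pool_id, net in cfg["nats"]:
        pool = cfg["pools"].get((dst_iface, pool_id))   # nat id must pair with a global
        if nat_if == src_iface and ip in net and pool:
            return f"PAT:{pool}"               # e.g. PAT to the Outside interface IP
    # No matching static or nat: with nat-control the packet is dropped
    # (the firewall logs "No translation group found"); without it, it passes untranslated.
    return "DROP" if cfg["nat_control"] else host
```

Running outbound_translation for 10.0.0.51 (xxx-SQL01-Int) returns its static address with or without the fix, while a host such as 10.0.0.77 goes from DROP to PAT via the Outside interface once the nat line is added.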

d2business Mon, 02/09/2009 - 19:37

Sorry, let me expand on my question. Currently there are only the 2 hosts (internal) listed in the PIX config. Both of them have static NATs and a security policy that allows inbound RDP. I can RDP to these hosts fine, but I cannot surf the web from the hosts. I hope that clears it up. Thanks again for all your help in advance.

andyjames Wed, 02/11/2009 - 06:46

I would be inclined to look at the DNS for the hosts on the network. Could be the DNS server they are resolving from has been retired and they are waiting for timeouts before loading cached pages (google) but not getting any new sites.

Andy.
