PIX 515 TCP connections halted for HTTP based traffic

Unanswered Question
Aug 7th, 2003

I have a PIX 515 with three interfaces: Outside, Inside, and DMZ. I have had no problems accessing or browsing the internet from inside to the outside. I have recently set up a DMZ to host a mail server, and communication is working fine inside and outside to the DMZ. The problem came when I added an MS portal server on the inside network and an HTTP server in the DMZ. They will communicate perfectly for an hour or so and then fail with a transmission error, almost as though the PIX denied their requests. I have added the following fixup protocol commands thinking it might be having an intermittent problem on this other port, but had no luck. I am running version 6.2(2). I couldn't find any known bugs or field bulletins relating to this problem and am totally stumped. Anyone have any ideas? Oh yeah, I temporarily moved the two servers in the DMZ to bypass the firewall and they work without a problem. Move them back and it works for a while and then suddenly stops.



fixup protocol http 9080

fixup protocol http 80


yusuff Sun, 08/10/2003 - 16:59
Cisco Employee

2 things that you can try;


- remove the fixup and see if that helps;

no fixup protocol http 9080

no fixup protocol http 80


- PIX by default randomizes TCP sequence numbers. Maybe your application doesn't like that or it is expecting something... you can disable randomization as follows;


see the following link for using the "norandomseq" option on static statements.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#1026694

static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip [dns] [netmask mask] [max_conns [emb_limit [norandomseq]]]


Here is the definition of what it does: "Do not randomize the TCP/IP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the PIX Firewall."


The same command can also be used on NAT commands:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1032129

nat [(if_name)] nat_id local_ip [mask [dns] [outside] [max_conns [emb_limit [norandomseq]]]]


Definition: "Disables TCP Initial Sequence Number (ISN) randomization protection. Only use this option if another in-line firewall is also randomizing sequence numbers and the result is scrambling the data. Without this protection, inside hosts with weak self-ISN protection become more vulnerable to TCP connection hijacking."


Hope that helps.

Regards

Yusuf
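A defender-side audit for the norandomseq keyword discussed in the reply above, added here as an example and not code from the thread or from Cisco. It parses the nat and static line layout quoted in that reply; the configuration lines are constructed for the example and the helper names are my own.

```python
import re

# Constructed sample PIX 6.x configuration (not from the thread). It mixes
# default nat/static lines with two that carry the "norandomseq" keyword.
SAMPLE_CONFIG = """\
fixup protocol http 80
fixup protocol http 9080
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 norandomseq
nat (dmz) 1 10.10.10.0 255.255.255.0 0 0
static (dmz,outside) 203.0.113.25 10.10.10.25 netmask 255.255.255.255 0 0
static (inside,dmz) 10.10.10.80 192.168.1.80 netmask 255.255.255.255 0 0 norandomseq
"""


def find_norandomseq(config):
    """Return one finding per nat/static line that disables ISN randomization.

    Both commands put the interface list in token 1 and the local address in
    token 3 (nat: "nat (if) id local_ip ..."; static: "static (in,out)
    global_ip local_ip ..."), so a single token walk covers both.
    """
    findings = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        words = raw.split()
        if len(words) < 4 or words[0] not in ("nat", "static"):
            continue
        if "norandomseq" not in words:
            continue
        local_ip = words[3]
        findings.append({
            "line": lineno,
            "command": words[0],
            "interfaces": words[1].strip("()").split(","),
            "local_ip": local_ip,
            # "nat (inside) 1 0.0.0.0 0.0.0.0 ..." strips the protection
            # from every host on that interface, not just one server.
            "scope": "all hosts" if local_ip == "0.0.0.0" else "host/network",
        })
    return findings


def remove_norandomseq(config):
    """Return the config with the keyword dropped, restoring default ISN randomization."""
    return re.sub(r"[ \t]+norandomseq\b", "", config)


if __name__ == "__main__":
    for f in find_norandomseq(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['command']} on {','.join(f['interfaces'])} "
              f"local {f['local_ip']} ({f['scope']}) has norandomseq")
```

Run it against a saved `show running-config` to list every translation that has ISN randomization disabled before deciding whether the trade-off is still justified.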

aun.raza Sat, 08/23/2003 - 05:55

Yusuf:


I am having a similar problem. My situation is such that I have two machines behind the PIX on the inside interface. One of them is a RedHat 9.0 box (dual-homed) and the other is an MS Proxy 2.0 box (dual-homed). The issue is that I cannot seem to get to HTTP sites from the RedHat machine; however, I can get to FTP sites, and DNS works as well.


The MS Proxy works just fine - http, ftp, dns, etc.


I have the following on the PIX:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0 norandomseq


I see translations for both machines when I do a sh xlate, but the Redhat box still has problems.


Any suggestions!? I'm kinda stumped!


Regards,

Aun.
