Cisco PIX 525 & Hotmail issues

bindikitty
Level 1

Greetings. This is a very strange problem. I installed a Cisco PIX 525 two months ago, and it is working great. However, a customer came in this morning and reported he is unable to create new Hotmail accounts. Apparently, this has been going on for some time. We can create them successfully when we bypass the PIX, but we cannot create them successfully when we go through the PIX. We can do everything else, it seems, including online banking, VPN, etc. We can even log into existing Hotmail accounts. However, we cannot create new ones. I ran Wireshark, and the packets come back marked "TCP Checksum Incorrect." What could be causing this? Here is my config:

PIX Version 8.0(3)
!
hostname pix525
domain-name **********
enable password ************* encrypted
names
!
interface Ethernet0
 description To Cisco 2821 fa0/3/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address ***.***.***.*** 255.255.255.248
!
interface Ethernet1
 description To Outside Switch fa0/7
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address ***.***.***.*** 255.255.0.0
!
passwd ********* encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ***********
access-list acl_outbound remark BLOCK OUTBOUND PORT 25
access-list acl_outbound extended permit tcp any host ***.***.***.*** eq smtp
access-list acl_outbound extended deny tcp any any eq smtp
access-list acl_outbound extended permit ip any any
pager lines 24
logging buffer-size 10000
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host ***.***.***.*** outside
icmp deny any outside
icmp permit host ***.***.***.*** inside
icmp deny any inside
no asdm history enable
arp timeout 14400
global (outside) 1 ***.***.***.*** netmask 255.255.255.255
nat (inside) 1 ***.***.***.*** 255.255.0.0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
dhcprelay server ***.***.***.*** inside
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect pptp
  inspect mgcp
!
service-policy global_policy global
prompt hostname context

I have searched the Internet and found other folks complaining of the same problem, but they were all endusers, and did not have a resolution.

Ideas? Comments? Suggestions? Helpful criticism?

Thank you for your time.

4 Replies

bindikitty
Level 1

I forgot to mention we previously used a Cisco 515 IOS 6.x. We did not have any problems creating new Hotmail accounts with it as it was in place for about five years. Also, the new PIX has a different IP address and is PATting to a different IP address than the old appliance.

Of course, we emptied browser caches, deleted cookies, tried several different OS's and computers, etc. Same issue regardless of OS and platform (Windows, Mac).

Hi,

Could it be that the 2821 router you are using for Internet access is blocking it? You might want to check whether it has any access control lists (ACLs) applied. Just a thought!

interface Ethernet0

description To Cisco 2821 fa0/3/0

Please rate helpful posts

Good suggestion, but I can create Hotmail sites using a static IP address, which goes through the same router. There are no ACLs specific to the PIX on the router or its connecting interface.

You might need to tweak one of the following parameters from their default values. I have to admit this seems to be a pretty interesting issue :)

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html#wp1064582

Even though this is not directly related, it might help you with the appropriate fixes:

http://www.cisco.com/warp/public/707/cisco-sr-20051128-pix.shtml

Regards

Farrukh
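An added example covering the two technical points in this thread: the "TCP Checksum Incorrect" packets in the original post, and the TCP normalizer and MSS parameters that the protect.html link in Farrukh's reply documents. It is not from the original poster or from Cisco. It is a small Python model of three of those checks (checksum verification, MSS clamping as done by sysopt connection tcpmss, and tcp-options clearing) run against a constructed SYN. The addresses, ports and option layout are made-up sample data, and the way a cleared option is handled (overwritten with NOPs) is this model's assumption, not documented PIX behaviour. What the run shows: the TCP checksum is computed over a pseudo-header containing both IP addresses, so a capture taken on the sending host while the NIC does checksum offload reports a bad checksum on a segment that leaves the wire correct; a firewall that rewrites the MSS or clears an option has to recompute the checksum; and a normalizer with checksum verification enabled drops a segment with a bad checksum rather than passing it.

```python
import ipaddress
import struct

TCP_PROTO = 6
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK = 0, 1, 2, 3, 4

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, tcp: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto, length) and the
    segment with its own checksum field taken as zero (RFC 793 section 3.1)."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(tcp)))
    return (~ones_complement_sum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])) & 0xFFFF

def set_checksum(tcp: bytes, value: int) -> bytes:
    return tcp[:16] + struct.pack("!H", value) + tcp[18:]

def checksum_ok(src_ip: str, dst_ip: str, tcp: bytes) -> bool:
    """The same decision Wireshark's TCP checksum validation makes for this segment."""
    return tcp_checksum(src_ip, dst_ip, tcp) == struct.unpack("!H", tcp[16:18])[0]

def build_syn(src_ip, dst_ip, sport, dport, options: bytes, checksum=None) -> bytes:
    """SYN without payload.  checksum=None fills in a correct value; checksum=0 is what
    a capture on the sending host shows with NIC checksum offload (the stack hands the
    segment to the driver before the field is filled in)."""
    options += b"\x00" * (-len(options) % 4)                   # pad to 32-bit boundary
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x11223344, 0,
                         (5 + len(options) // 4) << 4, 0x02, 65535, 0, 0)  # 0x02 = SYN
    tcp = header + options
    return set_checksum(tcp, tcp_checksum(src_ip, dst_ip, tcp) if checksum is None else checksum)

def parse_options(tcp: bytes) -> dict:
    """Map option kind -> raw value bytes; NOP and EOL are skipped."""
    opts, i, out = tcp[20:(tcp[12] >> 4) * 4], 0, {}
    while i < len(opts) and opts[i] != OPT_EOL:
        if opts[i] == OPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        out[opts[i]] = bytes(opts[i + 2:i + length])
        i += length
    return out

def normalize(src_ip, dst_ip, tcp, *, verify_checksum=False, tcpmss=1380, clear_kinds=()):
    """Model of three PIX/ASA checks.  Returns ('drop', reason) or ('pass', segment).
    verify_checksum: tcp-map 'checksum-verification' (off by default on the ASA too).
    tcpmss: 'sysopt connection tcpmss' clamp, default 1380.  clear_kinds: 'tcp-options
    <opt> clear'; overwriting with NOPs is this model's assumption, not documented."""
    if verify_checksum and not checksum_ok(src_ip, dst_ip, tcp):
        return ("drop", "checksum-verification")
    offset = (tcp[12] >> 4) * 4
    opts, i = bytearray(tcp[20:offset]), 0
    while i < len(opts) and opts[i] != OPT_EOL:
        kind = opts[i]
        if kind == OPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return ("drop", "malformed-option")
        if kind in clear_kinds:
            opts[i:i + length] = bytes([OPT_NOP]) * length
        elif kind == OPT_MSS and length == 4 and struct.unpack("!H", opts[i + 2:i + 4])[0] > tcpmss:
            opts[i + 2:i + 4] = struct.pack("!H", tcpmss)
        i += length
    rewritten = tcp[:20] + bytes(opts) + tcp[offset:]
    # Every rewrite above invalidates the old checksum, so it is recomputed here; a
    # device that rewrites options and skips this step emits 'checksum incorrect' packets.
    return ("pass", set_checksum(rewritten, tcp_checksum(src_ip, dst_ip, rewritten)))

SRC, DST = "192.0.2.10", "198.51.100.20"          # constructed; RFC 5737 documentation addresses
CLIENT_OPTS = (struct.pack("!BBH", OPT_MSS, 4, 1460)                # MSS 1460
               + bytes([OPT_NOP, OPT_NOP, OPT_SACKOK, 2, OPT_NOP])  # NOP NOP SACK-permitted NOP
               + struct.pack("!BBB", OPT_WSCALE, 3, 7))             # window scale 7

def demo() -> dict:
    good = build_syn(SRC, DST, 40000, 443, CLIENT_OPTS)
    offloaded = build_syn(SRC, DST, 40000, 443, CLIENT_OPTS, checksum=0)
    _, out = normalize(SRC, DST, good, clear_kinds=(OPT_WSCALE,))
    return {
        "good_checksum_ok": checksum_ok(SRC, DST, good),
        "offloaded_checksum_ok": checksum_ok(SRC, DST, offloaded),
        "strict_verdict_on_offloaded": normalize(SRC, DST, offloaded, verify_checksum=True)[0],
        "default_verdict_on_offloaded": normalize(SRC, DST, offloaded)[0],
        "mss_after_clamp": struct.unpack("!H", parse_options(out)[OPT_MSS])[0],
        "wscale_after_clear": OPT_WSCALE in parse_options(out),
        "rewritten_checksum_ok": checksum_ok(SRC, DST, out),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical reading for a thread like this one: capture on the outside interface of the PIX (or on a mirror port), not on the client, before treating the Wireshark note as evidence that the firewall corrupts packets, because the client-side capture cannot distinguish offload from real corruption. If checksum verification is then enabled in a tcp-map, a segment that really does arrive with a bad checksum is dropped rather than passed, which changes the symptom from a broken session to a missing one.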
