
New Member

PIX 503 blocking certain sites

I have a strange problem that I believe is related to the PIX firewall we are using.

Certain websites are being blocked and they seem random: uplinkearth.com, techguy.org and others. I can access these sites by bypassing the PIX and going straight to the modem.

We do have Websense running and, for testing purposes, we turned off the Websense server. This did not help, so we can rule out the Websense software. We have no other filtering programs installed.

Oddly enough, this all started after an internet service outage in our area. Internet was down for half a day. I talked with Comcast at length because it seemed logical that this was a residual problem from the outage. However, since I can access all sites without the PIX, I had to give up that pursuit.

I'm not very familiar with the Cisco PIX, so looking at the current config does not lead to any clues for me. I just know that nothing changed except the internet outage.

I have recycled all equipment (modem, PIX, servers) just to make sure.

15 REPLIES

Re: PIX 503 blocking certain sites

Jeremy, it is strange. When loading these sites through IE, what error messages are you getting?

Can you try in the PIX "fixup protocol dns maximum-length 1024"? It could be the firewall is dropping DNS packets from these sites that are larger than the default configured in the PIX, which is 512 bytes. You could check the current fixup dns setting by issuing "show fixup". If this does not resolve the issue it could be something else, but you could at least rule out DNS packets being dropped due to their size when received through the PIX from these particular sites.
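An added example (not from the thread) of what the suggestion above is about: a DNS response that carries many answer records grows past 512 bytes, the default "fixup protocol dns maximum-length" quoted in the reply. The script builds a constructed A-record response for uplinkearth.com in wire format, parses it back, and reports whether its UDP payload exceeds a given fixup limit. The transaction id, the addresses (from the 192.0.2.0/24 documentation range) and the record count are made up for the demonstration.

```python
import struct

# Default "fixup protocol dns maximum-length" quoted in the reply above (bytes of UDP payload).
PIX_DEFAULT_DNS_MAX = 512


def _encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_response(txid: int, name: str, ips: list, ttl: int = 300) -> bytes:
    """Build a minimal DNS response with one A record per address.

    This is a constructed packet, not a capture.  Each answer uses a compression
    pointer (0xC00C) back to the question name, as real resolvers do, so the
    size matches what the PIX would see on the wire.
    """
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = pkt[off]
        if length == 0:            # root label ends an uncompressed name
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def summarize_dns_response(pkt: bytes) -> dict:
    """Parse the header and answer section of a DNS response and report its size."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4        # skip QTYPE and QCLASS
    a_records = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "answers": ancount,
            "a_records": a_records, "size": len(pkt)}


def exceeds_fixup_limit(pkt: bytes, max_len: int = PIX_DEFAULT_DNS_MAX) -> bool:
    """True when the DNS payload is longer than the configured fixup maximum-length."""
    return len(pkt) > max_len


if __name__ == "__main__":
    # 30 made-up addresses push the response to 513 bytes: over the 512-byte
    # default, under the 1024 suggested in the reply.
    pkt = build_dns_response(0x1234, "uplinkearth.com", [f"192.0.2.{i}" for i in range(1, 31)])
    info = summarize_dns_response(pkt)
    print(f"{info['answers']} answers, {info['size']} bytes")
    print("dropped at 512:", exceeds_fixup_limit(pkt))
    print("dropped at 1024:", exceeds_fixup_limit(pkt, 1024))
```

The arithmetic is what makes the check useful: 12 header bytes plus a 21-byte question for this name, then 16 bytes per compressed A record, so 29 records fit under 512 and 30 do not. Feeding real responses captured on the inside interface through summarize_dns_response tells you whether the size explanation even applies before you change the fixup.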

New Member

Re: PIX 503 blocking certain sites

Thank you for the reply. I increased the size, but the issue remains. Also, after running "show fixup", it did show the list of protocols and their ports.

Also forgot to mention that I did flush the DNS on the server.

The message I get is "Page cannot be displayed".

Re: PIX 503 blocking certain sites

Check the Ethernet inside/outside interfaces to see if they are clean or dropping packets on either interface, to rule out any physical issues: "show interfaces".

Can you get any logs from the firewall to see when you hit those sites?

New Member

Re: PIX 503 blocking certain sites

Here are the results from "show interface". With my untrained eye, it does not look like packets are being dropped on either interface, but you would be able to tell better. I'm working on the logs now. I have to be honest, this is the first time working with the PIX.

Result of firewall command: "show interface"

interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is ************
  IP address **********, subnet mask 255.255.255.240
  MTU 1500 bytes, BW 100000 Kbit full duplex
        11241172 packets input, 2462917359 bytes, 0 no buffer
        Received 4772544 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        4776631 packets output, 1701047838 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/61)
        output queue (curr/max blocks): hardware (0/24) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is *************
  IP address 192.168.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        5319967 packets input, 1736987323 bytes, 0 no buffer
        Received 155530 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        6817244 packets output, 2207032055 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/29)
        output queue (curr/max blocks): hardware (4/66) software (0/1)
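An added helper (not part of the thread) for reading the counters the earlier reply asked about: it parses the "show interface" output quoted in this post (with the poster's redactions kept) into one record per interface and lists any interface that is not up/up or that has a non-zero error counter, so nobody has to eyeball every line. The degraded sample used at the end is constructed by editing the real output.

```python
import re

# 'show interface' output quoted in the post above, with the poster's redactions kept.
SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is ************
  IP address **********, subnet mask 255.255.255.240
  MTU 1500 bytes, BW 100000 Kbit full duplex
        11241172 packets input, 2462917359 bytes, 0 no buffer
        Received 4772544 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        4776631 packets output, 1701047838 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/61)
        output queue (curr/max blocks): hardware (0/24) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is *************
  IP address 192.168.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        5319967 packets input, 1736987323 bytes, 0 no buffer
        Received 155530 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        6817244 packets output, 2207032055 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/29)
        output queue (curr/max blocks): hardware (4/66) software (0/1)
"""

HEADER_RE = re.compile(r'^interface (\S+) "([^"]+)" is (\S+), line protocol is (\S+)$')
# "<count> <label>" pairs such as "0 input errors" or "4772544 broadcasts"
COUNTER_RE = re.compile(r"\b(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|$)")

# Counters that stay at zero on a healthy link; anything else deserves a look.
ERROR_COUNTERS = ("no buffer", "runts", "giants", "input errors", "CRC", "frame",
                  "overrun", "ignored", "abort", "underruns", "output errors",
                  "collisions", "interface resets", "babbles", "late collisions",
                  "deferred", "lost carrier", "no carrier")


def parse_show_interface(text: str) -> list:
    """Split 'show interface' output into one record per interface with its counters."""
    interfaces = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1), "alias": m.group(2), "status": m.group(3),
                       "protocol": m.group(4), "counters": {}}
            interfaces.append(current)
            continue
        # Hardware/IP/MTU and queue lines carry no error counters; skip them.
        if current is None or line.startswith(("Hardware", "IP address", "MTU")) or "queue" in line:
            continue
        for value, label in COUNTER_RE.findall(line):
            current["counters"][label] = int(value)
    return interfaces


def find_problems(interfaces: list) -> list:
    """Report interfaces that are not up/up and every non-zero error counter."""
    problems = []
    for itf in interfaces:
        if itf["status"] != "up" or itf["protocol"] != "up":
            problems.append(f'{itf["alias"]}: status {itf["status"]}, line protocol {itf["protocol"]}')
        for label in ERROR_COUNTERS:
            count = itf["counters"].get(label, 0)
            if count:
                problems.append(f'{itf["alias"]}: {count} {label}')
    return problems


if __name__ == "__main__":
    for itf in parse_show_interface(SAMPLE_SHOW_INTERFACE):
        print(itf["alias"], itf["status"], itf["protocol"], itf["counters"]["packets input"], "packets in")
    print("problems:", find_problems(parse_show_interface(SAMPLE_SHOW_INTERFACE)) or "none")
```

On the output posted here the result is an empty list, which matches the poster's reading: both ports are up/up with every error counter at zero, so a physical-layer fault is unlikely and the investigation can move on to DNS, filtering and routing.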

New Member

Re: PIX 503 blocking certain sites

I do have to say that when I was on tech support with Websense, they were looking at the requests while I tried reaching the sites that I cannot get to. They said that the requests were not even hitting the Websense server and that they were being stopped by the PIX before being sent to the Websense server.

Re: PIX 503 blocking certain sites

From your browser can you hit the address http://208.255.91.47 instead of by name? This is uplinkearth.com. If you can, there must be some kind of DNS issue internally within your DNS server.

New Member

Re: PIX 503 blocking certain sites

I get the same results using the IP address. Do you think that the internet going down is just a coincidence to my issues? It is odd timing, but I cannot see any link between the two.

Re: PIX 503 blocking certain sites

Can you get to any sites at all? Sounds as if you are not routing outbound.

[edit]

From inside, can you ping 69.147.114.210 (http://www.yahoo.com, which allows ICMP) to see if you are routing outbound?

or

From the PIX do "show route | inc 0.0.0.0".

Post the output, stripping out the public IP.

If you can post the PIX config to look at, it will be great; strip out public IP info.

New Member

Re: PIX 503 blocking certain sites

Yes, we can access other sites just fine. It's just some sites that we cannot, and it seems random. Also, SMTP will not go through to uplinkearth as well.

So I was able to get to Yahoo. However, ping and tracert do not work: Time Out.

-------------------

Result of firewall command: "show route | inc 0.0.0.0"

outside 0.0.0.0 0.0.0.0 **.**.***.*** 1 OTHER static

---------------------------------

Here is the running configuration

---------------------------------

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname *******
domain-name ***.****
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host **.**.***.*** eq https
access-list outside_access_in permit udp any host **.**.***.*** eq 443
access-list outside_access_in permit tcp any host **.**.***.*** eq smtp
access-list outside_access_in permit udp any host **.**.***.*** eq 25
access-list outside_access_in permit icmp any host **.**.***.*** echo-reply
access-list outside_access_in permit tcp any host **.**.***.*** eq 3389
access-list outside_access_in permit udp any host **.**.***.*** eq 3389
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list VPN_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside **.**.***.*** 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pool 10.1.1.1-10.1.1.254
pdm location 192.168.2.0 255.255.255.0 inside
pdm location **.**.***.*** 255.255.255.255 outside
pdm location 192.168.1.20 255.255.255.255 inside
pdm location 192.168.1.24 255.255.255.255 inside
pdm location 192.168.11.0 255.255.255.0 inside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 192.168.11.0 255.255.255.0 outside
pdm location 210.23.227.50 255.255.255.255 outside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 10.1.1.0 255.255.255.0 inside
pdm location **.**.***.*** 255.255.255.255 outside
pdm location **.**.***.*** 255.255.255.255 outside
pdm location **.**.***.*** 255.255.255.255 outside
pdm location 192.168.1.30 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400

See next post for the rest. Hit the character limit.

New Member

Re: PIX 503 blocking certain sites

global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) **.**.***.*** 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) **.**.***.*** 192.168.1.24 netmask 255.255.255.255 0 0
static (inside,outside) **.**.***.*** 192.168.1.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 **.**.***.*** 1
timeout xlate 5:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 192.168.1.30 timeout 5 protocol TCP version 4
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http **.**.***.*** 255.255.255.255 outside
http **.**.***.*** 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.11.0 255.255.255.0 inside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside **.**.***.*** /*********.cfg
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 90 set transform-set myset
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 102
crypto map transam 1 set peer **.**.***.***
crypto map transam 1 set transform-set myset
crypto map transam 100 ipsec-isakmp dynamic dynmap
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address **.**.***.*** netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup DELRAY address-pool pool
vpngroup DELRAY dns-server 192.168.1.2
vpngroup DELRAY wins-server 192.168.1.2
vpngroup DELRAY default-domain ***.****
vpngroup DELRAY split-tunnel VPN_splitTunnelAcl
vpngroup DELRAY idle-time 1800
vpngroup DELRAY password ********
telnet timeout 5
ssh **.**.***.*** 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd dns **.**.***.*** **.**.***.***
dhcpd wins 192.168.1.2 192.168.1.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ***.****
dhcpd auto_config outside
username ***** password xxx encrypted privilege 15
username ***** password xxx encrypted privilege 15
username ***** password I34SaT8NL2ouP/At encrypted privilege 15
terminal width 80
banner login ***********
Cryptochecksum:xxx
: end
[OK]

Let me know if I stripped out too much info. Thanks.

Re: PIX 503 blocking certain sites

Config looks fine.

New Member

Re: PIX 503 blocking certain sites

Even though you've turned off the Websense server, if you didn't remove the 'filter url' command, I wouldn't rule it out from being a possible cause of the problem. We had more than a few problems with odd issues of users not being able to access specific sites when going through the PIX, and it was related to some issues in how the PIX sends URLs to the Websense server. I would look into adding some options to the filter url command, or removing it completely and then doing some more tests. Our current filter url command looks like:

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate cgi-truncate

Websense support can help you troubleshoot these issues, if you determine that it's related to Websense.

New Member

Re: PIX 503 blocking certain sites

Thanks for the reply. Websense walked me through deleting the filter url. So both were off at the same time during testing. I also added the longurl and cgi parts to the filter. The problem persists. Is there an IP cache that I can clear? I looked through the documentation but found no command for this. I did find similar commands on other products.

New Member

Re: PIX 503 blocking certain sites

Well, if Websense is ruled out 100%, more info I think would help:

1) Did you try disabling fixup protocol http 80?

PIX(config)# no fixup protocol http 80

2) Try to access the problematic sites and at the same time, in the PIX, issue

#sh local-host

to see if there is a connection formed.

Also

sh conn local detail

-or-

sh conn global detail

3) As a last resort you may try doing a capture on the PIX, as it captures essentially all packets; its usefulness depends on the hardware/buffer you have.

#capture TEST buffer

#capture TEST interface

To get output of capture to screen:

#sh capture TEST

New Member

Re: PIX 503 blocking certain sites

Well, it just started working last night. After further research I determined that we had a dynamic IP address assigned to us by accident after the local area outage. Comcast failed to pick up on this, and so did we. They switched us back to our static and everything is working fine.

It really upsets me that they did not pick up on this from the start. I had gone through so many techs there and moved up the tech support tree.

Oh well. It's always the little things. I've memorized all of our IP addresses and will always check that they are right from now on.

Thanks for all the help. At least I learned a lot about our PIX and even more about networking in general. That's always a plus.
