Cisco Support Community
New Member

Problems accessing ASP pages after PIX OS upgrade

I recently upgraded a PIX from 6.3(3) to 6.3(5) for a client a couple of Fridays ago. Their network is flat, and consists of Win2K, WinXP, and Macs (running AppleTalk and IP). They have a single internal L2 3Com switch. The configuration is straightforward - there are no LAN-to-LAN VPN tunnels, but there is configuration for the IPSec VPN client. The person managing the firewall before me had set the tunnel encryption to DES, so during the upgrade I increased the encryption level and added the following commands:

icmp permit any echo-reply outside

icmp permit any unreachable outside

icmp permit any time-exceeded outside

I can't imagine how these would have impacted anything.

After the upgrade, all workstations are having problems accessing ASP web pages. The ASP pages either don't load or are very slow. You can move the machine outside the firewall, and things work as expected. Given a flat L2 internal network or the PIX, I'd lean toward the PIX, but I'm at a loss.

Thank you.

I disabled fixup for http, but this didn't help.

4 REPLIES
Silver

Re: Problems accessing ASP pages after PIX OS upgrade

The issue may be due to activation key that you may not have upgraded.

There are a couple of reasons that you may need to upgrade the activation key on your PIX.

Your PIX does not currently have VPN-DES or VPN-3DES encryption enabled.

Note: VPN-DES encryption must be enabled for you to manage your PIX with the use of PDM. Registered users can obtain a free 56-bit VPN-DES activation key when they complete the PIX 56-bit License Upgrade Key form. VPN-3DES activation keys must be purchased through your local reseller or Cisco sales representative.

Your PIX currently does not have failover activated.

You upgrade from a connection-based license to a feature-based license

New Member

Re: Problems accessing ASP pages after PIX OS upgrade

I just tracked the problem down a couple of days ago and forgot about this post as no one had replied until yours. The problem was not necessarily with secure web pages - it happened on both secure and nonsecure pages. The problem was with switchport 1 of the PIX-501, which decided to flake out. I noticed that when I plugged my laptop into another PIX switch port, I could access web pages that were not available for other users, i.e. links on msn.com. I ended up plugging the 48-port core switch into another PIX-501 switch port, and EVERYTHING now works. I have no idea what the problem is with the first switch port, and I have no idea why it decided to fail when it did. Given that the 4-port internal switch on the PIX is a L2 device and no errors were showing up on the interface counters, I didn't think of trying a different switchport at first.

Re: Problems accessing ASP pages after PIX OS upgrade

hi

I am interested in knowing a bit more about what could be the possible cause for the problem with port 1, which basically blocked access to secure/nonsecure pages. Is it possible for you to post the config with the public IPs and the passwords masked, so that it can be checked for any notable difference on the config side?

regds

New Member

Re: Problems accessing ASP pages after PIX OS upgrade

I can only guess there is a hardware problem, as there aren't any switchport settings on the PIX-501. After I moved the corporate switch over to the new switch port, there have been some intermittent problems accessing web sites. These blips are temporary, but enough to call Cisco and get it replaced with smartnet. I had to remove a few lines from config because of too many characters...

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password password2
passwd password2
hostname PIX
domain-name domain.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list NONAT permit ip 192.168.100.0 255.255.255.0 192.168.10.96 255.255.255.224
access-list OUTSIDE permit tcp any host public0 eq smtp
access-list OUTSIDE permit tcp any host public0 eq www
access-list OUTSIDE permit tcp any host public0 eq ftp
access-list OUTSIDE permit tcp any host public0 eq ftp-data
access-list INSIDE remark Permit all traffic to VPN users
access-list INSIDE permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list INSIDE remark Restrict insecure protocols
access-list INSIDE deny udp any any range 135 139
access-list INSIDE deny udp any range 135 139 any
access-list INSIDE deny tcp any any range 135 netbios-ssn
access-list INSIDE deny tcp any range 135 netbios-ssn any
access-list INSIDE deny tcp any any eq 445
access-list INSIDE deny tcp any eq 445 any
access-list INSIDE deny udp any any eq tftp
access-list INSIDE deny udp any eq tftp any
access-list INSIDE remark Permit all other traffic
access-list INSIDE permit ip any any
access-list INSIDE permit icmp any any
access-list SPLITTUNNEL permit ip 192.168.100.0 255.255.255.0 192.168.10.96 255.255.255.224
pager lines 24
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
mtu outside 1500
mtu inside 1500
ip address outside public0 255.255.254.0
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.10.101-192.168.10.120
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) public1 192.168.100.254 netmask 255.255.255.255 0 0
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
route outside 0.0.0.0 0.0.0.0 68.15.114.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community W3don'tLik3puBL1c
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-MD5
crypto map outside_map 100 ipsec-isakmp dynamic DYN_MAP
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ClientVPN address-pool VPNPool
vpngroup ClientVPN split-tunnel SPLITTUNNEL
vpngroup ClientVPN idle-time 1800
vpngroup ClientVPN password ********
telnet timeout 5
ssh RmtMgmt1 255.255.255.255 outside
ssh timeout 30
console timeout 30
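As an added example (not from the thread or from Cisco), a small Python checker that reads a PIX 6.3 configuration like the one posted above and reports the three config items this thread discusses: whether the echo-reply/unreachable/time-exceeded ICMP permits are present on the outside interface, whether the http fixup has been disabled, and which VPN activation-key tier (DES vs. the purchased 3DES key) the ESP transform set implies. The config excerpt is constructed from the posted config, and treating AES under the same licence tier as 3DES is an assumption.

```python
import re

# Constructed excerpt modelled on the PIX 6.3 config posted in the thread.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
no fixup protocol http 80
fixup protocol ftp 21
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
crypto ipsec transform-set ESP-AES-MD5 esp-aes-256 esp-md5-hmac
"""

# The three ICMP types the original poster permitted inbound on outside.
EXPECTED_ICMP = {"echo-reply", "unreachable", "time-exceeded"}

def parse_pix_config(text):
    """Extract icmp permits (per interface), fixup state and ESP transforms."""
    cfg = {"icmp": {}, "fixup_off": set(), "fixup_on": set(), "esp": set()}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"icmp permit (\S+) (\S+) (\S+)$", line)  # src type iface
        if m:
            cfg["icmp"].setdefault(m.group(3), set()).add(m.group(2))
            continue
        m = re.match(r"(no )?fixup protocol (\S+)", line)
        if m:
            cfg["fixup_off" if m.group(1) else "fixup_on"].add(m.group(2))
            continue
        m = re.match(r"crypto ipsec transform-set \S+ (.+)$", line)
        if m:
            cfg["esp"].update(m.group(1).split())
    return cfg

def missing_outside_icmp(cfg):
    """ICMP types from the poster's list not permitted on the outside interface."""
    return EXPECTED_ICMP - cfg["icmp"].get("outside", set())

def http_fixup_disabled(cfg):
    """True when the config carries 'no fixup protocol http', as the poster did."""
    return "http" in cfg["fixup_off"]

def vpn_licence_tier(cfg):
    """'3DES' if a transform needs the purchased key (AES assumed same tier), 'DES', or 'none'."""
    if any(t.startswith(("esp-3des", "esp-aes")) for t in cfg["esp"]):
        return "3DES"
    if "esp-des" in cfg["esp"]:
        return "DES"
    return "none"
```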
