Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
652
Views
0
Helpful
16
Replies

Trouble Banking

mrrlg
Level 1
Level 1

‎06-28-2006 12:34 PM - edited ‎03-09-2019 03:26 PM

I am having trouble reaching a https bank site behind a PIX running 6.3.5. I can reach the first page without any difficulty. http://dsrefw03.hsbc.com.mx/aptrix/internetpub.nsf/Content/HomePersonas The problem is when I try to connect to the next page by clicking on ENTRAR. This resolves to https://conexion.bital.com.mx/conper/default.htm. This pages eventually times out. If I remove the pix, I can connect to this page and access the bsnking information. Using a packet sniffer, I see that I am able to send a SSLv2 Client Hello to the https page (200.16.50.21) and it stops there. In the pix log I see one attempt to build a outbound TCP connection 728 for outside:200.16.50.21/443 and nothing more. What within the configuration of the pix could be stopping this traffic?

Labels:
0 Helpful
16 Replies 16

sachinraja
Level 9
Level 9

‎06-28-2006 11:07 PM

i hope you have the statics configured for the server IP on the PIX. have you given access to TCP 443 from outside to inside? Please check this, as the first site is a http access but the second (which fails) is a https access.

see if you have the fixup command configured for 443.

Hope this helps..

Raj

0 Helpful

mrrlg
Level 1
Level 1
In response to sachinraja

‎06-29-2006 07:15 AM

I have posted my configuration below. I can reach other https sites without any problem, it is only this site that is causing problems. I cannot add fixup protocol https 443, I receive an invalid protocol error.

0 Helpful

jmia
Level 7
Level 7

‎06-29-2006 04:46 AM

Rich

I have just tried the URLs that you posted and it works fine for me (http ->https), I'm behind a PIX running 6.3(5) too.

Would it possible if you could post your PIX config, taking out any sensitive information.

Jay

0 Helpful

mrrlg
Level 1
Level 1
In response to jmia

‎06-29-2006 07:13 AM

Here is my configuration:

show run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password encrypted

passwd encrypted

hostname xxxxxxx

domain-name xxxxx.com

clock timezone PST -8

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside permit icmp any any

access-list outside permit tcp any any

access-list inside permit ip any any

access-list inside permit tcp any any

access-list 101 permit ip 11.xxx.xx.xxx 255.255.255.240 10.xxx.xx.x 255.255.255.0

access-list 101 permit ip 10.xxx.xx.x 255.255.255.0 11.xxx.xx.xxx 255.255.255.240

pager lines 24

logging on

logging monitor errors

logging buffered debugging

logging host inside 11.xxx.xx.xxx 6/1470

mtu outside 1500

mtu inside 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 70.xxx.xx.xxx 255.255.255.0

ip address inside 11.xxx.xx.xxx 255.255.255.240

no ip address intf2

no ip address intf3

no ip address intf4

no ip address intf5

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm location 11.xxx.xx.xxx 255.255.255.255 inside

pdm location 192.xxx.x.x 255.255.255.0 outside

pdm history enable

arp timeout 14400

global (outside) 1 70.xxx.xx.xxx-70.xxx.xx.xxx

nat (inside) 1 11.xxx.xx.xxx 255.255.255.240 0 0

access-group inside in interface outside

route outside 0.0.0.0 0.0.0.0 70.xxx.xx.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 11.xxx.xx.xxx 255.255.255.255 inside

http 11.xxx.xx.xxx 255.255.255.255 inside

no snmp-server location

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-sha-hmac

crypto map toCanada 20 ipsec-isakmp

crypto map toCanada 20 set pfs group2

crypto map toCanada 20 set peer xxx.xxx.xxx.xxx

crypto map toCanada 20 set transform-set strong

crypto map toCanada 20 set security-association lifetime seconds 3600 kilobytes 8192

crypto map toCanada interface outside

isakmp enable outside

isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255

isakmp identity address

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption 3des

isakmp policy 9 hash sha

isakmp policy 9 group 2

isakmp policy 9 lifetime 86400

telnet 11.xxx.xx.xxx 255.255.255.240 inside

telnet timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxx

: end

0 Helpful

grant.maynard
Level 4
Level 4
In response to mrrlg

‎06-29-2006 07:23 AM

It may not be relevant but I noticed:

"crypto map toCanada 20" has no "match address..." line, though I expect it's acl101.

and your ACL on the outside interface has:

access-list inside permit ip any any

access-list inside permit tcp any any

Nothing else is obvious.

Can you check that crypto map line is there?

0 Helpful

mrrlg
Level 1
Level 1
In response to grant.maynard

‎06-29-2006 09:40 AM

Yes, I did repair the incomplete crypto map after posted this. This is a test configuration, whatever solution I come up with here will be applied to the production firewalls.

0 Helpful

mrrlg
Level 1
Level 1
In response to grant.maynard

‎06-29-2006 10:29 AM

I did notice that when I type show access-list in the pix I get this line.

access-list inside line 2 permit tcp any any (hitcnt=0)

When I do a packet capture from the https site outside of the pix I notice that all the communication from the site is tcp.

0 Helpful

jmia
Level 7
Level 7
In response to mrrlg

‎06-30-2006 12:25 AM

Rich

For the sake of sanity, let's start afresh with your configuration and then add other services that are required i.e. L2L VPNs etc.

So, if you change your current configuration to the following and test:

ip address outside 70.xxx.xx.xxx 255.255.255.0

ip address inside 11.xxx.xx.xxx 255.255.255.240

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 70.xxx.xx.x 1

Don't add any ACL's or Static's. I have tested using my lab PIX running 6.3(5) and I can access the site and the site is communicating using SSL v3 !!!

Let me know your results.

Jay

0 Helpful

jmia
Level 7
Level 7
In response to jmia

‎06-30-2006 12:44 AM

Oops slight typo on my other post:

This:

ip address outside 70.xxx.xx.xxx 255.255.255.0

ip address inside 11.xxx.xx.xxx 255.255.255.240

Should be:

ip address outside 70.xxx.xx.xxx 255.255.255.240

ip address inside 11.xxx.xx.xxx 255.255.255.0

0 Helpful

mrrlg
Level 1
Level 1
In response to jmia

‎06-30-2006 04:07 PM

I have stripped out the acl's and the vpn tunnel configuration. My current configuration is below. I can get to the internet, I still cannot get to the https page referenced above.

show run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password xxxxxxxxxxx encrypted

passwd xxxxxxxxxxx encrypted

hostname sdsnafw1

domain-name xxxxx.com

clock timezone PST -8

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

logging host inside 11.xxx.xx.xxx 6/1470

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 70.xxx.xx.xxx 255.255.255.0

ip address inside 11.xxx.xx.xxx 255.255.255.240

no ip address intf2

no ip address intf3

no ip address intf4

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm location 11.xxx.xx.xxx 255.255.255.255 inside

pdm location 11.xxx.xx.xxx 255.255.255.255 inside

pdm location 192.xxx.x.x 255.255.255.0 outside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 70.xxx.xx.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 11.xxx.xx.xxx 255.255.255.255 inside

http 11.xxx.xx.xxx 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 11.xxx.xx.xxx /

floodguard enable

telnet 11.xxx.xx.xxx 255.255.255.240 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

: end

0 Helpful

jmia
Level 7
Level 7
In response to mrrlg

‎07-01-2006 02:10 AM

Rich,

Now that's interesting! Ok let's try some troubleshooting.

Can you actually connect to tcp port 443 from behind the PIX i.e. telnet from an internal device:

telnet 200.16.50.21 443

Do you get a clean connection? If this don't work then enable logging on the PIX to see what the PIX see's.

Can you enable debug on the PIX please and post the output here (change any sensitive info before posting)

Logging on

Logging buffer debug

Show log

To disable issue no logging on.

Also, you could use a packet sniffer such as ethereal (free from http://www.ethereal.com), and run it on an internal device/PC, if you do use ethereal then use the filter option on ethereal to capture only tcp port 443.

Run ethereal on your PC (with the filter applied for SSL) and open up your browser and go to the https site. What does ethereal show when you try to access the site??

Let me know the results of the above, also I notice that you have on your PIX:

ip address outside 70.xxx.xx.xxx 255.255.255.0

ip address inside 11.xxx.xx.xxx 255.255.255.240

Has your ISP assigned you a large range of public IP's? Or should this be:

ip address outside 70.xxx.xx.xxx 255.255.255.240

ip address inside 11.xxx.xx.xxx 255.255.255.0

Anyway let me know....

Jay

0 Helpful

mrrlg
Level 1
Level 1
In response to jmia

‎07-01-2006 05:24 AM

Jay, I won't be able to test this until Monday but I can reach other ssl sites without any problem from behind this firewall.

When I did a packet trace from ethereal behind the pix the communication stops with a ssl v2 Client Hello from the internal pc to the external web site. Without the pix etheral shows incoming tcp packets from the external site (not ssl) to random ports. I do not have the traces with me at the momment. The connection is completed and as was indicated earlier it is via sslv3. I can attach screen prints if necessary.

Yes our isp has provided us with a class c range.

0 Helpful

a.kiprawih
Level 7
Level 7

‎07-01-2006 05:00 AM

Hi,

We all know that the 'ip verify reverse-path' is used for anti-spoofing. But one of my customer experienced more or less similar problem, it works by removing the "ip verify reverse-path interface " parameter.

It may sounds weird, but certain apps COULD respond differently in certain situation. No harm trying. Like what Jay has suggested, start again from clean config without any restriction.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008042c8c6.html#wp1053009

Rgds,

AK

0 Helpful

mrrlg
Level 1
Level 1
In response to a.kiprawih

‎07-01-2006 05:27 AM

I won't be able to try this until Monday. If indeed this is the case, is there a way to "exempt" this particular site from the ip verify reverse-path parameter?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents