06-28-2006 12:34 PM - edited 03-09-2019 03:26 PM
I am having trouble reaching an https bank site behind a PIX running 6.3.5. I can reach the first page without any difficulty:
http://dsrefw03.hsbc.com.mx/aptrix/internetpub.nsf/Content/HomePersonas
The problem is when I try to connect to the next page by clicking on ENTRAR. This resolves to https://conexion.bital.com.mx/conper/default.htm. This page eventually times out. If I remove the PIX, I can connect to this page and access the banking information. Using a packet sniffer, I see that I am able to send an SSLv2 Client Hello to the https page (200.16.50.21) and it stops there. In the PIX log I see one attempt to build an outbound TCP connection 728 for outside:200.16.50.21/443 and nothing more. What within the configuration of the PIX could be stopping this traffic?
06-28-2006 11:07 PM
I hope you have the statics configured for the server IP on the PIX. Have you given access to TCP 443 from outside to inside? Please check this, as the first site is an http access but the second (which fails) is an https access.
See if you have the fixup command configured for 443.
Hope this helps.
Raj
06-29-2006 07:15 AM
I have posted my configuration below. I can reach other https sites without any problem; it is only this site that is causing problems. I cannot add fixup protocol https 443; I receive an invalid protocol error.
06-29-2006 04:46 AM
Rich
I have just tried the URLs that you posted and it works fine for me (http -> https). I'm behind a PIX running 6.3(5) too.
Would it be possible for you to post your PIX config, taking out any sensitive information?
Jay
06-29-2006 07:13 AM
Here is my configuration:
show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password encrypted
passwd encrypted
hostname xxxxxxx
domain-name xxxxx.com
clock timezone PST -8
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any
access-list outside permit tcp any any
access-list inside permit ip any any
access-list inside permit tcp any any
access-list 101 permit ip 11.xxx.xx.xxx 255.255.255.240 10.xxx.xx.x 255.255.255.0
access-list 101 permit ip 10.xxx.xx.x 255.255.255.0 11.xxx.xx.xxx 255.255.255.240
pager lines 24
logging on
logging monitor errors
logging buffered debugging
logging host inside 11.xxx.xx.xxx 6/1470
mtu outside 1500
mtu inside 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 70.xxx.xx.xxx 255.255.255.0
ip address inside 11.xxx.xx.xxx 255.255.255.240
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 11.xxx.xx.xxx 255.255.255.255 inside
pdm location 192.xxx.x.x 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 70.xxx.xx.xxx-70.xxx.xx.xxx
nat (inside) 1 11.xxx.xx.xxx 255.255.255.240 0 0
access-group inside in interface outside
route outside 0.0.0.0 0.0.0.0 70.xxx.xx.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 11.xxx.xx.xxx 255.255.255.255 inside
http 11.xxx.xx.xxx 255.255.255.255 inside
no snmp-server location
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toCanada 20 ipsec-isakmp
crypto map toCanada 20 set pfs group2
crypto map toCanada 20 set peer xxx.xxx.xxx.xxx
crypto map toCanada 20 set transform-set strong
crypto map toCanada 20 set security-association lifetime seconds 3600 kilobytes 8192
crypto map toCanada interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
telnet 11.xxx.xx.xxx 255.255.255.240 inside
telnet timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end
06-29-2006 07:23 AM
It may not be relevant but I noticed:
"crypto map toCanada 20" has no "match address..." line, though I expect it's acl101.
and your ACL on the outside interface has:
access-list inside permit ip any any
access-list inside permit tcp any any
Nothing else is obvious.
Can you check that crypto map line is there?
06-29-2006 09:40 AM
Yes, I did repair the incomplete crypto map after I posted this. This is a test configuration; whatever solution I come up with here will be applied to the production firewalls.
06-29-2006 10:29 AM
I did notice that when I type show access-list in the pix I get this line.
access-list inside line 2 permit tcp any any (hitcnt=0)
When I do a packet capture from the https site outside of the PIX, I notice that all the communication from the site is TCP.
06-30-2006 12:25 AM
Rich
For the sake of sanity, let's start afresh with your configuration and then add other services that are required i.e. L2L VPNs etc.
So, if you change your current configuration to the following and test:
ip address outside 70.xxx.xx.xxx 255.255.255.0
ip address inside 11.xxx.xx.xxx 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 70.xxx.xx.x 1
Don't add any ACLs or statics. I have tested using my lab PIX running 6.3(5) and I can access the site, and the site is communicating using SSL v3!
Let me know your results.
Jay
06-30-2006 12:44 AM
Oops, slight typo in my other post:
This:
ip address outside 70.xxx.xx.xxx 255.255.255.0
ip address inside 11.xxx.xx.xxx 255.255.255.240
Should be:
ip address outside 70.xxx.xx.xxx 255.255.255.240
ip address inside 11.xxx.xx.xxx 255.255.255.0
06-30-2006 04:07 PM
I have stripped out the ACLs and the VPN tunnel configuration. My current configuration is below. I can get to the internet; I still cannot get to the https page referenced above.
show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
hostname sdsnafw1
domain-name xxxxx.com
clock timezone PST -8
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging host inside 11.xxx.xx.xxx 6/1470
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 70.xxx.xx.xxx 255.255.255.0
ip address inside 11.xxx.xx.xxx 255.255.255.240
no ip address intf2
no ip address intf3
no ip address intf4
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 11.xxx.xx.xxx 255.255.255.255 inside
pdm location 11.xxx.xx.xxx 255.255.255.255 inside
pdm location 192.xxx.x.x 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 70.xxx.xx.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 11.xxx.xx.xxx 255.255.255.255 inside
http 11.xxx.xx.xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 11.xxx.xx.xxx /
floodguard enable
telnet 11.xxx.xx.xxx 255.255.255.240 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
07-01-2006 02:10 AM
Rich,
Now that's interesting! Ok let's try some troubleshooting.
Can you actually connect to tcp port 443 from behind the PIX i.e. telnet from an internal device:
telnet 200.16.50.21 443
Do you get a clean connection? If this doesn't work, enable logging on the PIX to see what the PIX sees.
Can you enable debug on the PIX please and post the output here (change any sensitive info before posting)
logging on
logging buffered debugging
show logging
To disable it, issue no logging on.
Also, you could use a packet sniffer such as Ethereal (free from http://www.ethereal.com) and run it on an internal device/PC. If you do use Ethereal, use its filter option to capture only tcp port 443.
Run Ethereal on your PC (with the filter applied for SSL), open up your browser and go to the https site. What does Ethereal show when you try to access the site?
Let me know the results of the above, also I notice that you have on your PIX:
ip address outside 70.xxx.xx.xxx 255.255.255.0
ip address inside 11.xxx.xx.xxx 255.255.255.240
Has your ISP assigned you a large range of public IP's? Or should this be:
ip address outside 70.xxx.xx.xxx 255.255.255.240
ip address inside 11.xxx.xx.xxx 255.255.255.0
Anyway let me know....
Jay
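Jay's two checks, the "telnet 200.16.50.21 443" test and the filtered sniffer trace, written out in Python as an added example (this is not code from the thread or from Cisco). It assumes a host and port on the command line; the two sample records it classifies are constructed here so the classifier can be exercised offline.

```python
"""Added example (not from the thread): Jay's two checks done in Python.

probe_tcp()             the "telnet 200.16.50.21 443" test with a timeout, so
                        the outcome is a string rather than a hung terminal.
classify_client_hello() tells an SSLv2-format ClientHello (what Rich saw in
                        Ethereal) from an SSLv3/TLS record, given the first
                        bytes captured on tcp port 443.

The host/port are assumptions and the two sample records are constructed.
"""
import socket
import struct
import sys


def probe_tcp(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Plain TCP connect, like `telnet host 443`.

    A SYN the firewall forwards but never gets a SYN/ACK for comes back as
    "timeout"; an RST from the far end as "refused".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.timeout:            # subclass of OSError, so test it first
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS1.0",
            (3, 2): "TLS1.1", (3, 3): "TLS1.2"}


def _vname(major: int, minor: int) -> str:
    return VERSIONS.get((major, minor), f"unknown({major}.{minor})")


def classify_client_hello(data: bytes) -> dict:
    """Identify the record format of the first client->server bytes.

    SSLv3/TLS: content type 0x16, version, 2-byte length, then a handshake
               header whose first byte 0x01 is ClientHello and whose
               client_version follows the 3-byte handshake length.
    SSLv2:     2-byte header with the high bit set, then msg type 0x01
               (CLIENT-HELLO) and the version the client is offering.
    """
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 3 and data[5] == 0x01:
        return {
            "format": "sslv3/tls",
            "record_version": _vname(data[1], data[2]),
            "client_version": _vname(data[9], data[10]),
            "record_length": struct.unpack(">H", data[3:5])[0],
        }
    if len(data) >= 7 and data[0] & 0x80 and data[2] == 0x01:
        cipher_spec_len = struct.unpack(">H", data[5:7])[0]
        return {
            "format": "sslv2",
            "client_version": _vname(data[3], data[4]),
            "record_length": ((data[0] & 0x7F) << 8) | data[1],
            "cipher_specs": cipher_spec_len // 3,   # SSLv2 specs are 3 bytes
        }
    return {"format": "unknown"}


# Constructed sample 1: SSLv2-format ClientHello offering SSLv3 (0x0300) with
# one 3-byte cipher spec, no session id and a 16-byte challenge.
_v2_body = (b"\x01" + b"\x03\x00" + struct.pack(">HHH", 3, 0, 16)
            + b"\x00\x00\x04" + bytes(16))
SSLV2_HELLO = bytes([0x80 | (len(_v2_body) >> 8), len(_v2_body) & 0xFF]) + _v2_body

# Constructed sample 2: native SSLv3 ClientHello record with one cipher suite.
_v3_hs = (b"\x03\x00" + bytes(32) + b"\x00"            # version, random, sid len
          + struct.pack(">H", 2) + b"\x00\x04"         # cipher suites
          + b"\x01\x00")                               # compression methods
_v3_handshake = b"\x01" + len(_v3_hs).to_bytes(3, "big") + _v3_hs
SSLV3_HELLO = b"\x16\x03\x00" + struct.pack(">H", len(_v3_handshake)) + _v3_handshake


if __name__ == "__main__":
    for rec in (SSLV2_HELLO, SSLV3_HELLO):
        print(classify_client_hello(rec))
    if len(sys.argv) > 1:                 # e.g. python3 probe.py 200.16.50.21
        print(sys.argv[1], "443 ->", probe_tcp(sys.argv[1]))
```

Run it with the bank's address as the argument from a PC behind the PIX and again from outside it; a "timeout" inside and "connected" outside is the same evidence the thread's packet traces give, without needing a terminal to hang. The classifier is what to point at the first bytes of the captured 443 stream to confirm which hello format the browser sent.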
07-01-2006 05:24 AM
Jay, I won't be able to test this until Monday but I can reach other ssl sites without any problem from behind this firewall.
When I did a packet trace from Ethereal behind the PIX, the communication stops with an SSLv2 Client Hello from the internal PC to the external web site. Without the PIX, Ethereal shows incoming TCP packets from the external site (not SSL) to random ports. I do not have the traces with me at the moment. The connection is completed and, as was indicated earlier, it is via SSLv3. I can attach screen prints if necessary.
Yes, our ISP has provided us with a Class C range.
07-01-2006 05:00 AM
Hi,
We all know that 'ip verify reverse-path' is used for anti-spoofing. But one of my customers experienced a more or less similar problem, and it works after removing the "ip verify reverse-path interface" line.
It may sound weird, but certain apps COULD respond differently in certain situations. No harm trying. Like Jay has suggested, start again from a clean config without any restrictions.
Rgds,
AK
07-01-2006 05:27 AM
I won't be able to try this until Monday. If indeed this is the case, is there a way to "exempt" this particular site from the ip verify reverse-path parameter?
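The two things the thread keeps coming back to are what the PIX logs say about the 443 connection ("one attempt to build ... and nothing more") and whether ip verify reverse-path is involved. The script below is an added example, not code from the thread or from Cisco: it parses the PIX 6.3 syslog message types those questions turn on, correlates Built and Teardown messages by connection id, and pulls out the reverse-path and no-xlate denies. The sample log lines, the inside address 10.0.0.10 and the PAT address 192.0.2.5 are constructed; 200.16.50.21/443 is the destination named in the thread.

```python
"""Added example, not part of the thread: a parser for the PIX 6.3 syslog
lines the posters are looking at, run over constructed sample lines.

  302013/302014  Built/Teardown TCP connection. A 443 connection built and
                 then torn down with "bytes 0 SYN Timeout", or never torn
                 down at all, is the "one build, nothing more" Rich reports.
  106021         Deny ... reverse path check: what "ip verify reverse-path"
                 logs when it drops a packet (AK's hypothesis).
  106011         Deny inbound (No xlate): unsolicited inbound TCP from the far
                 end to ports with no translation, i.e. the packets a sniffer
                 outside the PIX would see arriving "to random ports".

All sample lines and the inside/PAT addresses (10.0.0.10 -> 192.0.2.5) are
constructed; 200.16.50.21/443 is the destination named in the thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

BUILT = re.compile(
    r"%PIX-6-302013: Built outbound TCP connection (?P<cid>\d+) "
    r"for \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) "
    r"to \w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\)")
TEARDOWN = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<cid>\d+) for \w+:[\d.]+/\d+ "
    r"to \w+:[\d.]+/\d+ duration (?P<duration>\d+:\d+:\d+) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$")
RPF_DENY = re.compile(
    r"%PIX-1-106021: Deny (?P<proto>\w+) reverse path check "
    r"from (?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<iface>\w+)")
NO_XLATE = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")


@dataclass
class Conn:
    cid: int
    src: str
    sport: int
    dst: str
    dport: int
    bytes: Optional[int] = None   # filled in by the Teardown line
    reason: Optional[str] = None  # "SYN Timeout", "TCP FINs", ...

    @property
    def stalled(self) -> bool:
        """Built but never carried data: no teardown yet, or 0 bytes."""
        return self.bytes is None or self.bytes == 0


def parse_pix_log(text: str) -> dict:
    """Correlate Built/Teardown by connection id; collect the two Deny types."""
    conns, rpf_denies, no_xlate = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if m := BUILT.search(line):
            d = m.groupdict()
            conns[int(d["cid"])] = Conn(int(d["cid"]), d["src"], int(d["sport"]),
                                        d["dst"], int(d["dport"]))
        elif m := TEARDOWN.search(line):
            d = m.groupdict()
            if c := conns.get(int(d["cid"])):
                c.bytes, c.reason = int(d["bytes"]), d["reason"]
        elif m := RPF_DENY.search(line):
            rpf_denies.append(m.groupdict())
        elif m := NO_XLATE.search(line):
            no_xlate.append(m.groupdict())
    return {"conns": conns, "rpf_denies": rpf_denies, "no_xlate": no_xlate}


def stalled_to(result: dict, dst: str, dport: int) -> list:
    """Connections to dst:dport that were built but never moved data."""
    return sorted((c for c in result["conns"].values()
                   if c.dst == dst and c.dport == dport and c.stalled),
                  key=lambda c: c.cid)


def denies_involving(result: dict, host: str) -> list:
    """RPF and No-xlate denies whose source or destination is host."""
    return [d for d in result["rpf_denies"] + result["no_xlate"]
            if host in (d["src"], d["dst"])]


# Constructed sample: one stalled 443 connection, one healthy 80 connection,
# a no-xlate deny, an RPF deny and a second 443 build with no teardown yet.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 728 for outside:200.16.50.21/443 (200.16.50.21/443) to inside:10.0.0.10/1056 (192.0.2.5/1056)
%PIX-6-302014: Teardown TCP connection 728 for outside:200.16.50.21/443 to inside:10.0.0.10/1056 duration 0:00:30 bytes 0 SYN Timeout
%PIX-6-302013: Built outbound TCP connection 729 for outside:200.16.50.21/80 (200.16.50.21/80) to inside:10.0.0.10/1057 (192.0.2.5/1057)
%PIX-6-302014: Teardown TCP connection 729 for outside:200.16.50.21/80 to inside:10.0.0.10/1057 duration 0:00:02 bytes 5120 TCP FINs
%PIX-3-106011: Deny inbound (No xlate) tcp src outside:200.16.50.21/2001 dst outside:192.0.2.5/3217
%PIX-1-106021: Deny tcp reverse path check from 10.0.0.10 to 200.16.50.21 on interface outside
%PIX-6-302013: Built outbound TCP connection 730 for outside:200.16.50.21/443 (200.16.50.21/443) to inside:10.0.0.10/1059 (192.0.2.5/1059)
"""

if __name__ == "__main__":
    r = parse_pix_log(SAMPLE_LOG)
    for c in stalled_to(r, "200.16.50.21", 443):
        print(f"conn {c.cid} {c.src}:{c.sport} -> {c.dst}:{c.dport} "
              f"bytes={c.bytes} reason={c.reason}")
    for d in denies_involving(r, "200.16.50.21"):
        print("deny:", d)
```

Feed it the output of show logging (with logging buffered debugging on, as Jay suggested) instead of SAMPLE_LOG. A 443 connection that is torn down with "bytes 0 SYN Timeout" means the SYN left the PIX and nothing came back; a 106011 for the bank's address means the far end did try to open connections back toward the PAT address that no translation existed for; a 106021 is the only message that would actually implicate ip verify reverse-path, so its absence is a quicker answer than removing the command.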