Cisco Support Community
New Member

Trouble Banking

I am having trouble reaching an https bank site behind a PIX running 6.3.5. I can reach the first page without any difficulty. http://dsrefw03.hsbc.com.mx/aptrix/internetpub.nsf/Content/HomePersonas The problem is when I try to connect to the next page by clicking on ENTRAR. This resolves to https://conexion.bital.com.mx/conper/default.htm. This page eventually times out. If I remove the pix, I can connect to this page and access the banking information. Using a packet sniffer, I see that I am able to send an SSLv2 Client Hello to the https page (200.16.50.21) and it stops there. In the pix log I see one attempt to build an outbound TCP connection 728 for outside:200.16.50.21/443 and nothing more. What within the configuration of the pix could be stopping this traffic?

16 REPLIES

Re: Trouble Banking

I hope you have the statics configured for the server IP on the PIX. Have you given access to TCP 443 from outside to inside? Please check this, as the first site is an http access but the second (which fails) is an https access.

See if you have the fixup command configured for 443.

Hope this helps..

Raj

New Member

Re: Trouble Banking

I have posted my configuration below. I can reach other https sites without any problem, it is only this site that is causing problems. I cannot add fixup protocol https 443, I receive an invalid protocol error.

Gold

Re: Trouble Banking

Rich

I have just tried the URLs that you posted and it works fine for me (http ->https), I'm behind a PIX running 6.3(5) too.

Would it be possible for you to post your PIX config, taking out any sensitive information?

Jay

New Member

Re: Trouble Banking

Here is my configuration:

show run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password encrypted

passwd encrypted

hostname xxxxxxx

domain-name xxxxx.com

clock timezone PST -8

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside permit icmp any any

access-list outside permit tcp any any

access-list inside permit ip any any

access-list inside permit tcp any any

access-list 101 permit ip 11.xxx.xx.xxx 255.255.255.240 10.xxx.xx.x 255.255.255.0

access-list 101 permit ip 10.xxx.xx.x 255.255.255.0 11.xxx.xx.xxx 255.255.255.240

pager lines 24

logging on

logging monitor errors

logging buffered debugging

logging host inside 11.xxx.xx.xxx 6/1470

mtu outside 1500

mtu inside 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 70.xxx.xx.xxx 255.255.255.0

ip address inside 11.xxx.xx.xxx 255.255.255.240

no ip address intf2

no ip address intf3

no ip address intf4

no ip address intf5

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm location 11.xxx.xx.xxx 255.255.255.255 inside

pdm location 192.xxx.x.x 255.255.255.0 outside

pdm history enable

arp timeout 14400

global (outside) 1 70.xxx.xx.xxx-70.xxx.xx.xxx

nat (inside) 1 11.xxx.xx.xxx 255.255.255.240 0 0

access-group inside in interface outside

route outside 0.0.0.0 0.0.0.0 70.xxx.xx.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 11.xxx.xx.xxx 255.255.255.255 inside

http 11.xxx.xx.xxx 255.255.255.255 inside

no snmp-server location

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-sha-hmac

crypto map toCanada 20 ipsec-isakmp

crypto map toCanada 20 set pfs group2

crypto map toCanada 20 set peer xxx.xxx.xxx.xxx

crypto map toCanada 20 set transform-set strong

crypto map toCanada 20 set security-association lifetime seconds 3600 kilobytes 8192

crypto map toCanada interface outside

isakmp enable outside

isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255

isakmp identity address

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption 3des

isakmp policy 9 hash sha

isakmp policy 9 group 2

isakmp policy 9 lifetime 86400

telnet 11.xxx.xx.xxx 255.255.255.240 inside

telnet timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxx

: end

Re: Trouble Banking

It may not be relevant but I noticed:

"crypto map toCanada 20" has no "match address..." line, though I expect it's acl101.

and your ACL on the outside interface has:

access-list inside permit ip any any

access-list inside permit tcp any any

Nothing else is obvious.

Can you check that crypto map line is there?

New Member

Re: Trouble Banking

Yes, I did repair the incomplete crypto map after I posted this. This is a test configuration; whatever solution I come up with here will be applied to the production firewalls.

New Member

Re: Trouble Banking

I did notice that when I type show access-list in the pix I get this line.

access-list inside line 2 permit tcp any any (hitcnt=0)

When I do a packet capture from the https site outside of the pix I notice that all the communication from the site is tcp.

Gold

Re: Trouble Banking

Rich

For the sake of sanity, let's start afresh with your configuration and then add other services that are required i.e. L2L VPNs etc.

So, if you change your current configuration to the following and test:

ip address outside 70.xxx.xx.xxx 255.255.255.0

ip address inside 11.xxx.xx.xxx 255.255.255.240

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 70.xxx.xx.x 1

Don't add any ACLs or statics. I have tested using my lab PIX running 6.3(5) and I can access the site and the site is communicating using SSL v3 !!!

Let me know your results.

Jay

Gold

Re: Trouble Banking

Oops, slight typo in my other post:

This:

ip address outside 70.xxx.xx.xxx 255.255.255.0

ip address inside 11.xxx.xx.xxx 255.255.255.240

Should be:

ip address outside 70.xxx.xx.xxx 255.255.255.240

ip address inside 11.xxx.xx.xxx 255.255.255.0

New Member

Re: Trouble Banking

I have stripped out the ACLs and the VPN tunnel configuration. My current configuration is below. I can get to the internet, but I still cannot get to the https page referenced above.

show run

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password xxxxxxxxxxx encrypted

passwd xxxxxxxxxxx encrypted

hostname sdsnafw1

domain-name xxxxx.com

clock timezone PST -8

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

logging host inside 11.xxx.xx.xxx 6/1470

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 70.xxx.xx.xxx 255.255.255.0

ip address inside 11.xxx.xx.xxx 255.255.255.240

no ip address intf2

no ip address intf3

no ip address intf4

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm location 11.xxx.xx.xxx 255.255.255.255 inside

pdm location 11.xxx.xx.xxx 255.255.255.255 inside

pdm location 192.xxx.x.x 255.255.255.0 outside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 70.xxx.xx.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 11.xxx.xx.xxx 255.255.255.255 inside

http 11.xxx.xx.xxx 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 11.xxx.xx.xxx /

floodguard enable

telnet 11.xxx.xx.xxx 255.255.255.240 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

: end

Gold

Re: Trouble Banking

Rich,

Now that's interesting! Ok let's try some troubleshooting.

Can you actually connect to tcp port 443 from behind the PIX i.e. telnet from an internal device:

telnet 200.16.50.21 443

Do you get a clean connection? If this doesn't work then enable logging on the PIX to see what the PIX sees.

Can you enable debug on the PIX please and post the output here (change any sensitive info before posting).

Logging on

Logging buffer debug

Show log

To disable, issue no logging on.

Also, you could use a packet sniffer such as ethereal (free from http://www.ethereal.com), and run it on an internal device/PC, if you do use ethereal then use the filter option on ethereal to capture only tcp port 443.

Run ethereal on your PC (with the filter applied for SSL) and open up your browser and go to the https site. What does ethereal show when you try to access the site??

Let me know the results of the above, also I notice that you have on your PIX:

ip address outside 70.xxx.xx.xxx 255.255.255.0

ip address inside 11.xxx.xx.xxx 255.255.255.240

Has your ISP assigned you a large range of public IPs? Or should this be:

ip address outside 70.xxx.xx.xxx 255.255.255.240

ip address inside 11.xxx.xx.xxx 255.255.255.0

Anyway let me know....

Jay

New Member

Re: Trouble Banking

Jay, I won't be able to test this until Monday but I can reach other ssl sites without any problem from behind this firewall.

When I did a packet trace from ethereal behind the pix the communication stops with an ssl v2 Client Hello from the internal pc to the external web site. Without the pix ethereal shows incoming tcp packets from the external site (not ssl) to random ports. I do not have the traces with me at the moment. The connection is completed and as was indicated earlier it is via sslv3. I can attach screen prints if necessary.

Yes, our ISP has provided us with a class C range.

Re: Trouble Banking

Hi,

We all know that 'ip verify reverse-path' is used for anti-spoofing. But one of my customers experienced a more or less similar problem, and it works after removing the "ip verify reverse-path interface" parameter.

It may sound weird, but certain apps COULD respond differently in certain situations. No harm in trying. Like what Jay has suggested, start again from a clean config without any restriction.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008042c8c6.html#wp1053009

Rgds,

AK

New Member

Re: Trouble Banking

I won't be able to try this until Monday. If indeed this is the case, is there a way to "exempt" this particular site from the ip verify reverse-path parameter?

Gold

Re: Trouble Banking

Rich,

I have 'ip verify' enabled on my lab PIX and it does not have any problems when accessing the HSBC https site!!

Now, just as a test, take out the ip verify statement and see if this helps.

But what you haven't answered is - can you telnet to the https ip address on port 443 for this site from behind the PIX?

Let me know...

Jay

New Member

Re: Trouble Banking

After I read your original problem description the first thing that immediately came to mind is an application layer problem. Noting that you stated the hostname to IP resolution is correct and a connection was established for outbound "SSLv2 client hello" I skipped over looking at the config, fired up my browser with it configured for SSLv3 only, https://conexion.bital.com.mx/conper/default.htm came up fine, then reconfigured my browser for SSLv2 only and got a "page cannot be displayed".

Final analysis: Application layer issue. To be more specific this particular bank appears to have chosen not to support the security vulnerable SSLv2 protocol but does appear to support the stronger SSLv3 and TLSv1. Most likely the client browser is old and doesn't support SSLv3 or TLSv1. Or, it's been misconfigured to disable support for the stronger encryption protocols.

I'm curious what OS, browser type and browser version you're running?

Cheers.
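The "SSLv2 Client Hello" seen in the capture can be inspected further, because an SSLv2-format hello can still advertise SSLv3 or TLSv1.0 in its version field (the backward-compatible hello described in RFC 2246 Appendix E). The following is an added example, not part of the thread: it classifies the first bytes a client sends to port 443 by record format and offered version. The function names and sample payloads are constructed for illustration.

```python
import struct

VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0"}

def classify_client_hello(payload: bytes) -> dict:
    """Report the record format and highest version offered in a ClientHello."""
    if len(payload) >= 5 and payload[0] & 0x80 and payload[2] == 0x01:
        # SSLv2 record: 15-bit length, msg type 1 (CLIENT-HELLO), 2-byte version.
        fmt, version = "SSLv2-format", struct.unpack(">H", payload[3:5])[0]
    elif len(payload) >= 11 and payload[0] == 0x16 and payload[5] == 0x01:
        # SSLv3/TLS record: type 22 (handshake), 5-byte record header,
        # 4-byte handshake header (type 1 = ClientHello), then client_version.
        fmt, version = "SSLv3/TLS-format", struct.unpack(">H", payload[9:11])[0]
    else:
        raise ValueError("not a ClientHello")
    return {
        "format": fmt,
        "offered": VERSION_NAMES.get(version, hex(version)),
        # Only a hello whose version field is 0x0002 limits the client to SSLv2.
        "sslv2_only": version == 0x0002,
    }

def sample_v2_hello(version: int) -> bytes:
    """Constructed SSLv2-format hello: one cipher spec, 16-byte challenge."""
    body = struct.pack(">BHHHH", 1, version, 3, 0, 16) + b"\x01\x00\x80" + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body

def sample_v3_hello(version: int) -> bytes:
    """Constructed SSLv3/TLS-format hello: one cipher suite, null compression."""
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"
            + b"\x00\x02\x00\x04" + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake

if __name__ == "__main__":
    for label, pkt in [("v2 hello, SSLv2 only", sample_v2_hello(0x0002)),
                       ("v2 hello offering SSLv3", sample_v2_hello(0x0300)),
                       ("native SSLv3 hello", sample_v3_hello(0x0300))]:
        print(label, "->", classify_client_hello(pkt))
```

To use it on a real trace, pass the first TCP payload bytes the client sends to 200.16.50.21:443, exported from the sniffer.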
