Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX-5-304002: Access Denied ?? 1

Status
Not open for further replies.
rshendrix

rshendrix

MIS
Mar 5, 2002
134
0
0
Can someone shed some light on why I am getting this message in my PIX logs?

%PIX-5-304002: Access Denied URL SRC 10.0.39.28 DEST 205.188.145.184 on interface inside

Known facts:
(1) This comes from going to and trying to login to get mail.
(2) IE browser comes back with Cannot find server or DNS Error
(3) Only some computers on our LAN have this problem, others seem to logging on to AOL just fine.
(4) This started happening about 2 weeks ago, which is about the same time AOL changed their GUI at (5) PIX configuration has not changed recently.
(6) The PIX config is listed below:

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname xxxxxxxxxxx
domain-name xxxxx.xxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list intf2_access_in permit ip 172.16.128.0 255.255.255.0 any
access-list intf2_access_in permit icmp any any
access-list inside_access_in deny tcp any any eq 5190
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list smtp permit tcp any host 192.168.1.2 eq smtp
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.x.x 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap notifications
logging host inside 10.0.39.24
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 100basetx
icmp permit any unreachable outside
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.39.65 255.0.0.0
ip address intf2 172.16.128.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.x.x-192.168.x.x
pdm location 10.0.39.24 255.255.255.255 inside
pdm location 10.0.39.28 255.255.255.255 inside
pdm location 10.0.0.0 255.255.255.255 inside
pdm location 10.0.39.65 255.255.255.255 inside
pdm location 172.16.128.2 255.255.255.255 intf2
pdm location 172.16.128.1 255.255.255.255 intf2
pdm location 10.0.39.60 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (intf2) 1 172.16.128.0 255.255.255.0 0 0
static (inside,outside) tcp 192.168.1.2 smtp 10.0.39.60 smtp netmask 255.255.255
.255 0 0
static (inside,intf2) 10.0.39.28 10.0.39.28 netmask .255.255.255 0 0
static (inside,intf2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
access-group smtp in interface outside
access-group inside_access_in in interface inside
access-group intf2_access_in in interface intf2
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
url-server (inside) host 10.0.39.60 timeout 5 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 10.0.39.24 255.255.255.255 inside
http 10.0.39.28 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.0.39.28 c:\TFTP-Rootfloodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local ippool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup xxxxxxx address-pool ippool
vpngroup xxxxxxx split-tunnel 101
vpngroup xxxxxxx idle-time 1800
vpngroup xxxxxxx password ********
vpngroup address-pool idle-time 1800
telnet timeout 5
ssh timeout 5
terminal width 80

Any help will be appreciated.

Thanks.
 
Sort by date Sort by votes
I don't have a solution for you, but maybe a caution might be in order about posting a firewall config to an open forum.
 
Upvote 0 Downvote
HI.

> url-server (inside) host 10.0.39.60 timeout 5 protocol TCP version 1

Do you use WebSense?
Check the WebSense server configuration/logs/updates.

> (3) Only some computers on our LAN have this problem, others seem to logging on to AOL just fine.
Try to reboot the pix, websense, or both.
The pix might have cached URL filter rules entries for some users but not other. A reboot may line things up for easier troubleshooting.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
It looks like you are blocking AOL by this line:

access-list inside_access_in deny tcp any any eq 5190
 
Upvote 0 Downvote
That line actually blocks AOL access if you are using the AOL sotware and connecting via tcp/ip. That is not a new addition to the configuration. We certainly want to block AOL that way.

The problem I am having is while going to via Internet Explorer and trying to login and check mail, etc..
 
Upvote 0 Downvote
Check to see if their webpage is using that port though. You don't always have to use port 80 or 443 for webpages.

Also, since you are using websense w/ the "allow" option, try turning off the websense server temporarily and see if it will access the website.

-Bad Dos
 
Upvote 0 Downvote
Bad Dos,

Your right on the money! I removed the line and all worked. Looks like AOL may have changed things up a little. I will need to go back to the drawing board to keep the AOL software from getting access via tcp/ip.

Thanks again, Bad Dos!
 
Upvote 0 Downvote
This ended up being a Websense/Cisco PIX problem. I found the solution on the Websense FAQ page. I had to make the following PIX configuration additions:

url-block url-mempool 1500
url-glock url-size 4

These commands increase the size of the internal buffer that handles the GET requests when Websense is enabled. Typically, a user gets a "Page Cannot Be Displayed" message or the request appears to time out, due to the PIX's internal buffer not being able to handle the size and length of the URL string.

The PIX must be running firmware 6.2(2).

Thanks to all who replied.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
177
Shmid
Shmid
gbayi_omo
  • Locked
  • Question
Cisco ASA 5505 not allowing access to highest security zone
Replies
0
Views
51
gbayi_omo
gbayi_omo
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
36
xwray
xwray
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
44
brownmab53
brownmab53
gkreg
  • Locked
  • Question
asa 5500-x url filtering
Replies
0
Views
95
gkreg
gkreg

Part and Inventory Search

Sponsor

Back
Top