Hi guys,
I've got a major problem with YouTube and users behind a PIX. The site itself works fine, but whenever you try to watch a video you get an error message saying that there is a problem and to check back later. My network hardware diagram looks like this:
Internet <-> Cisco Router <-> Linux Transparent Bridge <-> PIX <-> Switch HP <-> LAN
So this is what I have done so far.
1. Laptop connected to switch - youtube doesn't work (streaming)
2. Laptop connected to PIX by crossover cable - doesn't work
3. Laptop connected to Linux by crossover cable - youtube works
4. Laptop connected to Cisco router - works fine.
The tests I've made point to the PIX, but the problem is that, although I consider myself an expert on Linux firewalls,
I don't have experience with PIX. I've spent the last three days trying to sort this out....
This is my PIX config:
: Saved
: Written by admin at 11:38:55.363 UTC Mon Jun 15 2009
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Su7XHFTZSB.anwQX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name mydomain
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.80.240.0 NET_MKC
name 10.82.72.12 LSSC-CURRICULUM
name 10.82.72.11 LSSC-13llp82j
name 10.82.72.4 LSSC-MAIL
name 10.82.72.3 LSSC-MANAGE
name 10.82.72.2 LSSC-NETPILOT
name external ip some.external.domain
name 10.82.72.0 NET_LSSC
name proxy external ip proxy.externaldomain
name dns.external.ip dns.externaldomain
name 10.82.76.0 LSSC-Clients
name 10.95.254.221 MKC-Firewall
name 10.94.0.144 OU-PC
name 10.82.76.207 Wireless_Point3
name onlinebackupexternalip1 OnlineBackup
name onlinebackupexternalip1 OnlineBackup2
name 10.82.72.16 LSSC-PROXY
access-list compiled
access-list inside_outbound_nat0_acl remark No NAT for LSSC Servers from MKC NET
access-list inside_outbound_nat0_acl permit ip NET_LSSC 255.255.255.0 NET_MKC 255.255.255.0
access-list inside_outbound_nat0_acl remark No NAT for LSSC-MAIL from Electon.mkschools.net
access-list inside_outbound_nat0_acl permit ip host LSSC-MAIL host some.external.domain
access-list inside_outbound_nat0_acl remark No NAT for LSSC-MAIL from dns.externaldomain
access-list inside_outbound_nat0_acl permit ip host LSSC-MAIL host dns.externaldomain
access-list inside_outbound_nat0_acl remark No NAT for LSSC-PROXY from proxy.externaldomain
access-list inside_outbound_nat0_acl permit ip host 10.82.72.5 host proxy.externaldomain
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.128
access-list split permit ip NET_LSSC 255.255.248.0 192.168.1.0 255.255.255.0
access-list outside_access_in remark Allow inbound SMTP from some.external.domain to LSSC-MAIL
access-list outside_access_in permit tcp host some.external.domain host LSSC-MAIL eq smtp
access-list outside_access_in remark Allow Remote Desktop connection from MKC to LSSC Servers
access-list outside_access_in deny tcp NET_MKC 255.255.255.0 NET_LSSC 255.255.255.0 eq 3389
access-list outside_access_in remark Enable DNS Access (TCP) from MKC to LSSC-MANAGE
access-list outside_access_in deny tcp NET_MKC 255.255.255.0 host LSSC-MANAGE eq domain
access-list outside_access_in remark Enable DNS Access (TCP) from MKC to LSSC-CURRICULUM
access-list outside_access_in deny tcp NET_MKC 255.255.255.0 host LSSC-CURRICULUM eq domain
access-list outside_access_in remark Enable DNS Access (UDP) from MKC to LSSC-MANAGE
access-list outside_access_in deny udp NET_MKC 255.255.255.0 host LSSC-MANAGE eq domain
access-list outside_access_in remark Enable DNS Access (UDP) from MKC to LSSC-CURRICULUM
access-list outside_access_in deny udp NET_MKC 255.255.255.0 host LSSC-CURRICULUM eq domain
access-list outside_access_in remark Allow VPN client access
access-list outside_access_in permit ip 192.168.1.0 255.255.255.128 any
access-list outside_access_in permit ip any any
access-list inside_access_in remark Allow outbound access to proxy.externaldomain from LSSC-PROXY
access-list inside_access_in permit tcp host LSSC-PROXY host proxy.externaldomain eq 8080
access-list inside_access_in remark Allow outbound SMTP from LSSC-MAIL
access-list inside_access_in permit tcp host LSSC-MAIL any eq smtp
access-list inside_access_in remark Allow outbound access to MKC for LSSC Servers
access-list inside_access_in deny ip NET_LSSC 255.255.255.0 NET_MKC 255.255.255.0
access-list inside_access_in remark Allow outbound access to VPN clients
access-list inside_access_in permit ip any 192.168.1.0 255.255.255.128
access-list inside_access_in remark Deny ourbound access from Client PCs
access-list inside_access_in permit ip LSSC-Clients 255.255.252.0 any
access-list inside_access_in permit ip any any
access-list outside_cryptomap_dyn_20 remark Allow VPN access
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.0 255.255.255.128
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 10.94.0.158 255.255.255.240
ip address inside 10.82.72.1 255.255.248.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Leon-VPN-Pool 192.168.1.1-192.168.1.100
arp timeout 14400
global (outside) 3 10.82.77.1-10.82.79.254
global (outside) 1 interface
global (outside) 2 10.82.76.1
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 3 0.0.0.0 0.0.0.0 0 0
static (inside,outside) LSSC-MAIL LSSC-MAIL netmask 255.255.255.255 0 0
static (inside,outside) Wireless_Point3 Wireless_Point3 netmask 255.255.255.255 0 0
static (inside,outside) LSSC-13llp82j LSSC-13llp82j netmask 255.255.255.255 0 0
static (inside,outside) LSSC-PROXY LSSC-PROXY netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.94.0.145 1
route outside MKC-Firewall 255.255.255.255 10.94.0.145 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http NET_MKC 255.255.255.0 outside
http NET_MKC 255.255.255.0 inside
http NET_LSSC 255.255.255.0 inside
I have tried disabling the fixup on http and rtsp with no luck.
I'm out of ideas so any help would be appreciated!
Thanks.
C
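One thing worth doing before chasing the streaming problem is to sanity-check the two interface ACLs in the posted config, because several remarks say "Allow" while the rule underneath is a deny (and vice versa), and both ACLs end in permit ip any any. The script below is an added example, not the poster's code or anything from Cisco: it parses PIX 6.3 access-list lines copied from the post above and reports remark/action mismatches and rules shadowed by a trailing permit-all. It does not diagnose the YouTube failure itself.

```python
import re

# Sample lines are copied from the posted PIX 6.3 config (the two
# interface ACLs); the remark/action cross-check is this example's own idea.
PIX_ACL_LINES = """\
access-list outside_access_in remark Allow inbound SMTP from some.external.domain to LSSC-MAIL
access-list outside_access_in permit tcp host some.external.domain host LSSC-MAIL eq smtp
access-list outside_access_in remark Allow Remote Desktop connection from MKC to LSSC Servers
access-list outside_access_in deny tcp NET_MKC 255.255.255.0 NET_LSSC 255.255.255.0 eq 3389
access-list outside_access_in remark Allow VPN client access
access-list outside_access_in permit ip 192.168.1.0 255.255.255.128 any
access-list outside_access_in permit ip any any
access-list inside_access_in remark Allow outbound SMTP from LSSC-MAIL
access-list inside_access_in permit tcp host LSSC-MAIL any eq smtp
access-list inside_access_in remark Allow outbound access to MKC for LSSC Servers
access-list inside_access_in deny ip NET_LSSC 255.255.255.0 NET_MKC 255.255.255.0
access-list inside_access_in remark Deny ourbound access from Client PCs
access-list inside_access_in permit ip LSSC-Clients 255.255.252.0 any
access-list inside_access_in permit ip any any
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(remark|permit|deny)\s+(.*)$")
# First word of a remark that signals the intended action of the next rule.
INTENT = {"allow": "permit", "enable": "permit", "permit": "permit",
          "deny": "deny", "block": "deny"}

def audit_acls(text):
    """Return {acl_name: [findings]} for remark/action mismatches and permit-all."""
    findings, pending, catch_all = {}, {}, {}
    for raw in text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue                      # not an access-list entry
        name, kind, rest = m.groups()
        findings.setdefault(name, [])
        if kind == "remark":
            pending[name] = rest          # remember remark for the next rule
            continue
        if catch_all.get(name):           # anything after permit ip any any is dead
            findings[name].append(f"unreachable after permit ip any any: {kind} {rest}")
        remark = pending.pop(name, "")
        first = remark.split()[0].lower() if remark else ""
        intended = INTENT.get(first)
        if intended and intended != kind:
            findings[name].append(f"remark says '{first}' but rule is '{kind}': {rest}")
        if kind == "permit" and rest.split() == ["ip", "any", "any"]:
            catch_all[name] = True
            findings[name].append("permit ip any any: interface is effectively open")
    return findings
```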