
Problems with external Net access from behind a 506E


rpreston (Technical User, GB), Apr 15, 2003
I have a PIX506E with no content filtering and no other restrictions on outgoing traffic.

I am having a couple of issues which I don't quite understand.

1. I am unable to ping external sites that I should otherwise be able to ping, i.e. etc. If I ping these addresses from behind the PIX, I get timeouts. If I ping the same addresses from the router on the other side of the PIX, I get ping responses. If I'm not putting any access restrictions on outgoing traffic, why is this happening?

2. I seem to experience problems when accessing certain websites. Ebay is one example, where the web pages take a long time to display, and when they do display images are missing, text blocks are missing, etc.

I don't understand how I can be having these problems when I have no outgoing restrictions. It's my understanding that any incoming traffic that is a response to valid packets originating from the inside of the PIX is allowed through - can anyone help ????

TIA


Rob
 
By default the Pix blocks inbound icmp traffic and so you would have to allow that on an inbound acl. The OUTBOUND icmp will be allowed but the reply from the other end will be blocked.

As for slow web sites, who knows? Are you getting any packet loss?

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Go ahead and post a cleaned up config (ie, sensitive IPs changed and passwords removed) so that we can check it out.

Computer/Network Technician
CCNA
 
Chris,

I don't think packet loss is the issue, to give you a bit more background info......

We've had a couple of problems lately with our ADSL router, which the PIX sits behind. We have a second ADSL link which is behind a router with built-in firewall. We switched over to this link when our main router failed, and we found that we then had no problems accessing websites which hadn't been displaying properly when running through the PIX.

We recently had to use this router on our main ADSL line, thus replacing the PIX on the same line the PIX uses, and we again found we had no problems accessing websites.

On both occasions, as soon as we brought the PIX back into play the website access problems returned.


Rob
 
I can't say that I really have any idea what that might be. I'm behind a Pix 506E and my connection is just fine. Have you tried a replacement firewall? Do you maybe have a speed/duplex mis-match between the router and the firewall or the firewall and the switch? Is there a memory leak on the firewall?

You see, it could be one of a million things causing this. It's not just that you use a Pix 506E. Something else is going on.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Also, maybe try changing the speed of the link between the PIX and the ADSL Router, as Auto doesn't always work correctly.

Computer/Network Technician
CCNA
 
Tidied up config below.


PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname xxxxxxxx
domain-name companyname.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list pol7 permit ip 167.165.0.0 255.255.0.0 location3.ip.address.0 255.255.255.192
access-list pol7 permit ip 167.165.0.0 255.255.0.0 location3.ip.address.64 255.255.255.224
access-list pol7 permit ip 167.165.0.0 255.255.0.0 host location3.outside.ipaddress.156
access-list pol5 permit ip 167.165.0.0 255.255.0.0 location2.dmz.ipaddress.64 255.255.255.224
access-list pol5 permit ip 167.165.0.0 255.255.0.0 location2.inside.ipaddress.192 255.255.255.192
access-list pol5 permit ip 167.165.0.0 255.255.0.0 167.165.100.0 255.255.255.0
access-list pol5 permit ip 167.165.0.0 255.255.0.0 host location3.outside.ipaddress.156
access-list pol5 permit ip 167.165.0.0 255.255.0.0 location3.ip.address.0 255.255.255.192
access-list pol5 permit ip 167.165.0.0 255.255.0.0 location3.ip.address.64 255.255.255.224
access-list pol5 permit ip 167.165.0.0 255.255.0.0 host location2.outside.ipaddress.50
access-list pol6 permit ip 167.165.0.0 255.255.0.0 location2.dmz.ipaddress.64 255.255.255.224
access-list pol6 permit ip 167.165.0.0 255.255.0.0 location2.inside.ipaddress.192 255.255.255.192
access-list pol6 permit ip 167.165.0.0 255.255.0.0 host location2.outside.ipaddress.50
access-list splittun permit ip 167.165.0.0 255.255.0.0 167.165.100.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap errors
logging facility 23
logging host inside 167.165.0.42 17/1400
no logging message 602301
no logging message 602302
no logging message 302002
no logging message 304001
no logging message 302001
no logging message 302006
no logging message 302005
no logging message 609002
no logging message 609001
interface ethernet0 10full
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside public.ip.address.113 255.255.255.240
ip address inside 167.165.0.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 167.165.100.10-167.165.100.11
ip local pool ippool2 167.165.100.12-167.165.100.13
ip local pool ippool3 167.165.100.14-167.165.100.15
ip local pool ippool4 167.165.100.16-167.165.100.17
ip local pool ippool5 167.165.100.18-167.165.100.19
pdm location 167.165.0.42 255.255.255.255 inside
pdm location 167.165.0.11 255.255.255.255 inside
pdm location 167.165.0.18 255.255.255.255 inside
pdm location 167.165.0.19 255.255.255.255 inside
pdm location 167.165.0.20 255.255.255.255 inside
pdm location 167.165.0.200 255.255.255.255 inside
pdm location 167.165.0.202 255.255.255.255 inside
pdm location 167.165.100.101 255.255.255.255 inside
pdm location 167.165.200.1 255.255.255.255 inside
pdm location 167.165.200.2 255.255.255.255 inside
pdm location 167.165.200.3 255.255.255.255 inside
pdm location 167.165.200.4 255.255.255.255 inside
pdm location 167.165.200.5 255.255.255.255 inside
pdm location 167.165.200.6 255.255.255.255 inside
pdm location location2.inside.ipaddress.192 255.255.255.192 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list pol5
nat (inside) 1 167.165.0.0 255.255.0.0 0 0
static (inside,outside) tcp public.ip.address.113 51892 167.165.0.152 51892 netmask 255.255.255.255 0 0
static (inside,outside) public.ip.address.118 167.165.0.200 netmask 255.255.255.255 0 0
static (inside,outside) public.ip.address.125 167.165.200.1 netmask 255.255.255.255 0 0
static (inside,outside) public.ip.address.124 167.165.200.2 netmask 255.255.255.255 0 0
static (inside,outside) public.ip.address.123 167.165.200.3 netmask 255.255.255.255 0 0
static (inside,outside) public.ip.address.122 167.165.200.4 netmask 255.255.255.255 0 0
static (inside,outside) public.ip.address.121 167.165.200.5 netmask 255.255.255.255 0 0
static (inside,outside) public.ip.address.120 167.165.200.6 netmask 255.255.255.255 0 0
static (inside,outside) public.ip.address.114 167.165.0.18 netmask 255.255.255.255 0 0
static (inside,outside) public.ip.address.117 167.165.0.202 netmask 255.255.255.255 0 0
static (inside,outside) public.ip.address.115 167.165.0.19 netmask 255.255.255.255 0 0
static (inside,outside) public.ip.address.119 167.165.0.11 netmask 255.255.255.255 0 0
static (inside,outside) public.ip.address.116 167.165.0.20 netmask 255.255.255.255 0 0
conduit permit tcp host public.ip.address.118 eq 22 any
conduit permit tcp host public.ip.address.118 eq telnet any
conduit permit tcp host public.ip.address.114 eq smtp any
conduit permit tcp host public.ip.address.116 eq 443 any
conduit permit tcp host public.ip.address.116 eq 8010 any
conduit permit tcp host public.ip.address.116 eq 8011 any
conduit permit tcp host public.ip.address.116 eq 8012 any
conduit permit tcp host public.ip.address.116 eq 8013 any
conduit permit tcp host public.ip.address.116 eq 8014 any
conduit permit tcp host public.ip.address.116 eq 8015 any
conduit permit tcp host public.ip.address.116 eq 9009 any
conduit permit udp host public.ip.address.116 eq 9009 any
conduit permit udp host public.ip.address.116 eq 48500 any
conduit permit tcp host public.ip.address.117 eq smtp any
conduit permit udp host public.ip.address.117 eq domain any
conduit permit tcp host public.ip.address.116 eq 48500 any
conduit permit ip public.ip.address.112 255.255.255.248 location3.ip.address.0 255.255.255.192
conduit permit ip public.ip.address.112 255.255.255.248 location3.ip.address.64 255.255.255.224
conduit permit ip host public.ip.address.125 any
conduit permit ip host public.ip.address.124 any
conduit permit ip host public.ip.address.123 any
conduit permit ip host public.ip.address.122 any
conduit permit ip host public.ip.address.121 any
conduit permit ip host public.ip.address.120 any
conduit permit tcp host public.ip.address.114 eq 443 any
route outside 0.0.0.0 0.0.0.0 public.ip.address.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server clientauth protocol radius
aaa-server clientauth (inside) host 167.165.100.101 companyname123 timeout 5
http server enable
http 167.165.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set pol5 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set pol5
crypto map n01-ldc02 5 ipsec-isakmp
crypto map n01-ldc02 5 match address pol6
crypto map n01-ldc02 5 set pfs group2
crypto map n01-ldc02 5 set peer location2.dmz.ipaddress.50
crypto map n01-ldc02 5 set transform-set pol5
crypto map n01-ldc02 5 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map n01-ldc02 10 ipsec-isakmp
crypto map n01-ldc02 10 match address pol7
crypto map n01-ldc02 10 set pfs group2
crypto map n01-ldc02 10 set peer location3.outside.ipaddress.156
crypto map n01-ldc02 10 set transform-set pol5
crypto map n01-ldc02 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map n01-ldc02 20 ipsec-isakmp dynamic dynmap
crypto map n01-ldc02 client authentication clientauth
crypto map n01-ldc02 interface outside
isakmp enable outside
isakmp key ******** address location2.dmz.ipaddress.50 netmask 255.255.255.255
isakmp key ******** address location3.outside.ipaddress.156 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
vpngroup companyname address-pool ippool
vpngroup companyname dns-server 167.165.0.17 167.165.0.11
vpngroup companyname default-domain city.country.companyname
vpngroup companyname split-tunnel splittun
vpngroup companyname idle-time 1800
vpngroup companyname password ********
vpngroup companyname2 address-pool ippool2
vpngroup companyname2 dns-server 167.165.0.17 167.165.0.11
vpngroup companyname2 default-domain city.country.companyname
vpngroup companyname2 split-tunnel splittun
vpngroup companyname2 idle-time 1800
vpngroup companyname2 password ********
vpngroup companyname3 address-pool ippool3
vpngroup companyname3 dns-server 167.165.0.17 167.165.0.11
vpngroup companyname3 default-domain city.country.companyname
vpngroup companyname3 split-tunnel splittun
vpngroup companyname3 idle-time 1800
vpngroup companyname3 password ********
vpngroup companyname4 address-pool ippool4
vpngroup companyname4 dns-server 167.165.0.17 167.165.0.11
vpngroup companyname4 default-domain city.country.companyname
vpngroup companyname4 split-tunnel splittun
vpngroup companyname4 idle-time 1800
vpngroup companyname4 password ********
vpngroup companyname5 address-pool ippool
vpngroup companyname5 dns-server 167.165.0.17 167.165.0.11
vpngroup companyname5 default-domain city.country.companyname
vpngroup companyname5 split-tunnel splittun
vpngroup companyname5 idle-time 1800
vpngroup companyname5 password ********
vpngroup companyname6 address-pool ippool2
vpngroup companyname6 dns-server 167.165.0.17 167.165.0.11
vpngroup companyname6 default-domain city.country.companyname
vpngroup companyname6 split-tunnel splittun
vpngroup companyname6 idle-time 1800
vpngroup companyname6 password ********
vpngroup companyname7 address-pool ippool3
vpngroup companyname7 dns-server 167.165.0.17 167.165.0.11
vpngroup companyname7 default-domain city.country.companyname
vpngroup companyname7 split-tunnel splittun
vpngroup companyname7 idle-time 1800
vpngroup companyname7 password ********
vpngroup companyname8 address-pool ippool4
vpngroup companyname8 dns-server 167.165.0.17
vpngroup companyname8 default-domain city.country.companyname
vpngroup companyname8 split-tunnel splittun
vpngroup companyname8 idle-time 1800
vpngroup companyname8 password ********
vpngroup companyname9 address-pool ippool5
vpngroup companyname9 dns-server 167.165.0.17 167.165.0.11
vpngroup companyname9 default-domain city.country.companyname
vpngroup companyname9 split-tunnel splittun
vpngroup companyname9 idle-time 1800
vpngroup companyname9 password ********
telnet 167.165.0.0 255.255.0.0 inside
telnet timeout 5
ssh location2.inside.ipaddress.192 255.255.255.192 outside
ssh timeout 5
dhcpd address 167.165.0.150-167.165.0.160 inside
dhcpd dns 167.165.0.13 167.165.0.17
dhcpd lease 36000
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
: end
[OK]


If this gives you any clues, let me know.

Thanks.


Rob
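Chris's point earlier in the thread (the PIX 6.x passes outbound ICMP but drops the replies unless an inbound permit exists, and `icmp permit` only governs ICMP addressed to the PIX interface itself) and the hard-coded `10full` interface speed can both be checked mechanically against the posted config. The script below is an added example, not code from the thread or from Cisco; the config excerpt is constructed from the lines Rob posted, and the finding text and severities are my own choices.

```python
import re

# Constructed excerpt modelled on the PIX 6.1(4) config posted above
# (placeholder addresses kept exactly as the poster wrote them).
SAMPLE_CONFIG = """\
PIX Version 6.1(4)
interface ethernet0 10full
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
conduit permit tcp host public.ip.address.118 eq 22 any
conduit permit ip host public.ip.address.125 any
route outside 0.0.0.0 0.0.0.0 public.ip.address.126 1
"""

# ICMP types that come back in response to inside hosts' own traffic
# (ping replies, traceroute hops, path-MTU / port unreachable).
RETURN_ICMP = ("echo-reply", "time-exceeded", "unreachable")


def audit_pix_config(text):
    """Return a list of (severity, message) findings for a PIX 6.x config."""
    findings = []
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    conduits = [l for l in lines if l.startswith("conduit ")]

    # 1. PIX 6.x does not track ICMP statefully, so replies from the Internet
    #    need an explicit inbound permit. 'icmp permit any outside' does not
    #    count: it only controls ICMP terminating on the interface.
    allowed = set()
    for c in conduits:
        m = re.match(r"conduit permit icmp any any (\S+)", c)
        if m:
            allowed.add(m.group(1))
    for kind in RETURN_ICMP:
        if kind not in allowed:
            findings.append(("info", f"no inbound permit for icmp {kind}; "
                                     "outbound pings from inside will time out"))

    # 2. A forced speed/duplex must match the router or switch on the other
    #    end; a mismatch shows up as slow, partially loaded pages.
    for l in lines:
        m = re.match(r"interface (\S+) (\S+)$", l)
        if m and m.group(2) != "auto":
            findings.append(("info", f"{m.group(1)} forced to {m.group(2)}; "
                                     "confirm the peer is set the same"))

    # 3. Conduits exposing a host on every IP protocol from anywhere.
    for c in conduits:
        if re.match(r"conduit permit ip host \S+ any$", c):
            findings.append(("warn", f"broad conduit: {c}"))
    return findings
```

Adding `conduit permit icmp any any echo-reply` to the config clears the echo-reply finding while the other two ICMP types stay flagged.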
 