Help with PIX and external website

18 years 1 week ago #16902 by Outlawpsd
I wish I had found this site months ago…

I have a problem with a website that our company is trying to access for information. I can get to it from my home connection (or any outside connection, for that matter), but I am unable to access it from inside our company. I have been able to get to it twice from inside our company, but 99% of the time when we click on the link (which redirects to another IP) the page pops up and freezes. I have kind of been thrown into the role of the network admin, but I do have a solid server background. However, as I am finding out, the PIX is a different animal to work with than the regular Cisco equipment that we have. Our current configuration is a PIX 515E running 7.0. I obviously do not want to call the other company and say that they have an issue on their end and waste their time; I deal with that on a daily basis. Here are the logs from the PIX with the IPs X'ed out to protect the innocent. I will post the connections to the initial website, then when the link is clicked. I am seeing Reset-O and Reset-I through the log.


Built inbound TCP connection 709946 for outside:192.168.X.X/1161 (192.168.X.X/1161) to inside:192.53.X.X/443 (192.53.X.X/443)
Built local-host outside:192.53.X.X
Built dynamic TCP translation from inside:192.168.X.X/1161 to outside:72.20.X.X/3643
Built outbound TCP connection 709947 for outside:192.53.X.X/443 (192.53.X.X/443) to inside:192.168.X.X/1161 (72.20.X.X/3643)
Built inbound TCP connection 709948 for outside:192.168.X.X/1162 (192.168.X.X/1162) to inside:192.53.X.X/443 (192.53.X.X/443)
Built dynamic TCP translation from inside:192.168.X.X/1162 to outside:72.20.X.X/3644
Built outbound TCP connection 709949 for outside:192.53.X.X/443 (192.53.X.X/443) to inside:192.168.X.X/1162 (72.20.X.X/3644)
Built inbound TCP connection 709950 for outside:192.168.X.X/1163 (192.168.X.X/1163) to inside:192.53.X.X/443 (192.53.X.X/443)
Built dynamic TCP translation from inside:192.168.X.X/1163 to outside:72.20.X.X/3645
Built outbound TCP connection 709951 for outside:192.53.X.X/443 (192.53.X.X/443) to inside:192.168.X.X/1163 (72.20.X.X/3645)
Teardown dynamic TCP translation from inside:192.168.X.X/1154 to outside:72.20.X.X/3634 duration 0:00:30
Teardown dynamic TCP translation from inside:192.168.X.X/1155 to outside:72.20.X.X/3636 duration 0:00:30
Teardown dynamic TCP translation from inside:192.168.X.X/1157 to outside:72.20.X.X/3638 duration 0:00:30
Teardown TCP connection 709911 for outside:192.168.X.X/1152 to inside:146.130.X.X/80 duration 0:00:38 bytes 12295 TCP Reset-O
Teardown TCP connection 709913 for outside:192.168.X.X/1153 to inside:146.130.X.X/80 duration 0:00:37 bytes 3700 TCP Reset-O
Teardown local-host inside:146.130.X.X duration 0:00:38
Teardown TCP connection 709923 for outside:192.168.X.X/1156 to inside:146.130.X.X/443 duration 0:00:31 bytes 76422 TCP Reset-O
Teardown TCP connection 709943 for outside:192.168.X.X/1160 to inside:146.130.X.X/443 duration 0:00:20 bytes 16061 TCP Reset-O
Teardown local-host inside:146.130.X.X duration 0:00:32
Teardown TCP connection 709912 for outside:146.130.X.X/80 to inside:192.168.X.X/1152 duration 0:00:38 bytes 12295 TCP Reset-I
Teardown TCP connection 709914 for outside:146.130.X.X/80 to inside:192.168.X.X/1153 duration 0:00:37 bytes 3700 TCP Reset-I
Teardown local-host outside:146.130.X.X duration 0:00:38
Teardown TCP connection 709924 for outside:146.130.X.X/443 to inside:192.168.X.X/1156 duration 0:00:31 bytes 76422 TCP Reset-I
Teardown TCP connection 709944 for outside:146.130.X.X/443 to inside:192.168.X.X/1160 duration 0:00:20 bytes 16061 TCP Reset-I
Teardown local-host outside:146.130.X.X duration 0:00:32
Teardown TCP connection 709948 for outside:192.168.X.X/1162 to inside:192.53.X.X/443 duration 0:00:17 bytes 968 TCP Reset-O
Teardown TCP connection 709950 for outside:192.168.X.X/1163 to inside:192.53.X.X/443 duration 0:00:17 bytes 1049 TCP Reset-O
Teardown TCP connection 709949 for outside:192.53.X.X/443 to inside:192.168.X.X/1162 duration 0:00:17 bytes 968 TCP Reset-I
Teardown TCP connection 709951 for outside:192.53.X.X/443 to inside:192.168.X.X/1163 duration 0:00:17 bytes 1049 TCP Reset-I

The 146 address is the original connection, and then when the link is clicked it sends me to the 192.53 address. Any help in determining if the problem lies on my end would be great. We are doing no filtering on any outbound traffic, so anything that is allowed out should be able to come back in, and we have had no other access issues from any other site to date. Just looking at the logs, the first reset (Reset-O) for the 192.53 is coming from the outside interface, which is making me believe that the issue is on the other end. Thanks in advance for any and all help.
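An added example (editor's, not part of the original post): a short Python script that pairs the two connection records the PIX writes for each flow logged above and reads the teardown reason by Cisco's definition for syslog 302014, where "TCP Reset-I" means the reset came from the host on the inside: side of that record and "TCP Reset-O" from the host on the outside: side. It also pulls the NAT mapping out of the matching Built line, so you can see which address the far-end web server actually saw. The sample log lines are copied from the post with the same masked octets; the script assumes the interfaces are literally named inside and outside, as in the posted config.

```python
"""Pair the two PIX connection records of a hairpinned flow; report which end
sent the RST (per Cisco's Reset-I / Reset-O semantics) and what the far end saw
after NAT. Sample lines are constructed from the post above (masked octets kept).
Assumption: interfaces are named 'inside' and 'outside' as in the posted config."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Built inbound TCP connection 709948 for outside:192.168.X.X/1162 (192.168.X.X/1162) to inside:192.53.X.X/443 (192.53.X.X/443)
Built dynamic TCP translation from inside:192.168.X.X/1162 to outside:72.20.X.X/3644
Built outbound TCP connection 709949 for outside:192.53.X.X/443 (192.53.X.X/443) to inside:192.168.X.X/1162 (72.20.X.X/3644)
Teardown dynamic TCP translation from inside:192.168.X.X/1154 to outside:72.20.X.X/3634 duration 0:00:30
Teardown TCP connection 709911 for outside:192.168.X.X/1152 to inside:146.130.X.X/80 duration 0:00:38 bytes 12295 TCP Reset-O
Teardown TCP connection 709923 for outside:192.168.X.X/1156 to inside:146.130.X.X/443 duration 0:00:31 bytes 76422 TCP Reset-O
Teardown TCP connection 709912 for outside:146.130.X.X/80 to inside:192.168.X.X/1152 duration 0:00:38 bytes 12295 TCP Reset-I
Teardown TCP connection 709924 for outside:146.130.X.X/443 to inside:192.168.X.X/1156 duration 0:00:31 bytes 76422 TCP Reset-I
Teardown TCP connection 709948 for outside:192.168.X.X/1162 to inside:192.53.X.X/443 duration 0:00:17 bytes 968 TCP Reset-O
Teardown TCP connection 709949 for outside:192.53.X.X/443 to inside:192.168.X.X/1162 duration 0:00:17 bytes 968 TCP Reset-I
"""

# One endpoint as the PIX prints it: <nameif>:<real-addr>/<real-port>, optionally
# followed by the NAT-mapped (<addr>/<port>) on Built lines.
EP = r"(?P<if{n}>\w+):(?P<h{n}>[^/\s]+)/(?P<p{n}>\d+)"
MAPPED = r" \((?P<m{n}>[^/\s]+)/(?P<mp{n}>\d+)\)"
BUILT = re.compile(r"Built (?:inbound|outbound) TCP connection (?P<cid>\d+) for "
                   + EP.format(n=1) + MAPPED.format(n=1) + " to "
                   + EP.format(n=2) + MAPPED.format(n=2))
TEARDOWN = re.compile(r"Teardown TCP connection (?P<cid>\d+) for "
                      + EP.format(n=1) + " to " + EP.format(n=2)
                      + r" duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")


def parse_mapped(log_text):
    """cid -> [(real, mapped)] for every endpoint whose address/port was translated."""
    nat = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if not m:
            continue  # xlate and local-host lines carry no connection id
        d, pairs = m.groupdict(), []
        for real, mapped in ((("h1", "p1"), ("m1", "mp1")), (("h2", "p2"), ("m2", "mp2"))):
            r = f"{d[real[0]]}/{d[real[1]]}"
            mp = f"{d[mapped[0]]}/{d[mapped[1]]}"
            if r != mp:
                pairs.append((r, mp))
        nat[d["cid"]] = pairs
    return nat


def parse_teardowns(log_text):
    """Yield one dict per 'Teardown TCP connection' line; everything else is skipped."""
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if m:
            d = m.groupdict()
            d["ep1"] = (d["if1"], f"{d['h1']}/{d['p1']}")
            d["ep2"] = (d["if2"], f"{d['h2']}/{d['p2']}")
            yield d


def reset_origin(rec):
    """Host that sent the RST: Reset-I -> the 'inside:' endpoint of this record,
    Reset-O -> the 'outside:' endpoint. None for other teardown reasons."""
    want = {"TCP Reset-I": "inside", "TCP Reset-O": "outside"}.get(rec["reason"])
    for iface, ep in (rec["ep1"], rec["ep2"]):
        if want is not None and iface == want:
            return ep
    return None


def pair_legs(log_text):
    """Group teardown records by unordered endpoint pair, so the two records the PIX
    writes for one hairpinned flow land together; check that they tell one story."""
    nat = parse_mapped(log_text)
    flows = defaultdict(list)
    for rec in parse_teardowns(log_text):
        flows[frozenset([rec["ep1"][1], rec["ep2"][1]])].append(rec)
    result = []
    for key, legs in flows.items():
        origins = {reset_origin(r) for r in legs}
        agree = len(origins) == 1
        result.append({
            "endpoints": tuple(sorted(key)),
            "conn_ids": [r["cid"] for r in legs],
            "bytes": sorted({int(r["bytes"]) for r in legs}),  # both legs should match
            "reasons": [r["reason"] for r in legs],
            "legs_agree": agree,
            "reset_from": origins.pop() if agree else None,
            "nat": [t for r in legs for t in nat.get(r["cid"], [])],
        })
    return sorted(result, key=lambda f: f["conn_ids"])


if __name__ == "__main__":
    for f in pair_legs(SAMPLE_LOG):
        print(f"{' <-> '.join(f['endpoints'])}: conns {f['conn_ids']} bytes {f['bytes']} "
              f"{f['reasons']} RST from {f['reset_from']} nat {f['nat']}")
```

Pairing the two records lets you check that they agree on the byte count and on which end sent the RST before deciding which side to chase; the NAT column shows the far end only ever sees the PIX's public 72.20.X.X address, which is what a packet capture on the outside interface would have to be filtered on.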
18 years 1 week ago #16912 by Smurf
Can you post your config, please? Comment out passwords and the first part of the IP octets, etc.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
18 years 4 days ago #16978 by Outlawpsd
PIX Version 7.0(1)
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 72.20.X.X 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.30.250.X 255.255.252.0
!
interface Ethernet2
speed 100
duplex full
nameif trunk
security-level 10
no ip address
!
interface Ethernet2.238
vlan 238
nameif ssn
security-level 20
ip address 10.30.238.X 255.255.255.0
!
hostname XXXXXXXXXXXX
domain-name XXXXXXXXXXXXXXXXXXXX.com
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns retries 2
dns timeout 2
dns domain-lookup outside
dns name-server 205.X.X.X
dns name-server 72.X.X.X
object-group network public-dns
description Public DNS Servers
network-object 205.X.X.X 255.255.255.255
network-object 72.X.X.X 255.255.255.255
network-object 72.X.X.X 255.255.255.255
object-group service OWATCP tcp
description OWA TCP ports inbound
port-object eq 88
port-object eq 1600
port-object eq ldap
port-object eq 3268
port-object eq domain
port-object eq netbios-ssn
port-object eq 135
port-object eq 445
object-group service OWAUDP udp
description OWA UDP inbound ports
port-object eq 88
port-object eq netbios-dgm
port-object eq netbios-ns
port-object eq 389
port-object eq domain
port-object eq 135
access-list inside_nat0_outbound extended permit ip host 10.30.250.10 host 10.245.1.60
access-list inside_nat0_outbound extended permit ip host 10.30.250.10 host 10.245.1.146
access-list inside_nat0_outbound extended permit ip host 10.30.250.10 host 10.245.1.59
access-list inside_nat0_outbound extended permit ip host 10.30.240.102 host 10.30.238.100
access-list inside_nat0_outbound extended permit ip host 10.30.240.100 host 10.30.238.100
access-list inside_nat0_outbound extended permit ip host 10.30.240.101 host 10.30.238.100
access-list inside_nat0_outbound extended permit ip host 10.30.240.100 host 10.30.238.101
access-list inside_nat0_outbound extended permit ip host 10.30.240.102 host 10.30.238.101
access-list inside_nat0_outbound extended permit ip host 10.30.240.101 host 10.30.238.101
access-list inside_nat0_outbound extended permit ip any 10.30.236.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 10.30.240.106 host 10.30.238.101
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip host 10.30.240.102 host 10.30.238.102
access-list outside_cryptomap_40 extended permit ip host 10.30.250.10 host 10.245.1.60
access-list acl_outside remark Inbound FTP Server access (TCP/21) from any internet host
access-list acl_outside extended permit tcp any host 72.20.X.X eq ftp
access-list acl_outside remark Inbound FTP-Data access (TCP/20) from any internet host
access-list acl_outside extended permit tcp any host 72.20.X.X eq ftp-data
access-list acl_outside remark Inbound Web Server access (TCP/80) from any internet host for OWA
access-list acl_outside extended permit tcp any host 72.20.X.X eq www
access-list acl_outside remark Inbound HTTPS Server access (TCP/443) from any internet host for OWA
access-list acl_outside extended permit tcp any host 72.20.X.X eq https
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit tcp 205.158.X.X 255.255.255.0 host 72.20.X.X eq ssh
access-list acl_outside extended permit tcp any host 72.20.X.X eq smtp
access-list acl_outside remark Inbound FTP Server access (TCP/21) from any internet host
access-list acl_outside remark Inbound FTP-Data access (TCP/20) from any internet host
access-list acl_outside remark Inbound Web Server access (TCP/80) from any internet host for OWA
access-list acl_outside remark Inbound HTTPS Server access (TCP/443) from any internet host for OWA
access-list outside_cryptomap_60 extended permit ip host 10.30.250.10 host 10.245.1.146
access-list outside_cryptomap_80 extended permit ip host 10.30.250.10 host 10.245.1.59
access-list ssn_access_in extended permit tcp host 10.30.238.100 host 10.30.240.102 eq smtp
access-list ssn_access_in extended permit udp host 10.30.238.100 host 10.30.240.100 eq domain
access-list ssn_access_in extended permit udp host 10.30.238.100 host 10.30.240.101 eq domain
access-list ssn_access_in extended permit tcp host 10.30.238.100 host 205.158.X.X eq www
access-list ssn_access_in remark Outbound SMTP Server (UDP/53) to the Public DNS Servers
access-list ssn_access_in extended permit udp host 10.30.238.101 object-group public-dns eq domain
access-list ssn_access_in remark Outbound SMTP Server (TCP/25) to any Public SMTP Server
access-list ssn_access_in extended permit tcp host 10.30.238.101 any eq smtp
access-list ssn_access_in remark Outbound Web Client access (TCP/80) to any Public Web Server
access-list ssn_access_in extended permit tcp host 10.30.238.101 any eq www
access-list ssn_access_in remark Outbound Web Client access (TCP/443) to any Public Web Server
access-list ssn_access_in extended permit tcp host 10.30.238.101 any eq https
access-list ssn_access_in remark Outbound FTP Client access (TCP/21) to any Public FTP Server
access-list ssn_access_in extended permit tcp host 10.30.238.101 any eq ftp
access-list ssn_access_in remark Outbound FTP-Data access (TCP/20) to any Public FTP Server
access-list ssn_access_in extended permit tcp host 10.30.238.101 any eq ftp-data
access-list ssn_access_in extended permit tcp host 10.30.238.100 205.158.X.X 255.255.255.0 eq ssh
access-list ssn_access_in remark TCP Ports needed for OWA
access-list ssn_access_in extended permit tcp host 10.30.238.101 host 10.30.240.100 object-group OWATCP
access-list ssn_access_in remark UDP ports needed for OWA
access-list ssn_access_in extended permit udp host 10.30.238.101 host 10.30.240.100 object-group OWAUDP
access-list ssn_access_in remark TCP ports needed for OWA Secondary
access-list ssn_access_in extended permit tcp host 10.30.238.101 host 10.30.240.101 object-group OWATCP
access-list ssn_access_in remark UDP ports needed for OWA Secondary
access-list ssn_access_in extended permit udp host 10.30.238.101 host 10.30.240.101 object-group OWAUDP
access-list ssn_access_in remark Inbound port needed for OWA server to domain controller
access-list ssn_access_in extended permit tcp host 10.30.238.101 host 10.30.240.102 eq www
access-list ssn_access_in remark Inbound port needed for OWA server to domain controller
access-list ssn_access_in extended permit tcp host 10.30.238.101 host 10.30.240.102 eq 691
access-list ssn_access_in extended permit ip host 10.30.238.101 any
access-list ssn_access_in remark Inbound port needed for SSN
access-list ssn_access_in extended permit tcp host 10.30.238.101 host 10.30.240.106 eq 13720
access-list ssn_access_in remark Inbound port needed for SSN
access-list ssn_access_in extended permit tcp host 10.30.238.101 host 10.30.240.106 eq 13724
access-list ssn_access_in remark Inbound port needed for SSN
access-list ssn_access_in remark Inbound port needed for SSN
access-list ssn_access_in remark Inbound port needed for SSN
access-list ssn_access_in remark Inbound port needed for SSN
access-list ssn_access_in extended permit ip host 10.30.238.102 any
access-list ssn_access_in remark Outbound SMTP Server (UDP/53) to the Public DNS Servers
access-list ssn_access_in remark Outbound SMTP Server (TCP/25) to any Public SMTP Server
access-list ssn_access_in remark Outbound Web Client access (TCP/80) to any Public Web Server
access-list ssn_access_in remark Outbound Web Client access (TCP/443) to any Public Web Server
access-list ssn_access_in remark Outbound FTP Client access (TCP/21) to any Public FTP Server
access-list ssn_access_in remark Outbound FTP-Data access (TCP/20) to any Public FTP Server
access-list ssn_access_in remark TCP Ports needed for OWA
access-list ssn_access_in remark UDP ports needed for OWA
access-list ssn_access_in remark TCP ports needed for OWA Secondary
access-list ssn_access_in remark UDP ports needed for OWA Secondary
access-list ssn_access_in remark Inbound port needed for OWA server to domain controller
access-list ssn_access_in remark Inbound port needed for OWA server to domain controller
access-list ssn_access_in remark Inbound port needed for SSN netbackup from
access-list ssn_access_in remark Inbound port needed for SSN netbackup
access-list ssn_access_in remark Inbound port needed for SSN netbackup
access-list ssn_access_in remark Inbound port needed for SSN netbackup
access-list ssn_access_in remark Inbound port needed for SSN netbackup
access-list ssn_access_in remark Inbound port needed for SSN netbackup
access-list outside_cryptomap_dyn_20 extended permit ip any 10.30.236.0 255.255.255.0
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.1.0 255.255.255.128
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging history errors
logging asdm critical
logging host inside 10.30.134.11
logging permit-hostdown
no logging message 106011
mtu outside 1500
mtu inside 1500
mtu trunk 1500
mtu ssn 1500
ip local pool vendor-clientvpn 192.168.1.100-192.168.1.150 mask 255.255.255.0
ip local pool user-clientvpn 192.168.1.50-192.168.1.99 mask 255.255.255.0
no vpn-addr-assign aaa
no failover
monitor-interface outside
monitor-interface inside
monitor-interface trunk
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 72.20.X.X netmask 255.255.255.224
global (ssn) 1 10.30.238.254 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ssn) 1 0.0.0.0 0.0.0.0
static (ssn,outside) 72.20.X.X 10.30.238.100 netmask 255.255.255.255
static (ssn,outside) 72.20.X.X 10.30.238.101 netmask 255.255.255.255
static (inside,outside) 72.20.X.X 10.30.240.102 netmask 255.255.255.255
access-group acl_outside in interface outside
access-group ssn_access_in in interface ssn
route outside 0.0.0.0 0.0.0.0 72.20.X.X 1
route outside 10.245.1.0 255.255.255.0 72.20.X.X 1
route inside 0.0.0.0 0.0.0.0 10.30.250.10 tunneled
route inside 192.168.0.0 255.255.0.0 10.30.250.10 1
route inside 10.0.0.0 255.0.0.0 10.30.250.10 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 1:00:00 udp 10:00:00 icmp 1:00:00
timeout sunrpc 1:10:00 h323 1:05:00 h225 1:00:00 mgcp 1:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.30.X.X
key XXXXXXXXXXXXX
authentication-port 1812
accounting-port 1813
group-policy DfltGrpPolicy attributes
banner none
wins-server value 10.30.X.X
dns-server value 10.30.X.X 10.30.X.X
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value XXXXXXXXXXXXXXXXX.com
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
group-policy XXXXX internal
group-policy XXXXX attributes
vpn-filter value XXXXXX
group-policy RAS-VPN_Employees internal
group-policy RAS-VPN_Employees attributes
dhcp-network-scope 10.30.236.0
ipsec-udp enable
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set TUNNEL_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set TUNNEL_ESP_3DES_SHA
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 12.178.X.X
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 12.43.X.X
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 12.155.X.X
crypto map outside_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp ipsec-over-tcp port XXXXXXXXX
dhcprelay server 10.30.X.X inside
tunnel-group 12.178.X.X type ipsec-l2l
tunnel-group 12.178.X.X ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
tunnel-group 12.43.X.X type ipsec-l2l
tunnel-group 12.43.X.X ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
tunnel-group 12.155.X.X type ipsec-l2l
tunnel-group 12.155.X.X ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
tunnel-group RAS-VPN_Employees type ipsec-ra
tunnel-group RAS-VPN_Employees general-attributes
address-pool user-clientvpn
authentication-server-group XXXXXXXX
default-group-policy RAS-VPN_Employees
dhcp-server 10.30.X.X
tunnel-group RAS-VPN_Employees ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
tunnel-group XXXXXX type ipsec-ra
tunnel-group XXXXXXX general-attributes
address-pool vendor-clientvpn
default-group-policy XXXXXXXXX
dhcp-server 10.30.X.X
tunnel-group XXXXXXX ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ntp server 10.30.X.X source inside prefer
management-access inside
: end

show startup-config errors

INFO: No configuration errors
18 years 2 days ago #17035 by Smurf
Blimey, that's an interesting config, some stuff I ain't seen before in there :)

So, from what I can gather, the original post shows that the connections are coming from your VPN clients on the 192.168.x.x network. Can any other machines on the internal network connect OK to this website?

Also, is it going to be possible to do a packet capture on the external interface to see what is terminating and when ?

I ain't really had time to fully go through the config, but I will see if I can have another go to fully understand it (will need to research a couple of things I ain't seen before).

Cheers

18 years 2 days ago #17041 by Outlawpsd
Yeah, let's just say it's been interesting learning about all this, but there is no better way to learn. lol

No, it does not work from the extranet (10.30.238.X), inside (10.30.X.X), (192.168.X.X) or from VPN (192.168.1.X). It would be pretty hard to sniff the connection on the outside interface as there is no switch that it is plugged into; it's plugged straight in.
18 years 2 days ago #17042 by Smurf
Hmm, running out of ideas now. I have noticed that you have access-lists on the SSN trunk and also on the outside interface; you have nothing on the inside.

Can you try allowing everything through the firewall briefly just to test? If you create an access list "access-list Allow_All extended permit ip any any" and temporarily apply it to all interfaces, then quickly test the website? I just want to see if it does in fact work OK.

I wanted to do the capture in case the website is somehow blocking your IP address, as it's tearing down the connection. Maybe we will have to run a quick capture on the PIX instead. If you are allowed to quickly turn off the access-lists and allow everything out just to do a quick test and then re-apply the access-lists, we can rule the access-lists out (although it all looks OK).

Cheers

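An added example (editor's, not from the thread): a Python lint over a subset of the posted config that answers, before anyone applies a permit ip any any ACL to every interface, which interfaces have an inbound access-group at all, which ACEs on the bound ACLs are already wide open (permit ip ... any), and whether every ESP transform-set carries an authentication algorithm (esp-none is encryption without integrity). The config lines are copied from the post with the same masked octets, keeping only the three addressed interfaces; the parser handles the extended ACE forms used there and does not handle source-port specs or object-group expansion.

```python
"""Lint the access-list / access-group / transform-set lines of a PIX 7.x config.
Sample: a constructed subset of the config posted in this thread (masked octets
kept; only the three interfaces with an IP address are included)."""
import re

SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
interface Ethernet1
 nameif inside
interface Ethernet2.238
 nameif ssn
access-list acl_outside remark Inbound HTTPS Server access (TCP/443) from any internet host for OWA
access-list acl_outside extended permit tcp any host 72.20.X.X eq https
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit tcp 205.158.X.X 255.255.255.0 host 72.20.X.X eq ssh
access-list ssn_access_in extended permit tcp host 10.30.238.101 any eq https
access-list ssn_access_in extended permit ip host 10.30.238.101 any
access-list ssn_access_in extended permit ip host 10.30.238.102 any
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.128
access-group acl_outside in interface outside
access-group ssn_access_in in interface ssn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-none
crypto ipsec transform-set TUNNEL_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set TUNNEL_ESP_3DES_SHA
crypto map outside_map 40 set transform-set ESP-3DES-MD5
"""

ACE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")
NAMEIF = re.compile(r"^nameif (\S+)$")
TRANSFORM_SET = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
SET_TRANSFORM = re.compile(r"set transform-set (\S+)")


def _lines(cfg):
    return [ln.strip() for ln in cfg.splitlines() if ln.strip()]


def _addr(tokens):
    """Consume one address spec: 'any', 'host A', 'object-group G' or 'A MASK'."""
    t = tokens.pop(0)
    return "any" if t == "any" else f"{t} {tokens.pop(0)}"


def interfaces(cfg):
    return [m.group(1) for ln in _lines(cfg) if (m := NAMEIF.match(ln))]


def bound_acls(cfg):
    """interface -> ACL applied with 'access-group <acl> in interface <if>'."""
    return {m.group(2): m.group(1) for ln in _lines(cfg) if (m := ACCESS_GROUP.match(ln))}


def parse_aces(cfg):
    """Yield one dict per extended ACE; remarks are skipped. Source-port specs
    (e.g. 'permit tcp any eq 80 any') are not handled; the posted config has none."""
    for ln in _lines(cfg):
        m = ACE.match(ln)
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        tokens = rest.split()
        src, dst = _addr(tokens), _addr(tokens)
        yield {"acl": acl, "action": action, "proto": proto, "src": src,
               "dst": dst, "ports": " ".join(tokens), "line": ln}


def transform_sets_without_auth(cfg):
    """Transform-sets with no *-hmac algorithm, i.e. ESP confidentiality only."""
    return [m.group(1) for ln in _lines(cfg)
            if (m := TRANSFORM_SET.match(ln))
            and not any(a.endswith("-hmac") for a in m.group(2).split())]


def referenced_transform_sets(cfg):
    """Names actually selected by a crypto map or dynamic-map entry."""
    return {m.group(1) for ln in _lines(cfg) if (m := SET_TRANSFORM.search(ln))}


def lint(cfg):
    bound = bound_acls(cfg)
    wide_open = [a["line"] for a in parse_aces(cfg)
                 if a["acl"] in bound.values() and a["action"] == "permit"
                 and a["proto"] == "ip" and a["dst"] == "any"]
    return {
        "unfiltered_interfaces": sorted(set(interfaces(cfg)) - set(bound)),
        "wide_open_aces": wide_open,
        "transform_sets_without_auth": transform_sets_without_auth(cfg),
        "transform_sets_in_use": sorted(referenced_transform_sets(cfg)),
    }


if __name__ == "__main__":
    for key, items in lint(SAMPLE_CONFIG).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Run against the full posted config, the ACL part reproduces what Smurf spotted (no inbound access-group on inside) and also lists the two permit ip host ... any entries on ssn, which effectively leave those two hosts unrestricted regardless of the port-specific entries around them. The transform-set check flags ESP-3DES-SHA, which despite its name negotiates ESP with no integrity algorithm; no crypto map in the posted config selects it, so it is a misnamed spare rather than a live tunnel, but it is worth removing before someone picks it by name.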