Cisco Pix 506e firewall blocking Win07 from accessing a specific website?

By VCHD_IT
I formerly asked the question "Anyone experience in Windows 2007 where certain websites will not open?" I received replies, but nothing resolved the issue that our agency's webpage will not open on the four new Windows 2007 computers our agency recently purchased. It can be opened on any of the agency's Windows XP computers. I can open the website on a Window 07 laptop on my home network, but once I bring the laptop to work and connect to the local network it cannot open the website. I've connected a Windows 07 computer directly to the gateway, bypassing the firewall and switches, and it can open the website.

I have boiled it down to the issue possibly originating from the configuration of our CISCO PIX 506e firewall. It has been in service for over ten years with very little or no updates. I have no experience with this hardware. It seems you need a CISCO service contract to be able to download utilities or firmware for hardware you own. Our agency does not have a current contract.

Is there a configuration or setting that could prevent our agency's website from opening on a Windows 2007 PC?

Clarifications

by dmritchie2

I didn't see your previous question, but are you (behind the PIX) able to open any websites, or most but not your company's? What error is the browser throwing up when you try to access your agency's website?

All Answers

Response To Answer

by VCHD_IT In reply to more ideas

The server is inside. 07 & XP (all dynamic IP/IPv4 addresses) are on the same network. IP is the protocol used on the workgroup network. The XP computers are for the most part rebooted each work day. The server is a new HP server running Windows Server 2008. Prior to the server we had been a Novell network. It was discovered shortly after the new server was placed into service that it had not been assigned a static address. For the past 2 months it has been assigned a static address. Other than that, the server name was changed when the new server was placed into service approx. 6 months ago. Pinging the server and the website in question from an XP and from a 07 yields the same IP address. Both XP and 07 successfully ping the website and yield the same outside IP address. The home network is directly over the internet through a wireless router.

Our network setup starts at a Comcast gateway, goes to the CISCO PIX, then to three 24-port 3COM switches through which all workstations, network printers and electronic door locks communicate.

I won't be in the office until this evening to submit the CISCO PIX configuration and to try to eliminate the CISCO from the network (connect the gateway directly to the switches), then attempt to connect to the agency's website through a Window 07 box.

Response To Answer

by VCHD_IT In reply to more ideas

Here is the PIX configuration:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable passwd
hostname pixfirewall
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inbound permit icmp any any echo-reply
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
route outside
route inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:0
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
dhcpd address inside
dhcpd dns
dhcpd lease 604800
dhcpd ping_timeout 1500
dhcpd domain Mcleodusa.net
dhcpd enable inside
terminal width 80

The item that catches my eye is "dhcpd domain mcleodusa.net". This is a company we used years ago when we got our first high speed internet connection. We have since switched to a local company, Soltec, which was eventually bought by Iserv. Late last year we dropped Iserv and moved to Comcast for our high speed internet connection. I have noticed when I do an ipconfig /all at any of the agency's computers the following is listed: "DNS Suffix Search List.........mcleodusa.net."

I removed the PIX from the network and connected the Comcast gateway directly to the switch in which the PIX was connected. I booted our server and one of the Windows 07 computers. The 07 computer could not connect to the server but did have an internet connection. It could open the agency's website. Since the PIX was the DHCP server, all the IP addresses were in a different range, therefore the Window 07 could not connect to the agency's server that has a static IP in a different range. The subnets were the same.

Does this conclude that the PIX is the issue? What is the next step?
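As an added example (not from this thread, Cisco, or any poster), a small Python audit that reads a PIX 6.x "sh config" dump like the one posted above and reports the things being chased here: whether dhcpd actually has an address pool and DNS servers to hand out, whether the pushed search domain is stale, plus the management-plane exposures visible in the posted lines (ssh/telnet from any address, the default SNMP community, an empty enable password). The sample config is constructed from the posted lines with the masked values kept, and the expected domain "example.org" is a placeholder.

```python
import re

# Constructed sample: the PIX 6.1 lines posted in the thread, with the masked
# values kept as posted ("dhcpd address inside" has no pool, "dhcpd dns" no servers).
PIX_CONFIG = """\
PIX Version 6.1(4)
enable passwd
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
dhcpd address inside
dhcpd dns
dhcpd lease 604800
dhcpd domain Mcleodusa.net
dhcpd enable inside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def audit_pix_config(text, expected_domain):
    """Return (severity, message) findings for a PIX 6.x 'show config' dump."""
    findings = []
    dhcpd = {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"dhcpd (\w+)(?:\s+(.*))?$", line)
        if m:                                   # collect every dhcpd option
            dhcpd[m.group(1)] = m.group(2) or ""
        elif re.match(r"(ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 outside$", line):
            findings.append(("high", "management reachable from any Internet host: " + line))
        elif re.match(r"(ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 inside$", line):
            findings.append(("medium", "management reachable from every inside host: " + line))
        elif re.match(r"snmp-server community (public|private)$", line):
            findings.append(("high", "default SNMP community string: " + line))
        elif line == "enable passwd":
            findings.append(("high", "enable password empty or masked in the dump"))
    if "enable" in dhcpd:                       # the PIX is the LAN's DHCP server
        if not re.search(rf"{IPV4}-{IPV4}", dhcpd.get("address", "")):
            findings.append(("high", "dhcpd enabled but no address pool is configured"))
        if not re.search(IPV4, dhcpd.get("dns", "")):
            findings.append(("high", "dhcpd enabled but no DNS servers are handed to clients"))
        domain = dhcpd.get("domain", "")
        if domain.lower() != expected_domain.lower():
            findings.append(("medium", f"dhcpd pushes stale search domain '{domain}', expected '{expected_domain}'"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_pix_config(PIX_CONFIG, "example.org"):  # placeholder domain
        print(f"[{sev}] {msg}")
```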


to reach a web site by name, you need DNS to resolve the name to an address

by CG IT In reply to Cisco Pix 506e firewall b ...

DNS server addresses are provided to clients as DNS options or are statically defined on the client machines.

If the DNS server does not have a record for the name and the address associated with the name, DNS will forward unresolved queries to root hint DNS servers. If the root hint servers don't resolve the name, the error is returned to the client in the browser as "page cannot be displayed".

You still haven't said where the web site is hosted. If it's hosted internally, then an internal DNS server should resolve the name to the correct address and send the query to the web server, which then returns the web site in the user's browser. If DNS does not resolve the name, or if the users are using the incorrect DNS to resolve names, the user will get "page cannot be displayed".

Response To Answer

by VCHD_IT In reply to to reach a web site by na ...

Our website is hosted at godaddy.

Response To Answer

by VCHD_IT In reply to to reach a web site by na ...

The Windows 2007 boxes cannot browse to the agency website when the URL is used or when the IP address is used. I have tried on Chrome and Firefox with the same results. What are the Windows 2007 boxes doing differently than the Windows XP boxes?

hmm

by gdeangelis In reply to Cisco Pix 506e firewall b ...

I'm not convinced that the pix is it just yet. Although I don't see an outbound access list in what you posted. I don't see any dhcp ip range or dns or anything like that either in this config, so I am a little confused as to whether or not the pix is actually acting as the dhcp server. Is it possible that the pix was booted recently and the config was partially lost, having not been saved? Might explain some of the holes.
Have you tried manually assigning an ip address to the 07 machine? Also, do you have access to your internal dns servers to see how the server is listed in there?
Couple other things to try. Have you tried another browser on the 07?
When you access the server from inside, are you using the full DNS name, or just http://servername? If your thought on the mcleodusa.net is true, it could be trying to resolve your server at that domain, rather than your own. You definitely have a head scratcher here.

Response To Answer

by VCHD_IT In reply to hmm

The PIX is over 10 years old and has been rebooted many times but anything is possible.

This morning I set a static IP address for a Windows 07 box and set the DNS server addresses. I attempted to connect to the agency website with no success. I rebooted the computer and tried to connect to the agency website, again, with no success.

I must admit upfront I do not have a lot of experience dealing with DNS servers. So any information I may provide on this subject is not being provided with 100% confidence. When doing an ipconfig /all at a command prompt it shows that the preferred DNS are IP addresses belonging to Comcast, our internet & email provider. I called them one day to see if the issue could be on their side. The tech had me connect a Windows 07 box directly to their Comcast gateway and see if it could connect to the website. I did and the computer was able to connect to the agency website. The Comcast tech indicated that since it could connect to the website the issue is not due to Comcast.

I have tried to connect to the agency website using Chrome and Firefox with no success. Having said that, on a couple of occasions when attempting to connect to the website using Chrome, once the initial opening failed the browser offered a "reload" option. When I've selected it the website would open. I've researched to see if it may be possible to load IE 8.0 on a Windows 07 box and see if I could open the website, but I've not found info showing how to do that when IE v. 9.0 is OEM on the computer.

When trying to open the agency website I have tried both the URL and the IP address, with both failing in IE9, Chrome and Firefox.

My 2 cents

by sanjiv2 In reply to Cisco Pix 506e firewall b ...

Here is my understanding of your network:
http://www.gliffy.com/pubdoc/3741740/M.png

My Suggestions:
Here is my understanding:
Assumption A: If Webserver is outside the local network.

Assumption B: If webserver is inside the local network

It is safe to post the entire PIX configuration provided you mask public IP, passwords (even if it is encrypted), domain names, or any other object name referencing your domain/company.

Response To Answer

by VCHD_IT In reply to My 2 cents

Your understanding of the network is correct, with the webserver on the outside.

I've tried assigning an IP and DNS to the Windows 07 boxes and using an alternative DNS, with the same results that the website cannot be opened.

I followed items 1 - 8 with no success; however, after running ipconfig /dnsflush I used Chrome to attempt to open the agency's website. Once the ERR_TIMED_OUT error was shown, I immediately selected the "reload" option and the home page opened. I then clicked a link to another website page and it opened. When I then selected a pdf file link I received the ERR_TIMED_OUT error. I tried again to open the website in Chrome, got the same error, selected "reload", but this time it failed. I ran the ipconfig /dnsflush command again and tried to open the agency website in Chrome with the expectation of it failing, but hoping that once I selected the "reload" option it would open the agency website. It did not. It seems that the domain is not responding fast enough for the browser and a timeout is occurring.

My knowledge of the PIX is pretty much what I have learned trying to resolve this issue. I believe what I have previously posted is the complete PIX config. I obtained this information by starting a telnet session, "Open" using the PIX IP address. I then entered the password, typed "enable" and typed the password again. Finally, I used "sh config" to get to the config information. Is there another command that would show more config info?

Response To Answer

by VCHD_IT In reply to My 2 cents

I failed to include in my reply that in item 7 the DNS was successful in resolving the domain name to an IP address.

Item 6: Pinging the website and domain server were successful.
