Cisco Pix 506e firewall blocking Win07 from accessing a specific website?

By VCHD_IT ·
I formerly asked the question "Anyone experience in Windows 2007 where certain websites will not open?" I received replies but nothing resolved the issue that our agency's webpage will not open on the four new Windows 2007 computers our agency recently purchased. It can be opened on any of the agency's Windows XP computers. I can open the website on a Windows 07 laptop on my home network, but once I bring the laptop to work and connect to the local network it cannot open the website. I've connected a Windows 07 computer directly to the gateway, bypassing the firewall and switches, and it can open the website.

I have boiled it down to possibly the issue originating from the configuration of our CISCO Pix 506e firewall. It has been in service for over ten years with very little or no updates. I have no experience with this hardware. It seems you need a CISCO service contract to be able to download utilities or firmware for hardware you own. Our agency does not have a current contract.

Is there a configuration or setting that could prevent our agency's website from opening on a Windows 2007 PC?


Clarifications

by dmritchie2

I didn't see your previous question, but are you (behind the PIX) able to open any websites, or most but not your company's? What error is the browser throwing up when you try to access your agency's website?

All Answers

by dl_wraith In reply to Is this still a problem t ...

Yep - I gave you the right command for the right reasons. Go ahead and use that when you're ready.

Sorry - crisis of confidence for a moment there :)

by VCHD_IT In reply to Is this still a problem t ...

I ran the FIXUP command and received a "bad protocol dns" message. I typed it with dns in lower case and upper case with the same results.

I ran the access-list command and tried connecting to the agency website on a Windows 2007 box, still unsuccessful. I did run the no access-list command later.

by VCHD_IT In reply to Is this still a problem t ...

Just read your response 7/25/12 "Just remember to associate the access-list with an access-group with an interface."

I honestly don't know how to do this. When I ran the access-list command I just typed it as you showed in one of your responses (access-list acl_inside permit icmp any any).

by dl_wraith In reply to Is this still a problem t ...

Access-lists don't work for an interface until you associate them with an interface. This is done via the access-group command.

In your ICMP case all you need is to telnet, enable and conf t (as usual), then:
access-group acl_inside in interface inside

You have one already, associated with the outside interface. See your existing access-group command? What that says is you've associated the access-list called 'outside' with the interface called 'outside'.

Only one access-group can be associated with an interface at any time but you can have lots of access-list statements under the same name all bundled together using the access-group command. All you've got to do is keep the naming consistent.

I hope that helps.
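
The access-list / access-group pairing described in the post above, as an added example that is not part of the original thread. It uses PIX 6.x syntax; the list name `acl_inside`, the interface name `inside` and the 192.168.0.0/16 range are assumed from the thread rather than taken from the agency's real configuration, and `show nameif` is the command that lists the unit's actual interface names. One caveat the thread does not spell out: once an access-list is bound to an interface it ends with an implicit deny, so a list containing only `permit icmp any any` blocks every other protocol leaving that interface, which looks exactly like losing internet access. The set of `fixup` keywords also depends on the PIX software release, which `show version` reports.

```text
! Added example, not from the thread. PIX 6.x syntax. The names
! "acl_inside" and "inside" and the 192.168.0.0/16 range are assumed
! from the thread; "show nameif" gives the real interface names.
pixfirewall> enable
pixfirewall# configure terminal

! Confirm the interface name before binding anything to it.
pixfirewall(config)# show nameif

! Build the list. An access-list bound to an interface ends with an
! implicit "deny ip any any", so a list holding only the ICMP line
! below cuts off every other protocol leaving that interface. The
! second line keeps the pre-ACL behaviour (inside may reach outside).
pixfirewall(config)# access-list acl_inside permit icmp any any
pixfirewall(config)# access-list acl_inside permit ip 192.168.0.0 255.255.0.0 any

! Nothing takes effect until the list is bound to an interface.
pixfirewall(config)# access-group acl_inside in interface inside

! Verify: the hit counts should rise as a Windows 7 client retries.
pixfirewall(config)# show access-group
pixfirewall(config)# show access-list acl_inside

! Back out without a power cycle: unbind first, then remove each line.
pixfirewall(config)# no access-group acl_inside in interface inside
pixfirewall(config)# no access-list acl_inside permit icmp any any
pixfirewall(config)# no access-list acl_inside permit ip 192.168.0.0 255.255.0.0 any

! Changes live only in the running config until saved; a reboot reverts
! to the last "write memory". Save only once the change is proven.
pixfirewall(config)# write memory
```

Leaving the change unsaved while testing over telnet is a reasonable safety net: if the list locks you out, a power cycle restores the saved configuration, which is what happened later in this thread. Do not issue `write memory` until browsing from an inside client works with the list in place.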

by VCHD_IT In reply to Is this still a problem t ...

I tried the access-group and access-list commands. We lost internet completely after I ran the commands. Due to my lack of expertise with the PIX I did not type the command in correctly. After some research I realized I failed to type our agency's interface name. I could not get the "no" access-list command to work to undo the damage I had created. I didn't know we had lost connection until I received a call from a user informing me that they could not access the internet. I remembered reading that changes made in the PIX are not automatically saved. I powered down the PIX and that reestablished our internet connection.

I ran the commands again, using the correct acl_inside and the correct interface name. Still not able to connect to the agency's website. However, when the connection failed the Windows Network Diagnosis reported "Your computer appears to be correctly configured but the device or resource (agency's website name) is not responding." I've not gotten that before. The diagnosis does not offer any corrective action.

I see an error in a statement

by dayen In reply to Cisco Pix 506e firewall b ...

First, Windows XP does not look at DNS the same way as Windows 7. I have trouble with 2 Windows 7 machines that can't resolve DNS on one of my domains. I bypass the problem by putting a router in between the network and the Windows 7 machine; new routers handle DNS resolution and it works, so I could connect to the network server. I added a USB network adaptor. Windows 7 does not do well with old hardware, i.e. routers; you may have to update the network hardware, but test first. Ubuntu 12.4 has this problem too. However, you are going to love this: I have XP in VirtualBox on the same machine, and 7 can't get out on the web, nor Ubuntu, but my virtual XP does.

One last idea from me

by gdeangelis In reply to Cisco Pix 506e firewall b ...

How about adding a hosts file entry for your website directly on the win 07 machine?
Go to c:\windows\system32\drivers\etc and edit the hosts file using Notepad.
Leave everything in the file and at the bottom, after the ## comments, add the IP address and hostname of the server exactly as it would resolve on the internet and exactly as the remarks show it. Don't add a number symbol to your line. This will bypass DNS for the web site.
If this works, it will buy you some time to look into the DNS and PIX issues. Do these 07 machines have the Windows Firewall turned on or off? If on, you can try switching that off as well, to rule it out.

I'm still confused with the DNS part of this. I assume you have internal DNS servers (maybe not) and they should use external helpers. When you did your ipconfig /all, are you getting internal or external DNS server IP addresses?

by VCHD_IT In reply to One last idea from me

Thanks for the suggestion. Tried but no change.

If you've purchased a Cisco service contract with TACS support

by CG IT In reply to Cisco Pix 506e firewall b ...

then use one of your service support calls to solve your issue.

There are too many "could be this" to solve the problem you're having reaching an external web site from within your local network through the PIX firewall. As sinjiv2 mentioned, if your XP machines can reach the external web site without problems, your Windows 7 machines should as well, provided both are using the same addressing and DNS schemes.

Is the Comcast Gateway a DSL/Cable Modem or Router?

by CG IT In reply to Cisco Pix 506e firewall b ...

Your question "where is the device that resolves your DNS queries?". Here is the best answer I can give you. At any of the agency's PCs the ipconfig /all command shows the DNS server addresses as those that belong to Comcast, our internet and email provider. So I assume it is the Comcast Gateway box on the outside of the PIX. When I removed the PIX from the network and connected the Comcast Gateway directly to the 3COM switches, the XP and 07 boxes had an internet connection and the 07 boxes could connect to the agency's website. However, neither box could connect to the agency network because they were assigned IP addresses (10.1...) outside the series used by our network (192.168...).

If you connect the Comcast gateway to your switches, computers should NOT pull DHCP addresses if the Comcast Gateway is just a DSL/Cable modem and if you're assigned only 1 routable internet address. If you're assigned a block of routable internet addresses, and the Comcast Gateway is in bridged mode, then computers could pull those public addresses.

If the Comcast Gateway is a DSL/Cable router and has DHCP enabled on its LAN port, then computers could pull addresses, and could be assigned the private 10.X.X.X 255.0.0.0 subnet IF that is the default LAN addressing [which typically, for consumer and small business routers, isn't].

If that's the case, then one needs to question why the PIX is in there in the first place, as the Comcast "router" [if the device is a router] is handling NAT and firewall duties. You could configure the Comcast router, if that's what it is, to handle what the PIX was doing, and remove the PIX from the network configuration.

Check the model of the Comcast device and see if it's a DSL/Cable modem or DSL/Cable router.