
Cisco Pix 506e firewall blocking Win07 from accessing a specific website?

0 Votes

VCHD_IT
I formerly asked the question "Anyone experience in Windows 2007 where certain websites will not open?" I received replies, but nothing resolved the issue that our agency's webpage will not open on the four new Windows 2007 computers our agency recently purchased. It can be opened on any of the agency's Windows XP computers. I can open the website on a Windows 07 laptop on my home network, but once I bring the laptop to work and connect it to the local network it cannot open the website. I've connected a Windows 07 computer directly to the gateway, bypassing the firewall and switches, and it can open the website.

I have boiled it down to the issue possibly originating from the configuration of our CISCO Pix 506e firewall. It has been in service for over ten years with very little or no updates. I have no experience with this hardware. It seems you need a CISCO service contract to be able to download utilities or firmware for hardware you own. Our agency does not have a current contract.

Is there a configuration or setting that could prevent our agency's website from opening on a Windows 2007 PC?

Clarifications

dmritchie2

I didn't see your previous question, but are you (behind the PIX) able to open any websites, or most but not your company's? What error is the browser throwing up when you try to access your agency's website?

0 Votes
cmiller5400

That is correct on the Cisco hardware requiring a contract to download the new IOS. And something that old is getting close to EOL (end of life): http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps4336/prod_eol_notice0900aecd80731dfa.html

But how are we to help unless we can see the configuration of the PIX? Strip out all static IPs on the net, usernames/passwords, sensitive or identifying information, etc.

Just a thought, but is DNS working OK on the internal network? XP may be using WINS or NetBIOS to resolve names... Can you ping the address on the Win7 Machine from the internal network?

0 Votes
VCHD_IT

The DNS is working OK on the internal network. WINS is disabled on the XP boxes. I can ping the website from a Windows 07 box successfully.

I will attempt to copy the config file and post it. I will not be in the office again until Monday evening.

0 Votes
gdeangelis

Out of curiosity, does the link that will not open have a port at the end?
Like http://www.the-web-site.com:8080/the-page.htm
If so, you will need to open that port outbound.
Post your config like cmiller says, check the link for a port, and let us know.

0 Votes
VCHD_IT

There is no port on the end of the link. I will need to research how to copy the config and will post it. I will not be back at work until Monday evening. Going in late so I can remove the CISCO Pix from the network and see if the Windows 07 box can then open the website.

Thanks for the response.

1 Votes
CG IT

The PIX firewall filters traffic going into and out of the PIX. That's basically all it does. So if the web site is hosted inside of the PIX, it's not the PIX. If the web site is hosted outside of the PIX, then I would say yes, it's the PIX.

Side note: "updates" to Cisco's IOS would not be the issue. The issue would be ACLs, extended ACLs, which are Cisco's IOS method of filtering traffic. Cisco ACLs have an implicit deny at the end of them, which is not viewable in the ACL configuration. That implicit deny means that if an ACL is used, traffic that is not specifically allowed is denied. ACLs can be configured to filter traffic in a multitude of ways, from an IP address to a range of addresses to a specific content type to MAC addresses, and can be implemented on either the internal interface or the external interface. If you know nothing about Cisco, or very little, hire a consultant or hire Cisco to fix it.

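The first-match behaviour and the implicit deny that CG IT describes, together with gdeangelis's earlier point about a link that carries a non-standard port, are easy to see with a small evaluator. The following is an added example written for this page; it is not code from the thread, from the poster's PIX, or from Cisco. The access-list fragment, the interface name `inside`, the `192.168.10.0/24` and `192.168.20.0/24` subnets and the `203.0.113.10` server address are all constructed for illustration, and the evaluator models only the permit/deny, protocol, address and `eq port` parts of the PIX 6.x extended ACL syntax (no object groups, port ranges or ICMP types).

```python
"""Added example: a first-match evaluator for PIX 6.x-style extended ACLs.

Not code from the thread or from Cisco. The config fragment, interface name
and subnets are constructed for illustration; the evaluator models only the
permit/deny, protocol, address and 'eq port' parts of the syntax (no object
groups, port ranges or ICMP types).
"""
import ipaddress
from collections import namedtuple

# Constructed PIX config fragment (assumption: a single /24 inside LAN). The
# PIX walks an access-list top to bottom and stops at the first matching
# line; traffic that matches no line hits the implicit "deny ip any any"
# that never appears in the running config.
PIX_CONFIG = """
access-list inside_out permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list inside_out permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list inside_out permit udp 192.168.10.0 255.255.255.0 any eq domain
access-group inside_out in interface inside
"""

# Service names the PIX accepts in place of port numbers (a small subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}

Rule = namedtuple("Rule", "action proto src dst dport")


def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # The PIX takes a normal subnet mask here, not the IOS-style wildcard mask.
    return ipaddress.ip_network("%s/%s" % (tokens[i], tokens[i + 1]), strict=False), i + 2


def _port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(config, name):
    """Return the Rule list for access-list <name>, in configuration order."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        _sport, i = _port(t, i)      # source-port operator, not matched on here
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """First match wins; no match means the implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, r in enumerate(rules, 1):
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dst_port:
            continue
        return r.action, "line %d" % n
    return "deny", "implicit deny (no line matched)"


def demo():
    """Constructed scenarios. 203.0.113.10 is a documentation address standing
    in for the agency web server's public IP, not a real value from the thread."""
    rules = parse_acl(PIX_CONFIG, "inside_out")
    return {
        # XP box on the subnet the ACL was written for years ago
        "xp_http": evaluate(rules, "tcp", "192.168.10.25", "203.0.113.10", 80),
        # New box that landed on a second subnet no line ever permitted
        "win7_other_subnet": evaluate(rules, "tcp", "192.168.20.25", "203.0.113.10", 80),
        # gdeangelis's case: the link carries :8080, which no line permits
        "xp_port_8080": evaluate(rules, "tcp", "192.168.10.25", "203.0.113.10", 8080),
    }


if __name__ == "__main__":
    for case, (action, why) in demo().items():
        print("%-18s %-6s %s" % (case, action, why))
```

The point of the three scenarios is that nothing in the config says "deny": the second and third requests fall through every line and are dropped by the deny nobody can see. On a real PIX, `show access-list` prints a hit count per line, so watching which line the XP box increments and whether the Win7 box increments any line at all is the quickest way to tell a fall-through from a matched permit.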
0 Votes
VCHD_IT

I agree with your last statement; however, how do you locate a CISCO consultant? I contacted CISCO and they could not direct me to a directory, just mentioned I should locate forums.

0 Votes
VCHD_IT

I've also spoken to one of our agency vendors to get a quote for purchasing a service contract. The vendor needed to know what specific hardware I needed the contract for.

Are their service contracts hardware specific?

0 Votes
CG IT

I'm surprised Cisco representatives didn't point you to their directory of Cisco partners in your area. See this link: http://www.cisco.com/web/partners/index.html

I'm also surprised Cisco didn't quote you a price for TACS support:

http://www.cisco.com/web/services/ordering/contracts/index.html

0 Votes
CG IT

Yes Cisco support is hardware specific. Your PIX firewall is a discontinued item. The ASA series is Cisco's new firewall. But that should not mean Cisco won't help, or that you could not find a Cisco partner that could help.

0 Votes
gdeangelis

I reread your post. I'll throw a few more questions at you. So inside from XP is good, inside from Win07 no good. Depending on how your network is configured (i.e. your PIX is between the 07 device and the site, or something else is in the mix), you can troubleshoot from there. That layout is important, and the config will help rule the PIX in or out. You mentioned bypassing the PIX and switches, so there is some gray area in there as to where the issue lies. If your server lies in a DMZ somewhere behind the PIX or another device, you can dig there. Is the server internal or external? I'd be curious to know if your XP and 07 PCs are in the same network, and if they are resolving an internal or external address (if you ping the server by name, what address do you get). cmiller mentioned NetBIOS and WINS, which makes sense, but we do need a little more to go on. Sometimes the dialog will help find the answer or places to look, which is even better than someone pointing it out.
So, a couple more questions to help sort this out.
Server inside or outside, or DMZ?
If inside in a DMZ, where is that compared to the PIX?
07 and XP on the same network and IP range?
DNS working internally?
Have the XP machines been rebooted recently?
Name, IP or network change recently on the server?
A ping from XP and 07 to the name of the server yields what address (inside or outside)? Even if this fails, this is good information to have. If you get an inside address on the XP and an outside address on the 07, that is a clue.
Lastly, when you say from home it works, is that over a VPN or directly over the Internet?
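The resolution and reachability questions in the post above can be answered side by side by running one script on an XP box and on a Windows 7 box and comparing the two reports. The script below is an added example written for this page, not code from the thread; the inside subnet `192.168.10.0/24`, the placeholder hostname and the port are assumptions to be replaced with the agency's real values, and the live lookups use the standard library's `socket` module.

```python
"""Added example, not from the thread: a small diagnostic to run on an XP box
and a Windows 7 box so the resolved address, inside/outside classification and
TCP reachability of the agency site can be compared between the two clients.
The inside subnet and hostname below are placeholders (assumptions).
"""
import ipaddress
import socket

# Assumption: the agency LAN behind the PIX. Replace with the real inside subnet(s).
INSIDE_NETS = [ipaddress.ip_network("192.168.10.0/24")]


def classify(addr, inside_nets=INSIDE_NETS):
    """'inside' if the address sits on the LAN behind the PIX, else 'outside'.
    An inside answer on XP and an outside answer on Win7 is the clue the post
    describes: the two clients are not reaching the same host."""
    ip = ipaddress.ip_address(addr)
    return "inside" if any(ip in net for net in inside_nets) else "outside"


def resolve(name):
    """Every A record the client's own resolver returns for the name."""
    _host, _aliases, addrs = socket.gethostbyname_ex(name)
    return addrs


def tcp_check(addr, port=80, timeout=3.0):
    """True if a TCP handshake to addr:port completes. A timeout here when a
    ping to the same address succeeds usually means something is dropping the
    port rather than the host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((addr, port)) == 0


def report(name, port=80, resolver=resolve, checker=tcp_check, inside_nets=INSIDE_NETS):
    """One (address, inside/outside, reachable) row per resolved address.
    resolver and checker are injectable so the logic can be exercised offline."""
    return [(addr, classify(addr, inside_nets), checker(addr, port))
            for addr in resolver(name)]


if __name__ == "__main__":
    import sys
    # Placeholder hostname (assumption); pass the agency's real name as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.org"
    for addr, where, ok in report(host):
        print("%-15s %-8s tcp/80 %s" % (addr, where, "open" if ok else "blocked/timeout"))
```

Run it with the agency hostname on both machines; if the XP box prints an inside address and the Win7 box prints an outside one, the two are resolving the name differently and the PIX config is only half the story.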