Cisco Pix 506e firewall blocking Win07 from accessing a specific website?

VCHD_IT
I formerly asked the question "Anyone experience in Windows 2007 where certain websites will not open?" I received replies but nothing resolved the issue that our agency's webpage will not open in the four new Windows 2007 computers our agency recently purchased. It can be opened on any of the agency's Windows XP computers. I can open the website on a Windows 07 laptop on my home network, but once I bring the laptop to work and connect to the local network it cannot open the website. I've connected a Windows 07 computer directly to the gateway, bypassing the firewall and switches, and it can open the website.

I have boiled it down to possibly the issue originating from the configuration of our CISCO Pix 506e firewall. It has been in service for over ten years with very little or no updates. I have no experience with this hardware. It seems you need a CISCO service contract to be able to download utilities or firmware for hardware you own. Our agency does not have a current contract.

Is there a configuration or setting that could keep our agency's website from opening in a Windows 2007 PC?

Clarifications

Lots more information needed... That is correct on the Cisco hardware requiring a contract to download the new IOS. And, something that old is getting close to EOL (end of life) -- http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps4336/prod_eol_notice0900aecd80731dfa.html But, how are we to help unless we can see the configuration of the PIX?? Strip out all static IPs on the net, usernames/passwords, sensitive or identifying information, etc. Just a thought, but is DNS working OK on the internal network? XP may be using WINS or NetBIOS to resolve names... Can you ping the address on the Win7 machine from the internal network?
gdeangelis

How about adding a hosts file entry for your website directly on the win 07 machine?
Go to c:\windows\system32\drivers\etc and edit the hosts file using Notepad.
Leave everything in the file and at the bottom, after the ## comments, add the IP address and hostname of the server exactly as it would resolve on the internet and exactly as the remarks show it. Don't add a number symbol to your line. This will bypass DNS for the web site.
If this works, it will buy you some time to look into the DNS and PIX issues. Do these 07 machines have the Windows firewall turned on or off? If on, you can try switching that off as well, to rule it out.

I'm still confused with the dns part of this. I assume you have internal dns servers (maybe not) and they should use external helpers. When you did your ipconfig /all are you getting internal or external dns server ip addresses?

CG IT

Then use one of your service support calls to solve your issue.

There are too many "could be this" to solve the problem you're having reaching an external web site from within your local network through the PIX firewall. As sinjiv2 mentioned, if your XP machines can reach the external web site without problems, your Windows 7 machines should as well, provided both are using the same addressing and DNS schemes.

CG IT

Your question "where is the device that resolves your DNS queries?". Here is the best answer I can give you. At any of the agency's PCs the ipconfig /all command shows the DNS server addresses as those that belong to Comcast, our internet and email provider. So I assume it is the Comcast Gateway box to the outside of the PIX. When I removed the PIX from the network and connected the Comcast Gateway directly to the 3COM switches, the XP and 07 boxes had internet connection and the 07 boxes could connect to the agency's website. However, neither box could connect to the agency network because they were assigned IP addresses (10.1...) outside the series used by our network (192.168...).


If you connect the Comcast gateway to your switches, computers should NOT pull DHCP addresses if the Comcast Gateway is just a DSL/Cable modem and if you're assigned only 1 routable internet address. If you're assigned a block of routable internet addresses, and the Comcast Gateway is in bridged mode, then computers could pull those public addresses.

If the Comcast Gateway is a DSL/Cable router and has DHCP enabled on its LAN port, then computers could pull addresses, and could be assigned the private 10.X.X.X 255.0.0.0 subnet IF that is the default LAN addressing [which, for consumer and small business routers, it typically isn't].

If that's the case, then one needs to question why the PIX is in there in the first place, as the Comcast "router" [if the device is a router] is handling NAT and firewall duties. You could configure the Comcast router, if that's what it is, to handle what the PIX was doing, and remove the PIX from the network configuration.

Check the model of the Comcast device and see if it's a DSL/Cable modem or DSL/Cable router.

danekan

One obvious but sometimes also subtle difference is they come with different versions of browsers, and at this point XP's is near EOL. If you are running IE8 on all, that's one thing, but is that actually the case?

IE9 handles non-fully-qualified domain names differently than any of its predecessors, so that brings about some potential gotchas...

Some people will type myportal.company.com while others may be using just myportal ... Pre-IE9 it made no difference, but in IE9 the string may actually convert to a Bing/Google search. You can turn off this setting of course.

But along those same lines... A programmer on your site could be referencing the non-FQDN explicitly in code too, which is not advisable ... If they programmed images to load from simply myportal/foo.jpg, for instance, you can be in a situation where some parts of the site work and not others... But in this example the issue would relate more to improper DNS suffix completion vs. the prior, where it's the browser thinking what you typed is a search string (BUT... the reasons it reverts to a search string vs. knowing it was an intranet site can relate to improper DNS suffix configuration).

Also does the site use Only http protocol or is it using any others? any Direct links to files? That may present other potential issues such as whether it is using smb vs smb2.

As a test i would uninstall ie9 from a win7 machine to go back to ie8 to eliminate that issue first and foremost...

VCHD_IT

Thank you for the response. The win 07 boxes came with IE 9 installed. I've not seen any way of removing IE 9. I can turn it off but then cannot install any previous version. The issue occurs in other browsers, Firefox and Chrome.

With your explanation about the Comcast Gateway I'm going to contact Comcast and ask a few questions. I've contacted them before but didn't ask the right questions or inform them that we had a PIX between their gateway and our network.

CG IT

DNS suffix options in the advanced options/DNS in the NIC card properties, for Windows 7 machines, come into play in a Microsoft Active Directory environment. Unlike Windows XP, Windows 7 machines really need the Active Directory domain name listed in the DNS suffix options in the NIC card properties page to be able to find domain controllers to authenticate with and, by inclusion, the Active Directory DNS server in which to resolve domain name queries.

In your PIX config, you have

dhcpd domain Mcleodusa.net
as the dhcp domain name. A whois lookup of mcleodusa.net produces this:
Registrant:
WINDSTREAM COMMUNICATIONS, INC.
6400 C Street SW
PO Box 3177
Cedar Rapids, IA 52406
US

Domain name: MCLEODUSA.NET

Administrative Contact:
Inc., McLeodUSA
6400 C Street SW
PO Box 3177
Cedar Rapids, IA 52406
US
281.465.1200
Technical Contact:
Inc., McLeodUSA
6400 C Street SW
PO Box 3177
Cedar Rapids, IA 52406
US
281.465.1200

Registration Service Provider:
PAETEC,
800-340-2555
http://www.paetec.com
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 11-Apr-2012.
Record expires on 20-Oct-2012.
Record created on 21-Oct-1996.

Registrar Domain Name Help Center:
http://tucowsdomains.com

Domain servers in listed order:
NS2.MCLEODUSA.NET 209.253.113.11
NS3.MCLEODUSA.NET 209.253.113.


It's possible, but maybe not probable, clients are being told the DNS server is mcleodusa.net by the PIX firewall in which to resolve DNS queries. If mcleodusa.net is not your DNS servers then this might be the reason Windows 7 clients can't reach your external web site, as the DNS listed in the PIX can't resolve the query and doesn't forward the unresolved query, by virtue of rejecting queries.

BUT, if you have statically assigned DNS servers in clients, with another DNS server address, such as your ISP's DNS servers, then this DNS option in DHCP on the PIX shouldn't matter. The client computers will use the DNS servers that are configured.
BUT, the other difference with Windows 7 than Windows XP is Windows 7 supports IPv6 [and the PIX 506 doesn't] so, it's possible, but not probable, that Windows 7 is using IPv6, which is on by default, and using information obtained from the PIX such as DNS servers, which may be the wrong ones. A test is to turn off IPv6 on the Windows 7 boxes and only use IPv4 and see if that makes a difference. It may or may not.

Lots of good information from all posters here and armed with that, you'll get a good idea of the information you need to discover, to narrow down the potential cause of the problem of your external web site, not displaying in Windows 7 machines.
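The hosts-file and ipconfig /all checks gdeangelis suggested earlier, and the resolver, DNS suffix and IPv6 points CG IT raises above, can be gathered in one script so the same facts are collected from an XP box and a Windows 7 box and compared. The following is an added example, not code from anyone in this thread: it parses constructed `ipconfig /all` output and a constructed hosts file (the hostnames and addresses in both are placeholders), classifies each DNS server as on the LAN (RFC 1918 space) or outside it, lists the DNS suffixes in effect, reports whether IPv6 is still bound, and checks whether a hosts entry pins the site.

```python
"""Added diagnostic for the thread's name-resolution questions: which DNS servers
and suffixes a Windows box really uses (from `ipconfig /all`), whether those
resolvers are on the LAN, whether IPv6 is bound, and whether the hosts file pins
the agency site. All sample data below is constructed; names and IPs are placeholders."""
import ipaddress
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN7-FRONTDESK
   Primary Dns Suffix  . . . . . . . :
   DNS Suffix Search List. . . . . . : example-isp.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example-isp.net
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.57(Preferred)
   DNS Servers . . . . . . . . . . . : 198.51.100.10
                                       198.51.100.11
"""

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
#   ::1             localhost
203.0.113.25    www.agency.example   # constructed entry that pins the site, bypassing DNS
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text):
    """Parse `ipconfig /all` output into {section: {field: [values]}}. Field lines are
    indented three spaces; deeper-indented lines with no field name continue the
    previous field (a second DNS server, for instance)."""
    sections, fields, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):                       # e.g. "Ethernet adapter X:"
            fields, last_key = sections.setdefault(raw.strip().rstrip(":"), {}), None
            continue
        m = re.match(r"^ {3}(\S.*?)[ .]*:(?: (.*))?$", raw)
        if m and fields is not None:
            last_key = m.group(1)
            value = re.sub(r"\((Preferred|Tentative)\)$", "", (m.group(2) or "").strip())
            fields.setdefault(last_key, []).extend([value] if value else [])
        elif last_key is not None:
            fields[last_key].append(raw.strip())
    return sections


def is_rfc1918(ip):
    """True for private LAN space; a resolver outside it is at the ISP or on the Internet."""
    try:
        addr = ipaddress.ip_address(ip.split("%")[0])   # drop a "%11" zone index
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def resolvers(sections):
    """[(adapter, dns_server, 'lan' | 'external')] for every adapter listed."""
    return [(name, ip, "lan" if is_rfc1918(ip) else "external")
            for name, fields in sections.items() for ip in fields.get("DNS Servers", [])]


def ipv6_enabled(sections):
    """Windows 7 binds IPv6 by default; any adapter showing an IPv6 address still has it on."""
    return any(key.endswith("IPv6 Address") for fields in sections.values() for key in fields)


def dns_suffixes(sections):
    keys = ("Primary Dns Suffix", "DNS Suffix Search List", "Connection-specific DNS Suffix")
    return sorted({v for fields in sections.values() for k in keys for v in fields.get(k, []) if v})


def hosts_override(hosts_text, hostname):
    """IP the hosts file maps `hostname` to, or None. Whole-line and inline '#'
    comments are ignored (so the shipped '#   127.0.0.1 localhost' lines do not
    count) and matching is case-insensitive, as in Windows."""
    target = hostname.lower()
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and target in (p.lower() for p in parts[1:]):
            return parts[0]
    return None


def diagnose(ipconfig_text, hosts_text, site):
    """Collect the thread's checks for one box: resolver location, suffixes, IPv6, hosts override."""
    sections = parse_ipconfig(ipconfig_text)
    res, override, findings = resolvers(sections), hosts_override(hosts_text, site), []
    if res and all(kind == "external" for _, _, kind in res):
        findings.append("all DNS servers are outside RFC1918 space: names resolve at the ISP, not on the LAN")
    if ipv6_enabled(sections):
        findings.append("IPv6 is still bound on at least one adapter")
    if override:
        findings.append("hosts file pins %s to %s, bypassing DNS for that name" % (site, override))
    return {"resolvers": res, "suffixes": dns_suffixes(sections), "hosts_override": override, "findings": findings}
```

On a real machine, feed it live data instead of the samples: `diagnose(subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout, open(r"C:\Windows\System32\drivers\etc\hosts").read(), "www.agency.example")`. Run it on an XP box and a Windows 7 box side by side: if both report the same ISP resolvers and the same suffixes, resolver location is not the difference and the PIX stays in the frame; if the hosts entry alone makes the site load on Windows 7, the fault is in name resolution rather than in how the firewall handles the web traffic.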

CG IT

The reason DNS suffixes and registration of the network adapter in Windows 7 play a role in Microsoft's Active Directory domain environment is the Windows 7 Network and Sharing Center. This really is the biggest difference between Windows XP and Windows 7. The Network and Sharing Center is a security enhancement that Windows XP doesn't have and can cause problems with Windows 7 finding DNS servers in Active Directory domains. Without going into a long diatribe of why, the Network and Sharing Center handles how Windows 7 works on a TCP/IP network. So to find and join a Windows 7 computer to an Active Directory environment, a DNS suffix is almost a requirement to be able to join the Windows 7 computer to a domain, as the DNS suffix is used to locate the DNS server that handles the domain being joined, thus the domain controller to authenticate to for joining the Active Directory domain.

VCHD_IT

IPv6 has been turned off on the Window 07 boxes and they're still not able to open the agency's website.

Our agency's network is a workgroup, no domain.

NetMan1958

First I want to make sure I understand the situation.
With PIX in the path:
Windows XP box can access a website over the Internet by typing "http://ip address of website"
Windows 7 box cannot access same website over the Internet by typing "http://ip address of website"

Without PIX in the path:
Both Win7 and Win XP boxes can access this website

If the above is correct, here is what I suggest trying:

On the PIX, run the following commands:
conf t
access-list inbound permit tcp any eq 80 any
access-list inbound permit tcp any eq 443 any
no fixup protocol http 80
exit

This has the effect of turning off HTTP inspection while allowing responses from web servers through the outside interface. Now try accessing the website from Windows 7 and see if it makes a difference.

To return to the previous config run the following commands:
conf t
no access-list inbound permit tcp any eq 80 any
no access-list inbound permit tcp any eq 443 any
fixup protocol http 80
exit
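Around a change like the one above, a practitioner would want to capture the state of the PIX first and then watch what actually happens to the Windows 7 box's connections, rather than judge only by whether the page loads. The session below is an added example, not part of NetMan1958's post, for a PIX 506E on PIX OS 6.x reached over console or telnet; the prompt, the ACL name `inbound` and the site address 203.0.113.25 are placeholders, and lines starting with `:` are PIX configuration comments used here as notes. Two caveats of my own: the PIX is stateful, so replies to web connections opened from the inside pass without any inbound rule, and an entry such as `access-list inbound permit tcp any eq 80 any`, if `inbound` is applied to the outside interface, admits any external host that uses source port 80 to any inside address, so it should not be left in place; and nothing survives a reload unless `write memory` is run, which is also what makes a power cycle return the box to its saved configuration.

```cisco
pixfirewall> enable
pixfirewall# configure terminal
pixfirewall(config)# no pager
: Baseline: software level, running config, current rules, inspection and hit counters.
pixfirewall(config)# show version
pixfirewall(config)# write terminal
pixfirewall(config)# show access-list
pixfirewall(config)# show fixup
: Log to the buffer at debugging level so denied packets show up with the ACL entry that dropped them.
pixfirewall(config)# logging buffered debugging
pixfirewall(config)# logging on
pixfirewall(config)# clear logging
: Now browse to the site from the Windows 7 box (by name, then by IP), then look at
: the connection and translation tables for that server and at the log buffer.
pixfirewall(config)# show conn foreign 203.0.113.25 255.255.255.255
pixfirewall(config)# show xlate
pixfirewall(config)# show logging
pixfirewall(config)# show access-list
: Apply only the inspection change, repeat the browse, compare the same outputs.
: Do not write memory until the site works from both XP and Windows 7.
pixfirewall(config)# no fixup protocol http 80
pixfirewall(config)# show conn foreign 203.0.113.25 255.255.255.255
pixfirewall(config)# show logging
: Revert. If the box becomes unreachable at any point, a reload without write memory
: brings back the saved configuration.
pixfirewall(config)# fixup protocol http 80
pixfirewall(config)# show fixup
```

Compare the `show conn` output for an XP attempt and a Windows 7 attempt to the same server: a connection that appears for XP but never for Windows 7 points at something before the firewall (resolution, the client), while a connection that appears for both yet only completes for XP points at the PIX's handling of that traffic, and `show logging` will then name the ACL entry or inspection that interfered.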

VCHD_IT

Thanks for the suggestions. I'm out of the office Friday. I will try the no "access-list" suggestions on Monday.

Looking forward to the day that I try one of these much appreciated suggestions and the Windows 07 will open the website. This issue really shouldn't be that big a deal, but it seems important that an agency's computers can open their own website. We haven't had any other issues with the Windows 07 computers that couldn't be resolved quickly.

NetMan1958

Did you ever try my suggestion?

VCHD_IT

Sorry, this discussion has gotten lengthy and I ran a couple other recommended commands yesterday after business hours. See response to dl.wraith above.

I ran the three commands you recommended and lost all internet connection. Windows Network Diagnosis reported "Windows can't communicate with the device or resource (primary DNS server)."

Running the three commands again with the "no" in front of the first two and removing the "no" from the third command did not work to reestablish the internet connection. I powered down the PIX to reestablish internet.