Cisco Pix 506e firewall blocking Win07 from accessing a specific website?


VCHD_IT
I formerly asked the question "Anyone experience in Windows 2007 where certain websites will not open?" I received replies but nothing resolved the issue that our agency's webpage will not open in the four new Windows 2007 computers our agency recently purchased. It can be opened on any of the agency's Windows XP computers. I can open the website on a Windows 07 laptop on my home network, but once I bring the laptop to work and connect to the local network it cannot open the website. I've connected a Windows 07 computer directly to the gateway, bypassing the firewall and switches, and it can open the website.

I have boiled it down to possibly the issue originating from the configuration of our CISCO Pix 506e firewall. It has been in service for over ten years with very little or no updates. I have no experience with this hardware. It seems you need a CISCO service contract to be able to download utilities or firmware for hardware you own. Our agency does not have a current contract.

Is there a configuration or setting that could prevent our agency's website from opening in a Windows 2007 PC?

Clarifications

dmritchie2

I didn't see your previous question, but are you (behind the PIX) able to open any websites, or most but not your company's? What error is the browser throwing up when you try to access your agency's website?

VCHD_IT

The gateway is a SMC commercial cable modem.

danekan

One obvious but sometimes also subtle difference is they come with different versions of browsers, and at this point XP's is near EOL. If you are running IE8 on all, that's one thing, but is that actually the case?

IE9 handles non-fully-qualified domain names differently than any of its predecessors, so that brings about some potential gotchas...

Some people will type myportal.company.com while others may be using just myportal ... Pre-IE9 it made no difference, but in IE9 the string may actually convert to a Bing/Google search. You can turn off this setting of course.

But along those same lines... A programmer on your site could be referencing the non-FQDN explicitly in code too, which is not advisable ... If they programmed images to load from simply myportal/foo.jpg, for instance, you can be in a situation where some parts of the site work and not others... But in this example the issue would relate more to improper DNS suffix completion vs. the prior, where it's the browser thinking what you typed is a search string (BUT... the reason it reverts to a search string vs. knowing it was an intranet site can relate to improper DNS suffix configuration).

Also, does the site use only the HTTP protocol or is it using any others? Any direct links to files? That may present other potential issues, such as whether it is using SMB vs. SMB2.

As a test I would uninstall IE9 from a Win7 machine to go back to IE8 to eliminate that issue first and foremost...

VCHD_IT

Thank you for the response. The Win 07 boxes came with IE 9 installed. I've not seen any way of removing IE 9. I can turn it off, but then cannot install any previous version. The issue occurs in other browsers, Firefox and Chrome.

With your explanation about the Comcast gateway I'm going to contact Comcast and ask a few questions. I've contacted them before but didn't ask the right questions or inform them that we had a PIX between their gateway and our network.

CG IT

DNS suffix options in the advanced options/DNS tab of the NIC card properties on a Windows 7 machine come into play in a Microsoft Active Directory environment. Unlike Windows XP, Windows 7 machines really need the Active Directory domain name listed in the DNS suffix options in the NIC card properties page to be able to find domain controllers to authenticate with and, by inclusion, the Active Directory DNS server with which to resolve domain name queries.

In your PIX config, you have

dhcpd domain Mcleodusa.net
as the dhcp domain name. A whois lookup of mcleodusa.net produces this:
Registrant:
WINDSTREAM COMMUNICATIONS, INC.
6400 C Street SW
PO Box 3177
Cedar Rapids, IA 52406
US

Domain name: MCLEODUSA.NET

Administrative Contact:
Inc., McLeodUSA
6400 C Street SW
PO Box 3177
Cedar Rapids, IA 52406
US
281.465.1200
Technical Contact:
Inc., McLeodUSA
6400 C Street SW
PO Box 3177
Cedar Rapids, IA 52406
US
281.465.1200

Registration Service Provider:
PAETEC,
800-340-2555
http://www.paetec.com
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 11-Apr-2012.
Record expires on 20-Oct-2012.
Record created on 21-Oct-1996.

Registrar Domain Name Help Center:
http://tucowsdomains.com

Domain servers in listed order:
NS2.MCLEODUSA.NET 209.253.113.11
NS3.MCLEODUSA.NET 209.253.113.


It's possible, but maybe not probable, that clients are being told by the PIX firewall that the DNS server with which to resolve DNS queries is mcleodusa.net. If mcleodusa.net is not your DNS server, then this might be the reason Windows 7 clients can't reach your external web site, as the DNS listed in the PIX can't resolve the query and doesn't forward the unresolved query, by virtue of rejecting queries.

BUT, if you have statically assigned DNS servers in clients, with another DNS server address such as your ISP's DNS servers, then this DNS option in DHCP on the PIX shouldn't matter. The client computers will use the DNS servers that are configured.
BUT, the other difference between Windows 7 and Windows XP is that Windows 7 supports IPv6 [and the PIX 506 doesn't], so it's possible, but not probable, that Windows 7 is using IPv6, which is on by default, and using information obtained from the PIX such as DNS servers, which may be the wrong ones. A test is to turn off IPv6 on the Windows 7 boxes, only use IPv4, and see if that makes a difference. It may or may not.

Lots of good information from all posters here, and armed with that you'll get a good idea of the information you need to discover to narrow down the potential cause of the problem of your external web site not displaying in Windows 7 machines.

CG IT

The reason DNS suffixes and registration of the network adapter in Windows 7 play a role in Microsoft's Active Directory domain environment is the Windows 7 Network and Sharing Center. This really is the biggest difference between Windows XP and Windows 7. The Network and Sharing Center is a security enhancement that Windows XP doesn't have, and it can cause problems with Windows 7 finding DNS servers in Active Directory domains. Without going into a long diatribe of why, the Network and Sharing Center handles how Windows 7 works on a TCP/IP network. So to find and join a Windows 7 computer to an Active Directory environment, a DNS suffix is almost a requirement to be able to join the Windows 7 computer to a domain, as the DNS suffix is used to locate the DNS server that handles the domain being joined, and thus the domain controller to authenticate to for joining the Active Directory domain.

VCHD_IT

IPv6 has been turned off on the Window 07 boxes and they're still not able to open the agency's website.

Our agency's network is a workgroup, no domain.

NetMan1958

First I want to make sure I understand the situation.
With PIX in the path:
Windows XP box can access a website over the Internet by typing "http://ip address of website"
Windows 7 box cannot access same website over the Internet by typing "http://ip address of website"

Without PIX in the path:
Both Win7 and Win XP boxes can access this website

If the above is correct, here is what I suggest trying:

On the PIX, run the following commands:
conf t
access-list inbound permit tcp any eq 80 any
access-list inbound permit tcp any eq 443 any
no fixup protocol http 80
exit

This has the effect of turning off HTTP inspection while allowing responses from web servers through the outside interface. Now try accessing the website from Windows 7 and see if it makes a difference.

To return to the previous config run the following commands:
conf t
no access-list inbound permit tcp any eq 80 any
no access-list inbound permit tcp any eq 443 any
fixup protocol http 80
exit
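An added example, not code from any poster in this thread: a small Python audit of a constructed PIX 6.x-style config excerpt that surfaces the two settings discussed above, the dhcpd dns/domain values the PIX hands to DHCP clients (CG IT's point) and what the suggested "access-list inbound permit tcp any eq 80 any" and "no fixup protocol http 80" lines actually permit. The sample config, the Finding fields and the severity labels are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed PIX 6.x-style running-config excerpt (not any poster's real
# config): the "dhcpd domain" line quoted in the thread, plus the access-list
# and "no fixup" lines the thread suggests entering.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
no fixup protocol http 80
access-list inbound permit tcp any eq 80 any
access-list inbound permit tcp any eq 443 any
access-group inbound in interface outside
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd dns 209.253.113.11
dhcpd domain Mcleodusa.net
dhcpd enable inside
"""

@dataclass
class Finding:
    severity: str   # "high", "medium" or "info" (assumed labels)
    line: str       # the config line that triggered the finding
    note: str

# An entry whose only condition is the *source* port, e.g. "permit tcp any eq 80 any":
# a remote host chooses its own source port, so this is not "responses only".
SRC_PORT_ONLY = re.compile(r"^access-list (\S+) permit tcp any eq (\d+) any$")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")

def audit_pix_config(text: str) -> list[Finding]:
    """Return findings, in config order, for the settings discussed in the thread."""
    lines = text.splitlines()
    bound = {m.group(1): m.group(2) for m in map(ACCESS_GROUP.match, lines) if m}
    findings = []
    for line in lines:
        m = SRC_PORT_ONLY.match(line)
        if m:
            iface = bound.get(m.group(1), "no interface")
            findings.append(Finding("high", line,
                f"source-port-only permit on '{m.group(1)}' ({iface}): new connections "
                f"from any host using source port {m.group(2)} are allowed to any "
                f"destination, limited only by the PIX's NAT/static translations"))
        elif line.startswith(("dhcpd dns ", "dhcpd domain ")):
            findings.append(Finding("info", line,
                "handed to DHCP clients; confirm it is the resolver/suffix you intend"))
        elif line.startswith("no fixup protocol http"):
            findings.append(Finding("medium", line, "HTTP inspection disabled"))
    return findings

if __name__ == "__main__":
    for f in audit_pix_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.line}\n         {f.note}")
```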

VCHD_IT

Thanks for the suggestions. I'm out of the office Friday. I will try the no "access-list" suggestions on Monday.

Looking forward to the day that I try one of these much appreciated suggestions and the Windows 07 will open the website. This issue really shouldn't be that big a deal, but it seems important that an agency's computers can open their own website. We haven't had any other issues with the Windows 07 computers that couldn't be resolved quickly.

NetMan1958

Did you ever try my suggestion?

VCHD_IT

Sorry, this discussion has gotten lengthy and I ran a couple other recommended commands yesterday after business hours. See response to dl.wraith above.

I ran the three commands you recommended and lost all internet connection. Windows Network Diagnosis reported "Windows can't communicate with the device or resource (primary DNS server)."

Running the three commands again with the "no" in front of the first two and removing the "no" from the third command did not work to reestablish the internet connection. I powered down the PIX to reestablish internet.