PIX 501 Config Problem : Unable to submit forms on external ASP sites

Discussion in 'Cisco' started by Mark Moran, Nov 27, 2007.

Mark Moran (Guest)

    PIX 501 Outbound ASP FORM Site Access Problem **Updated**

    **** UPDATED
    This was originally posted under PIX 501 Breaks Access To Net Banking but has been updated with more
    recent findings
    **** UPDATED


    Hi all

    I'm fairly new to the PIX and just installed a PIX 501 at an SMB client running Windows SBS 2003.

    Out of the box the PIX pretty much worked for the outbound traffic.
    Inbound required replication of existing port forwarding rules but these are now up and running. (My
    access lists and statics are below)

    However, I have a remaining issue with external ASP form sites, and I need to get it solved as it is
    affecting web banking, online supplier ordering and government tax sites.

    All problems are with internal clients accessing external ASP sites that request form data. When the
    form data is posted, the sites all time out.

    However, after adding my port forwarding rules we can now use these troublesome sites from the server,
    but still not from the clients.

    Examples are below and then the network topology after if you need it.


    The only outbound rule is the default factory implicit one,
    i.e. src:any dest:any interface:inside(Outbound) Service:ip

    The inbound rules allow access to the OWA & OMA server (80/443) and also VNC (5800/5900) (Server
    IP is 192.168.1.2).
    These seem to be working ok. They are as follows :-

    static (inside,outside) tcp interface 80 192.168.1.2 80 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 443 192.168.1.2 443 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5800 192.168.1.2 5800 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5900 192.168.1.2 5900 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 500 192.168.1.2 500 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 4500 192.168.1.2 4500 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 1701 192.168.1.2 1701 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 1723 192.168.1.2 1723 netmask 255.255.255.255 0 0

    access-list out2in permit tcp any any eq 80
    access-list out2in permit tcp any any eq 443
    access-list out2in permit tcp any any eq 5800
    access-list out2in permit tcp any any eq 5900
    access-list out2in permit udp any any eq 500
    access-list out2in permit udp any any eq 4500
    access-list out2in permit udp any any eq 1701
    access-list out2in permit tcp any any eq 1723
    access-list out2in permit gre any any
    access-list out2in permit esp any any
    access-list out2in permit ah any any
    access-list out2in deny ip any any

    access-group out2in in interface outside


    I've also installed a syslog server and captured the logs from one of our failed sessions but am
    having trouble seeing a cause.

    Example 1: Natwest Web Banking
    The client is able to surf to http://www.natwest.com, they then click on the login button and are
    taken to the ASP SSL site https://www.nwolb.com. (They can also navigate directly to here if
    necessary)
    When they put in their banking number and hit the login button to submit the form it just times out
    eventually.
    Unfortunately Natwest's "Technical Team" are of no help.


    Example 2: Peugeot "Build a car" site
    The client can navigate to http://www.peugeot.co.uk. From the Showroom menu dropdown, select "Build your
    own car".
    The client is then taken to the ASP form at http://mynewcar.peugeot.com. When they select anything from
    the 1st dropdown, the form tries to auto-submit and eventually times out, as in the banking example
    above.



    I set the PIX logging level to Debugging and captured the output from Example 1
    (it's also mixed with some server traffic, i.e. DNS lookups).
    I am having trouble deciphering any root cause.

    Any help or pointers would be appreciated


    Network Topology


    BT Voyager 205 ADSL Modem - Cisco PIX 501 - Internal Lan Inc SBS2003


    BT Voyager 205 Modem
    External IP : Dynamic
    Internal IP : 192.168.0.1
    DHCP : ON


    Cisco PIX 501 (6.3)
    Outside IP : 192.168.0.2
    Inside IP : 192.168.1.1
    DHCP : Off
    Using PAT


    Small Business Server 2003
    IP : 192.168.1.2
    DNS : ON
    DHCP : ON
    WINS : ON
    Gateway : 192.168.1.1


    Clients
    IP : 192.168.1.10 - onward (DHCP Assigned)
    DNS / WINS : SBS Server (192.168.1.2)
    Gateway : PIX (192.168.1.1)


    If you need to see the logs or my config file drop me a reply

    If you want to e-mail me remove NOSPAM from the address

    Many thanks



    Mark
     
    Mark Moran, Nov 27, 2007
    #1
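Nothing in the post identifies the cause, but the syslog capture the poster mentions is the place to look, and the posted out2in ACL gives a concrete thing to check: it contains no permit for ICMP of any kind and ends in deny ip any any. The Python script below is an added example, not code from this thread or from Cisco: it parses PIX 6.3 connection build/teardown messages and ACL deny messages and reports, per external destination, how each outbound TCP session ended and whether the outside ACL dropped any inbound ICMP unreachables. The log lines it ships with are constructed to resemble PIX 6.3 messages 302013/302014/302015/106023; the addresses, ports and connection IDs are made up.

```python
"""Triage PIX 6.3 syslog output for "the form just times out" sessions.

Added example, not part of the original post. SAMPLE_LOG is constructed to look
like PIX 6.3 messages 302013/302014/302015/106023; addresses and IDs are made up.
"""
import re
from collections import defaultdict

# 302013: Built outbound TCP connection <id> for outside:<ip>/<port> (<mapped>) to inside:<ip>/<port> (<mapped>)
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built outbound TCP connection (?P<id>\d+) "
    r"for \w+:(?P<oip>[\d.]+)/(?P<oport>\d+) \([\d.]+/\d+\) "
    r"to \w+:(?P<iip>[\d.]+)/(?P<iport>\d+) \([\d.]+/\d+\)"
)
# 302014: Teardown TCP connection <id> ... duration h:mm:ss bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) .*? "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)
# 106023: Deny <proto> src <if>:<ip>[/port] dst <if>:<ip>[/port] [(type N, code M)] by access-group "<acl>"
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<sip>[\d.]+)(?:/\d+)? "
    r"dst \w+:(?P<dip>[\d.]+)(?:/\d+)?(?: \(type (?P<type>\d+), code (?P<code>\d+)\))? "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: one DNS lookup from the server, one clean HTTP session,
# one HTTPS session that dies by timeout, and one ICMP "fragmentation needed"
# (type 3, code 4) that the outside ACL dropped while that session was open.
SAMPLE_LOG = """\
%PIX-6-302015: Built outbound UDP connection 300 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:192.168.1.2/1033 (192.168.0.2/1033)
%PIX-6-302013: Built outbound TCP connection 301 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.1.10/1034 (192.168.0.2/1034)
%PIX-6-302014: Teardown TCP connection 301 for outside:203.0.113.10/80 to inside:192.168.1.10/1034 duration 0:00:02 bytes 5120 TCP FINs
%PIX-6-302013: Built outbound TCP connection 302 for outside:203.0.113.20/443 (203.0.113.20/443) to inside:192.168.1.10/1035 (192.168.0.2/1035)
%PIX-4-106023: Deny icmp src outside:198.51.100.1 dst outside:192.168.0.2 (type 3, code 4) by access-group "out2in"
%PIX-6-302014: Teardown TCP connection 302 for outside:203.0.113.20/443 to inside:192.168.1.10/1035 duration 0:01:00 bytes 1880 Conn timeout
"""


def triage(log_text):
    """Per external destination, count how each outbound TCP session ended, and
    collect every inbound ICMP unreachable (type 3) the outside ACL dropped."""
    conns = {}
    dropped_icmp = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[m["id"]] = {"dst": f"{m['oip']}:{m['oport']}", "src": m["iip"],
                              "ended": None, "bytes": 0}
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in conns:
            conns[m["id"]]["ended"] = m["reason"]
            conns[m["id"]]["bytes"] = int(m["bytes"])
            continue
        m = DENY_RE.search(line)
        if m and m["proto"].lower() == "icmp" and m["type"] == "3":
            dropped_icmp.append({"from": m["sip"], "to": m["dip"],
                                 "code": int(m["code"]), "acl": m["acl"]})
    by_dst = defaultdict(lambda: defaultdict(int))
    for c in conns.values():
        by_dst[c["dst"]][c["ended"] or "still open"] += 1
    return {"by_destination": {d: dict(r) for d, r in by_dst.items()},
            "dropped_icmp_unreachable": dropped_icmp}


def suspects(report):
    """Destinations with sessions that never closed cleanly: still open at the
    end of the capture, or torn down by 'SYN Timeout' / 'Conn timeout'."""
    out = []
    for dst, reasons in sorted(report["by_destination"].items()):
        if any(r == "still open" or "timeout" in r.lower() for r in reasons):
            out.append(dst)
    return out


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dst, reasons in report["by_destination"].items():
        print(dst, reasons)
    print("ICMP unreachables dropped by ACL:", report["dropped_icmp_unreachable"])
    print("suspect destinations:", suspects(report))
```

Run it over the real capture instead of SAMPLE_LOG, for example triage(open("pix.log").read()). The point of the ICMP check: PIX 6.x does not treat ICMP statefully, so an ICMP error a remote host sends back to the outside address has to be explicitly permitted by the outside ACL, and the posted out2in ACL permits none, so every such error is dropped and logged as 106023. If the real logs show sessions to port 443 ending in "Conn timeout" after a small byte count, alongside dropped type 3 code 4 (fragmentation needed) messages, that would point at a path-MTU problem on the ADSL link; that is a hypothesis to test against the capture, not something the post establishes.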
