Q: PIX 515 Firewall suddenly blocking TCP HTTP/80 for no reason??

Q: PIX 515 Firewall suddenly blocking TCP HTTP/80 for no reason??
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Networking Firewalls    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Q: PIX 515 Firewall suddenly blocking TCP HTTP/80 for no reason?? x13 09-05-2007
Posted by x13 on September 5, 2007, 9:50 am
If you were  Registered and logged in, you could reply and use other advanced thread options
1x Cisco PIX 515 firewall running 6.0(1) firmware.
9x 3COM 3C250C hubs

Made no changes of any kind. FW suddenly started blocking HTTP/80
traffic. All other I/O traffic passes. All devices reloaded and later
cold-restarted (no errors on LEDS). As last resort, erased flash
config and re-entered via console cable. LAN users/servers are on
subnet 192.168.1.x and VPN users on subnet 192.168.3.x

My suspicions tend toward absence of OUTBOUND statements; TIMEOUT
XLATE value too long, or a brown-out during the night... Any ideas?
Config follows:

Thanks!
M.T.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********
passwd ********
hostname FWNKI
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 200 permit ip 192.168.1.0 255.255.255.0 192.168.3.0
255.255.255.0
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside <public IP ending .235> 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer 192.168.3.1-192.168.3.254
pdm history enable
arp timeout 14400
global (outside) 1 <public IP ending .237>
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) <public IP ending .234> 192.168.1.2 netmask
255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host <public IP ending .234> eq smtp any
conduit permit tcp host <public IP ending .238> eq domain any
conduit permit tcp host <public IP ending .234> eq 443 any
conduit permit tcp host <public IP ending .238> eq www any
route outside 0.0.0.0 0.0.0.0 <public IP ending .233> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set vpnmark esp-des esp-md5-hmac
crypto dynamic-map vpnclient 200 match address 200
crypto dynamic-map vpnclient 200 set transform-set vpnclient
crypto dynamic-map lexmap 10 set transform-set vpnmark
crypto map partner-map 10 ipsec-isakmp dynamic lexmap
crypto map partner-map 200 ipsec-isakmp dynamic vpnclient
crypto map partner-map client configuration address initiate
crypto map partner-map client configuration address respond
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local dealer outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 200 authentication pre-share
isakmp policy 200 encryption des
isakmp policy 200 hash md5
isakmp policy 200 group 1
isakmp policy 200 lifetime 86400
vpngroup vpnnki address-pool dealer
vpngroup vpnnki idle-time 1800
vpngroup vpnnki password ********
telnet 192.168.1.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80


Posted by mak on September 7, 2007, 9:07 am
If you were  Registered and logged in, you could reply and use other advanced thread options
x13 wrote:
> 1x Cisco PIX 515 firewall running 6.0(1) firmware.
> 9x 3COM 3C250C hubs
>
> Made no changes of any kind.

hard to believe, maybe someone else?
telnet to pix is allowed, you have hubs behind it, perfect for sniffing
change to ssh


>FW suddenly started blocking HTTP/80
> traffic.
>All other I/O traffic passes. All devices reloaded and later
> cold-restarted (no errors on LEDS). As last resort, erased flash
> config and re-entered via console cable.

a drastic measure,IMHO
default is to block all traffic, so that was a waste of time.
you should have a backup of the config...

>LAN users/servers are on
> subnet 192.168.1.x and VPN users on subnet 192.168.3.x
>
> My suspicions tend toward absence of OUTBOUND statements; TIMEOUT
> XLATE value too long, or a brown-out during the night... Any ideas?
...

yes no outbound, (then you wouldn't have any access, not just http of course).
also do not mix access lists and conduits according to cisco.
also no "no-nat", between lan and vpn,(or is that implied in the vpn config in
6.0, not sure).
and 6.0 is known to be buggy, at least upgrade to 6.3 or something.

I say start fresh, plenty of docs out there,
e.g:
http://cisco.com/en/US/docs/security/pix/pix60/firewall/configuration/guide/commands.html

M

Similar ThreadsPosted
outpost firewall blocking http requests for no reason and without logging? February 6, 2007, 12:57 am
Zone Alarm Suddenly Blocking All Traffic February 25, 2007, 11:26 am
Firewall Blocking Use. Help! March 2, 2008, 7:19 am
Firewall Blocking ActiveX July 30, 2006, 9:34 pm
Blocking internet sharing in LAN without blocking file sharing May 10, 2006, 12:55 am
AOL Firewall blocking aolpspd and aolsmon. April 15, 2005, 10:52 am
Outpost Firewall blocking my internet May 17, 2005, 6:11 pm
Norton Firewall blocking port 81 July 8, 2005, 1:59 pm
Symantec Firewall Blocking Practally Everything, Why? December 13, 2005, 12:23 am
firewall blocking of loopback connection December 20, 2007, 5:09 pm

The site map in XML format XML site map

Contact Us | Privacy Policy