Cannot access tigerdirect.com through PIX

[rlcsystems]

I have a pix 501 configured with the default access rules and no AAA or filter rules defined. I've been using the pix for serveral months and am able to access any site through it, except for tigerdirect. I get 'the operation timed out' alert from my browser. When bypassing the pix, tigerdirect loads instantly. Any help would be appreciated.

 

[boymarty24]

What happens when you do a nslookup for tigerdirect on your computer?

 

[rlcsystems]

Server & ip address show my isp and my own ip.

Non-authoritative answer shows:

Name:

http://www.tigerdirect.com

Addresses: 199.181.77.55, 199.181.77.52, 199.181.77.56, 199.181.77.54, 199.181.77.53

 

[boymarty24]

try to set higher bit value on the fixup protocol for dns

fixup protocol dns maximum-length 1544

 

[rlcsystems]

Thanks, but that did not work. Any other ideas?

 

[brontosaurus]

what are the results of a traceroute?

 

[brontosaurus]

...also, can you telnet to

http://www.tigerdirect.com

on port 80?

 

[rlcsystems]

tracert tigerdirect.com

I get a request timed out over and over. Each line takes about 15 seconds for it to time out. This is true for any site it attempt to tracert though, not just specific to tigerdirect.

Telnetting to

http://www.tigerdirect.com

does not go through on port 80 (time out). Every other site i try connects normally..

 

[brontosaurus]

Are you using Fixup Protocol http?

 

[rlcsystems]

fixup protocol http 80 is being used. I entered the command and then checked the running configuration, so I'm not sure if it was enabled before. Sorry for the noob question, but after typing a command, does a simple 'refresh' configure the pix or are there other steps required to run the settings that are entered?

I find this a very odd problem, that it is only one site. And its not like i'm 'banned' from tdirect because I can access it when not using the firewall. Any other recommendations would be helpful.

 

[brontosaurus]

actually, I was going to ask you to temporarily disable the Fixup Protocol http (no fixup protocol http), refresh the configuration, and try again. I've seen a couple of instances where web sites get blocked by the security algorithm, although it's rare.

 

[rlcsystems]

Ok, disabled that feature, refreshed and still the same result. Not a bad idea though.

 

[brontosaurus]

And you definitely don't have any access-lists or filters that may be preventing you from getting to those IPs , right?

 

[rlcsystems]

http://imgfly.com/files/130906_011453/cisco1.jpg

http://imgfly.com/files/130906_011453/cisco2.jpg

http://imgfly.com/files/130906_011453/cisco3.jpg

I do not see anything. If there are other ways of showing where filters might be applied please let me know.

 

[brontosaurus]

Try turning up the logging and then attempt connection to tigerdirect. Maybe something will show up in the logs that gives a clue.

 

[normntwrk]

try poiting your browser to the IP address to see if it could be a DNS issue IE

http://199.181.77.55/

 

[rlcsystems]

I am still having trouble accessing this site. To answer normntwrk, it is not a DNS issue, because typing in that IP still produces the same result.

brontosaurus - Nothing out of the ordinary shows up in the logs. Nothing below a 6. I get this line when attempting to connect:

built outbound tcp connection 262777 for outside:199.181.77.35/80 (199.181.77.35/80) to inside:192.168.1.130/1878 (xx.xx.xx.xx/3178)

Like i said before, It is TigerDirect (199.181.77.35), and I also found that their affiliate Global Computer (199.181.77.85) does not work either. No problems with any other sites.

 

[boymarty24]

can you post your config?

 

[rlcsystems]

:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 1544
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.240
access-list outside_cryptomap_dyn_20 permit tcp any 192.168.1.48 255.255.255.240
access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.48 255.255.255.240
pager lines 24
logging on
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RLCVPN 192.168.1.50-192.168.1.60
pdm logging debugging 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup RLC address-pool RLCVPN
vpngroup RLC idle-time 1800
vpngroup RLC secure-unit-authentication
vpngroup RLC password ********
vpngroup RLCVPN address-pool RLCVPN
vpngroup RLCVPN idle-time 1800
vpngroup RLCVPN password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd dns 192.168.1.97 68.87.75.194
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain RLC
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:05327906e0c5b0e0797d39d2e4482475
: end
[OK]

 

[rlcsystems]

Something I found out today, a few minutes after logging into PDM, tigerdirect.com loads. With PDM open, the site will continue to load and works normally for about 5 minutes until it goes back into timing out. Tigerdirect.com is accessible through all computers on the network during this time.

This leads me to believe maybe something is temporarily turned off while logging into PDM. Does anyone know if any settings in the PIX are changed while logging into the PDM? Does it have something to do with a secure connection? Please any help is appreciated.