PIX 515E will not connect to a certain portion of a Canadian Website 1

[shirelabs]

We are attempting to access

http://patents1.ic.gc.ca/intro-e.html

and are unable to display the page. We are able to access

http://www.gc.ca

which , as we understand, is the root of the site.

The rough framework of the network is (from outside -in):

Cisco 1720 to PIX515E To Bluecoat SG400 to Baracuda to Internal Switch Fabric.

Troubleshooting: We have eliminated everything past the 1720 and are able to reach the site. Adding the PIX515E results in inability to connect. We have hooked up a laptop to our Sprint dial-up service and are able to connect. All signs seem to point towards the PIX515E. At this point, we don't know where in the PIX515E to look when it appears that only a portion of a site is unable to be accessed. Ideas?

 

[ChrisAC]

Can you resolve DNS for this site from behind the firewall? Do you have any outbound rules on the firewall or is all traffic from LAN allowed out. Can you traceroute to this site? Do the firewall logs show any problems/drops? Is there any shunning set up on the firewall that may prevent traffic from this site? Have you tried from the Bluecoat box or from a machine plugged directly into the Pix? Do you have any networks set up on the 192.197.183 range? Have you proven that traffic destined for this site is leaving your site via the 1720?

Pix config?

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************

 

[shirelabs]

Yes, it does resolve to cpddis-cluster.ic.gc.ca [192.197.183.209] from behind the firewall. All traffic is allowed out, as far as I know. Traceroute appears to fail from the PIX515E. The firewall logs, viewed from our syslog server, do not appear to indicate any issues as there are no entries that I can see that point to this transaction. I do not know for sure if there is shunning. (PIX515E was setup by an outside service and I am not near as knowledgeable as I ought to be.)(Outside service that set it up can no longer be contacted, go figure.) From the Bluecoat or a Pc connected to the PIX515e, the same problem exists. I have no networks setup in 192.197.138 range.

I have not been able to prove that traffic destined for this site can leave the 1720. (Again, I'm probably not as knowledgeable as I should be.)

As for the config, I will try to paste it up here on Tuesday morn. (05/31/05) as I am answering from home at the moment.

Thanks for replying.

 

[shirelabs]

Here is the config from the PIX515E That I promised. I have purposefully obscured the private information however, if there is a piece that you need to complete the puzzle just let me know. Here goes:

domainpix# sh conf
: Saved
: Written by enable_15 at 11:05:16.462 UTC Sat May 28 2005
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ****** encrypted
passwd g****** encrypted
hostname ******
domain-name ******.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 172.16.*.* Host1
name 172.16.*.* Host2
name 172.16.*.* Host3
name 208.*.*.* NameSpace
name 172.16.*.* Barracuda_NAT
name 172.16.*.* OWA_machine
name 172.16.*.* smtp.domain.com
name 172.16.*.* owa.domain.com
object-group service irc-group tcp
description Internet Relay Chat Protocol
port-object range 6660 6670
object-group service RealAudio-group tcp-udp
description RealAudio common ports
port-object eq 7070
port-object range 6090 7070
object-group network domain.net.internal
network-object 172.16.0.0 255.255.0.0
network-object 10.6.1.0 255.255.255.0
network-object 10.6.2.0 255.255.255.0
network-object 10.6.3.0 255.255.255.0
network-object 10.6.4.0 255.255.255.0
network-object 10.6.5.0 255.255.255.0
network-object 10.6.6.0 255.255.255.0
network-object 10.6.7.0 255.255.255.0
network-object 10.6.8.0 255.255.255.0
network-object 10.6.9.0 255.255.255.0
network-object 10.6.100.0 255.255.255.0
network-object 10.6.10.0 255.255.255.0
network-object 10.6.35.0 255.255.255.0
object-group network DMZhosts
description CP had HTTP,DNS,Mail. PIX only has OWA
network-object host 208.*.*.*
object-group service port8080 tcp
port-object range 8080 8080
access-list OutBound deny tcp object-group domain.net.internal any object-group irc-group
access-list OutBound deny tcp object-group domain.net.internal any object-group RealAudio-group
access-list OutBound permit ip object-group domain.net.internal any
access-list OutBound deny ip any any
access-list Inbound permit tcp any host 208.*.*.35
access-list Inbound permit tcp any host 208.*.*.38 object-group port8080
access-list Inbound permit tcp any host 208.*.*.36 object-group port8080
access-list Inbound permit ip 10.6.255.0 255.255.255.0 any
access-list Inbound permit icmp any host 208.*.*.21 echo-reply
access-list Inbound permit icmp any host 208.*.*.21 unreachable
access-list Inbound deny tcp any host 208.*.*.34 eq smtp
access-list Inbound permit tcp any host 208.*.*.34 eq https
access-list dontNat permit ip object-group domain.net.internal 10.6.255.0 255.255.255.0
access-list inbound permit tcp host 208.*.*.20 host 208.*.*.18 eq telnet
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered informational
logging trap errors
logging queue 1024
logging host inside 172.16.*.*
no logging message 109001
no logging message 109003
no logging message 109002
no logging message 109005
no logging message 109007
no logging message 106014
no logging message 109009
no logging message 106015
no logging message 109008
no logging message 106012
no logging message 109011
no logging message 106013
no logging message 109010
no logging message 106010
no logging message 109013
no logging message 109012
no logging message 106006
no logging message 106007
no logging message 106002
no logging message 106001
no logging message 308002
no logging message 201005
no logging message 201006
no logging message 199003
no logging message 106018
no logging message 106017
no logging message 305007
no logging message 305006
no logging message 305005
no logging message 309002
no logging message 309001
no logging message 305012
no logging message 305011
no logging message 303002
no logging message 302009
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304003
no logging message 302003
no logging message 304002
no logging message 304001
no logging message 304007
no logging message 304004
no logging message 302004
no logging message 304008
no logging message 208005
no logging message 112001
no logging message 108002
no logging message 302016
interface ethernet0 100basetx
interface ethernet1 100full
interface ethernet2 auto
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 208.*.*.18 255.255.255.192
ip address inside 172.16.*.* 255.255.0.0
ip address dmz 216.*.*.* 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit name ExtAuditAttackPolicy attack action alarm drop reset
ip audit interface outside ExtAuditAttackPolicy
ip audit info action alarm
ip audit attack action alarm
ip local pool domainpool 10.6.255.1-10.6.255.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm locations (removed for simplicity)
arp timeout 600
global (outside) 1 208.*.*.21
global (dmz) 1 208.*.*.150
nat (outside) 1 10.6.255.0 255.255.255.0 0 0
nat (inside) 0 access-list dontNat
nat (inside) 1 10.6.0.0 255.255.0.0 0 0
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (inside) 1 10.6.255.0 255.255.255.0 outside 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 208.*.*.35 smtp Barracuda_NAT smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.*.*.34 smtp 172.16.*.* smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.*.*.38 8080 owa.domain.com 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.*.*.34 https 172.16.*.* https netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.*.*.36 8080 OWA_machine 8080 netmask 255.255.255.255 0 0
static (inside,outside) 208.*.*.22 Host1 netmask 255.255.255.255 0 0
static (inside,outside) 208.*.*.37 smtp.domain.com netmask 255.255.255.255 0 0
access-group Inbound in interface outside
access-group OutBound in interface inside
route outside 0.0.0.0 0.0.0.0 208.*.*.20 1
route inside 10.0.0.0 255.0.0.0 172.16.*.* 1
route inside 192.168.110.0 255.255.255.0 172.16.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media
0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host Host3 domainpix timeout 30
aaa-server LOCAL protocol local
http server enable
http Host1 255.255.255.255 inside
http Host2 255.255.255.255 inside
http 172.16.*.* 255.255.255.255 inside
snmp-server host inside 172.16.*.*
snmp-server location (removed for privacy)
snmp-server community domainpixcommunitystring
snmp-server enable traps
tftp-server inside 172.16.*.* /pix
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
auth-prompt prompt For Authorized Company Use Only. Unauthorized use is prohibited and will
be punished to the fullest extent of the law. Your activities are being monitored.
crypto ipsec transform-set singledes esp-des esp-md5-hmac
crypto dynamic-map vpndynmap 10 set transform-set singledes
crypto map outsidecmap 10 ipsec-isakmp dynamic vpndynmap
crypto map outsidecmap client configuration address initiate
crypto map outsidecmap client configuration address respond
crypto map outsidecmap client token authentication RADIUS
crypto map outsidecmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local domainpool outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup domainvpngroup address-pool domainpool
vpngroup domainvpngroup dns-server 172.16.*.* 172.16.*.*
vpngroup domainvpngroup wins-server 172.16.*.*
vpngroup domainvpngroup default-domain ******.com
vpngroup domainvpngroup idle-time 1800
vpngroup domainvpngroup password ********
telnet 208.*.*.20 255.255.255.255 outside
telnet Host1 255.255.255.255 inside
telnet Host2 255.255.255.255 inside
telnet 172.16.*.* 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:******
domainpix#

 

[Zen37]

Hi There

Are you sure the site does not need any other port than TCP80? I've seen government sites that needed another port than TCP80 to work

When you do your test without the PIX, do a netstat -an and see if you have other ports opened to that site.

Let me know if this helps.

 

[shirelabs]

Zen;

We are able to connect to this site through a laptop with external dial-up access with no issue. This I would assume would indicate that it is not a port issue. (Just an assumption but, a safe one I think.) I would try the Netstat -an but I am unsure what it would indicate to me if I do not have the PIX in the path.
The way that we test past the PIX is to hook up a laptop into a hub that is fed by the Cisco1720 router which is the last step out before the wire from the ISP. When testing in this method, we are able to connect to the site without issue. The problem only seems to come when we reintroduce the PIX515E into the picture. I still have to guess that there is something in our config that is stopping us when we try to access the very specific portion of the site.

For a reminder, we are able to access

http://www.gc.ca

but not

http://www.ic.gc.ca

which is a sub of the root gc.ca.

Thanks for trying to help me and as always, I am open to further discussion by any and all who care to give it a shot.

 

[Zen37]

Not really

If you can reach the site with a dial up connection without a firewall, then it could be a port issue in your PIX. But, as it turns out, i did the test and it does not use any other ports.

Can you reach

http://ic.gc.ca?

You have an address in the DMZ that starts with 216. Is this segment registered and belongs to your company? Can you give me the complete segment address?

 

[shirelabs]

I am unable to reach

http://ic.gc.ca

.
The address in the 216.x.x.x range is a dsl address from Cavalier telephone that is attached to a card in the PIX that is designated as the DMZ interface. That card is NOT physically cabled to the rest of the network. We were, at one time, going to use it as a backup way to get out if the primary T-1 went down but wound up abandoning the idea.

 

[Zen37]

Ok, i was asking that because i did a traceroute to

http://www.ic.gc.ca

and got an address 216.0.0.0 and wanted to be sure it was not a conflict.

This is really a special issue. I cannot detect anything in your config that could cause this. I'm at a lost for words or solution.

Sorry buddy, i guess i'll have to throw the question back at the forum.

 

[Zen37]

Just one last try ;0)

Can you tell me what IP you get when you do an NSLookup from the dial up and what IP you get when you do a NSLookup from behind your firewall.

I'm asking you this because i had this problem once and it turned out the DNS on my dial up had the right data but the DNS of my firewall link did not. Both were giving be addreses but the one from my firewall was wrong.

 

[shirelabs]

I'll check and let ya know.

 

[shirelabs]

Inside and outside dial up agree.

Napoleon.ic.gc.ca
192.197.183.151

http://www.ic.gc.ca

 

[Zen37]

Sorry then, i'm out of ideas.

 

[shirelabs]

<bump>

Anybody else got any ideas?

 

[lambent]

doing a nslookup in the above sites returns the following IP addresses:

Name:

http://www.gc.ca

Address: 198.103.238.30

Name: napoleon.ic.gc.ca
Address: 192.197.183.151
Aliases:

http://www.ic.gc.ca

Name: ic.gc.ca
Address: 192.197.183.149

Seems like you have problem connecting to 192.197.183.x network. Some questsions to you:

1) Did you use the same addressing space (i.e. 192.197.183.0/24) inside your internal network?
2) Apart from the above sites you've mentioned, any other site that you cannot access behind the firewall, but you can access using direct internet connection like dialup or broadband or whatever?
3) Do you use proxy servers within your internal network?

 

[shirelabs]

In answers to your questions:

1) We have not used the 192.197.183.0/24 anywhere in our network.

2) That I know of, we do not have any issue contacting other sites.

3) We have a Bluecoat SG400 with Websense inline in the network. As I have noted in my posts higher up in the thread, for troubleshooting purposes, we have tested with the device removed and still experience the same situation. Further, we have tested past the PIX515E and achieved success. The problem only recurrs when the PIX515E is returned to the network path.

 

[lambent]

Can you telnet to the URL using port 80?

 

[hinesjrh]

Maybe you have already answered this (I only quickly glanced over all the previous posts), but did you check the log files within Websense (which integrates with your PIX). We have run into similar situations and found that Websense was blocking a portion of a site, but not most parts of a website. I believe you can specifically allow that web address within Websense.

 

[shirelabs]

In response to Lambent: I attempted telnet to

http://ic.gc.ca

80 . The screen goes blank with a flashing prompt waiting for input in the corner. I didn't really know what to do as I don't Telnet frequently. hitting enter just returned the same prompt. Tried typing helo and enter and then I see a bit of HTML code that looks like maybe the header to the site then the connection to host is lost.

Can you give me a bit of a hand here for what I need to do to try to help you troubleshoot my issue in this manner?

Thanks.

 

[shirelabs]

For Hinesjrh:

I checked the logs after an attempt to

http://ic.gc.ca

and found the following 2 entries:

2005-06-10 12:05:48 185 "WORKSTATION ADDRESS" 503 TCP_ERR_MISS 1762 401 GET http ic.gc.ca - - - NONE "BLUECOAT ADDRESS" - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 (ax)" PROXIED Government - "BLUECOAT ADDRESS" SG-HTTP-Service

2005-06-10 12:05:48 106 "WORKSTATION ADDRESS" 503 TCP_ERR_MISS 1762 332 GET http ic.gc.ca /favicon.ico - - NONE "BLUECOAT ADDRESS" - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 (ax)" PROXIED Government - "BLUECOAT ADDRESS" SG-HTTP-Service


For privacy, I have removed the actual TCP/IP address' from the log output. Let me know if you need them and we can e-mail. I don't think, from these entries, that the Bluecoat is blocking the site. Your input?

FWIW, In testing, we completely shut off the Bluecoat to eliminate it as a possibility. Our Bluecoat is configured with a Pass-Thru card so that traffic still moves whether it is "On" or not. We have, however, tested in both a cabled without power and an uncabled scenario as far as the Bluecoat goes.