Just a thought. Use the access-list as troubleshooting help. Put a permit tcp any any
in there and try to get a page. Then do a sho access-list...or is it sho logg...anyway,
see if the rule is getting hit (in parentheses after the rule). I had a similar
situation that even stumped TAC. The client had tried to install proxy the day before I
got there with the PIX. Proxy client was on the machines and it wasn't even getting to
the PIX. I put permit tcp any any statement and could see it wasn't even hitting the
PIX.

Hansraj Patil wrote:
> here is pix config
>
> PIX Version 5.2(5)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password ***** encrypted
> passwd ****** encrypted
> hostname host515
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> names
> access-list icmp_traffic permit icmp any any
> pager lines 24
> logging on
> no logging timestamp
> no logging standby
> no logging console
> no logging monitor
> logging buffered debugging
> no logging trap
> no logging history
> logging facility 20
> logging queue 512
> interface ethernet0 auto
> interface ethernet1 auto
> mtu outside 1500
> mtu inside 1500
> ip address outside 208.68.87.26 255.255.255.0
> ip address inside 192.168.20.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 192.168.20.0 255.255.255.0 0 0
> static (inside,outside) 208.68.87.33 192.168.20.100 netmask 255.255.255.255 0 0
> access-group icmp_traffic in interface outside
> route outside 0.0.0.0 0.0.0.0 208.68.87.25 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> isakmp identity hostname
> telnet timeout 5
> ssh timeout 15
> terminal width 80
> Cryptochecksum:b9b3c3f7fb3d4543a6a41ac6
>
> >From: "Allen May"
> >Reply-To: "Allen May"
> >To: [EMAIL PROTECTED]
> >Subject: Re: poor web acces through PIX [7:7812]
> >Date: Mon, 11 Jun 2001 10:52:04 -0400
> >
> >If you still need help, cut & paste your config into an email. Just remove
> >any sensitive information first.
> >
> >Allen May
> >
> >----- Original Message -----
> >From: "Hansraj Patil"
> >To:
> >Sent: Friday, June 08, 2001 11:22 PM
> >Subject: poor web acces through PIX [7:7812]
> >
> >
> > > Hello friends,
> > >
> > > Here is problem...
> > >
> > > I have straightforward configuration of pix firewall. PIX is doing PAT &
> > > IPsec tunnel.
> > >
> > > PIX ver is 5.2(5)
> > >
> > > Inside machine can ping outside but when tried to access any web site it
> > > times out. Web page is not downloaded. If I see log, they are normal. I can
> > > see request going for web page & reply coming back. This is not an issue
> > > with access-list, because I tried with 'permit ip any any'. I tried using
> > > access-list as well as conduits. But still no luck.
> > >
> > > If I remove PIX & directly connect machine to internet everything works
> > > fine.
> > >
> > >
> > > Can anybody help me out with this problem ?
> > >
> > > I open Cisco TAC. They checked the configs and looks like there is no
> > > problem with config.
> > >
> > >
> > > Any help is greatly appreciated.
> > >
> > > thanks
> > > hansraj.
> > >
> > >
> > >
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=8587&t=7812
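
The hit-counter check suggested in the reply at the top of this thread, as an added example that is not part of the original messages: it compares two saved captures of `show access-list` output, taken before and after a test page load, and reports whether the probe rule was hit. The ACL name `probe`, the capture text and the `(hitcnt=N)` line shape are assumptions; adjust the pattern to what your PIX version prints.

```python
import re

# Assumed shape of a "show access-list" entry line: the rule text followed by
# "(hitcnt=N)". Verify against the output of your own software version.
ENTRY = re.compile(r"^(access-list\s+\S+\s+(?:permit|deny)\s+.+?)\s*\(hitcnt=(\d+)\)\s*$")

def parse_hitcounts(show_output):
    """Map each ACL entry (whitespace-normalised) to its hit counter."""
    counts = {}
    for line in show_output.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header lines such as "access-list probe; 2 elements" are skipped
            counts[" ".join(m.group(1).split())] = int(m.group(2))
    return counts

def hit_deltas(before, after):
    """Return {entry: counter increase} for every entry in the 'after' capture."""
    b, a = parse_hitcounts(before), parse_hitcounts(after)
    return {entry: n - b.get(entry, 0) for entry, n in a.items()}

def diagnose(before, after, probe_rule):
    """Say whether the test traffic reached the firewall at all."""
    deltas = hit_deltas(before, after)
    if probe_rule not in deltas:
        return "probe rule not found in capture"
    if deltas[probe_rule] == 0:
        return "no hits: test traffic is not reaching the firewall"
    return "%d hits: test traffic reaches the firewall" % deltas[probe_rule]

# Constructed captures (not from the thread), one before and two possible
# results after a single page load from an inside host.
PROBE = "access-list probe permit tcp any any"
BEFORE = """\
access-list probe; 2 elements
access-list probe permit tcp any any (hitcnt=0)
access-list probe permit icmp any any (hitcnt=14)
"""
AFTER_SILENT = BEFORE.replace("(hitcnt=14)", "(hitcnt=19)")  # only ping counted
AFTER_SEEN = AFTER_SILENT.replace("any any (hitcnt=0)", "any any (hitcnt=7)")

if __name__ == "__main__":
    print(diagnose(BEFORE, AFTER_SILENT, PROBE))
    print(diagnose(BEFORE, AFTER_SEEN, PROBE))
```

Remove the temporary permit tcp any any entry once the test is done, since it allows all TCP through the interface it is applied to.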