[c-nsp] PIX file transfer problem

Azher Amin azher at niit.edu.pk
Thu Jun 28 08:37:45 EDT 2007


Hi,

I am using a Cisco PIX-535 with a public IP address that is translated for a 
server connected to the inside interface. However, I am having a strange 
problem: if I initiate a web connection from inside to outside for 
a big file there is no glitch and traffic is smooth, but if I want 
to upload some data using HTTP/SSH to the server from outside then the 
file gets stuck in the middle. Following is my config. Please suggest how to 
resolve the issue.

Regards
-Azher


PIX Version 7.2(2)
!
hostname pix
domain-name niit.edu.pk
enable password Rl/xH70b2D.0Ug6C encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 202.125.157.195 255.255.255.240
!
interface Ethernet1
 speed 100
 duplex full
 nameif dmz
 security-level 20
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet2
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.4.40 255.0.0.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone PKST 5
dns server-group DefaultDNS
 domain-name niit.edu.pk
access-list outside_int extended permit tcp any host 202.125.157.199 eq smtp
access-list outside_int extended permit tcp any host 202.125.157.199 eq www
access-list outside_int extended permit tcp any host 202.125.157.199 eq imap4
access-list outside_int extended permit tcp any host 202.125.157.199 eq ssh
access-list outside_int extended permit tcp any host 202.125.157.199 eq https
access-list outside_int extended permit tcp any host 202.125.157.199 eq 993
access-list outside_int extended permit tcp any host 202.125.157.199 eq 995
access-list outside_int extended permit tcp any host 202.125.157.199 eq pop3
access-list outside_int extended permit tcp any host 202.125.157.199 eq 465
access-list outside_int extended permit udp any host 202.125.157.199 eq ntp
access-list outside_int extended permit udp any host 202.125.157.199 eq domain
access-list outside_int extended permit icmp any host 202.125.157.199
access-list dmz_int extended permit tcp host 172.16.0.2 any eq smtp
access-list dmz_int extended permit tcp host 172.16.0.2 any eq www
access-list dmz_int extended permit tcp host 172.16.0.2 any eq pop3
access-list dmz_int extended permit tcp host 172.16.0.2 any eq ssh
access-list dmz_int extended permit udp host 172.16.0.2 any eq domain
access-list dmz_int extended permit udp host 172.16.0.2 any eq ntp
access-list dmz_int extended permit icmp host 203.99.50.203 any
access-list dmz_int extended permit udp host 172.16.0.2 any eq 20
access-list dmz_int extended permit udp host 172.16.0.2 any eq 21
pager lines 24
logging enable
logging buffered debugging
logging trap debugging
logging asdm informational
logging host outside 202.125.157.18
mtu outside 1500
mtu dmz 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (dmz,outside) 202.125.157.199 172.16.0.2 netmask 255.255.255.255
access-group outside_int in interface outside
access-group dmz_int in interface dmz
route outside 0.0.0.0 0.0.0.0 202.125.157.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username azher password IdvoRszej5cPIVo encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3
http server enable
snmp-server host outside xxx.xxx.xxx.xxx community xxxxxx
snmp-server location Server Room
snmp-server contact Azher Amin
snmp-server community peering1
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity address
telnet timeout 5
ssh timeout 30
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ntp server 202.125.157.193 source outside
prompt hostname context
Cryptochecksum:0d1026df4121865a6d4c608ace10f0da
: end
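As an added example (not part of the original post, and not Cisco tooling), a small Python lint that parses the style of PIX configuration quoted above and cross-checks each inbound access-list against its interface subnet and the static NAT table. The excerpt it runs on is a constructed subset of the posted config; the function names and the wording of the findings are my own.

```python
import ipaddress
import re
# Constructed excerpt of the config quoted in the post; only lines the checks read.
PIX_CONFIG = """\
interface Ethernet1
 nameif dmz
 ip address 172.16.0.1 255.255.255.0
access-list outside_int extended permit tcp any host 202.125.157.199 eq www
access-list dmz_int extended permit tcp host 172.16.0.2 any eq www
access-list dmz_int extended permit icmp host 203.99.50.203 any
static (dmz,outside) 202.125.157.199 172.16.0.2 netmask 255.255.255.255
access-group outside_int in interface outside
access-group dmz_int in interface dmz
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) (.*)")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask")

def parse(config):  # -> interface subnets, ACL entries, statics, inbound ACL bindings
    ifaces, acls, statics, groups, name = {}, {}, [], {}, None
    for line in config.splitlines():
        tok = line.split()
        if line.startswith(" nameif"):
            name = tok[1]
        elif line.startswith(" ip address") and name:
            ifaces[name] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3].split()))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())  # (real_if, mapped_if, global_ip, local_ip)
        elif line.startswith("access-group"):
            groups[tok[4]] = tok[1]  # interface -> ACL applied inbound on it
    return ifaces, acls, statics, groups

def src_dst(fields):  # ACL address part -> (source, destination), 'any' or host IP
    src, rest = (fields[1], fields[2:]) if fields[0] == "host" else (fields[0], fields[1:])
    return src, (rest[1] if rest[0] == "host" else rest[0])

def lint(config):  # cross-check each inbound ACL against its subnet and the static NAT table
    ifaces, acls, statics, groups = parse(config)
    global_ips = {s[2] for s in statics}
    findings = []
    for iface, acl in groups.items():
        for _proto, fields in acls.get(acl, []):
            src, dst = src_dst(fields)
            if src != "any" and iface in ifaces and ipaddress.ip_address(src) not in ifaces[iface]:
                findings.append(f"{acl}: source {src} is not on the {iface} subnet {ifaces[iface]}")
            if iface == "outside" and dst != "any" and dst not in global_ips:
                findings.append(f"{acl}: destination {dst} has no static translation")
    return findings
```

Run against the excerpt it reports the dmz_int entry whose source host is not on the dmz subnet; feed it the full posted config to check every entry the same way.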

