How to prevent PIX 6.3(1) act as proxy for internal users

Unanswered Question
Mar 14th, 2007

We have PIX 515 with version 6.3(1).Most of the users use seperate proxy server for internet access. Some of them are allowed to access internet without proxy which is allowed through inside interface access-list. Some users who suppose to use internet through proxy server, has tried to use PIX inside interface IP as their proxy and they can access the internet. But we have not allowed their IPs in the inside access-list. we are using PAT [ nat (inside) , Global (outside) interface]

In this case, those users are using PIX as their proxy and accessing internet which we cannot control.

I have tried to use access-list for NAT statement but it is not supporting and giving the following error(looks like access-lists can be applied only for nat 0)

pix(config)# nat (inside) 1 access-list acl-in-nat

ERROR: invalid nat ID, <1>, with access-list

Usage: [no] nat [(<if_name>)] <nat_id> <local_ip> [<mask>

[dns] [outside]

[<max_conns> [emb_limit> [<norandomseq>]]]]

[no] nat [(if_name)] 0 [access-list <acl-name> [outside]]

Please suggest a solution.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Thu, 03/15/2007 - 02:42


if you have an inside access-list then a user who's IP address is not in that list should not be allowed out to the Internet. The Pix will check the user IP address against the acl on your inside interface before it tries to do any NAT on it.

So it looks like you have a problem with your inside acl.

As far as your NAT goes, access-lists can be applied for instances of NAT other than 0 - we do this on our firewalls.

Could you send a copy of the config with any sensitiev information removed and an exmaple of the client who shouldn't be allowed through but can get access to the Internet via the Pix.


upul Thu, 03/15/2007 - 09:52

Hi Jon,

I have nat (inside) 1 , thats why my users are using PIX as proxy even though they are not included in the inside access-list as allowed hosts.

I am planning to have nat (inside) 1 access-list instead of allowing all.

Jon Marshall Thu, 03/15/2007 - 12:15


I think i might not have explained clearly enough.

The nat statement nat (inside) 1 means translate all addresses. But it does not mean all addresses have access. If you did not have an access-list on your inside interface then it would allow all people access from inside to outside but if you have an access-list on your inside interface then no matter what your NAT says it will still check the access-list first. only if it passes the access-list will NAT then be applied.

Does this make sense ?


upul Fri, 03/16/2007 - 03:37


You still did not get my point, for a example I have user X inside my network which is not included in the permit list on my inside interface access-list. User X can browse the internet by using PIX inside interface as proxy ip address and port as 80. In that case inside access-list match source ip as inside interface ip address of the PIX.

Jon Marshall Fri, 03/16/2007 - 06:43


Apologies for the delay in replying but i needed to set this up to test. Also your are right, i did not fully understand what you were saying so apologies for that too.

However I could not get this to work on a pix 515E running 6.3(5)

1) nat (inside) 1

2) global (outside) 1 interface

3) Make sure my client IP address is not included in the inside interface access-list.

4) set the proxy in my web browser to be the inside interface of the pix firewall on port 80.

5) try and access a web server on the other side of the pix.

No matter what i did i could not get this to work. I was always denied access to the web server.



This Discussion