Community Member

http traffic through pix

I have a dual-homed freebsd box running squid. The outside interface is connected to a switch that has the outside interface of the MS proxy connected to it and the inside interface of the PIX.

I can access the web just fine going through the MS Proxy, but from the FreeBSD box, I can only go to FTP sites, and do DNS lookups - http does not work, not even from the box itself. I can see requests going out, but no response.

Help.

2 REPLIES
Gold

Re: http traffic through pix

Hello Aun,

I think the problem is in the config of squid on your FreeBSD box rather than the PIX. Please read the following document, which might help with your problem:

http://squid-docs.sourceforge.net/latest/html/x505.html

and here is the full guide to squid:

http://squid-docs.sourceforge.net/latest/html/book1.html

and : http://www.pix.net/software/squid/

Thanks -

Community Member

Re: http traffic through pix

I read the documentation. I am not sure the problem is entirely with the FreeBSD box, as I can get to FTP sites, and do domain lookups. Here's a tcpdump on the outside interface of the FreeBSD box:

14:18:49.789760 dnsserver.domain > aedxbweb01.timbuktu-srv4: 60190* 1/3/3 PTR[|domain] (DF)

14:18:49.790628 aedxbweb01.gandalf-lm > dnsserver.domain: 60191+ PTR? 233.171.68.207.in-addr.arpa. (45)

14:18:49.813683 dnsserver.domain > aedxbweb01.gandalf-lm: 60191 2/5/5[|domain] (DF)

14:18:52.720725 aedxbweb01.1188 > ld.cb.msn.com.http: S 3082282937:3082282937(0) win 57344 (DF)

14:18:55.920770 aedxbweb01.1188 > ld.cb.msn.com.http: S 3082282937:3082282937(0) win 57344 (DF)

14:18:59.120827 aedxbweb01.1188 > ld.cb.msn.com.http: S 3082282937:3082282937(0) win 57344 (DF)

So as you can see, "domain" (port 53) traffic is working just fine, as do FTP and SMTP when I try to telnet to those ports on machines sitting on the internet. HTTP does not work; the requests go unanswered.

Squid works when I try to go to FTP sites from the clients, so I don't think it is the FreeBSD box. Something's happening on the PIX that's not letting it return HTTP addresses.

I have nat (inside) 1 0 0 and global (outside) 1 interface on the PIX for NATting. It's currently PATting two addresses, one for the MS Proxy outside interface and one for the FreeBSD outside interface. MS Proxy works just fine though.

-aun.
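The capture in the post above shows the telltale pattern of a connection being dropped somewhere in the path: three SYNs with the same initial sequence number to ld.cb.msn.com.http, roughly three seconds apart, and no SYN-ACK. As an added example (not from the thread), here is a small parser that groups tcpdump lines in that classic BSD format by flow and reports outbound SYNs from a given host that never received any packet back; the sample lines are constructed in the same format, and the FTP flow and hostnames other than the thread's are assumed for illustration.

```python
import re
from collections import defaultdict

# Classic tcpdump TCP line: "HH:MM:SS.usec src.port > dst.port: FLAGS isn:end(len) ..."
# Ports are the last dot-separated element, so hostnames may themselves contain dots.
TCP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>[^.\s]+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>[^.\s:]+):\s+"
    r"(?P<flags>[SFRP.]+)\s"
    r"(?P<isn>\d+):\d+\(\d+\)"
)

# Constructed sample: the three unanswered HTTP SYNs from the thread plus a
# hypothetical FTP connection that does get a SYN-ACK back. DNS lines do not
# match TCP_RE and are skipped.
SAMPLE = """\
14:18:49.813683 dnsserver.domain > aedxbweb01.gandalf-lm: 60191 2/5/5[|domain] (DF)
14:18:52.720725 aedxbweb01.1188 > ld.cb.msn.com.http: S 3082282937:3082282937(0) win 57344 (DF)
14:18:55.920770 aedxbweb01.1188 > ld.cb.msn.com.http: S 3082282937:3082282937(0) win 57344 (DF)
14:18:59.120827 aedxbweb01.1188 > ld.cb.msn.com.http: S 3082282937:3082282937(0) win 57344 (DF)
14:19:01.000000 aedxbweb01.1190 > ftp.example.net.ftp: S 12345:12345(0) win 57344 (DF)
14:19:01.050000 ftp.example.net.ftp > aedxbweb01.1190: S 99:99(0) ack 12346 win 8760
"""


def parse_tcp(lines):
    """Return a dict per TCP line that matches TCP_RE; other lines are ignored."""
    return [m.groupdict() for m in map(TCP_RE.match, lines) if m]


def unanswered_syns(lines, local_host):
    """Map (dst, dport) -> number of SYNs sent from local_host with no packet ever seen back."""
    syns = defaultdict(int)   # forward 4-tuple -> SYN count (retransmits keep the same ISN)
    replied = set()           # forward 4-tuples for which a reverse-direction packet appeared
    for p in parse_tcp(lines):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["src"] == local_host and "S" in p["flags"]:
            syns[fwd] += 1
        elif p["dst"] == local_host:
            # Reverse the tuple so it keys the same flow as the outbound SYN.
            replied.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return {(d, dp): n for (s, sp, d, dp), n in syns.items() if (s, sp, d, dp) not in replied}


if __name__ == "__main__":
    for (host, port), n in unanswered_syns(SAMPLE.splitlines(), "aedxbweb01").items():
        print(f"{host}:{port} - {n} SYN(s), no reply")
```

Running it against a capture taken on the PIX side of the FreeBSD box as well would tell you whether the SYNs leave the PIX at all or whether the replies are dropped on the way back.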
