Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
siutingchung
siutingchung
Community Member
‎09-13-2006 05:30 PM
‎09-13-2006 05:30 PM

PIX 515-E (Proxy Server Problem)

I have a PIX 515-E which connected to the router and it is connected to the proxy server within server farm. The situation is when a user which connected to PIX 515-E and go to Internet, it need through the proxy server. But, the problem is the user can't go to Internet even I permit ALL traffic in PIX 515-E and router. The PIX 515-E just do the NAT function and no traffic is blocked.

0 Helpful
Reply
3 REPLIES
a.kiprawih
a.kiprawih Gold
Gold
‎09-13-2006 06:13 PM
‎09-13-2006 06:13 PM

Re: PIX 515-E (Proxy Server Problem)

Hi,

Is your internet access working fine from users/clients without having to go through Proxy Server? You need to verify this before forcing/diverting clients to use it as gateway to access the internet.

Test internet access from a test workstation or Proxy Server itself (example IP: yy.yy.yy.200) to verify internet access is ok. If the PIX allows internet access directly, then the PIX config should be ok.

Just make sure your PIX is configured with the following for the test:

access-list inside permit udp host yy.yy.yy.200 any eq 53 --> allow single internal host for DNS query

access-list inside permit tcp host yy.yy.yy.200 any eq www --> allow single internal host for HTTP query

access-list inside deny ip any any

ip address outside xx.xx.xx.2 255.255.255.0

ip address inside yy.yy.yy.1 255.255.255.0

global (outside) 1 xx.xx.xx.12-xx.xx.xx.20 ----> use this (range of IP), or

global (outside) 1 xx.xx.xx.10 ------> single Public IP to go out (PAT)

nat (inside) 1 yy.yy.yy.200 255.255.255.255 --> allow specific internal host @Proxy Server, or

route outside 0 0 xx.xx.xx.1 ---> internet router IP xx.xx.xx.1

access-group inside in interface inside

If the above test is ok, and the test workstation or Proxy Server is able to access internet successfully, your PIX config is ok. But you need to modify them to strictly allow only Proxy Server to access the internet (also on behalf of clients where the Proxy Server IP will be used by all internal clients to access internet).

The config will more or less looks like below:

access-list inside permit udp host yy.yy.yy.200 any eq 53

access-list inside permit tcp host yy.yy.yy.200 any eq www

global (outside) 1 xx.xx.xx.12 ----> if you use single Public IP@PAT

nat (inside) 1 yy.yy.yy.200 255.255.255.255

access-group inside in interface inside

From PIX console, issue command "show xlate" and "show conn | include TCP" to verify whether your Proxy Server IP is doing his job.

Pls rate helpful post.

Rgds,

AK

0 Helpful
Reply
siutingchung
siutingchung
Community Member
‎09-13-2006 08:29 PM
‎09-13-2006 08:29 PM

Re: PIX 515-E (Proxy Server Problem)

Hi,

Thanks for your help.

I have checked that the PIX config is ok. But, the problem still exists. It seems that there is no response from Proxy Server to the user. Attached is the PIX 515E configuration and "show xlate" and "show conn"

Looking forward to your reply.

0 Helpful
Reply
a.kiprawih
a.kiprawih Gold
Gold
‎09-13-2006 09:32 PM
‎09-13-2006 09:32 PM

Re: PIX 515-E (Proxy Server Problem)

Hi,

Can your Proxy Server go out@access the internet?

I noticed that your firewall does not have public IP to be used by the Proxy Server (10.118.2.12) to go out to the internet.

You should associate the "nat (inside) 1 10.118.2.12 255.255.255.255" with global config/statement.

It should be:

global (outside) 1 interface <-- Add this

nat (inside) 1 10.118.2.12 255.255.255.255

NOTE:-

The keyword 'interface' refers to your outside interface IP.

You can assign any unused Public IP if you have any/spare. Just replace the 'interface' keyword with the IP.

You need to ensure that Proxy Server is able to reach internet first. If this is ok, then you need to verify that the server is configured properly before opening the proxy services to clients.

Pls rate all useful post(s).

Rgds,

AK

Reply
Latest Documents
Snort IPS on ISR, ISRv and CSR - Step-By-Step Configuration
Created by Kureli Sankar on 04-19-2018 11:25 AM
0
0
0
0
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin... view more
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
All Documents
173
Views
3
Helpful
3
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
75
36
75
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
25
2
25
All Blogs