PIX 515-E (Proxy Server Problem)

siutingchung
Level 1

I have a PIX 515-E which is connected to the router, and it is connected to the proxy server within the server farm. The situation is that when a user connected behind the PIX 515-E goes to the Internet, it needs to go through the proxy server. But the problem is that the user can't get to the Internet even though I permit ALL traffic in the PIX 515-E and the router. The PIX 515-E just does the NAT function and no traffic is blocked.

3 Replies

a.kiprawih
Level 7

Hi,

Is your internet access working fine from users/clients without having to go through the Proxy Server? You need to verify this before forcing/diverting clients to use it as the gateway to access the internet.

Test internet access from a test workstation or the Proxy Server itself (example IP: yy.yy.yy.200) to verify that internet access is OK. If the PIX allows internet access directly, then the PIX config should be OK.

Just make sure your PIX is configured with the following for the test:

access-list inside permit udp host yy.yy.yy.200 any eq 53 --> allow single internal host for DNS query

access-list inside permit tcp host yy.yy.yy.200 any eq www --> allow single internal host for HTTP query

access-list inside deny ip any any

ip address outside xx.xx.xx.2 255.255.255.0

ip address inside yy.yy.yy.1 255.255.255.0

global (outside) 1 xx.xx.xx.12-xx.xx.xx.20 ----> use this (range of IP), or

global (outside) 1 xx.xx.xx.10 ------> single Public IP to go out (PAT)

nat (inside) 1 yy.yy.yy.200 255.255.255.255 --> allow the specific internal host (the Proxy Server)

route outside 0 0 xx.xx.xx.1 ---> internet router IP xx.xx.xx.1

access-group inside in interface inside

If the above test is OK, and the test workstation or Proxy Server is able to access the internet successfully, your PIX config is OK. But you need to modify it to strictly allow only the Proxy Server to access the internet (also on behalf of clients, since the Proxy Server IP will be used by all internal clients to access the internet).

The config will look more or less like below:

access-list inside permit udp host yy.yy.yy.200 any eq 53

access-list inside permit tcp host yy.yy.yy.200 any eq www

global (outside) 1 xx.xx.xx.12 ----> if you use a single Public IP (PAT)

nat (inside) 1 yy.yy.yy.200 255.255.255.255

access-group inside in interface inside

From the PIX console, issue the commands "show xlate" and "show conn | include TCP" to verify whether your Proxy Server IP is doing its job.

Please rate helpful posts.

Rgds,

AK

Hi,

Thanks for your help.

I have checked that the PIX config is OK. But the problem still exists. It seems that there is no response from the Proxy Server to the user. Attached are the PIX 515E configuration and the "show xlate" and "show conn" output.

Looking forward to your reply.

Hi,

Can your Proxy Server go out and access the internet?

I noticed that your firewall does not have a public IP to be used by the Proxy Server (10.118.2.12) to go out to the internet.

You should associate the "nat (inside) 1 10.118.2.12 255.255.255.255" statement with a global statement.

It should be:

global (outside) 1 interface <-- Add this

nat (inside) 1 10.118.2.12 255.255.255.255

NOTE:-

The keyword 'interface' refers to your outside interface IP.

You can assign any unused Public IP if you have a spare one. Just replace the 'interface' keyword with the IP.

You need to ensure that the Proxy Server is able to reach the internet first. If this is OK, then you need to verify that the server is configured properly before opening the proxy services to clients.

Please rate all useful posts.

Rgds,

AK
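The two things AK checks by hand in both replies (every "nat (inside) N" needs a matching "global (outside) N", and the inside access-list must actually permit the proxy host out for DNS and HTTP) can be checked mechanically from a saved configuration. The script below is an added example and is not code from the thread or from Cisco; it assumes the classic pre-8.3 nat/global syntax, a constructed sample config that mirrors the second reply before the fix (addresses 203.0.113.0/24 and 10.118.2.0/24 are placeholders), and does not model interface security levels, so "no ACL bound" is treated as permit, which is only the PIX default for traffic from a higher-security interface to a lower one.

```python
"""Added example: lint a PIX 6.x-style config for the two faults discussed in the thread.
Not from the original post or from Cisco; classic nat/global syntax assumed."""
import re
from collections import defaultdict

PORT_NAMES = {"www": 80, "http": 80, "domain": 53, "https": 443}

# Constructed sample: the proxy host is in NAT pool 1, but pool 1 has no global.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.118.2.1 255.255.255.0
access-list inside permit udp host 10.118.2.12 any eq 53
access-list inside permit tcp host 10.118.2.12 any eq www
access-list inside deny ip any any
nat (inside) 1 10.118.2.12 255.255.255.255
route outside 0 0 203.0.113.1
access-group inside in interface inside
"""
# The fix AK proposes: PAT the pool to the outside interface address.
FIXED_CONFIG = SAMPLE_CONFIG + "global (outside) 1 interface\n"

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
AG_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse(config):
    """Return (nats, globals, acls, groups) from a plain-text PIX config."""
    nats, globs, acls, groups = [], defaultdict(list), defaultdict(list), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), m[3], m[4]))      # (iface, id, addr, mask)
        elif m := GLOBAL_RE.match(line):
            globs[int(m[2])].append((m[1], m[3]))           # id -> [(iface, pool)]
        elif m := ACL_RE.match(line):
            acls[m[1]].append((m[2], m[3], m[4].split()))   # name -> [(action, proto, rest)]
        elif m := AG_RE.match(line):
            groups[m[2]] = m[1]                              # iface -> inbound ACL name
    return nats, globs, acls, groups


def unmatched_nats(config):
    """nat statements (id != 0; 0 is identity NAT) with no global on another interface.
    This is the thread's fault: the proxy has no public address to translate to,
    so no xlate is ever built and 'show xlate' stays empty for it."""
    nats, globs, _, _ = parse(config)
    return [n for n in nats if n[1] != 0
            and not any(iface != n[0] for iface, _ in globs[n[1]])]


def _take_addr(tokens):
    """Consume one address spec (host X | any | net mask); return (spec, remaining)."""
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    return ("net", (tokens[0], tokens[1])), tokens[2:]


def _addr_matches(spec, ip):
    kind, val = spec
    if kind == "any":
        return True
    if kind == "host":
        return val == ip
    net, mask = (int.from_bytes(bytes(map(int, v.split("."))), "big") for v in val)
    return int.from_bytes(bytes(map(int, ip.split("."))), "big") & mask == net & mask


def host_permitted(config, iface, src_ip, proto, dport):
    """First-match evaluation of the ACL bound inbound on `iface` for traffic from
    src_ip to any destination on proto/dport. A bound ACL ends in an implicit deny;
    no bound ACL returns True (security levels are not modelled here)."""
    _, _, acls, groups = parse(config)
    if iface not in groups:
        return True
    for action, acl_proto, rest in acls[groups[iface]]:
        if acl_proto not in (proto, "ip"):
            continue
        src, rest = _take_addr(rest)
        _dst, rest = _take_addr(rest)
        if not _addr_matches(src, src_ip):
            continue
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1], rest[1])
            if int(port) != dport:
                continue
        return action == "permit"
    return False


if __name__ == "__main__":
    print("nat pools without a global:", unmatched_nats(SAMPLE_CONFIG))
    print("after adding global:", unmatched_nats(FIXED_CONFIG))
    print("proxy DNS out:", host_permitted(SAMPLE_CONFIG, "inside", "10.118.2.12", "udp", 53))
    print("other host HTTP out:", host_permitted(SAMPLE_CONFIG, "inside", "10.118.2.50", "tcp", 80))
```

Run it against a "show running-config" capture instead of SAMPLE_CONFIG to get the same answer AK gave by eye: the nat statement for 10.118.2.12 is reported until a "global (outside) 1 ..." line exists, and the ACL check confirms that only the proxy host, not an arbitrary client, is permitted out on 53/udp and 80/tcp.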
