09-13-2006 05:30 PM - edited 02-21-2020 01:10 AM
I have a PIX 515-E which is connected to the router, and it is connected to the proxy server within the server farm. The situation is that when a user who is connected to the PIX 515-E goes to the Internet, it needs to go through the proxy server. But the problem is the user can't go to the Internet even though I permit ALL traffic in the PIX 515-E and router. The PIX 515-E just does the NAT function and no traffic is blocked.
09-13-2006 06:13 PM
Hi,
Is your internet access working fine from users/clients without having to go through Proxy Server? You need to verify this before forcing/diverting clients to use it as gateway to access the internet.
Test internet access from a test workstation or Proxy Server itself (example IP: yy.yy.yy.200) to verify internet access is ok. If the PIX allows internet access directly, then the PIX config should be ok.
Just make sure your PIX is configured with the following for the test:
access-list inside permit udp host yy.yy.yy.200 any eq 53 --> allow single internal host for DNS query
access-list inside permit tcp host yy.yy.yy.200 any eq www --> allow single internal host for HTTP query
access-list inside deny ip any any
ip address outside xx.xx.xx.2 255.255.255.0
ip address inside yy.yy.yy.1 255.255.255.0
global (outside) 1 xx.xx.xx.12-xx.xx.xx.20 ----> use this (range of IP), or
global (outside) 1 xx.xx.xx.10 ------> single Public IP to go out (PAT)
nat (inside) 1 yy.yy.yy.200 255.255.255.255 --> allow specific internal host @Proxy Server, or
route outside 0 0 xx.xx.xx.1 ---> internet router IP xx.xx.xx.1
access-group inside in interface inside
If the above test is ok, and the test workstation or Proxy Server is able to access the internet successfully, your PIX config is ok. But you need to modify it to strictly allow only the Proxy Server to access the internet (also on behalf of clients, where the Proxy Server IP will be used by all internal clients to access the internet).
The config will more or less look like below:
access-list inside permit udp host yy.yy.yy.200 any eq 53
access-list inside permit tcp host yy.yy.yy.200 any eq www
global (outside) 1 xx.xx.xx.12 ----> if you use single Public IP@PAT
nat (inside) 1 yy.yy.yy.200 255.255.255.255
access-group inside in interface inside
From the PIX console, issue the commands "show xlate" and "show conn | include TCP" to verify whether your Proxy Server IP is doing its job.
Pls rate helpful post.
Rgds,
AK
09-13-2006 08:29 PM
09-13-2006 09:32 PM
Hi,
Can your Proxy Server go out / access the internet?
I noticed that your firewall does not have a public IP to be used by the Proxy Server (10.118.2.12) to go out to the internet.
You should associate the "nat (inside) 1 10.118.2.12 255.255.255.255" with global config/statement.
It should be:
global (outside) 1 interface <-- Add this
nat (inside) 1 10.118.2.12 255.255.255.255
NOTE:-
The keyword 'interface' refers to your outside interface IP.
You can assign any unused Public IP if you have any/spare. Just replace the 'interface' keyword with the IP.
You need to ensure that the Proxy Server is able to reach the internet first. If this is ok, then you need to verify that the server is configured properly before opening the proxy services to clients.
Pls rate all useful post(s).
Rgds,
AK
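The mismatch AK points out (a "nat (inside) 1 ..." line with no matching "global (outside) 1 ..." pool) is easy to miss in a long PIX config. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses PIX 6.x-style nat/global lines and reports every NAT id that has no global pool. The sample config lines are constructed for the example, with documentation-range public addresses.

```python
"""Audit PIX-style config text for nat ids that have no matching global pool."""
import re

# 'nat (ifc) id <rest>' and 'global (ifc) id <pool>' in PIX 6.x syntax.
NAT_RE = re.compile(r"^nat\s+\((?P<ifc>[\w-]+)\)\s+(?P<id>\d+)\s+(?P<rest>.*)$")
GLOBAL_RE = re.compile(r"^global\s+\((?P<ifc>[\w-]+)\)\s+(?P<id>\d+)\s+(?P<pool>.*)$")


def parse_config(text):
    """Return (nats, globals): one dict per matching nat/global line."""
    nats, globals_ = [], []
    for line in text.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append(m.groupdict())
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.append(m.groupdict())
    return nats, globals_


def orphan_nat_ids(text):
    """NAT ids with no global pool on any interface.

    'nat 0' is identity (no translation) on the PIX and needs no global,
    so it is excluded from the report.
    """
    nats, globals_ = parse_config(text)
    pooled = {g["id"] for g in globals_}
    return sorted({n["id"] for n in nats if n["id"] != "0" and n["id"] not in pooled})


# Constructed sample modelled on the thread: nat id 1 exists, global 1 is missing.
BROKEN = """\
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.118.2.1 255.255.255.0
nat (inside) 1 10.118.2.12 255.255.255.255
route outside 0 0 203.0.113.1
"""

# The fix from the answer above: give nat id 1 a pool (the outside interface IP).
FIXED = BROKEN + "global (outside) 1 interface\n"

if __name__ == "__main__":
    print("broken:", orphan_nat_ids(BROKEN))  # ['1']
    print("fixed :", orphan_nat_ids(FIXED))   # []
```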