New Member

Pix Firewall with Proxy Server

I need to allow only one IP address (the one for proxy server) to browse through Pix firewall to Internet.

What will be the commands in the PIX firewall to block traffic to the Internet from the whole inside network 10.2.1.x and only allow 10.2.1.10 (the Proxy server)?

All other computers will use the proxy server address to use the Internet.

Please let me know the correct commands, and secondly let me know whether the other computers can browse the Internet if they are using this particular Proxy server address?

24 REPLIES

Re: Pix Firewall with Proxy Server

Could be something like this.

object-group service Proxy-TCP tcp
 port-object eq 80
 port-object eq 443
 port-object eq 21
access-list proxy permit tcp host 10.2.1.10 any object-group Proxy-TCP
access-list proxy deny tcp 10.2.1.0 255.255.255.0 any object-group Proxy-TCP
access-list proxy permit ip any any
access-group proxy in interface inside

This will block http, https and ftp for all inside hosts other than the Proxy server. An object group is more flexible if you want to configure multiple TCP ports.

sincerely

Patrick

New Member

Re: Pix Firewall with Proxy Server

Dear Patrick,

Is it possible to make the configuration more STRICT, such that all traffic from the inside network is blocked (not only http, https and ftp) and all traffic from the Proxy server is allowed?

What change do I have to make in this configuration?

I like the idea of object group here.

What if I have to use an access-list without an object group?

Re: Pix Firewall with Proxy Server

Follow this example and all inside traffic will be blocked.

object-group service Proxy-TCP tcp
 port-object eq 80
 port-object eq 443
 port-object eq 21
access-list proxy permit tcp host 10.2.1.10 any object-group Proxy-TCP
access-list proxy deny ip any any
access-group proxy in interface inside

Like this, only the Proxy server can access the Internet with http, https and ftp; all other traffic will be blocked.

sincerely

Patrick

New Member

Re: Pix Firewall with Proxy Server

Hi again Patrick,

What is the difference between your first configuration and the second one?

In the first one you have given "access-list proxy permit any any"

whereas

in the second one you have given "access-list proxy deny ip any any".

Do I need to combine both of them, or just follow the second one to accomplish my task?

Gold

Re: Pix Firewall with Proxy Server

the reason Pat changed "permit ip any any" to "deny ip any any" is your requirement as stated:

Is it possible to make the configuration more STRICT, such that all traffic from the inside network is blocked (not only http, https and ftp) and all traffic from the Proxy server is allowed?

in fact, you don't even need to put the "deny ip any any", as every acl by default has this statement at the end.

so all you need is:

object-group service Proxy-TCP tcp
 port-object eq 80
 port-object eq 443
 port-object eq 21
access-list proxy permit tcp host 10.2.1.10 any object-group Proxy-TCP

plus a proper nat/global statement

New Member

Re: Pix Firewall with Proxy Server

Will the object-group command work on IOS 6.1(4)?

Thanks

Re: Pix Firewall with Proxy Server

No, object groups are only available from the 6.2.x release, not for 6.1.x.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094885.shtml

sincerely

Patrick

New Member

Re: Pix Firewall with Proxy Server

Hi again,

First purpose is solved.

I am able to permit only the Proxy server to go to the Internet, and all other traffic is blocked.

Now the next step is that I need to allow some traffic like port 110, 25, Citrix etc.

How can I make a new object group to open some ports and what will be the access-list for this new object group?

New Member

Re: Pix Firewall with Proxy Server

Hi again,

If I apply the ACLs mentioned below, my purpose is solved:

access-list myproxy permit tcp host 10.2.1.10 any eq www
access-list myproxy permit tcp host 10.2.1.10 any eq https
access-list myproxy permit tcp host 10.2.1.10 any eq ftp-data
access-list myproxy permit tcp host 10.2.1.10 any eq ftp

Now I need to open smtp and pop3 for my email server; is the configuration given below correct?

access-list myproxy permit tcp any any eq smtp
access-list myproxy permit tcp any any eq pop3
access-group myproxy in interface inside

I think it should be OK, but I am not getting communication from Outlook to the mail server.

Please assist.

Re: Pix Firewall with Proxy Server

If you just want to open outgoing smtp and pop connections from any to any, YES, from inside to outside (Internet).

If you want to allow smtp and pop connections from the Internet to your Email server, you need to create an access-list on the outside interface and a static NAT entry for address translation.

example:

access-list outside permit tcp any host PublicIP-MailServer eq 25
access-list outside permit tcp any host PublicIP-MailServer eq 110
access-group outside in interface outside

Address translation with a static public IP:

static (inside,outside) PublicIP-MailServer PrivateIP-MailServer netmask 255.255.255.255

Reset all connections - address translation:

clear xlate

sincerely

Patrick

New Member

Re: Pix Firewall with Proxy Server

Dear Patrick,

I just need to allow outgoing smtp/pop3 (inside to outside) and only allow www traffic from the proxy server, i.e. 10.2.1.10.

Now, I have the following configuration:

access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp host 10.2.1.10 any eq www
access-group 100 in interface inside

Does it make any difference if I write the access lists in this way (below)?

access-list 100 permit tcp host 10.2.1.10 any eq www
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-group 100 in interface inside

What I am noticing is that most of the time Internet and smtp/pop traffic goes fine, but sometimes the Internet does not work and emails do not go out or come in to us.

I am a bit confused.

First of all check the configuration, and then tell me if you have any suggestion.

Regards,

Lasani

Re: Pix Firewall with Proxy Server

The access-list is processed in order, line 1 then line 2 ...; it does not really matter. Both of your examples are OK.

Put the access-list lines for the more important protocols at the beginning.

sincerely

Patrick

New Member

Re: Pix Firewall with Proxy Server

Why does the Internet sometimes stop, and emails going out or coming in stop working?

Any idea?

Re: Pix Firewall with Proxy Server

Difficult to say like this!

Might be a config problem, a performance issue, Internet problems?

1.) How many internal users do you have, and what is your user license? See in <show version>

2.) Troubleshooting guide: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

3.) Enable logging to syslog or the buffer to see what's going on:

logging on
logging buffered debugging
logging trap debugging
logging host SyslogIP

Syslog software can be found in:

http://www.ncat.co.uk/Download/3cdv2r10.exe

http://www.ncat.co.uk/Download/

sincerely

Patrick

Gold

Re: Pix Firewall with Proxy Server

just wondering what model of pix you have got? if you've got a pix501, then the issue may be related to the user licence.

do "sh ver" on pix to verify the internal user licence.

New Member

Re: Pix Firewall with Proxy Server

Hi again,

I have a Pix 515E in my network and there is no restriction on user licenses.

I have opened ports 80 and 443 only for the Proxy server, and ports 25 and 110 for the whole network.

Sometimes everything works fine: Internet users can browse, emails come and go without any problem. BUT sometimes nothing works, browsing stops, email send/receive also stops. When I do show xlate on the PIX it shows no translation.

As soon as I remove the access-list from the interface (no interface-group command), traffic starts flowing, and Internet browsing and email traffic become normal. And if I re-apply the access-list on the interface on the pix, it works for some time but stops again until I remove the access-list.

I am really confused with this behavior.

What could be the problem?

New Member

Re: Pix Firewall with Proxy Server

Hi again,

I have this configuration on my PIX 515E:

access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp host 10.2.1.10 any eq www
access-list 100 permit tcp host 10.2.1.10 any eq 8080
access-list 100 permit tcp host 10.2.1.10 any eq https
access-group 100 in interface inside

It is passing web traffic, but emails are not going through until I remove the access-group command.

When I remove the access-group command, things work, but if I apply it, sometimes email doesn't work, sometimes web traffic doesn't work.

Please check and let me know what could be done

Gold

Re: Pix Firewall with Proxy Server

Try adding: access-list 100 permit ip any any

i.e.

access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp host 10.2.1.10 any eq www
access-list 100 permit tcp host 10.2.1.10 any eq 8080
access-list 100 permit tcp host 10.2.1.10 any eq https
access-list 100 permit ip any any
access-group 100 in interface inside

Save with: write mem, and also issue: clear xlate

Let us know how you get on.

Jay

Gold

Re: Pix Firewall with Proxy Server

for outgoing email access, you are permitting smtp and pop3. how about imap? you need to permit this as well if you are using outlook to retrieve email.

with web traffic, i assume 10.2.1.10 is the proxy since it's the only host permitted to browse the internet. maybe try to verify whether the pc is pointing to 10.2.1.10 as its proxy for the internet.

New Member

Re: Pix Firewall with Proxy Server

What is the port number for imap to open?

The problem is that sometimes web traffic and email all work fine, sometimes only web traffic works and email does not, and sometimes both do not work until I remove the access-group command. And as soon as I remove the access-group command, everything starts to work.

Gold

Re: Pix Firewall with Proxy Server

i was thinking maybe the issue was related to the internal user licence. but then i found that the model you've got is a 515e, so it doesn't matter.

just wondering if the issue is with the internet link rather than the pix configuration. to verify, log on to the console when the issue occurs, then ping any internet ip.

with outlook (not express), imap needs to be permitted and it's tcp 143.

New Member

Re: Pix Firewall with Proxy Server

Dear Jack,

There is nothing wrong with the Internet connection, because as soon as I remove the access-list from the interface (no access-group command), Internet browsing and smtp/pop3 email start working fine.

That shows there is nothing wrong with the Internet connection.

Secondly, when the Internet and emails are not working and I give the show xlate command, it doesn't show me any translation.

I really wonder what is going on?

I have auditing enabled on the PIX for the internal and external interfaces; does it have something to do with that?

Gold

Re: Pix Firewall with Proxy Server

"sh xlate" is blank?! interesting. would you please post the config as well as "sh ver"

New Member

Re: Pix Firewall with Proxy Server

I think I have solved the problem :)

I have opened port 53 from my internal DNS server to the forwarder IP address, which is the DNS server of my ISP.

Everything is working fine; nobody has complained so far. Let's see by tomorrow.

I hope it will stay smooth.
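As an added example (not code from this thread), here is a small Python first-match evaluator for the ACL syntax used above. It replays the ACL 100 posted for the 515E and shows that UDP/53 from the internal DNS server to the ISP forwarder falls through to the implicit deny, which is what the final fix addresses; 10.2.1.5 (DNS server) and 203.0.113.53 (forwarder) are assumed placeholder addresses.

```python
# Added example, not from the thread: first-match evaluation of PIX-style ACLs.
from ipaddress import ip_address, ip_network

PORTS = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "domain": 53}

def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    """access-list NAME ACTION PROTO SRC DST [eq PORT] -> dict (thread's subset)."""
    t = line.split()
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORTS.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE decides; PIX appends an implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl):
        if (ace["proto"] in ("ip", proto)
                and (ace["src"] is None or ip_address(src) in ace["src"])
                and (ace["dst"] is None or ip_address(dst) in ace["dst"])
                and (ace["port"] is None or ace["port"] == dport)):
            return ace["action"]
    return "deny"

# ACL 100 as posted for the 515E: web only from the proxy, mail from anyone.
ACL_100 = [
    "access-list 100 permit tcp any any eq smtp",
    "access-list 100 permit tcp any any eq pop3",
    "access-list 100 permit tcp host 10.2.1.10 any eq www",
    "access-list 100 permit tcp host 10.2.1.10 any eq 8080",
    "access-list 100 permit tcp host 10.2.1.10 any eq https",
]
# The poster's fix: DNS from the internal DNS server to the ISP forwarder.
# 10.2.1.5 and 203.0.113.53 are constructed placeholder addresses.
ACL_100_FIXED = ACL_100 + ["access-list 100 permit udp host 10.2.1.5 host 203.0.113.53 eq domain"]

if __name__ == "__main__":
    print("proxy web   :", evaluate(ACL_100, "tcp", "10.2.1.10", "198.51.100.7", 80))
    print("client web  :", evaluate(ACL_100, "tcp", "10.2.1.20", "198.51.100.7", 80))
    print("DNS (posted):", evaluate(ACL_100, "udp", "10.2.1.5", "203.0.113.53", 53))
    print("DNS (fixed) :", evaluate(ACL_100_FIXED, "udp", "10.2.1.5", "203.0.113.53", 53))
```

With the posted ACL, name resolution only works while the DNS server still has answers cached, which matches the on-and-off behaviour reported in the thread and the empty "sh xlate".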
