-access-list name1 permit tcp any host global_ip eq 443
-access-group name in interface outside
It is working fine.
The problem is that once a static translation is opened from an outside PC to that private destination on port 443, I am able to initiate from the same PC another session to the same destination ON ANOTHER PORT (FOR EXAMPLE PORT 80 or 3389). Normally the PIX should not allow that.
Yes, "clear xlate" was done before, and I have tried it again and still have the same problem.
Note that if I try to initiate a connection on a port other than the one specified in the access list, it is denied by the PIX; such connections are bypassed by the PIX ONLY when there is already a connection open to the port specified in the access list.
I hope that you get my idea.
This problem really affects my network security, because once an outside connection is opened to my mail server or graph server, the outside user could explore my servers on other ports!!?
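For reference, here is the complete PIX 6.x configuration pattern the post describes (a one-to-one static translation, an access list that permits only TCP/443 to the translated address, and the access group binding it to the outside interface), together with the show commands used to confirm what the firewall is actually tracking. This is an added illustration, not configuration from the original poster; the addresses 203.0.113.10 and 10.1.1.10 and the list name web-in are placeholders.

```cisco
! One-to-one static translation: outside clients reach 10.1.1.10 via 203.0.113.10
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! Permit only HTTPS to the translated address; everything else is denied
! by the implicit deny at the end of the list
access-list web-in permit tcp any host 203.0.113.10 eq 443

! Bind the list inbound on the outside interface (the name here must match
! the access-list name exactly)
access-group web-in in interface outside

! Verification after an outside client has connected on 443:
!   show xlate   - lists the static translation (xlate entries are address
!                  mappings only; they carry no port information for a static)
!   show conn    - lists each individual TCP connection through the PIX;
!                  a second session to port 80 or 3389 from the same client
!                  should never appear here, because every new connection is
!                  checked against the inbound access list independently of
!                  any existing xlate or connection
show xlate
show conn
```

Note that in the post the access-list is named `name1` but the access-group references `name`; on the PIX those must match, so if that is a transcription error in the post it is worth checking with `show access-group` that the list actually bound to the outside interface is the one containing the port-443 entry.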
You seem to be running an old version of software on your PIX; this problem could be bug related. I would try and upgrade your PIX to a more recent version (try 6.3(3) or 6.2(3)) and see if the problem still exists.
I have tried to upgrade the PIX to a newer version, 6.1, but each time I do that my PIX reloads by itself, although it is equipped with 128 MB RAM and 16 MB Flash, so I am obliged to go back to 5.1(4). What can I do in such a case?
Note: all my real servers (DNS, mail, www server, ...) are running behind that firewall, so it can't be taken down for a long time.
Most probably you have two Flash cards: 2 MB (old) + 16 MB (new one). When the PIX reloads it dumps out the message "Flash card not supported" or something similar. That is why you are not able to load the 6.x code.
Please remove the old Flash card and upgrade the PIX.
Question: I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router. The following licenses have been activated on my router: