10-14-2003 08:07 AM - edited 02-20-2020 11:02 PM
Hello,
I have a PIX 520 running software 5.1(4). I have created a static translation in order to allow outside users to access a server on port 443 (HTTPS).
This was done with the following statements:
-static (inside,outside) global_ip_address private_ip_address netmask 255.255.255.255 0 0
-access-list name1 permit tcp any host global_ip_address eq 443
-access-group name1 in interface outside
It is working fine.
The problem is: once a static translation is opened from an outside PC to that private destination on port 443, I am able to initiate from the same PC another session to the same destination ON ANOTHER PORT (FOR EXAMPLE PORT 80 or 3389). Normally the PIX should not allow that.
Can anyone help?
Regards,
Jacob
10-14-2003 11:29 AM
Yes, you are right this should never be the case.
How about any other permit entries in access-list name1? Maybe you missed them out!
Thanks
Nadeem
10-14-2003 10:05 PM
Hi Nadeem,
Thanks for your reply.
There are no other entries in the access list name1. Should I add
access-list name1 deny any any
or is it added by default at the end of each access list? Maybe it is a software bug?
Help is needed.
Regards,
Jacob
10-14-2003 11:12 PM
Hi,
"Deny any any" is implicitly there, so there is no need to add it.
Could you please confirm if you have done the "clear xlate"?
Thanks
Nadeem
10-16-2003 02:15 AM
Hi Nadeem,
Yes, "clear xlate" was done before, and I have tried it again and still I have the same problem.
Note that if I try to initiate a connection on a port other than the one specified in the access list, it is denied by the PIX; they are bypassed by the PIX ONLY when there is a connection already opened to the port specified in the access list.
I hope that you get my idea.
This problem really affects my network security, because once an outside connection is opened to my mail server or graph server, the outside user could explore my servers on other ports!!?
Thanks in advance for your reply.
Regards,
Jacob.
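A quick way to check for the behaviour Jacob describes (sessions to ports the ACL never permitted appearing once an xlate exists) is to compare the PIX's connection table against the intended ACL. The script below is an added example, not code from this thread or from Cisco; it assumes the "show conn" line layout of the PIX 6.x era ("TCP out <outside ip:port> in <inside ip:port> idle ... Bytes ... flags ..."), and the sample output and addresses are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of "show conn" output (assumed PIX 6.x line format).
# 203.0.113.5 is an outside host; 192.168.1.10 is the inside server
# that is supposed to be reachable on TCP/443 only.
SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.5:1034 in 192.168.1.10:443 idle 0:00:05 Bytes 1892 flags UIO
TCP out 203.0.113.5:1035 in 192.168.1.10:80 idle 0:00:02 Bytes 310 flags UIO
TCP out 203.0.113.5:1036 in 192.168.1.10:3389 idle 0:00:01 Bytes 0 flags saA
TCP out 198.51.100.7:2201 in 192.168.1.10:443 idle 0:01:10 Bytes 40211 flags UIO
"""

# (inside host, port) pairs the outside ACL is meant to permit; this
# mirrors the single "permit tcp any host ... eq 443" line in the thread.
PERMITTED: Set[Tuple[str, int]] = {("192.168.1.10", 443)}

# One regex for the assumed "show conn" line layout.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<oip>[\d.]+):(?P<oport>\d+)"
    r"\s+in\s+(?P<iip>[\d.]+):(?P<iport>\d+)"
    r"\s+idle\s+(?P<idle>\S+)\s+Bytes\s+(?P<bytes>\d+)\s+flags\s+(?P<flags>\S+)"
)


def parse_show_conn(text: str) -> List[Dict[str, object]]:
    """Parse "show conn" output into one dict per connection line.

    Lines that do not match the assumed layout are skipped rather than
    raising, so header or summary lines in real output are harmless.
    """
    conns: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        conns.append({
            "proto": m["proto"],
            "outside_ip": m["oip"],
            "outside_port": int(m["oport"]),
            "inside_ip": m["iip"],
            "inside_port": int(m["iport"]),
            "bytes": int(m["bytes"]),
            "flags": m["flags"],
        })
    return conns


def find_unpermitted(conns: List[Dict[str, object]],
                     permitted: Set[Tuple[str, int]]) -> List[Tuple[str, str, int, str]]:
    """Return (outside ip, inside ip, inside port, flags) for every inbound
    connection whose destination is not in the permitted set.

    Any hit here means a session exists that the ACL should have blocked,
    which is exactly the symptom reported in the thread.
    """
    leaks = []
    for c in conns:
        key = (c["inside_ip"], c["inside_port"])
        if key not in permitted:
            leaks.append((c["outside_ip"], c["inside_ip"],
                          c["inside_port"], c["flags"]))
    return leaks


if __name__ == "__main__":
    for oip, iip, port, flags in find_unpermitted(parse_show_conn(SAMPLE_SHOW_CONN), PERMITTED):
        print(f"unexpected session: {oip} -> {iip}:{port} (flags {flags})")
```

On a real box the input would be the pasted output of "show conn"; the "flags" column is kept in the result because a half-open SYN (for example "saA") reaching the inside host at all already shows the ACL was not applied to that packet.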
10-16-2003 04:41 AM
You seem to be running an old version of software on your PIX; this problem could be bug related. I would try and upgrade your PIX to a more recent version (try 6.3(3) or 6.2(3)) and see if the problem still exists.
10-18-2003 07:51 AM
Hello,
I have tried to upgrade the PIX to a newer version, 6.1, but each time I do that, my PIX gets reloaded by itself, although it is equipped with 128 MB RAM and 16 MB Flash, so I am obliged to go back to 5.1(4). So what can I do in such a case?
Note: all my real servers (DNS, mail, www server ...) are running behind that firewall, so I can't have it forced down for a long time.
Jacob.
10-18-2003 10:10 AM
Hi,
Most probably you have two Flash cards: 2MB (old) + 16MB (new one). When the PIX reloads it dumps out the message "Flash card not supported" or something similar. That is why you are not able to load up 6.x code.
Please remove the old Flash card and upgrade the PIX.
Try to upgrade to 6.3.3 and not to 6.1.
Thanks
Nadeem
10-19-2003 01:43 AM
Are you using any conduits on the outside interface? Conduits and ACLs on the same interface can result in problems.