PIX weird problem

teltac
Level 1

Hello,

I have a PIX 520 running software 5.1(4). I have created a static translation in order to allow outside users to access a server on port 443 (HTTPS).

This was done with the following statements:

-static (inside,outside) global_ip_address private_ip_address netmask 255.255.255.255 0 0

-access-list name1 permit tcp any host global_ip_address eq 443

-access-group name1 in interface outside

It is working fine.

The problem is: once a static translation is opened from an outside PC to that private destination on port 443, I am able to initiate from the same PC another session to the same destination ON ANOTHER PORT (FOR EXAMPLE PORT 80 or 3389). Normally the PIX should not allow that.

Can anyone help?

Regards,

Jacob

8 Replies

nkhawaja
Cisco Employee

Yes, you are right, this should never be the case.

How about any other permit entries in access-list name1? Maybe you missed them out!

Thanks

Nadeem

Hi Nadeem,

Thanks for your reply.

There are no other entries in the access list name1. Should I add

access-list name1 deny any any

or is it added by default at the end of each access list? Maybe it is a software bug?

Help is needed.

Regards,

Jacob

Hi,

Deny any any is implicitly there, so no need to add it.

Could you please confirm if you have done the "clear xlate"?

Thanks

Nadeem

Hi Nadeem,

Yes, "clear xlate" was done before and I have tried it again, and still I have the same problem.

Note that if I try to initiate a connection on a port other than the one specified in the access list, it is denied by the PIX; they are bypassed by the PIX ONLY when there is a connection already opened to the port specified in the access list.

I hope that you get my idea.

This problem really affects my network security because once an outside connection is opened to my mail server, or graph server, the outside user could explore my servers on other ports!!?

Thanks in advance for your reply.

Regards,

Jacob.

You seem to be running an old version of software on your PIX; this problem could be bug related. I would try to upgrade your PIX to a more recent version (try 6.3(3) or 6.2(3)) and see if the problem still exists.

Hello,

I have tried to upgrade the PIX to a newer version, 6.1, but each time I do that, my PIX gets reloaded by itself although it is equipped with 128 MB RAM and 16 MB Flash, so I am obliged to go back to 5.1(4). So what can I do in such a case?

Note: all my real servers (DNS, mail, www server ...) are running behind that firewall, so I can't force it down for a long time.

Jacob.

Hi,

Most probably you have two Flash cards: 2MB (old) + 16MB (new one). When the PIX reloads it dumps out the message of Flash card not supported or something similar. That is why you are not able to load up 6.x code.

Please remove the old Flash card and upgrade the PIX.

Try to upgrade to 6.3.3 and not to 6.1.

Thanks

Nadeem

Are you using any conduits on the outside interface? Conduits and ACLs on the same interface can result in problems.
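
Added example (Python), not code from the thread, from Cisco, or from the PIX itself: it parses the static / access-list / access-group command forms quoted in the original post plus the conduit form raised in the last reply, models the inbound ACL lookup with the implicit deny any any that Nadeem describes, and reports the configuration findings a defender would want to catch before trusting a published service: an access-group bound to an ACL that was never defined, a static with no applied permit entry, ports reachable beyond the intended set, and conduits coexisting with ACLs. The embedded config, its addresses and its ACL names are constructed for illustration; the evaluation models ACL and conduit entries only and does not attempt to reproduce the version-specific xlate behaviour Jacob reports.

```python
import re
from collections import defaultdict

# Constructed config fragment modelled on the commands quoted in the thread;
# addresses are documentation-range placeholders.  It carries one deliberate
# defect: access-group binds "name" while the access-list is called "name1",
# so the intended ACL is never applied to the outside interface.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0
access-list name1 permit tcp any host 203.0.113.10 eq 443
access-group name in interface outside
"""

STATIC_RE = re.compile(r"^static\s*\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\w+)\s+(any|host \S+)"
                    r"\s+host\s+(\S+)\s+eq\s+(\d+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\w+)")
CONDUIT_RE = re.compile(r"^conduit\s+(permit|deny)\s+(\w+)\s+host\s+(\S+)\s+eq\s+(\d+)\s+any$")


def parse(config):
    """Parse the four command forms this audit understands (static, access-list,
    access-group, conduit) from a PIX-style config fragment; other lines are ignored."""
    cfg = {"statics": [], "acls": defaultdict(list), "groups": {}, "conduits": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            cfg["statics"].append({"global": m[3], "local": m[4]})
        elif m := ACL_RE.match(line):
            cfg["acls"][m[1]].append({"action": m[2], "proto": m[3], "src": m[4],
                                      "dst": m[5], "port": int(m[6])})
        elif m := GROUP_RE.match(line):
            cfg["groups"][m[2]] = m[1]               # interface -> ACL name
        elif m := CONDUIT_RE.match(line):
            cfg["conduits"].append({"action": m[1], "proto": m[2],
                                    "dst": m[3], "port": int(m[4])})
    return cfg


def permitted(config, interface, proto, dst, port):
    """Model the inbound ACL check on `interface`: the first matching entry wins,
    and a packet that matches nothing falls through to the implicit 'deny any any'
    at the end of every PIX ACL.  In this model an interface with no ACL bound, or
    bound to an ACL that does not exist, permits nothing inbound (ACL entries only;
    conduits are reported by audit() but not evaluated here)."""
    cfg = parse(config)
    for entry in cfg["acls"].get(cfg["groups"].get(interface), []):
        if entry["proto"] == proto and entry["dst"] == dst and entry["port"] == port:
            return entry["action"] == "permit"
    return False


def audit(config, expected_ports):
    """Return a list of findings.  `expected_ports` maps each global (translated)
    address to the set of TCP ports that are supposed to be reachable from outside."""
    cfg = parse(config)
    findings = []
    for iface, name in cfg["groups"].items():
        if name not in cfg["acls"]:
            findings.append(f"access-group on {iface} references undefined ACL {name!r}")
    if cfg["conduits"] and cfg["groups"]:
        findings.append("conduit entries coexist with access-group bindings; use one mechanism")
    bound = {n for n in cfg["groups"].values() if n in cfg["acls"]}
    for st in cfg["statics"]:
        glob = st["global"]
        permits = {e["port"] for n in bound for e in cfg["acls"][n]
                   if e["action"] == "permit" and e["dst"] == glob}
        permits |= {c["port"] for c in cfg["conduits"]
                    if c["action"] == "permit" and c["dst"] == glob}
        wanted = expected_ports.get(glob, set())
        if not permits:
            findings.append(f"static {glob}->{st['local']} has no applied permit entry")
        for extra in sorted(permits - wanted):
            findings.append(f"{glob}: port {extra} reachable but not expected")
        for missing in sorted(wanted - permits):
            findings.append(f"{glob}: expected port {missing} not permitted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"203.0.113.10": {443}}):
        print("FINDING:", finding)
```

Running the block as-is reports the undefined ACL binding and the static left without any applied permit; once the access-group line names the right ACL the audit is clean, `permitted()` returns True for 443 and False for 80 (the implicit deny), and adding a conduit for port 80 next to the ACL produces both the mixed-mechanism finding and an unexpected-port finding.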
