topic Re: Pix Firewall with Proxy Server in Network Security

Pix Firewall with Proxy Server

lasani — Fri, 21 Feb 2020 08:25:02 GMT

I need to allow only one IP address (the one for proxy server) to browse through Pix firewall to Internet.

What will be the commands in PIX firewall to block the traffic to Internet from all the inside network 10.2.1.x but only allow 10.2.1.10 (Proxy server).

All other computers will use proxy server address to use Internet.

Please let me know the correct commands and 2ndly let me know if other computer can browse Internet if they are using this particular Proxy server address?

Re: Pix Firewall with Proxy Server

Patrick Iseli — Sun, 25 Sep 2005 17:07:09 GMT

Could be something like this.

object-group service Proxy-TCP tcp

port-object eq 80

port-object eq 443

port-object eq 21

access-list proxy permit tcp host 10.2.1.10 any host object-group Proxy-TCP

access-list proxy deny tcp 10.2.1.0 255.255.255.0 any object-group Proxy-TCP

access-list proxy permit any any

access-group proxy in interface inside

This will block http, https and ftp for all inside host other than the Proxy server. Object group will be more flexible if you want to configure multiple TCP ports.

sincerely

Patrick

Re: Pix Firewall with Proxy Server

lasani — Sun, 25 Sep 2005 17:18:57 GMT

Dear Patrick,

Is it possible to make the configuration more STRICT such that all traffic to block from inside network (not only http, https and ftp) and allow all traffic from Proxy server.

What change do I have to make in this configuration?

I like the idea of object group here.

What if I have to use access-list without object group?

Re: Pix Firewall with Proxy Server

Patrick Iseli — Sun, 25 Sep 2005 17:24:56 GMT

Follow this example and all inside traffic will be blocked.

object-group service Proxy-TCP tcp

port-object eq 80

port-object eq 443

port-object eq 21

access-list proxy permit tcp host 10.2.1.10 any object-group Proxy-TCP

access-list proxy deny ip any any

access-group proxy in interface inside

Like this only the Proxy server can access the internet with http, https and ftp all other traffic will be blocked.

sincerely

Patrick

Re: Pix Firewall with Proxy Server

lasani — Mon, 26 Sep 2005 03:17:29 GMT

Hi again Patrick,

What is the difference in your first configuration and 2nd one?

In the first one you have given "access-list proxy permit any any"

whereas

In the 2nd one you have given "access-list proxy deny ip any any"

Do I need to combine both of them? or just follow the 2nd one to accomplish my task?

Re: Pix Firewall with Proxy Server

jackko — Mon, 26 Sep 2005 03:55:54 GMT

the reason for pat to change "permit ip any any" to "deny ip any any" is due to your requirement as stated:

Is it possible to make the configuration more STRICT such that all traffic to block from inside network (not only http, https and ftp) and allow all traffic from Proxy server.

in fact, you don't even need to put the "deny ip any any" as all acl by default would have this statement at the end.

so all you need are:

object-group service Proxy-TCP tcp

port-object eq 80

port-object eq 443

port-object eq 21

access-list proxy permit tcp host 10.2.1.10 any object-group Proxy-TCP

plus a proper nat/global statement

Re: Pix Firewall with Proxy Server

kthned — Mon, 26 Sep 2005 04:28:39 GMT

Will Object group command be work on IOS 6.1(4)

Thanks

Re: Pix Firewall with Proxy Server

lasani — Wed, 28 Sep 2005 10:03:38 GMT

Hi again,

First purpose is solved.

I am able to permit only Proxy server to go to the Internet and all other traffic is blocked.

Now, next step is that I need to allow some traffic like port 110, 25, citrix etc.

How can I make a new object group to open some ports and what will be the access-list for this new object group?

Re: Pix Firewall with Proxy Server

lasani — Wed, 28 Sep 2005 12:03:24 GMT

Hi again,

If I am giving the below mentioned ACLs, my purpose is solved:

access-list myproxy permit tcp host 10.2.1.10 any eq www

access-list myproxy permit tcp host 10.2.1.10 any eq https

access-list myproxy permit tcp host 10.2.1.10 any eq ftp-data

access-list myproxy permit tcp host 10.2.1.10 any eq ftp

Now I need to open smpt and pop3 for my email server, is the given below configuration correct:

access-list myproxy permit tcp any any eq smtp

access-list myproxy permit tcp any any eq pop3

access-group myproxy in interface inside

I think it should be OK, but I am not getting communication from outlook to the mail server.

Please assist.

Re: Pix Firewall with Proxy Server

Patrick Iseli — Wed, 28 Sep 2005 13:16:57 GMT

If you just want to open outgoing smtp and pop connections from any to any YES. From inside out outside (Internet)

If you want to allow smtp and pop connection from Internet to your Email server you need to create an access-list on the outside interface and a static for NAT for address translation.

example:

access-list outside permit tcp any host PublicIP-MailServer eq 25

access-list outside permit tcp any host PublicIP-MailServer eq 110

access-group outside in interface outside

Adress translation with a static public IP:

static (inside,outside) PublicIP-MailServer PrivateIP-MailServer netmask 255.255.255.255

Reset all connection - Address translation:

clear xlate

sincerely

Patrick

Re: Pix Firewall with Proxy Server

Patrick Iseli — Wed, 28 Sep 2005 13:22:58 GMT

No, object groups are just available on the 6.2.x release but not for 6.1.x.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094885.shtml

sincerely

Patrick

Re: Pix Firewall with Proxy Server

lasani — Wed, 28 Sep 2005 14:23:26 GMT

Dear Patrick,

I just need to allow outgoing smtp/pop3 (inside to outside) and only allow www traffic from proxy server i.e. 10.2.1.10.

Now, I have following configurations:

access-list 100 permit tcp any any eq smtp

access-list 100 permit tcp any any eq pop3

access-list 100 permit tcp host 10.2.1.10 any eq www

access-group 100 in interface inside

Does it make any difference if I write the access lists in this way (below)

access-list 100 permit tcp host 10.2.1.10 any eq www

access-list 100 permit tcp any any eq smtp

access-list 100 permit tcp any any eq pop3

access-group 100 in interface inside

What I am noticing is that, most of the time Internet and smtp/pop traffic goes fine but sometime Internet does not work and emails do not go and come to us.

I am confused a bit.

First of all check the configuration and then tell me if any suggestion.

Regards,

Lasani

Re: Pix Firewall with Proxy Server

Patrick Iseli — Wed, 28 Sep 2005 15:19:25 GMT

The access-list follows its order, line 1 then line 2 ..., it does not really matter. Both of your examples are OK.

Use the more important protocols access-list lines in the beginning.

Click on Rate this Post to help identify the most useful NetPro content.

sincerely

Patrick

Re: Pix Firewall with Proxy Server

lasani — Wed, 28 Sep 2005 15:48:19 GMT

Why sometime Internet stops and emails going out or coming in stop working?

Any idea?

Re: Pix Firewall with Proxy Server

Patrick Iseli — Wed, 28 Sep 2005 16:58:38 GMT

Difficult to say like this !

Might be a config problem, performance issue, internet problems ?

1.) How many internal users have you and what is your user license. See in < show version>

2.) Troubleshooting guide: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

3.) Enable logging to syslog or buffer to see whats going on:

logging on

logging buffered debugging

logging trap debugging

logging host SyslogIP

Syslog software can be found in:

http://www.ncat.co.uk/Download/3cdv2r10.exe

http://www.ncat.co.uk/Download/

sincerely

Patrick

Re: Pix Firewall with Proxy Server

jackko — Thu, 29 Sep 2005 12:30:00 GMT

just wondering what model of pix have you got? if you've got a pix501, then the issue maybe related to the user licence.

do "sh ver" on pix to verify the internal user licence.

Re: Pix Firewall with Proxy Server

lasani — Fri, 30 Sep 2005 13:10:22 GMT

Hi again,

I have Pix 515E in my network and there is no restruction for user licenses.

I have opened Port 80 and 443 only for Proxy server and port 25 and 110 for all network.

Sometime everything works fine, Internet users can browse, emails come and go without any problem. BUT sometime nothing works, browsing stops, emails send/receive also stop. When I do show xlat in PIX it shows no translation.

As soon as I remove access-list from the interface (no interface-group command), traffic starts flowing, Internet browsing and email traffic becomes normal. And if I re-apply the access-list on the interface on pix, it works for sometime but stops again till I remove the access-list.

I am really confused with this behavior.

What could be the problem?

Re: Pix Firewall with Proxy Server

lasani — Sat, 01 Oct 2005 07:15:16 GMT

Hi again,

I have this configuration on my PIX 515E:

access-list 100 permit tcp any any eq smtp

access-list 100 permit tcp any any eq pop3

access-list 100 permit tcp host 10.2.1.10 any eq www

access-list 100 permit tcp host 10.2.1.10 any eq 8080

access-list 100 permit tcp host 10.2.1.10 any eq https

access-group 100 in interface inside

It is passing web traffic but emails are not going through until I removed access-group command.

When I remove access-group command, things work but if I apply, sometime emails doesn't work, sometime web traffic doesn't work.

Please check and let me know what could be done

Re: Pix Firewall with Proxy Server

jmia — Sat, 01 Oct 2005 07:43:23 GMT

Try adding: access-list 100 permit ip any any

i.e.

access-list 100 permit tcp any any eq smtp

access-list 100 permit tcp any any eq pop3

access-list 100 permit tcp host 10.2.1.10 any eq www

access-list 100 permit tcp host 10.2.1.10 any eq 8080

access-list 100 permit tcp host 10.2.1.10 any eq https

access-list 100 permit ip any any

access-group 100 in interface inside

Save with: write mem and also issue: clear xlate

Let us know how you get on.

Jay

Re: Pix Firewall with Proxy Server

jackko — Sat, 01 Oct 2005 07:57:34 GMT

for outgoing email access, you are permitting smtp and pop3. how about imap? you need to permit this as well if you are using outlook to retrieve email.

with web traffic, i assume 10.2.1.10 is the proxy since it's the only host permited to browse the internet. maybe try to verify whether the pc is pointing the 10.2.1.10 as a proxy for internet.