topic Re: Pix 525 static proxied computers cannot go out in Network Security

Pix 525 static proxied computers cannot go out

edugger — Fri, 21 Feb 2020 07:40:40 GMT

Im using the "static (inside,outside).." command to create incomming proxies to webservers and a mailserver. I can access to the webservers, but the webservers that are proxied to cannot go out to the internet. Mail doesn't work in either direction. All other clients can get to all other resources.

Is there any special acl's or commands that need to be done to allow for the proxied PCs to access the internet? I thought they would fall under the ACL of any any from that interfaces subnet but its not working.

Re: Pix 525 static proxied computers cannot go out

k.subramaniam — Wed, 13 Oct 2004 05:07:57 GMT

Hi,

I also have faced the same problem some time ago.

I had PIX OS 6.3.3 on PIX 515UR.

I had 2 webservers and 1 mailserver behind it.

The static proxied mail server would not go out to the internet after the static entry, however the web servers coould go out.

I then read somewhere that this might be a IOS bug, so i uploaded 6.3.4.

with this IOS, all servers could not reach out to the internet.

I then uploaded 6.3.3 from the cisco site, not the original one, again all servers not being able to go outside.

Finally, we give up and the case is under observation.

Someone having a clue please help both of us.

Regards.

Re: Pix 525 static proxied computers cannot go out

jimwelsh — Wed, 13 Oct 2004 05:15:38 GMT

The static(inside,outside) command does two things: 1) it creates a mapping of global IP Address to local IP Address for the inside servers, and 2) it permits traffic to flow from the lower-security to the higher-security interface. You also need to create an access-list and apply it to the outside interface with the access-group command to permit traffic on specific ports to come into the interface to the inside servers.

SMTP traffic can be thwarted by the "fixup protocol smtp" command. Depending on what SMTP servers are in use, I find that I often need to disable this command in order for SMTP traffic to flow.

As long as you have an appropriate nat and global command set to allow outbound access, you shoud be OK.

Can you post your config for examination?

Re: Pix 525 static proxied computers cannot go out

bvanniekerk — Wed, 13 Oct 2004 08:36:56 GMT

With each static (inside,outside) mapping, you will need an accompanying acl entry, thus:

acces-list ccc permit tcp any host outside_int eq smtp

should do the trick

Fixup allows for only 5 commands, so for testing purposes I suggest you disable it and then, when testing complete, re-activate and test again.

HTH

byron

Re: Pix 525 static proxied computers cannot go out

edugger — Wed, 13 Oct 2004 13:37:03 GMT

Here is my config. Its too big to post so its a txt attachment.

Thanks for your help.

Re: Pix 525 static proxied computers cannot go out

k.subramaniam — Thu, 14 Oct 2004 04:07:17 GMT

Hey JimWelsh,

I was talking in reference to any server, not a mail server or a web server particularly.

The actual problem is once the static command is given, the local pc which is mapped cannot reach out to the internet.

This is a strange problem.

Regards.