topic Re: pix https in Network Security

pix https

wharrison — Fri, 21 Feb 2020 07:35:59 GMT

I have pix 525 with three interfaces. All traffic flows accept for https connections, they work to the dmz.

Re: pix https

nkhawaja — Fri, 27 Aug 2004 01:26:02 GMT

Hi,

so i get that you can't open up https sites from inside to outside? Is this a new installation? What OS version of PIX? Are there any syslog messages you can collect? is there any particular site you are having trouble with?

Even my questions are longer than your description of problem 😉

Thanks

Nadeem

Re: pix https

wharrison — Fri, 27 Aug 2004 10:29:40 GMT

This is a new installation, we have six web servers on the dmz. Two of the web servers run https. These are the two web servers that you can not access thru 443 from inside or outside. I just upgraded the OS from 6.3.1 to 6.3.4 along with the pdm 3.01 to 3.02. One server is MS Exchange OWA, the other a ssl java website page.

Re: pix https

nkhawaja — Fri, 27 Aug 2004 16:51:10 GMT

So was it working with 6.3.1?

Can you share the config (hide the IP addresses).

Any syslog messages? What is the server in question IP

Thanks

Re: pix https

wharrison — Sun, 29 Aug 2004 14:23:28 GMT

It did not work with 6.3.1, but I wonder if adding 443 to the fixup protocol will work. please respond.

Re: pix https

nkhawaja — Sun, 29 Aug 2004 17:16:44 GMT

I doubt it will work with adding fixup 443,

you need to collect syslog messages now.

Re: pix https

wharrison — Mon, 30 Aug 2004 17:31:15 GMT

I discovered the two web servers also have two nic cards, one connected to the dmz and the other to the lan network. I think this might be the problem please respond.

Re: pix https

TimeCr0ss — Wed, 01 Sep 2004 22:16:34 GMT

Sounds like you're confusing your servers. Each nic on the servers is configured for a different network (dmz/inside). Try removing the servers from the LAN and add the corresponding statements in your PIX to talk to the servers through the DMZ.

Re: pix https

a.awan — Thu, 02 Sep 2004 04:48:42 GMT

I personally do not consider this a good security practice to connect a device in DMZ directly to the internal LAN. The justification being if your DMZ server is compromised your internal devices are at a higher risk of being compromised. If the second NIC on the DMZ servers connects to some other LAN (such as a dedicated backup LAN) then my concerns do not apply to your situation and ignore them.

To answer your actual question, when you have multiple NICs installed in a MS Windows machine the TCP/IP stack only uses one default gateway to communicate with the outside world. There is not hard and fast rule as to which gateway will be used. Do you have multiple default gateways configured?: If yes then i will recommend removing the default gateway on the NIC connected to the internal LAN thereby forcing all traffic from unknown destinations to flow through the PIX. Only communication to internal LAN hosts will flow through the secondary NIC.