topic Re: PIX weired problem in Network Security

PIX weired problem

teltac — Fri, 21 Feb 2020 07:02:38 GMT

Hello,

i have a PIX 520 running softwrae 5.1(4) , i have created a static translation in order to allow outside users access a server on port 443(HTTPS) .

This was done with the following statements:

-static(inside,outside) global_ip_address private_ip_address netmask 255.255.255.255 0 0

-access-list name1 permit tcp any host global_ip eq 443

-access-group name in interface outside

it is working fine ,

the problem is once a static translation is opened from an outside pc to that private destination on port 443 , i am able to initiate from the same pc another session to the same destination ON ANOTHER PORT ( FOR EXAMPLE PORT 80 or 3389) ,normally the pix should not allow that .

any one could help ?

Regards,

Jacob

Re: PIX weired problem

nkhawaja — Tue, 14 Oct 2003 18:29:47 GMT

Yes, you are right this should never be the case.

How about any other permit entries in access-list name1? May be you missed them out!

Thanks

Nadeem

Re: PIX weired problem

teltac — Wed, 15 Oct 2003 05:05:55 GMT

Hi Nadeem,

Thanks for your reply ,

there are no other entries in the access list name1 , should i add

access-list name1 deny any any

or it is added by default at the end of each access list? may be is it a software bug ?

help is needed

Regards,

Jacob

Re: PIX weired problem

nkhawaja — Wed, 15 Oct 2003 06:12:55 GMT

Hi,

Deny any any is implicitly there so no need to add.

Could you please confirm if you have done the "clear xlat"

Thanks

Nadeem

Re: PIX weired problem

teltac — Thu, 16 Oct 2003 09:15:46 GMT

Hi Nadeem,

yes ," clear xlate" was done before and i have tried it again and still i have the same problem.

Note that if i try to initiate a connection on a port other that specified in the access list it is denied by PIX , they are bypassed by PIX ONLY when there s a connection already opened to the port specified in the access list.

I hope that you get my idea ,

this problem really affects my network security because once an outside connection is opened to my mail sever , or graph server , the outside user could explore my servers on others ports !!?

Thanks in advance for your reply

Regards,

Jacob.

Re: PIX weired problem

p.mcgowan — Thu, 16 Oct 2003 11:41:15 GMT

You seem to be running an old version of software on your pix, this problem could be bug related. I would try and upgrade your pix to a more recent version (try 6.3(3) or 6.2(3))and see of the problem still exists

Re: PIX weired problem

teltac — Sat, 18 Oct 2003 14:51:56 GMT

Hello,

i have tried to upgrade pix to a newer Version 6.1 , but each time i do that, i am getting my pix reloaded by itself although it is equipped with 128 MB RAM and 16 MB Flash so i am obliged to go back to 5.1(4) , so what can i do in such case ?

Note : all my real servers ( DNS , mail, www server ..) are running behind that firewall , so i can't forced down for a long time .

Jacob.

Re: PIX weired problem

nkhawaja — Sat, 18 Oct 2003 17:10:48 GMT

Hi,

Most probably you have two Flash cards 2MB (old) + 16MB (new one). When the PIX reloads it dumps out the message of Flash card not supported or something similiar. That is why you are not able to load up 6.x code.

Please remove the old Flash card and upgrade the PIX.

Try to upgrade to 6.3.3 and not to 6.1

Thanks

Nadeem

Re: PIX weired problem

lwierenga — Sun, 19 Oct 2003 08:43:33 GMT

Are you using any conduits on the outside interface? Conduits and ACL's on the same interface can result in problems.