03-24-2004 09:40 PM - edited 02-20-2020 11:18 PM
Hi ...
I am new to security.
I have a router (2600) and a Linux proxy with 200 users.
I want to enable my firewall with the Linux proxy.
Here is my config:
PIX Version 6.3(1)
-------------------------------------------
interface ethernet0 auto
interface ethernet1 auto
(This is for enabling the particular interface)
------------------------------------------------
nameif ethernet0 outside security0
nameif ethernet1 inside security100
-----------------------------------------------------------
enable password yMQsZfE0puy6mcN6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname syntax-firewall
--------------------------------------------------------------------
domain-name syntaxsoft.com
----------------------------------------------------------------------
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
------------------------------------------------------------------------
names
pager lines 24
mtu outside 1500
mtu inside 1500
-------------------------------------------------------------------------
ip address outside 61.x.x.x 255.255.255.224
ip address inside 192.200.x.x 255.255.255.0
(Assigning the IP addresses)
ip audit info action alarm
ip audit attack action alarm
-------------------------------------------------------------------------
pdm logging informational 100
pdm history enable
-------------------------------------------
arp timeout 14400
----------------------------------------------------------
global (outside) 1 61.x.x.1.0-61.x.x.5
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 61.x.x.x 1
--------------------------------------------------------------------------------------------------
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
----------------------------------------------------------------------------------------------------
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa proxy-limit disable
aaa authentication secure-http-client
http server enable
http 192.200.20.x 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
----------------------------------------------------
Also, my Linux box has 2 Ethernet ports; one is assigned a private IP and the other one a public IP.
Can you send me an exact config file with a sample configuration?
Waiting for reply.
Jay
03-24-2004 10:20 PM
If you want to allow only the Linux proxy to go to the internet and deny all other PCs if they try to bypass the proxy, then do the following:
nat (inside) 1
Thanks
Nadeem
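Written out in PIX 6.3 syntax, the host-scoped `nat` statement the reply above points at, as an added example rather than Nadeem's own text or Cisco documentation; the proxy inside address 192.200.20.10 is a placeholder, and the `!` lines are comments for the reader:

```cisco
! As posted: every inside host is translated into global pool 1,
! so any PC can reach the internet directly and bypass the proxy.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Replacement: translate only the proxy's inside address (placeholder
! 192.200.20.10). An inside host that matches no nat statement gets no
! translation, so its outbound packets are dropped by the PIX.
no nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 192.200.20.10 255.255.255.255 0 0

! Optional: state the policy explicitly and log bypass attempts rather
! than relying only on the missing translation (the access-list log
! keyword is available from PIX 6.3).
access-list inside_in permit ip host 192.200.20.10 any
access-list inside_in deny ip any any log
access-group inside_in in interface inside
```

This only governs traffic that enters the inside interface: a proxy whose second NIC holds a public address on the outside segment never sends its browsing through the PIX, which is the design point raised later in the thread.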
03-24-2004 11:10 PM
Yes, you're right; I want to allow only my Linux proxy to get out.
As per your advice I have enabled the following command:
nat (inside) 1
Still I am getting errors as follows in debugging mode, and still I am not able to browse:
710005: UDP request discarded from 192.200.20.25/137 to inside:192.200.20.255/netbios-ns
(this is my machine IP)
710005: UDP request discarded from 61.95.x.x/2301 to outside:255.255.255.255/2301
(this is the Linux proxy global IP)
710005: UDP request discarded from 192.200.20.153/2301 to outside:255.255.255.255/2301
(this is the mail server local IP)
Can you advise on the following:
1. What should I do for the browser setting?
2. My LAN network is the 192.200.20.0 series (does it make any difference?)
3. Without the firewall I am using the browser setting with that proxy IP and port 3152.
Waiting for your favourable reply.
Thanks a lot.
Cheers
Jay
03-25-2004 10:56 AM
The above messages are not related to your issue. As I said, your config looks good. This seems to be a design issue.
You said your Linux proxy has two IPs, one private and one public, so probably Linux is directly trying to reach the internet. What is the public IP? Is it in the range of the PIX public network? If so, then how would you redirect your traffic to the inside interface?
For answers to your questions:
1... Your browser should be pointing to your proxy server (provided you want to use the proxy).
2... Your LAN network IP does not make any difference. What are the private and public IPs of your proxy?
Thanks
03-25-2004 08:26 PM
Hi ...
Thanks for your response.
I forgot to write about one issue. Right now I am testing with my single PC with the firewall,
i.e.
               cross cable                     straight cable
PC ----------------------------- Firewall ---------------------------- LAN port
                        (inside)          (outside)
Also inside, the PC and one of the proxy's IPs are in the 192.200.20.x series.
Outside, the router and one of the proxy's IPs are in the same 61.95.x.x series.
Am I doing it right? Please clarify for me.
If I am doing it like this, should any routing be added, or what?
Also, in the above config I have added my routing to the proxy, but still it is not working.
Can anyone please help me out?
My Yahoo ID is jk_jin@yahoo.com
If interested, please help me in chat.
Waiting for a favourable reply.
Thanks
J.Jayakumar
03-29-2004 09:25 PM
Thanks for your suggestion.
My network details:
Router
1. Ethernet IP - 61.x.x.x (public IP)
2. Serial IP - 202.x.x.x
Firewall
1. e0 (outside) - 61.x.x.x (public IP)
2. e1 (inside) - 192.200.x.x (LAN IP)
Linux proxy
1. 192.200.x.x (LAN IP)
2. 61.x.x.x (public IP)
Also I am connecting with a single PC, where I am connecting my Ethernet port to the inside port of the firewall using a cross cable, and the outside of the firewall I am connecting to my LAN port.
Does it make any difference to testing the firewall?
Please advise on this.