Upgrade from 6.3(4) to 6.3(5)

brianmcatamney
Level 1

Hi, I upgraded the Pix 506e from 6.3(4) to 6.3(5). It then failed to allow external port 443 traffic to our internal web server.

Error message on PIX when users try to connect is '710005: TCP request discarded from (External IP address)/50649 to outside:200.x.x.x/https'.

I only want to allow external traffic through on port 443 to our Web server. No traffic is allowed out from internal hosts.

Pix config as below:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname Pix
domain-name Pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl1 permit tcp any host 200.x.x.x eq https log 7 interval 600
pager lines 22
logging on
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside 200.x.x.x 255.x.x.x
ip address inside 192.168.x.x 255.x.x.x
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
static (inside,outside) tcp 200.x.x.x https 192.168.x.x https netmask 255.255.255.255 0 0
access-group acl1 in interface outside
route outside 0.0.0.0 0.0.0.0 200.x.x.x 1
route inside 192.168.x.x 255.x.x.x 192.168.x.x 1
route inside 192.168.x.x 255.x.x.x 192.168.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0

Any ideas anyone?

Thanks.
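The post quotes a 710005 syslog line and a config whose static, access-list and access-group entries appear consistent, so the useful check is a mechanical cross-reference of the two. The script below is an added example, not code from the poster or from Cisco: it parses the relevant PIX 6.3 config lines and 710005 messages, and for each discarded request reports whether a matching static exists on that interface, whether the ACL bound to the interface permits it, and whether the destination is the interface's own address. That last case is worth surfacing because 710005 is the PIX message for a request addressed to the firewall itself, and PIX 6.x uses the `interface` keyword (`static (inside,outside) tcp interface https ...`) for port redirection on an interface address. All addresses and log lines are constructed placeholders modelled on the post, not the poster's real values.

```python
"""Cross-check PIX 6.3 static / access-list / access-group lines against
%PIX-7-710005 discards.  Added example; constructed sample data throughout."""
import re
from collections import Counter

# Constructed config fragment modelled on the post (placeholder addresses).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl1 permit tcp any host 203.0.113.10 eq https log 7 interval 600
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp 203.0.113.10 https 192.168.1.20 https netmask 255.255.255.255 0 0
access-group acl1 in interface outside
"""

# Constructed syslog lines in the format quoted in the post.
SAMPLE_LOG = """\
%PIX-7-710005: TCP request discarded from 198.51.100.7/50649 to outside:203.0.113.10/https
%PIX-7-710005: TCP request discarded from 198.51.100.7/50650 to outside:203.0.113.10/https
%PIX-7-710005: UDP request discarded from 198.51.100.9/1234 to outside:203.0.113.10/snmp
"""

# Small subset of PIX service keywords; extend as needed.
SERVICE_PORTS = {"https": 443, "http": 80, "snmp": 161, "ssh": 22, "telnet": 23, "smtp": 25}

LOG_RE = re.compile(
    r"%PIX-7-710005: (TCP|UDP) request discarded from (\S+)/(\d+) to (\S+):(\S+)/(\S+)")


def port_of(token):
    """Resolve a numeric port or PIX service keyword to an integer."""
    if token.isdigit():
        return int(token)
    if token not in SERVICE_PORTS:
        raise ValueError(f"unknown service keyword: {token}")
    return SERVICE_PORTS[token]


def parse_config(text):
    """Extract interface addresses, TCP/UDP statics, ACL permits and bindings."""
    cfg = {"if_addr": {}, "statics": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        if m := re.match(r"ip address (\S+) (\S+) \S+$", line):
            cfg["if_addr"][m[1]] = m[2]
        elif m := re.match(r"static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)", line):
            cfg["statics"].append({"mapped_if": m[2], "proto": m[3], "global": m[4],
                                   "gport": port_of(m[5]), "local": m[6], "lport": port_of(m[7])})
        elif m := re.match(r"access-list (\S+) permit (\S+) (any|host \S+) (any|host \S+) eq (\S+)", line):
            cfg["acls"].setdefault(m[1], []).append({"proto": m[2], "dst": m[4], "port": port_of(m[5])})
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["groups"][m[2]] = m[1]  # interface -> ACL name
    return cfg


def parse_log(text):
    """Return one event dict per 710005 line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        if m := LOG_RE.search(line):
            events.append({"proto": m[1].lower(), "src": m[2], "iface": m[4],
                           "dst": m[5], "port": port_of(m[6])})
    return events


def _dst_matches(entry, dst):
    return entry == "any" or entry == f"host {dst}"


def diagnose(cfg, events):
    """Label each discard: no-static, no-acl-permit, interface-address, or unexplained."""
    results = []
    for ev in events:
        has_static = any(s["mapped_if"] == ev["iface"] and s["proto"] == ev["proto"]
                         and s["global"] == ev["dst"] and s["gport"] == ev["port"]
                         for s in cfg["statics"])
        acl = cfg["acls"].get(cfg["groups"].get(ev["iface"]), [])
        permitted = any(a["proto"] == ev["proto"] and _dst_matches(a["dst"], ev["dst"])
                        and a["port"] == ev["port"] for a in acl)
        if not has_static:
            verdict = "no-static"
        elif not permitted:
            verdict = "no-acl-permit"
        elif cfg["if_addr"].get(ev["iface"]) == ev["dst"]:
            verdict = "interface-address"  # static and ACL match, but dst is the PIX's own address
        else:
            verdict = "unexplained"
        results.append({**ev, "verdict": verdict})
    return results


def summarize(results):
    """Count discards per (destination, port, verdict) for a quick overview."""
    return Counter((r["dst"], r["port"], r["verdict"]) for r in results)


if __name__ == "__main__":
    res = diagnose(parse_config(SAMPLE_CONFIG), parse_log(SAMPLE_LOG))
    for r in res:
        print(r)
    print(summarize(res))
```

Run it against a copy of `show run` and the console log; a verdict of `interface-address` on the published port means the ACL and static are not the place to keep looking, while `no-acl-permit` or `no-static` points straight at the missing line.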

2 Replies

Patrick Iseli
Level 7

Config looks good. Have you done a 'clear xlate'?

Sincerely,
Patrick

Yes, I have; I also ran 'clear arp' for good measure.