Velocity Reviews - Computer Hardware Reviews

Port 443 problem on PIX506

 
 
Exclusive
05-02-2006
Guys, I have a problem. I'm using a PIX 506 firewall, an Exchange Server at
192.168.2.11 and a Symantec Mail Security 8220 spam filter at 192.168.2.5.

The mail traffic is routed from the PIX to the Spam8220, and the Spam8220 routes it
to the Exchange server. When somebody tries to access their own
mailbox from outside, the HTTP traffic is routed directly to the
Exchange server. I also route traffic through port 443 from the PIX to the
Spam8220. The Spam8220 uses HTTPS to connect to the Symantec Update Center on
the Internet and get updates.

Everything is running fine except that it does the update, and the next
day email traffic is running fine but port 443 on the PIX is closed.
When I type the
#clear xlate command the update is done immediately and everything is
OK until the next day, when it shows me that problem again.

I can't understand why that happens only with the traffic through port
443.

Does anybody have any idea?


This is the config file:

PIX Version 6.x
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /ZZZZZZZZZ encrypted
passwd ZZZZZZZZ encrypted
hostname NRP-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list inside_access_out permit tcp any any eq smtp
access-list inside_access_out permit tcp any any eq www
access-list inside_access_out permit tcp any any eq 443
access-list inside_access_out permit tcp any any eq 3389
access-list inside_access_out permit tcp any any eq domain
access-list inside_access_out permit udp any any eq domain
access-list inside_access_out permit tcp any any eq 1776
access-list inside_access_out permit tcp any any eq ftp
access-list inside_access_out permit icmp any any echo
access-list inside_access_out permit tcp any any eq 8080
access-list inside_access_out permit tcp any any eq 2443
access-list vpnacl permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
logging trap notifications
logging history notifications
logging facility 0
logging host inside 192.168.2.12
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside zzz.xxx.yyy.96 255.255.252.0
ip address inside 192.168.2.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 10.1.1.10-10.1.1.36
pdm history enable
arp timeout 14400
global (outside) 1 zzz.xxx.yyy.104 netmask 255.255.252.0
global (outside) 1 zzz.xxx.yyy.105 netmask 255.255.252.0
nat (inside) 0 access-list vpnacl
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp zzz.xxx.yyy.99 25 192.168.2.5 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp zzz.xxx.yyy.99 80 192.168.2.11 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp zzz.xxx.yyy.99 domain 192.168.2.11 domain netmask 255.255.255.255 0 0
static (inside,outside) udp zzz.xxx.yyy.99 domain 192.168.2.11 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp zzz.xxx.yyy.99 443 192.168.2.5 443 netmask 255.255.255.255 0 0



access-group inside_access_out in interface inside
conduit deny ip any host 81.48.75.223
conduit permit ip any 141.152.97.50 255.255.255.224
conduit permit tcp host zzz.xxx.yyy.99 eq smtp any
conduit permit tcp host zzz.xxx.yyy.99 eq www any
conduit permit tcp host zzz.xxx.yyy.99 eq domain any
conduit permit ip host zzz.xxx.yyy.99 host 141.152.97.35
route outside 0.0.0.0 0.0.0.0 zzz.xxx.yyy.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.2.10 secretkey timeout 5
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
aaa-server mytacacs protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.2.10 tftp
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
crypto map vpngroup client authentication TACACS+
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup XXX address-pool clientpool
vpngroup XXX dns-server 192.168.2.10
vpngroup XXX wins-server 192.168.2.10
vpngroup XXX default-domain AAAAA.com
vpngroup XXX split-tunnel vpnacl
vpngroup XXX idle-time 1800
vpngroup XXX password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5

 
Mark Williams
05-02-2006
Looking at your config, you have a /22, or about 1024 IP addresses
available to the outside interface of the PIX. Why not use two separate
routable IP addresses for the Exchange server and Spam8220 when
defining the static mappings, instead of using port mapping?

Also, the Spam8220 may use port 443 to get updates, but it will send
traffic *to* port 443 on some server at Symantec. The source port of
the traffic will be something else.

 
farisb
05-02-2006

Since you have a static translation, you shouldn't have to "clear xlate"
unless your IP addresses are used up in your global pool. How many hosts
do you have behind this PIX? Do you own the whole IP address range in
your global address pool?

It seems this:
global (outside) 1 zzz.xxx.yyy.104 netmask 255.255.252.0
global (outside) 1 zzz.xxx.yyy.105 netmask 255.255.252.0

should be configured like this
global (outside) 1 zzz.xxx.yyy.104 netmask 255.255.255.255
global (outside) 1 zzz.xxx.yyy.105 netmask 255.255.255.255



 
Exclusive
05-02-2006
>>Also, the Spam8220 may use port 443 to get updates, but it will send
>>traffic *to* port 443 on some server at Symantec. The source port of
>>the traffic will be something else.


When I use the #clear xlate command everything is OK and the update
runs immediately. But it only lasts until the next day, when I have to type
#clear xlate and again everything is OK. The source port looks to be
443.

 
Exclusive
05-03-2006
If this can help somebody with any ideas:
this is the output of #show xlate when the spam filter shows that it can't
communicate with the Symantec Center because port 443 on the PIX is closed.


42 in use, 497 most used
PAT Global 206.111.123.104(16760) Local 192.168.2.61(204
PAT Global 206.111.123.104(21224) Local 192.168.2.77(3996)
PAT Global 206.111.123.104(21225) Local 192.168.2.77(399
PAT Global 206.111.123.104(14649) Local 192.168.2.67(1130)
PAT Global 206.111.123.99(25) Local 192.168.2.5(25)
PAT Global 206.111.123.104(21226) Local 192.168.2.77(3999)
PAT Global 206.111.123.104(21194) Local 192.168.2.11(21270)
PAT Global 206.111.123.104(21227) Local 192.168.2.77(4000)
PAT Global 206.111.123.104(21051) Local 192.168.2.61(3014)
PAT Global 206.111.123.104(26587) Local 192.168.2.10(1566)
PAT Global 206.111.123.104(139) Local 192.168.2.5(53)
PAT Global 206.111.123.104(2122 Local 192.168.2.56(4189)
PAT Global 206.111.123.104(21164) Local 192.168.2.79(2791)
PAT Global 206.111.123.104(21052) Local 192.168.2.61(3015)
PAT Global 206.111.123.104(21229) Local 192.168.2.77(4001)
PAT Global 206.111.123.104(21165) Local 192.168.2.79(2792)
PAT Global 206.111.123.104(1967 Local 192.168.2.56(4174)
PAT Global 206.111.123.104(21230) Local 192.168.2.77(4002)
PAT Global 206.111.123.104(21054) Local 192.168.2.61(3017)
PAT Global 206.111.123.104(2103 Local 192.168.2.67(1830)
PAT Global 206.111.123.104(26766) Local 192.168.2.5(35332)
PAT Global 206.111.123.104(15742) Local 192.168.2.77(2503)
PAT Global 206.111.123.104(19039) Local 192.168.2.79(2626)
PAT Global 206.111.123.104(16879) Local 192.168.2.63(3356)
PAT Global 206.111.123.104(21247) Local 192.168.2.77(4016)
PAT Global 206.111.123.104(21231) Local 192.168.2.11(21320)
PAT Global 206.111.123.104(21263) Local 192.168.2.75(1801)
PAT Global 206.111.123.104(14575) Local 192.168.2.67(1129)
PAT Global 206.111.123.104(21040) Local 192.168.2.67(1832)
PAT Global 206.111.123.104(21264) Local 192.168.2.79(2794)
PAT Global 206.111.123.104(2124 Local 192.168.2.77(4017)
PAT Global 206.111.123.99(80) Local 192.168.2.11(80)
PAT Global 206.111.123.104(21265) Local 192.168.2.75(1802)
PAT Global 206.111.123.104(21249) Local 192.168.2.77(401
PAT Global 206.111.123.104(21266) Local 192.168.2.75(1803)
PAT Global 206.111.123.104(21250) Local 192.168.2.77(4019)
PAT Global 206.111.123.104(21235) Local 192.168.2.11(21322)
PAT Global 206.111.123.104(21267) Local 192.168.2.64(4197)
PAT Global 206.111.123.104(21251) Local 192.168.2.75(1782)
PAT Global 206.111.123.104(2126 Local 192.168.2.75(1805)
PAT Global 206.111.123.104(21252) Local 192.168.2.75(1785)
PAT Global 206.111.123.104(21205) Local 192.168.2.80(2666)
PAT Global 206.111.123.104(21269) Local 192.168.2.11(21344)
PAT Global 206.111.123.104(21253) Local 192.168.2.75(1787)
PAT Global 206.111.123.104(2123 Local 192.168.2.77(400
PAT Global 206.111.123.104(21046) Local 192.168.2.67(1837)
PAT Global 206.111.123.104(21254) Local 192.168.2.75(1786)
PAT Global 206.111.123.104(1451 Local 192.168.2.67(1111)
PAT Global 206.111.123.104(21271) Local 192.168.2.64(419
PAT Global 206.111.123.104(21255) Local 192.168.2.75(1789)

This is the output after:
PIX(config)# clear xlate
PIX(config)# show xlate
80 in use, 497 most used
PAT Global 206.111.123.104(21480) Local 192.168.2.68(1574)
PAT Global 206.111.123.104(21352) Local 192.168.2.61(3102)
PAT Global 206.111.123.104(21336) Local 192.168.2.68(152
PAT Global 206.111.123.104(21656) Local 192.168.2.11(2152
PAT Global 206.111.123.104(21640) Local 192.168.2.67(1964)
PAT Global 206.111.123.104(21624) Local 192.168.2.67(194
PAT Global 206.111.123.104(21592) Local 192.168.2.67(1942)
PAT Global 206.111.123.104(21337) Local 192.168.2.68(1529)
PAT Global 206.111.123.104(21657) Local 192.168.2.67(1977)
PAT Global 206.111.123.104(21641) Local 192.168.2.67(1965)
PAT Global 206.111.123.104(21625) Local 192.168.2.67(1949)
PAT Global 206.111.123.104(21593) Local 192.168.2.67(1943)
PAT Global 206.111.123.99(25) Local 192.168.2.5(25)
PAT Global 206.111.123.104(2149 Local 192.168.2.57(4706)
PAT Global 206.111.123.104(21466) Local 192.168.2.79(2807)
PAT Global 206.111.123.104(2165 Local 192.168.2.56(420
PAT Global 206.111.123.104(21642) Local 192.168.2.67(1966)
PAT Global 206.111.123.104(21626) Local 192.168.2.67(1950)
PAT Global 206.111.123.104(21594) Local 192.168.2.56(4206)
PAT Global 206.111.123.104(21530) Local 192.168.2.57(4725)
PAT Global 206.111.123.104(21403) Local 192.168.2.67(193
PAT Global 206.111.123.104(21307) Local 192.168.2.77(4027)
PAT Global 206.111.123.104(21659) Local 192.168.2.67(197
PAT Global 206.111.123.104(21643) Local 192.168.2.67(1967)
PAT Global 206.111.123.104(21627) Local 192.168.2.67(1951)
PAT Global 206.111.123.104(21611) Local 192.168.2.56(4207)
PAT Global 206.111.123.104(21595) Local 192.168.2.61(3174)
PAT Global 206.111.123.104(21324) Local 192.168.2.68(1522)
PAT Global 206.111.123.104(21660) Local 192.168.2.77(4056)
PAT Global 206.111.123.104(21644) Local 192.168.2.67(196
PAT Global 206.111.123.104(2162 Local 192.168.2.67(1952)
PAT Global 206.111.123.104(21612) Local 192.168.2.61(317
PAT Global 206.111.123.104(21516) Local 192.168.2.68(1110)
PAT Global 206.111.123.104(21373) Local 192.168.2.67(1936)
PAT Global 206.111.123.104(21661) Local 192.168.2.56(4209)
PAT Global 206.111.123.104(21645) Local 192.168.2.67(1969)
PAT Global 206.111.123.104(21629) Local 192.168.2.67(1953)
PAT Global 206.111.123.104(26781) Local 192.168.2.10(1566)
PAT Global 206.111.123.104(141) Local 192.168.2.5(53)
PAT Global 206.111.123.104(21662) Local 192.168.2.67(1979)
PAT Global 206.111.123.104(21646) Local 192.168.2.67(1970)
PAT Global 206.111.123.104(21630) Local 192.168.2.67(1954)
PAT Global 206.111.123.104(21112) Local 192.168.2.56(4205)
PAT Global 206.111.123.104(21407) Local 192.168.2.67(1939)
PAT Global 206.111.123.104(21663) Local 192.168.2.11(2153
PAT Global 206.111.123.104(21647) Local 192.168.2.67(1971)
PAT Global 206.111.123.104(21631) Local 192.168.2.67(1955)
PAT Global 206.111.123.104(21615) Local 192.168.2.61(318
PAT Global 206.111.123.104(21113) Local 192.168.2.80(2677)
PAT Global 206.111.123.104(21567) Local 192.168.2.79(2824)
PAT Global 206.111.123.104(21551) Local 192.168.2.61(3122)
PAT Global 206.111.123.104(21424) Local 192.168.2.63(3613)
PAT Global 206.111.123.104(2164 Local 192.168.2.67(1972)
PAT Global 206.111.123.104(21632) Local 192.168.2.67(1956)
PAT Global 206.111.123.104(21616) Local 192.168.2.61(3189)
PAT Global 206.111.123.104(21114) Local 192.168.2.80(267
PAT Global 206.111.123.104(21552) Local 192.168.2.61(3123)
PAT Global 206.111.123.99(80) Local 192.168.2.11(80)
PAT Global 206.111.123.104(21649) Local 192.168.2.67(1973)
PAT Global 206.111.123.104(21633) Local 192.168.2.67(1957)
PAT Global 206.111.123.104(21617) Local 192.168.2.11(21514)
PAT Global 206.111.123.104(21115) Local 192.168.2.80(2679)
PAT Global 206.111.123.104(2137 Local 192.168.2.67(1937)
PAT Global 206.111.123.104(21650) Local 192.168.2.67(1974)
PAT Global 206.111.123.104(21634) Local 192.168.2.67(195
PAT Global 206.111.123.104(21116) Local 192.168.2.80(2680)
PAT Global 206.111.123.104(21651) Local 192.168.2.67(1975)
PAT Global 206.111.123.104(21635) Local 192.168.2.67(1959)
PAT Global 206.111.123.104(21555) Local 192.168.2.61(3124)
PAT Global 206.111.123.104(21316) Local 192.168.2.68(1514)
PAT Global 206.111.123.104(21652) Local 192.168.2.67(1976)
PAT Global 206.111.123.104(21636) Local 192.168.2.67(1960)
PAT Global 206.111.123.104(21620) Local 192.168.2.11(21520)
PAT Global 206.111.123.104(21653) Local 192.168.2.5(55490)
PAT Global 206.111.123.104(21637) Local 192.168.2.67(1961)
PAT Global 206.111.123.104(21621) Local 192.168.2.67(1945)
PAT Global 206.111.123.104(21654) Local 192.168.2.5(55491)
PAT Global 206.111.123.104(2163 Local 192.168.2.67(1962)
PAT Global 206.111.123.104(21622) Local 192.168.2.67(1946)
PAT Global 206.111.123.104(21479) Local 192.168.2.68(1573)
PAT Global 206.111.123.104(21655) Local 192.168.2.77(4055)
PAT Global 206.111.123.104(21639) Local 192.168.2.67(1963)
PAT Global 206.111.123.104(21623) Local 192.168.2.67(1947)
PAT Global 206.111.123.104(21591) Local 192.168.2.67(1941)

And the update is immediately done!

And if anybody can explain to me why this is:
PAT Global 206.111.123.104(141) Local 192.168.2.5(53)
I'd appreciate it!

Thanks!

 
Walter Roberson
05-03-2006
Exclusive wrote:
>Guys I have a problem. I'm using Pix506 Firewall, Exchange Server


>PIX Version 6.x


Hiding the exact PIX version is counter-productive. There are
version-specific bugs that we might be able to tell you about, and
there are clues about the version in the details of some of the command
options.

I can see that you are using PIX 6.2, not PIX 6.3; I'm not
going to bother to chase down the subrelease.


>access-list inside_access_out permit tcp any any eq 443


>static (inside,outside) tcp zzz.xxx.yyy.99 443 192.168.2.5 443 netmask 255.255.255.255 0 0


>access-group inside_access_out in interface inside


>conduit deny ip any host 81.48.75.223
>conduit permit ip any 141.152.97.50 255.255.255.224
>conduit permit tcp host zzz.xxx.yyy.99 eq smtp any
>conduit permit tcp host zzz.xxx.yyy.99 eq www any
>conduit permit tcp host zzz.xxx.yyy.99 eq domain any
>conduit permit ip host zzz.xxx.yyy.99 host 141.152.97.35



Get rid of the conduits. The very existence of conduits in a 6.x
configuration can result in Bad Things Happening. And here's a
case where your deliberate obscurity has interfered with us giving
detailed advice: the conduit problems are particularly bad in
6.2(1) and 6.2(2) [not that they are great in any later 6.2 or 6.3
release.]

Cisco mostly gave up on fixing conduits at around 5.3(2), and
only touched the code in 6.2 because they had to in order to add
PAT to 6.2(1). They fixed the absolute worst of the bugs, but
the more subtle bugs are marked WON'T FIX. conduits have been
deprecated since 5.2(1).


I'm not saying that the conduits are definitely the cause of the problem
you are observing: I'm saying that it isn't worth trying to debug
your problem until you remove the conduits.
 
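Added example, not part of the thread or the poster's config: a small Python script that rewrites the conduit lines quoted above as an equivalent inbound access-list on the outside interface, which is what the poster ends up doing by hand. The ACL name outside_access_in is an assumption (name it as you like); the network 141.152.97.50 255.255.255.224 is normalised to 141.152.97.32/27, which is what the PIX stores. As with the original conduits, nothing here permits inbound tcp/443 to the 443 static, because no conduit did either.

```python
"""
Rewrite PIX 6.x 'conduit' statements as an inbound access-list.

PIX 6.x syntax:
  conduit permit|deny PROTO GLOBAL [op PORT] FOREIGN [op PORT]
  access-list NAME permit|deny PROTO SOURCE [op PORT] DEST [op PORT]
GLOBAL is the translated (outside-visible) address of an inside host and
FOREIGN the remote peer. An ACL applied 'in' on outside is written source
first, so the two address blocks swap sides. Added example, not from the
thread; 'outside_access_in' is an assumed ACL name.
"""
import ipaddress

PORT_OPS = {"eq", "lt", "gt", "neq"}


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A MASK' (mask form is
    normalised to the network address the PIX would store)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    net = ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False)
    return f"{net.network_address} {net.netmask}", tokens[2:]


def _take_port(tokens):
    """Consume an optional port operator ('eq smtp', 'range 1 1023', ...)."""
    if tokens and tokens[0] in PORT_OPS:
        return f"{tokens[0]} {tokens[1]}", tokens[2:]
    if tokens and tokens[0] == "range":
        return f"range {tokens[1]} {tokens[2]}", tokens[3:]
    return "", tokens


def conduit_to_acl(line, acl_name="outside_access_in"):
    """One conduit statement -> one access-list entry, sides swapped."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto, rest = tokens[1], tokens[2], tokens[3:]
    global_addr, rest = _take_addr(rest)
    global_port, rest = _take_port(rest)
    foreign_addr, rest = _take_addr(rest)
    foreign_port, rest = _take_port(rest)
    if rest:
        raise ValueError(f"unparsed trailer {rest} in {line!r}")
    parts = ["access-list", acl_name, action, proto, foreign_addr]
    if foreign_port:
        parts.append(foreign_port)
    parts.append(global_addr)
    if global_port:
        parts.append(global_port)
    return " ".join(parts)


def convert(conduits, acl_name="outside_access_in", interface="outside"):
    """Keep the conduit order (ACL entries are first match, so the deny for
    81.48.75.223 must stay ahead of the permits), then bind the ACL."""
    lines = [conduit_to_acl(c, acl_name) for c in conduits]
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines


# The conduit lines from the posted config, verbatim.
POSTED_CONDUITS = [
    "conduit deny ip any host 81.48.75.223",
    "conduit permit ip any 141.152.97.50 255.255.255.224",
    "conduit permit tcp host zzz.xxx.yyy.99 eq smtp any",
    "conduit permit tcp host zzz.xxx.yyy.99 eq www any",
    "conduit permit tcp host zzz.xxx.yyy.99 eq domain any",
    "conduit permit ip host zzz.xxx.yyy.99 host 141.152.97.35",
]

if __name__ == "__main__":
    for acl_line in convert(POSTED_CONDUITS):
        print(acl_line)
    print("clear conduit")  # drop the old conduits once the ACL is bound
```

Paste the printed lines into the PIX, then `clear conduit` (or `no conduit ...` per line) so the deprecated conduit code path is no longer in play; the access-list is the only thing deciding inbound traffic from then on.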
Walter Roberson
05-03-2006
Exclusive wrote:

>And If anybody can explain me why is that:
>PAT Global 206.111.123.104(141) Local 192.168.2.5(53)
>I'll appreciate!


You only static PAT'd DNS for 192.168.2.11, so outgoing DNS
requests sourced from port 53 of 192.168.2.5 are going to use
the nat/global pairs you have set up. You have not set up any
globals with IP ranges, so the controlling global is the one
you marked in the configuration as

global (outside) 1 x.x.x.104

If x.x.x.104 is synonymous with 206.111.123.104, then we see why
that address is used on the global side. The choice of port number 141
was just the next unused port number in the PAT subpool from
1 to 1023 which is used for outgoing requests sourced from ports
1 to 1023 (the "privileged ports").

 
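Added example, not part of any post in the thread: a Python model of the two points made in the replies, Mark Williams' that a tcp 443 static only matches packets whose inside source port is 443, and Walter Roberson's that a PAT global translates a privileged (1-1023) inside source port to a port from the 1-1023 subpool. It parses `show xlate` lines like the ones posted above; the sample below copies a few of them, including one that was cut off in the paste, which is skipped rather than guessed at. Assumed: the 206.111.123.x addresses in the xlate output are the zzz.xxx.yyy.x ones in the config, the protocol is ignored (the tcp and udp domain statics collapse to one key), and the port-picking order (next free port after the highest one in use) is a model, not PIX code.

```python
"""
Parse PIX 6.x 'show xlate' output and model which translation a new outbound
flow gets:

  - a 'static (inside,outside) tcp G 443 L 443' row matches only packets whose
    inside *source* port is 443; an HTTPS client uses an ephemeral source port,
    so its update traffic rides the dynamic PAT global instead;
  - on the PAT global an inside source port in 1-1023 gets a global port from
    the 1-1023 subpool, anything else from 1024-65535.

Added example, not PIX code. 206.111.123.x stands in for zzz.xxx.yyy.x.
"""
import re
from collections import Counter

XLATE_RE = re.compile(r"^PAT Global (\S+)\((\d+)\) Local (\S+)\((\d+)\)$")

# static PAT rows from the posted config, keyed by (inside ip, inside port)
STATIC_PAT = {
    ("192.168.2.5", 25): ("206.111.123.99", 25),
    ("192.168.2.11", 80): ("206.111.123.99", 80),
    ("192.168.2.11", 53): ("206.111.123.99", 53),
    ("192.168.2.5", 443): ("206.111.123.99", 443),
}
PAT_GLOBAL = "206.111.123.104"  # first 'global (outside) 1' address

# constructed sample: lines copied from the posted output; the first PAT row
# was cut off in the paste and is left that way on purpose
SAMPLE_XLATE = """\
42 in use, 497 most used
PAT Global 206.111.123.104(16760) Local 192.168.2.61(204
PAT Global 206.111.123.99(25) Local 192.168.2.5(25)
PAT Global 206.111.123.104(139) Local 192.168.2.5(53)
PAT Global 206.111.123.104(26766) Local 192.168.2.5(35332)
PAT Global 206.111.123.99(80) Local 192.168.2.11(80)
PAT Global 206.111.123.104(21194) Local 192.168.2.11(21270)
"""


def parse_xlate(text):
    """Return (entries, skipped): parsed rows and lines too mangled to parse."""
    entries, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("PAT Global"):
            continue  # 'N in use, M most used' and similar counters
        m = XLATE_RE.match(line)
        if not m:
            skipped.append(line)  # truncated row: do not invent the missing digits
            continue
        g_ip, g_port, l_ip, l_port = m.groups()
        entries.append({"global_ip": g_ip, "global_port": int(g_port),
                        "local_ip": l_ip, "local_port": int(l_port)})
    return entries, skipped


def rows_per_host(entries):
    """How many translations each inside host currently holds."""
    return dict(Counter(e["local_ip"] for e in entries))


def dynamic_privileged(entries):
    """Dynamic PAT rows built from an inside source port < 1024: the
    'why does 192.168.2.5(53) come out as 104(141)?' case."""
    return [e for e in entries
            if e["local_port"] < 1024
            and (e["local_ip"], e["local_port"]) not in STATIC_PAT]


def next_pat_port(local_port, in_use):
    """Free global port from the subpool matching the source port (model)."""
    lo, hi = (1, 1023) if local_port < 1024 else (1024, 65535)
    size = hi - lo + 1
    used = [p for p in in_use if lo <= p <= hi]
    start = max(used) + 1 if used else lo
    for off in range(size):
        port = lo + (start - lo + off) % size  # wrap around inside the subpool
        if port not in in_use:
            return port
    raise RuntimeError(f"PAT subpool {lo}-{hi} exhausted on {PAT_GLOBAL}")


def translate(local_ip, local_port, in_use):
    """(global_ip, global_port, 'static'|'dynamic') for a new outbound flow."""
    key = (local_ip, local_port)
    if key in STATIC_PAT:
        return (*STATIC_PAT[key], "static")
    return (PAT_GLOBAL, next_pat_port(local_port, in_use), "dynamic")


if __name__ == "__main__":
    entries, skipped = parse_xlate(SAMPLE_XLATE)
    print(f"{len(entries)} rows parsed, {len(skipped)} skipped")
    print("rows per inside host:", rows_per_host(entries))
    for e in dynamic_privileged(entries):
        print("privileged-port dynamic PAT:", e)
    in_use = {e["global_port"] for e in entries if e["global_ip"] == PAT_GLOBAL}
    print("Spam8220 -> Symantec, source 443  :", translate("192.168.2.5", 443, in_use))
    print("Spam8220 -> Symantec, source 35332:", translate("192.168.2.5", 35332, in_use))
    print("Spam8220 DNS query, source 53     :", translate("192.168.2.5", 53, in_use))
```

The point the script makes visible: the only way the 443 static is ever used outbound is if the spam filter sources a connection from port 443, which an HTTPS client does not do, so the update traffic is on the dynamic PAT address and shares its fate with every other translation there; the privileged-port row for DNS from 192.168.2.5 is the same mechanism at work.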
Exclusive
05-03-2006
Thanks for your advice! I will try that!
I use IOS v6.1.
I know it's old but I don't know where to find a newer one.

 
Exclusive
05-04-2006
Thanks Walter!

I've replaced the conduit commands with ACL and right now everything is
running well!

Appreciate your help!

 
Walter Roberson
05-05-2006
Exclusive wrote:
>I use IOS v6.1


As a technical point: the OS for the PIX is named Finesse, not IOS.

Anyhow, if you are using PIX 6.1, I'm not surprised you had
conduit problems. Early 6.1 releases especially were pretty buggy.


>I know it's old but I don't know where to find out a newer.


If you are running something before 6.1(5), then see the following
for an authorization for a free update to 6.1(5):

http://www.cisco.com/en/US/products/...801e118a.shtml

Then you can get up to 6.1(5)102 via
http://www.cisco.com/en/US/products/...80207d5f.shtml

But I don't think you can get further than that without either a support
contract or purchasing a newer release.

You probably cannot get a hardware support contract on a device
that old -- not unless you want to pay several hundred dollars for
an examination fee (and you would have to ship the 506 to Cisco for
the examination.) That effectively leaves you out of all of the
CON-* support contract part numbers. You might, however, still be
able to get a SASU-* support contract, which covers software upgrades
(an "upgrade" allows you to go to new releases; there is also an
SAS-* part number which is for "updates", which would only allow you
to go as far as 6.1(5).)

http://www.cisco.com/en/US/products/...serv_home.html


I don't know the pricing of a software upgrade. It might be more
cost effective to go for a new PIX 515E with PIX 7.x [the 506 does
not support 7.x], or for one of the new CISCO ASA security devices.
http://www.cisco.com/go/asa
 