Port 443 problem on PIX506

Discussion in 'Cisco' started by Exclusive, May 2, 2006.

  1. Exclusive

    Exclusive Guest

    Guys, I have a problem. I'm using a PIX 506 firewall, an Exchange server at
    192.168.2.11 and a Symantec Mail Security 8220 spam filter at 192.168.2.5.

    The mail traffic is routed from the PIX to the Spam 8220, and the Spam 8220
    routes it to the Exchange server. When somebody tries to access their own
    mailbox from outside, the HTTP traffic is routed directly to the Exchange
    server. I also route traffic through port 443 from the PIX to the
    Spam 8220. The Spam 8220 uses HTTPS to connect to the Symantec Update Center
    on the Internet and make updates.

    Everything runs fine, except that it makes the update and on the next
    day email traffic is running fine but port 443 on the PIX is closed.
    When I type the
    #clear xlate command the update is done immediately and everything is
    OK until the next day, when it shows me the same problem again.

    I can't understand why that happens only with the traffic through port
    443.

    Anybody have any idea?


    This is the config file:

    PIX Version 6.x
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password /ZZZZZZZZZ encrypted
    passwd ZZZZZZZZ encrypted
    hostname NRP-PIX
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    names
    access-list inside_access_out permit tcp any any eq smtp
    access-list inside_access_out permit tcp any any eq www
    access-list inside_access_out permit tcp any any eq 443
    access-list inside_access_out permit tcp any any eq 3389
    access-list inside_access_out permit tcp any any eq domain
    access-list inside_access_out permit udp any any eq domain
    access-list inside_access_out permit tcp any any eq 1776
    access-list inside_access_out permit tcp any any eq ftp
    access-list inside_access_out permit icmp any any echo
    access-list inside_access_out permit tcp any any eq 8080
    access-list inside_access_out permit tcp any any eq 2443
    access-list vpnacl permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
    pager lines 24
    logging on
    logging trap notifications
    logging history notifications
    logging facility 0
    logging host inside 192.168.2.12
    interface ethernet0 auto
    interface ethernet1 auto
    mtu outside 1500
    mtu inside 1500
    ip address outside zzz.xxx.yyy.96 255.255.252.0
    ip address inside 192.168.2.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool clientpool 10.1.1.10-10.1.1.36
    pdm history enable
    arp timeout 14400
    global (outside) 1 zzz.xxx.yyy.104 netmask 255.255.252.0
    global (outside) 1 zzz.xxx.yyy.105 netmask 255.255.252.0
    nat (inside) 0 access-list vpnacl
    nat (inside) 1 192.168.2.0 255.255.255.0 0 0
    static (inside,outside) tcp zzz.xxx.yyy.99 25 192.168.2.5 25 netmask 255.255.255.255 0 0
    static (inside,outside) tcp zzz.xxx.yyy.99 80 192.168.2.11 80 netmask 255.255.255.255 0 0
    static (inside,outside) tcp zzz.xxx.yyy.99 domain 192.168.2.11 domain netmask 255.255.255.255 0 0
    static (inside,outside) udp zzz.xxx.yyy.99 domain 192.168.2.11 domain netmask 255.255.255.255 0 0
    static (inside,outside) tcp zzz.xxx.yyy.99 443 192.168.2.5 443 netmask 255.255.255.255 0 0



    access-group inside_access_out in interface inside
    conduit deny ip any host 81.48.75.223
    conduit permit ip any 141.152.97.50 255.255.255.224
    conduit permit tcp host zzz.xxx.yyy.99 eq smtp any
    conduit permit tcp host zzz.xxx.yyy.99 eq www any
    conduit permit tcp host zzz.xxx.yyy.99 eq domain any
    conduit permit ip host zzz.xxx.yyy.99 host 141.152.97.35
    route outside 0.0.0.0 0.0.0.0 zzz.xxx.yyy.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 192.168.2.10 secretkey timeout 5
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol tacacs+
    aaa-server mytacacs protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.2.10 tftp
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 20 set transform-set myset
    crypto map newmap 20 ipsec-isakmp dynamic dynmap
    crypto map newmap interface outside
    crypto map vpngroup client authentication TACACS+
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup XXX address-pool clientpool
    vpngroup XXX dns-server 192.168.2.10
    vpngroup XXX wins-server 192.168.2.10
    vpngroup XXX default-domain AAAAA.com
    vpngroup XXX split-tunnel vpnacl
    vpngroup XXX idle-time 1800
    vpngroup XXX password ********
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 10
    ssh timeout 5
     
    Exclusive, May 2, 2006
    #1

  2. Looking at your config, you have a /22, or about 1024 IP addresses
    available to the outside interface of the PIX. Why not use two separate
    routable IP addresses for the Exchange server and Spam8220 when
    defining the static mappings, instead of using port mapping?

    Also, the Spam8220 may use port 443 to get updates, but it will send
    traffic *to* port 443 on some server at Symantec. The source port of
    the traffic will be something else.
     
    Mark Williams, May 2, 2006
    #2

  3. Exclusive

    farisb Guest

    Since you have a static translation, you shouldn't have to "clear xlate"
    unless your IP addresses are used up in your global pool. How many hosts
    do you have behind this PIX? Do you own the whole IP address range in
    your global address pool?

    It seems this:
    global (outside) 1 zzz.xxx.yyy.104 netmask 255.255.252.0
    global (outside) 1 zzz.xxx.yyy.105 netmask 255.255.252.0

    should be configured like this
    global (outside) 1 zzz.xxx.yyy.104 netmask 255.255.255.255
    global (outside) 1 zzz.xxx.yyy.105 netmask 255.255.255.255


    --
    farisb
     
    farisb, May 2, 2006
    #3
  4. Exclusive

    Exclusive Guest

    >>Also, the Spam8220 may use port 443 to get updates, but it will send
    >>traffic *to* port 443 on some server at Symantec. The source port of
    >>the traffic will be something else.


    When I use the #clear xlate command everything is OK and the update
    runs immediately. But that lasts only until the next day, when I have to type
    #clear xlate again and everything is OK again. The source port looks to be
    443.
     
    Exclusive, May 2, 2006
    #4
  5. Exclusive

    Exclusive Guest

    If this can help somebody come up with any ideas:
    This is the output of #show xlate when the spam filter shows that it can't
    communicate with the Symantec Center because port 443 on the PIX is closed.


    42 in use, 497 most used

    This is the output after:
    PIX(config)# clear xlate
    PIX(config)# show xlate
    80 in use, 497 most used

    And the update is done immediately!

    And if anybody can explain to me why this is:
    PAT Global 206.111.123.104(141) Local 192.168.2.5(53)
    I'll appreciate it!

    Thanks!
     
    Exclusive, May 3, 2006
    #5
  6. In article <>,
    Exclusive <> wrote:
    >Guys I have a problem. I'm using Pix506 Firewall, Exchange Server


    >PIX Version 6.x


    Hiding the exact PIX version is counter-productive. There are
    version-specific bugs that we might be able to tell you about -- and
    there are clues about the version in the details of some of the command
    options.

    I can see that you are using at PIX 6.2, not PIX 6.3; I'm not
    going to bother to chase down the subrelease.


    >access-list inside_access_out permit tcp any any eq 443


    >static (inside,outside) tcp zzz.xxx.yyy.99 443 192.168.2.5 443 netmask 255.255.255.255 0 0


    >access-group inside_access_out in interface inside


    >conduit deny ip any host 81.48.75.223
    >conduit permit ip any 141.152.97.50 255.255.255.224
    >conduit permit tcp host zzz.xxx.yyy.99 eq smtp any
    >conduit permit tcp host zzz.xxx.yyy.99 eq www any
    >conduit permit tcp host zzz.xxx.yyy.99 eq domain any
    >conduit permit ip host zzz.xxx.yyy.99 host 141.152.97.35



    Get rid of the conduits. The very existence of conduits in a 6.x
    configuration can result in Bad Things Happening. And here's a
    case where your deliberate obscurity has interfered with us giving
    detailed advice: the conduit problems are particularly bad in
    6.2(1) and 6.2(2) [not that they are great in any later 6.2 or 6.3
    release.]

    Cisco mostly gave up on fixing conduits at around 5.3(2), and
    only touched the code in 6.2 because they had to in order to add
    PAT to 6.2(1). They fixed the absolute worst of the bugs, but
    the more subtle bugs are marked WON'T FIX. conduits have been
    deprecated since 5.2(1).


    I'm not saying that the conduits are definitely the cause of the problem
    you are observing: I'm saying that it isn't worth trying to debug
    your problem until you remove the conduits.
     
    Walter Roberson, May 3, 2006
    #6
  7. In article <>,
    Exclusive <> wrote:

    >And If anybody can explain me why is that:
    >PAT Global 206.111.123.104(141) Local 192.168.2.5(53)
    >I'll appreciate!


    You only static PAT'd DNS for 192.168.2.11, so outgoing DNS
    requests sourced by port 53 of 192.168.2.5 are going to use
    the nat/global pairs you have set up. You have not set up any
    globals with IP ranges, so the controlling global is the one
    you marked in the configuration as

    global (outside) 1 x.x.x.104

    If x.x.x.104 is synonymous with 206.111.123.104, then we see why
    that address is used on the global side. The choice of port number 141
    was just the next unused port number in the PAT subpool from
    1 to 1023 which is used for outgoing requests sourced from ports
    1 to 1023 (the "privileged ports").
     
    Walter Roberson, May 3, 2006
    #7
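    To make the two points above concrete (Mark's: the 8220's update traffic is
    sourced from an ephemeral port, so the 443 static is never what carries it;
    Walter's: a source port of 53 on 192.168.2.5 has no static and draws from the
    1-1023 PAT subpool on the global address), here is a small model of the PIX
    outbound translation choice. It is an added illustration, not Cisco code or
    anything posted in this thread; the allocation rule is the simplification
    Walter states, and the addresses are the thread's own, with the
    206.111.123.x prefix from the show xlate output standing in for zzz.xxx.yyy.

```python
from dataclasses import dataclass, field

# Toy model of PIX 6.x outbound translation selection (added illustration, not
# Cisco code). Static PAT entries mirror the thread's 'static (inside,outside)'
# lines; the dynamic rule (privileged source port -> next unused port in 1-1023
# on the global PAT address, otherwise 1024-65535) is the simplification Walter
# describes and is an assumption of this model, not a statement of real PIX
# internals.

PRIV = (1, 1023)        # subpool for sources using ports 1-1023
EPHEM = (1024, 65535)   # subpool for everything else


@dataclass
class PixPat:
    statics: dict                 # (proto, local_ip, local_port) -> (global_ip, global_port)
    pat_global: str               # the 'global (outside) 1' address
    xlate: dict = field(default_factory=dict)   # active translations, same key shape

    def _used_ports(self, proto):
        """Global ports already consumed on the PAT address for this protocol."""
        return {gp for (p, _, _), (gip, gp) in self.xlate.items()
                if p == proto and gip == self.pat_global}

    def translate(self, proto, local_ip, local_port):
        """Return the (global_ip, global_port) an outbound packet would appear from."""
        key = (proto, local_ip, local_port)
        if key in self.statics:          # a matching static PAT always wins
            self.xlate[key] = self.statics[key]
        elif key not in self.xlate:      # otherwise allocate from the dynamic pool
            lo, hi = PRIV if local_port <= 1023 else EPHEM
            used = self._used_ports(proto)
            free = next((gp for gp in range(lo, hi + 1) if gp not in used), None)
            if free is None:
                raise RuntimeError("PAT subpool exhausted")  # symptom that 'clear xlate' masks
            self.xlate[key] = (self.pat_global, free)
        return self.xlate[key]

    def clear_xlate(self):
        """Equivalent of 'clear xlate': drop every translation; statics rebuild on demand."""
        self.xlate.clear()


def thread_scenario():
    """Reproduce the translations the thread argues about (constructed sample)."""
    pix = PixPat(
        statics={
            ("tcp", "192.168.2.5", 25): ("206.111.123.99", 25),
            ("tcp", "192.168.2.11", 80): ("206.111.123.99", 80),
            ("tcp", "192.168.2.11", 53): ("206.111.123.99", 53),
            ("udp", "192.168.2.11", 53): ("206.111.123.99", 53),
            ("tcp", "192.168.2.5", 443): ("206.111.123.99", 443),
        },
        pat_global="206.111.123.104",
    )
    return {
        # Exchange DNS is static PAT'd, so it keeps .99:53
        "exchange_dns": pix.translate("udp", "192.168.2.11", 53),
        # the 8220 has no DNS static, so its port-53 query lands in the 1-1023 subpool on .104
        "spam_dns": pix.translate("udp", "192.168.2.5", 53),
        # the 8220's HTTPS update is sourced from an ephemeral port (35332 in the table),
        # so the 443 static is never consulted and it also goes out via .104
        "spam_https_update": pix.translate("tcp", "192.168.2.5", 35332),
        # only traffic actually sourced from 192.168.2.5:443 hits the 443 static
        "spam_from_443": pix.translate("tcp", "192.168.2.5", 443),
    }
```

    The model allocates the lowest free port in each subpool, so the thread's
    observed 141 simply means 140 privileged-subpool ports were already in use
    on the box at that moment.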
  8. Exclusive

    Exclusive Guest

    Thanks for your advice! I will try that!
    I use IOS v6.1
    I know it's old but I don't know where to find out a newer.
     
    Exclusive, May 3, 2006
    #8
  9. Exclusive

    Exclusive Guest

    Thanks Walter!

    I've replaced the conduit commands with ACL and right now everything is
    running well!

    Appreciate your help!
     
    Exclusive, May 4, 2006
    #9
  10. In article <>,
    Exclusive <> wrote:
    >I use IOS v6.1


    As a technical point: the OS for the PIX is named Finesse, not IOS.

    Anyhow, if you are using PIX 6.1, I'm not surprised you had
    conduit problems. Early 6.1 especially were pretty buggy.


    >I know it's old but I don't know where to find out a newer.


    If you are running something before 6.1(5), then see the following
    for an authorization for a free update to 6.1(5):

    http://www.cisco.com/en/US/products/products_security_advisory09186a00801e118a.shtml

    Then you can get up to 6.1(5)102 via
    http://www.cisco.com/en/US/products/products_security_advisory09186a0080207d5f.shtml

    But I don't think you can get further than that without either a support
    contract or purchasing a newer release.

    You probably cannot get a hardware support contract on a device
    that old -- not unless you want to pay several hundred dollars for
    an examination fee (and you would have to ship the 506 to Cisco for
    the examination.) That effectively leaves you out of all of the
    CON-* support contract part numbers. You might, however, still be
    able to get a SASU-* support contract, which covers software upgrades
    (an "upgrade" allows you to go to new releases; there is also an
    SAS-* part number which is for "updates", which would only allow you
    to go as far as 6.1(5).)

    http://www.cisco.com/en/US/products/svcs/ps3034/ps2827/ps2993/serv_home.html


    I don't know the pricing of a software upgrade. It might be more
    cost effective to go for a new PIX 515E with PIX 7.x [the 506 does
    not support 7.x], or for one of the new CISCO ASA security devices.
    http://www.cisco.com/go/asa
     
    Walter Roberson, May 5, 2006
    #10