[fw-wiz] pix configuration / errors question

From: Tomasz Ramsza (tomasz.ramsza_at_cc.com.pl)
Date: 11/10/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 10 Nov 2003 14:56:08 +0100
    
    

    Hello all,

    We have a very simple configuration. No NAT is used. In the internal LAN
    there are about 100 users accessing WWW proxy server at 192.168.1.10:80.
    It is the only allowed traffic. Everything is working fine (users are
    not complaining), but in the logs there are some errors. For example:

    Deny tcp src outside:192.168.1.10/80 dst inside:10.10.10.138/3865 by
    access-group "acl_out"

    Just as if the PIX was "forgetting" about the outgoing TCP connections too fast?

    I have set logging to debug level and checked that connections to proxy
    server are finished by: FINs (ok), Reset-I or Reset-O. I know what it
    means on TCP level but I don't know if this is normal when IE is talking
    to proxy.

    The questions are:

    - is it normal behaviour?
    - if not, what can be changed?

    We have the following PIX 515 configuration:
    =================================================
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    fixup protocol http 80
    names
    access-list acl_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq www
    access-list acl_in deny ip any any
    access-list acl_out deny ip any any
    pager lines 24
    logging on
    logging buffered warnings
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.1 255.255.255.0
    ip address inside 10.10.10.1 255.255.255.0
    arp timeout 14400
    static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0
    access-group acl_out in interface outside
    access-group acl_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    =================================================

    Thanks in advance,

    Tomek

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
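Added example, not part of the original post or of any Cisco tooling: a small Python classifier that parses ACL deny messages in the format quoted above and separates the ones that look like late return traffic from the permitted proxy (source 192.168.1.10 port 80, destination an inside host on an ephemeral port) from denies that do not match that pattern and deserve a closer look. The allowed server and inside network are taken from the posted configuration; the "stale-return" heuristic, the sample log lines and the helper names are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines. The first is the one quoted in the post;
# the rest are made up to exercise the classifier (one is not a deny at all).
SAMPLE_LOGS = """\
Deny tcp src outside:192.168.1.10/80 dst inside:10.10.10.138/3865 by access-group "acl_out"
Deny tcp src outside:192.168.1.10/80 dst inside:10.10.10.52/1187 by access-group "acl_out"
Deny tcp src outside:192.168.1.77/4444 dst inside:10.10.10.138/3865 by access-group "acl_out"
Deny tcp src outside:192.168.1.10/22 dst inside:10.10.10.9/2001 by access-group "acl_out"
Deny udp src outside:192.168.1.200/53 dst inside:10.10.10.9/1025 by access-group "acl_out"
%PIX-6-302013: Built outbound TCP connection 4711 for outside:192.168.1.10/80 (192.168.1.10/80) to inside:10.10.10.138/3865 (10.10.10.138/3865)
""".splitlines()

# Matches the "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group" form
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Assumption: the only permitted outbound flow, as in acl_in of the posted config.
ALLOWED_SERVERS = {("192.168.1.10", 80)}
INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")


def parse_deny(line):
    """Return a dict of fields for an ACL deny line, or None if it is not one."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["src_port"] = int(entry["src_port"])
    entry["dst_port"] = int(entry["dst_port"])
    return entry


def classify(entry):
    """Heuristic (assumption): a TCP packet arriving on 'outside' from the
    permitted proxy port towards an inside host on an ephemeral port is most
    likely return traffic for a connection the firewall no longer tracks.
    Anything else is reported as 'unexpected' for manual review."""
    looks_like_return = (
        entry["proto"] == "tcp"
        and entry["src_if"] == "outside"
        and entry["dst_if"] == "inside"
        and (entry["src_ip"], entry["src_port"]) in ALLOWED_SERVERS
        and ipaddress.ip_address(entry["dst_ip"]) in INSIDE_NET
        and entry["dst_port"] >= 1024
    )
    return "stale-return" if looks_like_return else "unexpected"


def summarize(lines):
    """Count deny lines per category; non-deny lines are counted as 'not-deny'."""
    counts = Counter()
    for line in lines:
        entry = parse_deny(line)
        if entry is None:
            counts["not-deny"] += 1
            continue
        counts[classify(entry)] += 1
    return counts


def unexpected_denies(lines):
    """Return the deny lines that do not fit the stale-return pattern."""
    return [line for line in lines
            if (e := parse_deny(line)) is not None and classify(e) == "unexpected"]


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{category:14s} {n}")
    print("needs review:")
    for line in unexpected_denies(SAMPLE_LOGS):
        print("  " + line)
```

Feeding the real `logging buffered` output through `summarize` gives a quick feel for how much of the deny noise is the late-packet pattern the post describes versus traffic that genuinely should not be knocking on the outside interface; the `unexpected_denies` list is the part worth reading line by line.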

