Re: [fw-wiz] PIX Transparent proxy

From: Luke Butcher (Luke.Butcher_at_alphawest.com.au)
Date: 11/10/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 10 Nov 2004 10:37:11 +1100

    On Fri, 22 Oct 2004 12:13:38 -0700, Juan Pablo Feria
    <feria@tpitic.com.mx> wrote:

    >> on the squid documentation tells about routers, but the configuration
    >> commands are not on the pix...
    >>
    >> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.5
    >
    >> Anyone has any ideas to send the port 80 requests to the squid box?

    >I do not believe PIX offers this functionality.

    >Cisco routers offer two distinct options which will assist in
    >deploying a "transparent" caching proxy -- route-map (to re-route
    >packets to a cache based on the port, protocol or any other ACL match)
    >and Web Cache Communication Protocol (WCCP).

    I too was just looking at the same thing the other day.
    It appears the PIX will do a static PAT (since version 6.2?) in order to
    solve this type of thing.

    The command:
      static (inside,outside) tcp interface www 10.0.0.1 www netmask 255.255.255.255
    is apparently the way to go about it. Oh yeah, you need the right
    access-list on the outside too, something like
      access-list outside_in permit tcp any host pu.bl.ic.ip eq www

    My dilemma is I can't seem to make it work. I'm not using it in the
    Cisco style fashion but more like what Juan wants.

      static (inside,browse_dmz) tcp interface 80 10.0.0.1 3128 netmask 255.255.255.255
      access-list from_browse_dmz permit tcp 192.168.1.0 255.255.255.0 any eq 80
      access-group from_browse_dmz in interface browse_dmz

    This shows nothing in the pix logs, and a tcpdump on 10.0.0.1 shows
    nothing hitting it. If I remove the access-list rule it does show the
    packets being denied, so I think they are being allowed successfully
    (also confirmed by hit count on a show access-list). The routing from
    browse_dmz to inside also works OK, as I tested allowing 3128 directly
    and you can get to 3128 fine. I also bumped IE/Mozilla from the equation
    by trying a straight telnet some.host 80.

    Anyone got any ideas? Maybe able to solve two problems at once.

    -- 
    Luke Butcher
    It's not winning that matters, it's winning in style that matters... 
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
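As an added illustration (not part of the thread), a small Python model of how the two config lines in the message interact on a PIX: the ACL decides whether a SYN from browse_dmz is admitted, and a static with the `interface` keyword only translates connections whose destination is the browse_dmz interface address itself, so a client connecting to some.host:80 is forwarded with its destination unchanged rather than redirected to 10.0.0.1:3128. The interface address 192.168.1.1 and the flows below are assumptions constructed for the example.

```python
import ipaddress

# Config lines taken from the message above. The browse_dmz interface address is
# not given in the thread; 192.168.1.1 is an assumption made for this example.
BROWSE_DMZ_IF_IP = "192.168.1.1"
STATIC_LINE = "static (inside,browse_dmz) tcp interface 80 10.0.0.1 3128 netmask 255.255.255.255"
ACL_LINE = "access-list from_browse_dmz permit tcp 192.168.1.0 255.255.255.0 any eq 80"

def parse_static(line, if_ip):
    # static (real_if,mapped_if) tcp <mapped_ip|interface> <mport> <real_ip> <rport> netmask <mask>
    t = line.split()
    mapped_ip = if_ip if t[3] == "interface" else t[3]
    return {"mapped": (mapped_ip, int(t[4])), "real": (t[5], int(t[6]))}

def parse_acl(line):
    # Subset: access-list <name> permit tcp <src_net> <src_mask> any eq <port>
    t = line.split()
    src = ipaddress.ip_network(f"{t[4]}/{t[5]}")   # ipaddress accepts dotted netmasks
    dst = None if t[6] == "any" else ipaddress.ip_network(t[6])
    return {"src": src, "dst": dst, "port": int(t[t.index("eq") + 1])}

STATIC_RULE = parse_static(STATIC_LINE, BROWSE_DMZ_IF_IP)
ACL_RULE = parse_acl(ACL_LINE)

def evaluate_flow(src, dst, dport, acl=ACL_RULE, static=STATIC_RULE):
    """Model a TCP SYN arriving on browse_dmz: the ACL is checked, then the static PAT."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (src_ip not in acl["src"] or dport != acl["port"]
            or (acl["dst"] is not None and dst_ip not in acl["dst"])):
        return ("denied", None)                 # this is what shows up as a deny in the log
    if (dst, dport) == static["mapped"]:
        return ("translated", static["real"])   # only traffic aimed at the interface IP:port
    return ("forwarded", (dst, dport))          # permitted, but destination left unchanged

if __name__ == "__main__":
    for flow in [("192.168.1.10", "192.168.1.1", 80),     # client talks to the PIX itself
                 ("192.168.1.10", "198.51.100.7", 80),    # client talks to some.host:80
                 ("192.168.1.10", "198.51.100.7", 443)]:  # not permitted by the ACL
        print(flow, "->", evaluate_flow(*flow))
```

Running it shows that only the flow addressed to the interface IP reaches 10.0.0.1:3128; the ACL hit counts rise for the other port-80 flow even though nothing arrives at the squid box.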
    
