Port 443 problem on PIX506

Guys, I have a problem. I'm using a PIX 506 firewall, an Exchange Server at 192.168.2.11 and a Symantec Mail Security 8220 spam filter at 192.168.2.5.

The mail traffic is routed from the PIX to the Spam8220, and the Spam8220 routes it to the Exchange server. When somebody tries to access their own mailbox from outside, the HTTP traffic is routed directly to the Exchange server. I also route traffic through port 443 from the PIX to the Spam8220. The Spam8220 uses HTTPS to connect to the Symantec Update Center on the Internet and make updates.

Everything runs fine, except that it makes the update and the next day email traffic is running fine but port 443 on the PIX is closed. When I type the #clear xlate command the update is done immediately and everything is OK until the next day, when it shows me that problem again.

I can't understand why that happens only with the traffic through port 443.

Does anybody have any idea?

This is the config file:

PIX Version 6.x
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /ZZZZZZZZZ encrypted
passwd ZZZZZZZZ encrypted
hostname NRP-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list inside_access_out permit tcp any any eq smtp
access-list inside_access_out permit tcp any any eq www
access-list inside_access_out permit tcp any any eq 443
access-list inside_access_out permit tcp any any eq 3389
access-list inside_access_out permit tcp any any eq domain
access-list inside_access_out permit udp any any eq domain
access-list inside_access_out permit tcp any any eq 1776
access-list inside_access_out permit tcp any any eq ftp
access-list inside_access_out permit icmp any any echo
access-list inside_access_out permit tcp any any eq 8080
access-list inside_access_out permit tcp any any eq 2443
access-list vpnacl permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
logging trap notifications
logging history notifications
logging facility 0
logging host inside 192.168.2.12
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside zzz.xxx.yyy.96 255.255.252.0
ip address inside 192.168.2.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 10.1.1.10-10.1.1.36
pdm history enable
arp timeout 14400
global (outside) 1 zzz.xxx.yyy.104 netmask 255.255.252.0
global (outside) 1 zzz.xxx.yyy.105 netmask 255.255.252.0
nat (inside) 0 access-list vpnacl
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp zzz.xxx.yyy.99 25 192.168.2.5 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp zzz.xxx.yyy.99 80 192.168.2.11 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp zzz.xxx.yyy.99 domain 192.168.2.11 domain netmask 255.255.255.255 0 0
static (inside,outside) udp zzz.xxx.yyy.99 domain 192.168.2.11 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp zzz.xxx.yyy.99 443 192.168.2.5 443 netmask 255.255.255.255 0 0
access-group inside_access_out in interface inside
conduit deny ip any host 81.48.75.223
conduit permit ip any 141.152.97.50 255.255.255.224
conduit permit tcp host zzz.xxx.yyy.99 eq smtp any
conduit permit tcp host zzz.xxx.yyy.99 eq www any
conduit permit tcp host zzz.xxx.yyy.99 eq domain any
conduit permit ip host zzz.xxx.yyy.99 host 141.152.97.35
route outside 0.0.0.0 0.0.0.0 zzz.xxx.yyy.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.2.10 secretkey timeout 5
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
aaa-server mytacacs protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.2.10 tftp
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
crypto map vpngroup client authentication TACACS+
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup XXX address-pool clientpool
vpngroup XXX dns-server 192.168.2.10
vpngroup XXX wins-server 192.168.2.10
vpngroup XXX default-domain AAAAA.com
vpngroup XXX split-tunnel vpnacl
vpngroup XXX idle-time 1800
vpngroup XXX password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
Reply to
Exclusive

Looking at your config, you have a /22, or about 1024 IP addresses available to the outside interface of the PIX. Why not use two separate routable IP addresses for the Exchange server and Spam8220 when defining the static mappings, instead of using port mapping?

Also, the Spam8220 may use port 443 to get updates, but it will send traffic *to* port 443 on some server at Symantec. The source port of the traffic will be something else.

Reply to
Mark Williams

Since you have a static translation, you shouldn't have to "clear xlate" unless your IP addresses are used up in your global pool. How many hosts do you have behind this PIX? Do you own the whole IP address range in your global address pool?

It seems this:

global (outside) 1 zzz.xxx.yyy.104 netmask 255.255.252.0
global (outside) 1 zzz.xxx.yyy.105 netmask 255.255.252.0

should be configured like this:

global (outside) 1 zzz.xxx.yyy.104 netmask 255.255.255.255
global (outside) 1 zzz.xxx.yyy.105 netmask 255.255.255.255

Reply to
farisb

When I use the #clear xlate command everything is OK and the update runs immediately. But it's only until the next day, when I have to type #clear xlate and again everything is OK. The source port looks to be 443.
Reply to
Exclusive

If that can help somebody with any ideas: this is the output of #show xlate when the spam filter shows that it can't communicate with the Symantec Center because port 443 on the PIX is closed.


This is the output after:

PIX(config)# clear xlate
PIX(config)# show xlate


And the update is immediately done!

And if anybody can explain to me why this is: PAT Global 206.111.123.104(141) Local 192.168.2.5(53), I'll appreciate it!

Thanks!

Reply to
Exclusive

Hiding the exact PIX version is counter-productive. There are version-specific bugs that we might be able to tell you about -- and there are clues about the version in the details of some of the command options.

I can see that you are using a PIX 6.2, not PIX 6.3; I'm not going to bother to chase down the subrelease.

255.255.255.255 0 0

Get rid of the conduits. The very existence of conduits in a 6.x configuration can result in Bad Things Happening. And here's a case where your deliberate obscurity has interfered with us giving detailed advice: the conduit problems are particularly bad in 6.2(1) and 6.2(2) [not that they are great in any later 6.2 or 6.3 release.]

Cisco mostly gave up on fixing conduits at around 5.3(2), and only touched the code in 6.2 because they had to in order to add PAT to 6.2(1). They fixed the absolute worst of the bugs, but the more subtle bugs are marked WON'T FIX. Conduits have been deprecated since 5.2(1).

I'm not saying that the conduits are definitely the cause of the problem you are observing: I'm saying that it isn't worth trying to debug your problem until you remove the conduits.

Reply to
Walter Roberson

You only static PAT'd DNS for 192.168.2.11, so outgoing DNS requests sourced by port 53 of 192.168.2.5 are going to use the nat/global pairs you have set up. You have not set up any globals with IP ranges, so the controlling global is the one you marked in the configuration as

global (outside) 1 x.x.x.104

If x.x.x.104 is synonymous with 206.111.123.104, then we see why that address is used on the global side. The choice of port number 141 was just the next unused port number in the PAT subpool from 1 to 1023, which is used for outgoing requests sourced from ports 1 to 1023 (the "privileged ports").
Reply to
Walter Roberson
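The show xlate output posted above and Walter's account of the 1-1023 PAT subpool, as an added Python example that is not from the thread: it parses PIX 6.x "show xlate" entries, reports which static PAT mappings have no translation in the table, and models the dynamic port choice Walter describes. The sample xlate excerpt, the global addresses and the PatModel behaviour are constructed assumptions, not Cisco's implementation.

```python
import re

# One entry of PIX 6.x "show xlate", e.g. PAT Global 206.111.123.99(25) Local 192.168.2.5(25)
XLATE_RE = re.compile(
    r"PAT Global (\d+\.\d+\.\d+\.\d+)\((\d+)\) Local (\d+\.\d+\.\d+\.\d+)\((\d+)\)")

def parse_xlate(text):
    """Return (global_ip, global_port, local_ip, local_port) for each entry."""
    return [(g, int(gp), l, int(lp)) for g, gp, l, lp in XLATE_RE.findall(text)]

def missing_statics(text, statics):
    """Static PAT mappings (local -> global) with no matching xlate entry."""
    present = {(l, lp): (g, gp) for g, gp, l, lp in parse_xlate(text)}
    return sorted(k for k, v in statics.items() if present.get(k) != v)

class PatModel:
    """Simplified model (an assumption, not Cisco's code) of dynamic PAT on one
    global address: a static wins; otherwise a source port <= 1023 takes the next
    free global port in 1-1023 and any other source port the next free port in
    1024-65535. A translation is reused until it is cleared."""
    def __init__(self, global_ip, statics):
        self.global_ip, self.statics = global_ip, statics
        self.used, self.xlates = set(), {}

    def translate(self, local_ip, local_port):
        key = (local_ip, local_port)
        if key in self.statics:
            return self.statics[key]
        if key not in self.xlates:
            lo, hi = (1, 1023) if local_port <= 1023 else (1024, 65535)
            port = next((p for p in range(lo, hi + 1) if p not in self.used), None)
            if port is None:
                raise RuntimeError("PAT subpool %d-%d exhausted" % (lo, hi))
            self.used.add(port)
            self.xlates[key] = (self.global_ip, port)
        return self.xlates[key]

# Static PAT entries from the thread's config, using the global addresses seen
# in the posted xlate output (TCP DNS static only, for brevity).
STATICS = {
    ("192.168.2.5", 25): ("206.111.123.99", 25),
    ("192.168.2.11", 80): ("206.111.123.99", 80),
    ("192.168.2.11", 53): ("206.111.123.99", 53),
    ("192.168.2.5", 443): ("206.111.123.99", 443),
}

# Constructed excerpt of a "show xlate" table: there is no .99(443) entry.
SAMPLE_XLATE = """3 in use, 497 most used
PAT Global 206.111.123.99(25) Local 192.168.2.5(25)
PAT Global 206.111.123.104(141) Local 192.168.2.5(53)
PAT Global 206.111.123.99(80) Local 192.168.2.11(80)
"""

if __name__ == "__main__":
    print("statics without an xlate:", missing_statics(SAMPLE_XLATE, STATICS))
    pat = PatModel("206.111.123.104", STATICS)
    print(pat.translate("192.168.2.5", 53), pat.translate("192.168.2.5", 35332))
```

A static that is absent from the table may simply be idle, so treat the report as a pointer to what to check with traffic, not as proof that the static is broken.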

Thanks for your advice! I will try that! I use IOS v6.1; I know it's old but I don't know where to find a newer one.

Reply to
Exclusive

Thanks Walter!

I've replaced the conduit commands with ACLs and right now everything is running well!

Appreciate your help!

Reply to
Exclusive
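Walter's advice to get rid of the conduits, and the ACL replacement Exclusive reports above, as an added Python example that is not from the thread or from Cisco: it rewrites the conduit lines from the posted configuration as access-list entries for an inbound ACL on the outside interface. The conversion relies on one fact about the two syntaxes: a conduit names the global (translated) address first and the foreign address second, while an access-list names source first and destination second, so the address/port pairs swap places. The ACL name outside_access_in is an assumption; ICMP-type conduits are not handled.

```python
# Conduit -> access-list converter (added example, not from the thread or Cisco).
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}

def _take_addr(tokens, i):
    """Consume one address spec: 'any', 'host A' or 'A MASK'. Return (text, next)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host %s" % tokens[i + 1], i + 2
    return "%s %s" % (tokens[i], tokens[i + 1]), i + 2

def _take_port(tokens, i):
    """Consume an optional port operator such as 'eq 25' or 'range 1 1023'."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = 3 if tokens[i] == "range" else 2
        return " ".join(tokens[i:i + n]), i + n
    return "", i

def conduit_to_acl(line, acl_name="outside_access_in"):
    """Rewrite one 'conduit' command as the equivalent inbound access-list entry.
    Conduit order: global address [port], foreign address [port].
    ACL order: source (foreign) [port], destination (global) [port]."""
    t = line.split()
    if not t or t[0] != "conduit":
        raise ValueError("not a conduit command: %r" % line)
    action, proto = t[1], t[2]
    global_addr, i = _take_addr(t, 3)
    global_port, i = _take_port(t, i)
    foreign_addr, i = _take_addr(t, i)
    foreign_port, i = _take_port(t, i)
    parts = ["access-list", acl_name, action, proto,
             foreign_addr, foreign_port, global_addr, global_port]
    return " ".join(p for p in parts if p)

def convert_config(conduit_lines, acl_name="outside_access_in"):
    """Convert every conduit and append the access-group line that binds the ACL."""
    acl = [conduit_to_acl(l, acl_name) for l in conduit_lines]
    acl.append("access-group %s in interface outside" % acl_name)
    return acl

# Conduit lines exactly as they appear in the thread's posted configuration.
CONDUITS = [
    "conduit deny ip any host 81.48.75.223",
    "conduit permit ip any 141.152.97.50 255.255.255.224",
    "conduit permit tcp host zzz.xxx.yyy.99 eq smtp any",
    "conduit permit tcp host zzz.xxx.yyy.99 eq www any",
    "conduit permit tcp host zzz.xxx.yyy.99 eq domain any",
    "conduit permit ip host zzz.xxx.yyy.99 host 141.152.97.35",
]

if __name__ == "__main__":
    print("\n".join(convert_config(CONDUITS)))
```

The generated entries are meant to be applied after the conduit commands have been removed, so that the outside interface is governed by the ACL alone.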

As a technical point: the OS for the PIX is named Finesse, not IOS.

Anyhow, if you are using PIX 6.1, I'm not surprised you had conduit problems. Early 6.1 especially were pretty buggy.

If you are running something before 6.1(5), then see the following for an authorization for a free update to 6.1(5):

formatting link
Then you can get up to 6.1(5)102 via
formatting link
But I don't think you can get further than that without either a support contract or purchasing a newer release.

You probably cannot get a hardware support contract on a device that old -- not unless you want to pay several hundred dollars for an examination fee (and you would have to ship the 506 to Cisco for the examination.) That effectively leaves you out of all of the CON-* support contract part numbers. You might, however, still be able to get a SASU-* support contract, which covers software upgrades (an "upgrade" allows you to go to new releases; there is also an SAS-* part number which is for "updates", which would only allow you to go as far as 6.1(5).)

formatting link

I don't know the pricing of a software upgrade. It might be more cost effective to go for a new PIX 515E with PIX 7.x [the 506 does not support 7.x], or for one of the new CISCO ASA security devices.

formatting link

Reply to
Walter Roberson
