Pix Firewall and Proxy Server

I need to allow only one IP address (the one for the proxy server) to browse through the PIX firewall to the Internet. What will be the commands in the PIX firewall to block traffic to the Internet from the whole 10.2.1.x network but allow only the proxy server? All other computers will use the proxy server address to use the Internet. Please let me know the correct commands, and secondly let me know if other computers can browse the Internet if they are using this particular proxy server address.


You can do this, but there are some issues you are likely not aware of that you will need to address first.

The issue you are going to have with the PIX inline with a Proxy Server, however, is going to be with NAT and PAT.

A Proxy Server is essentially a “PAT BOX”. Proxies use PAT to allow the “many to one” scenario. The PIX likewise uses NAT and PAT.

The problem you will run into is often referred to as “double NAT”. NAT/PAT tables can get screwed up as varying RANDOM port numbers are assigned by the two devices performing NAT/PAT along the path. You will have to NAT/PAT on the PIX if it is the perimeter device where your registered IPs are applied if you want your hosts to get to the Internet. This can interfere with some applications and will definitely slow down your Internet as PAT and NAT do their thing. And of course you can’t implement a Proxy Server without the use of PAT. Without PAT the proxy’s not a proxy.

It’s kind of a catch-22. You can’t turn off PAT on the proxy if you want it to actually Proxy, and if you want to use your IANA registered addresses to surf the web, then you won’t be able to turn off NAT on the PIX (something you can do if using private addresses on both interfaces, or if you have registered addresses on the inside).

As far as your question on how to restrict the traffic to certain hosts, well, that’s the easy part. Just allow NAT to the address of your Proxy’s outside interface, or use an outbound ACL permitting only traffic from the Proxy to the Internet. (I would stay away from outbound ACLs as they tend to be problematic.)

But your real issue is not restricting traffic, it’s using NAT and PAT through these 2 devices.

Let me be clear, you CAN double NAT if you want to. I see it all the time. But it will slow down your Internet, and cause plenty of errors and dropped connections, and some traffic will not work at all. Double NAT is just a bad way to fly.

Chris Weber

  • Layer9
BTW, if I have not scared you away from this scenario yet, then I would do it like this if I absolutely had to. First make sure your proxy is multi-homed. You don't want a one-armed proxy for this. Set the outside of your proxy to an IP on the same subnet as the inside of the PIX. Next you will need one of the static IPs from your IANA-assigned block to be free. You will be using this address to static NAT to your proxy server, like the following example: static (inside,outside) x.x.outside.x x.x.inside.x netmask 0 0. This will keep your Proxy from using the PAT address of your PIX, and therefore the problems associated with PAT port address mappings will be reduced, and thus so will the latency created in a double NAT scenario. Set the default gateway of the Proxy to the inside of the PIX. Put all of your internal clients who you want to surf the web through the Proxy on the inside subnet of the Proxy (say a subnet). Then on the outside of the PIX, remove the statement that is likely there, NAT (inside) 1 0 0. That statement NATs anything on the inside, which you don't want if you want to restrict traffic. The only device participating in NAT then will be the static mapping of the Proxy's outside interface, which already has a static NAT mapping. Everyone surfing the Internet will go through the proxy, using PAT to use the static outside address of the proxy, say, and this address will be NAT'd by the PIX using a single IANA registered address. This will work and you won't have the port issues, but you are still NATing twice and you have the proxy securing the clients. It's also important to remember that if all you want to do is restrict which clients can surf the web, you don't need a proxy server to do it. You can use a global PAT address on the PIX for Proxy-like security, and only PAT the hosts or subnets you want to access the Internet. Hope this helps. Chris Weber Layer9corp.com
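The design sketched in the reply above, written out as an added configuration example. This is not from the original thread or from Cisco documentation: the PIX 6.x command syntax is assumed, and every address is a constructed placeholder (203.0.113.0/24 stands in for the registered block, 192.168.1.0/24 for the PIX inside segment, 10.2.1.0/24 for the client network named in the question).

```text
! Added example, PIX 6.x-style syntax (assumed). All addresses are constructed placeholders.
! Outside: 203.0.113.0/24 (stands in for the IANA-registered block)
! PIX inside: 192.168.1.0/24; proxy's outside interface: 192.168.1.10
! Clients sit behind the proxy's inside interface on 10.2.1.0/24 (the network from the question)

ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! Remove the blanket rule that would translate every inside host.
no nat (inside) 1 0.0.0.0 0.0.0.0

! One-to-one static mapping for the proxy's outside interface only, so the proxy
! never shares the PIX's PAT address and its port mappings are not reassigned by the PIX.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! Any inside host other than 192.168.1.10 now has no translation and is dropped by the PIX,
! so 10.2.1.x clients reach the Internet only by going through the proxy.

! Alternative named at the end of the reply: if all you need is to restrict which hosts
! surf, skip the proxy and PAT only the chosen host(s) instead of the static above.
! global (outside) 1 203.0.113.10
! nat (inside) 1 192.168.1.10 255.255.255.255
```

Two checks worth doing after applying this: `show xlate` should list a translation only for 192.168.1.10, and a client that bypasses the proxy should produce a "no translation group found" style drop in the PIX log rather than a connection. On PIX 7.x software the drop-without-translation behaviour is only enforced when `nat-control` is configured; without it, untranslated inside hosts are allowed through and the restriction above does nothing.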
  • Layer9
BTW, this is just one way of doing it, and based upon your needs it may not be the best way. You don't provide much information in your question, so my answer is based on what you told me. There is much more information you could provide, like what sort of Proxy server, how many interfaces, what admin control you have over the PIX, etc. I have done this before with a Microsoft ISA server and a PIX 515. It does work, but it makes for some ugly traffic patterns when you examine them with a sniffer. If security is the reason for doing this, I would look into siting an IDS off your network, and maybe an inline application-layer firewall. And if you want just to control Internet access, you don't need the proxy for that. There are some creative ways of doing that with the PIX as well. Chris Weber Layer9corp.com