
Is my syntax right?

Status
Not open for further replies.

bobbys9

MIS
Apr 24, 2002
123
US
I am using a pix 515 for nat. I also have all internal hosts use the proxy server as the only access to the internet. I have an application that needs to upload a database file to the application vendor's site using ports 1100, 1101, and 1102. I want to be able to allow these ports to pass through the proxy and the pix to our external address. Here are my statements. They do not work. What is wrong??

conduit permit udp host 209.158.xx.x eq 1100 host 10.8.63.200
conduit permit tcp host 209.158.xx.x eq 1100 host 10.8.63.200
conduit permit udp host 209.158.xx.x eq 1101 host 10.8.63.200
conduit permit tcp host 209.158.xx.x eq 1101 host 10.8.63.200
conduit permit udp host 209.158.xx.x eq 1102 host 10.8.63.200
conduit permit tcp host 209.158.xx.x eq 1102 host 10.8.63.200
conduit permit udp host 209.158.xx.x eq 1100 host 10.7.65.71
conduit permit tcp host 209.158.xx.x eq 1100 host 10.7.65.71
conduit permit udp host 209.158.xx.x eq 1101 host 10.7.65.71
conduit permit tcp host 209.158.xx.x eq 1101 host 10.7.65.71
conduit permit udp host 209.158.xx.x eq 1102 host 10.7.65.71
conduit permit tcp host 209.158.xx.x eq 1102 host 10.7.65.71
conduit permit udp host 209.158.xx.x eq 1100 host 10.6.61.112
conduit permit tcp host 209.158.xx.x eq 1100 host 10.6.61.112
conduit permit udp host 209.158.xx.x eq 1101 host 10.6.61.112
conduit permit tcp host 209.158.xx.x eq 1101 host 10.6.61.112
conduit permit udp host 209.158.xx.x eq 1102 host 10.6.61.112
conduit permit tcp host 209.158.xx.x eq 1102 host 10.6.61.112
conduit permit udp host 209.158.xx.x eq 1100 host 10.7.65.125
conduit permit tcp host 209.158.xx.x eq 1100 host 10.7.65.125
conduit permit udp host 209.158.xx.x eq 1101 host 10.7.65.125
conduit permit tcp host 209.158.xx.x eq 1101 host 10.7.65.125
conduit permit udp host 209.158.xx.x eq 1102 host 10.7.65.125
conduit permit tcp host 209.158.xx.x eq 1102 host 10.7.65.125

Is this the command I should be using, or should I use an outbound command? Any help would be appreciated. Thanks.
 
A few questions:
1) Which IPs are the vendor? I'm assuming the 209.158.x.x, but I want to be sure.
2) What IP is your proxy? You don't have to give the actual IP, but give at least a "fake" one for the purpose of showing examples.
3) When the app passes through the proxy on your three ports, will the traffic appear as coming from the proxy, or will the traffic have the IP of the original sender?
4) Instead of outbound and conduit, how about using access-lists? They replace the conduit and outbound commands, and Cisco will eventually phase out conduits and outbounds altogether.
5) If you're Ok with it, please post a complete config from your PIX, just to help fill in some gaps.
 
tbisset,
thanks for the reply. The 209 address is our internet address. The proxy is a 10.50 subnet--the 10.5,6,7,etc..x.x subnets go through this to the internet. (A static for the 209 from the 10.50)

I don't know what their server expects, but there is a place for proxy configuration in their software, so I believe that it should work with nat. You are confusing me RE the access list. I am reading the pix manual and what I am getting out of it is that access lists are used in conjunction with outbound commands. I set up a series of outbounds. Started with denying all, then adding in 80, 20/21, 23, 443, and the ones that the app needs--1100, 1101, and 1102. I specified the outbound ip address as that of the proxy server. It did not work. Maybe I need to specify 10.1.1.1 255.0.0.0 for the common ports, and the specific host addresses for the 1100's. Have not yet tried this. Maybe this helps. Thanks.
 
OK. Let's start with the basics. First off, access-list commands are not used together with the outbound command. Not sure where you read that, but it's not correct.

First, let's get your proxy server talking to the outside world. These commands are assuming that the proxy server is the ONLY server allowed to talk to the Internet:
nat (inside) 1 10.50.x.x 255.255.255.255 (Sub x's for the IP of your proxy host)
global (outside) 1 interface (all Internet traffic will have a source IP for your firewall outside int).

Next, you want to restrict the ports that can go out. Here are the commands to do that:
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq telnet
access-list outbound permit tcp any any eq 443
access-list outbound permit tcp any any eq 1100
access-list outbound permit tcp any any eq 1101
access-list outbound permit tcp any any eq 1102
access-group outbound in interface inside


The "any any" in the access-lists means "any source any destination." Because we limited the NAT statement to only your proxy server, we didn't need to specify it here. Also, access-lists have an implicit deny. Basically that means if you don't specify it to be permitted, it will be denied.

You can get rid of all the conduits, outbounds, etc.

Try that for a first step, and we'll take it from there.

Tom
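An added example, not from the thread or from Cisco: a small Python evaluator for PIX-style `access-list` lines that walks the entries top to bottom the way the firewall does, resolves the service names the reply uses (`www`, `ftp`, `telnet`), and falls through to the implicit deny when nothing matches. It lets you check a candidate flow against the list before applying it; notably, the list in the reply permits only TCP, so the UDP 1100-1102 flows the original conduits allowed would be dropped by it. The ACL text is the reply's own; the proxy and vendor addresses in the demo are constructed placeholders, and the port-name table covers only the names used here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names as they appear in the reply's ACL, mapped to port numbers.
# Constructed subset; the real PIX name table is much larger.
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "telnet": 23, "https": 443}

# The access-list from the reply above, used as sample input.
SAMPLE_ACL = """\
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq telnet
access-list outbound permit tcp any any eq 443
access-list outbound permit tcp any any eq 1100
access-list outbound permit tcp any any eq 1101
access-list outbound permit tcp any any eq 1102
"""


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None means "any destination port"


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next index).
    PIX 6.x ACLs take ordinary subnet masks, not IOS wildcard masks."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_acl(text: str, name: str):
    """Return the entries of access-list `name`, in configuration order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = _port(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL, "outbound")
    proxy, vendor = "10.50.1.2", "209.158.0.1"   # constructed placeholders
    for proto, port in [("tcp", 80), ("tcp", 1100), ("udp", 1100), ("tcp", 25)]:
        print(f"{proto}/{port} from {proxy} to {vendor}: "
              f"{evaluate(acl, proto, proxy, vendor, port)}")
```

Run it with a flow list that mirrors what the application actually sends (protocol and port per flow) before cutting over from the conduits; any line that comes back `deny` is a port or protocol the new list does not yet cover.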
 