Upload problem through proxy

[bobbys9]

I am using a PIX 515 for nat, and Proxy 2.0 for caching. I direct all internet traffic through the proxy, and then through the pix to an external address. I have users that run an application that works by uploading data to the developer's server. Not happening, and they have no expertise with pix.

I have set up conduit statements for each of the ports they use (1100, 1101, and 1102):

conduit permit udp host 209.158.xx.x eq 1100 host 10.8.63.200
conduit permit tcp host 209.158.xx.x eq 1100 host 10.8.63.200
conduit permit udp host 209.158.xx.x eq 1101 host 10.8.63.200
conduit permit tcp host 209.158.xx.x eq 1101 host 10.8.63.200
conduit permit udp host 209.158.xx.x eq 1102 host 10.8.63.200
conduit permit tcp host 209.158.xx.x eq 1102 host 10.8.63.200
conduit permit udp host 209.158.xx.x eq 1100 host 10.7.65.71
conduit permit tcp host 209.158.xx.x eq 1100 host 10.7.65.71
conduit permit udp host 209.158.xx.x eq 1101 host 10.7.65.71
conduit permit tcp host 209.158.xx.x eq 1101 host 10.7.65.71
conduit permit udp host 209.158.xx.x eq 1102 host 10.7.65.71
conduit permit tcp host 209.158.xx.x eq 1102 host 10.7.65.71
conduit permit udp host 209.158.xx.x eq 1100 host 10.6.61.112
conduit permit tcp host 209.158.xx.x eq 1100 host 10.6.61.112
conduit permit udp host 209.158.xx.x eq 1101 host 10.6.61.112
conduit permit tcp host 209.158.xx.x eq 1101 host 10.6.61.112
conduit permit udp host 209.158.xx.x eq 1102 host 10.6.61.112
conduit permit tcp host 209.158.xx.x eq 1102 host 10.6.61.112
conduit permit udp host 209.158.xx.x eq 1100 host 10.7.65.125
conduit permit tcp host 209.158.xx.x eq 1100 host 10.7.65.125
conduit permit udp host 209.158.xx.x eq 1101 host 10.7.65.125
conduit permit tcp host 209.158.xx.x eq 1101 host 10.7.65.125
conduit permit udp host 209.158.xx.x eq 1102 host 10.7.65.125
conduit permit tcp host 209.158.xx.x eq 1102 host 10.7.65.125

where 209.158.xx.x is the external address for our internet, and the host ip's are the users who are needing to upload.

Do I need to specify the address of the proxy (internal) server, instead of the outside address? Or should I not be using a conduit for this purpose? Any thoughts would be appreciated. Thanks.

 

[yizhar]

HI.

By default, the pix will allow any outbound traffic, so the conduits statements that you have posted here seem unneeded.

Here are my suggestions:

* Remove all the conduit statements related to this issue.

* Use syslog messages with level 4 (warnings) at the pix.
This will tell you if the pix is blocking anything and provide more details.
You can also use level 6 (informational) to see the actual sessions and get more info.

* Do the internal workstations have direct connection to the pix, or do you have 2 nics on the proxy server and workstation can go out ONLY via the proxy?
What is the default gateway of workstations, if any?
Have you installed the MS Proxy client on workstations?
Please provide more details about this.

In general, it seems to me that the pix is not the issue here - maybe the proxy server configuration should be changed.

Bye


Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[bobbys9]

Thanks Yizhar,

Solved the issue, but do not know why it works. User machines are both Windows 98. Installed Proxy Client on each, and now they can upload through the pix. Can anyone tell me what the difference is by installing this, and does it comprimise the network security? Thanks.