PIX Firewall with Surfcontrol Server: Illegal Traffic not Blocked

I currently have a PIX 501 firewall connected to my ISP, and behind that I have 3 switches trunked off of each other with one connection back to the PIX. I mirrored a port on switch A where it connects to the PIX, and my Win2003 SP1 Server (Surfcontrol Server 5.0) is the box receiving the mirrored info. This is also on switch A, along with the trunk to the next switch (B) and 15+ other host ports that are active on switch A. My problem is that all of the websites that are supposedly blocked are coming through, regardless of where that box is in the network; switch A, B or C. I have enabled all of the Surfcontrol rules and they are active, but nothing is actually being blocked, though the monitor (and real time monitor) show blockage. I've also uninstalled and reinstalled Surfcontrol with the same result. I would prefer to move the Surfcontrol server to one of the PIX ports and mirror the Switch A connection to that new PIX port, but I can't find any commands to mirror or SPAN a port on a PIX.

 Can someone come up with a possible solution or direct me to my flaw...



PS. My Surfcontrol server has a secondary NIC that is a standard portfast fastE port (no mirroring) that I use to RDP into the box. Just thought I'd add this tidbit of info...

>I can't find any commands to mirror or SPAN a port on a PIX.
Sorry, but there isn't one. You can't span ports directly on the PIX.

Unfortunately, the PIX does not support SurfControl natively like it does N2H2 and Websense.
I don't know how Surfcontrol is supposed to work by connecting to a SPAN port... I know it can see all the traffic that way, but how does it prevent users from going there?
What kind of switches do you have? They need to support bi-directional SPAN. Many Cisco switches do not support this feature.

I would think that the surfcontrol server would have to be in direct line between the users and the firewall.
Have you seen this document from SurfControl?

lrmoore is right, you are doing port mirroring and it doesn't work like port filtering.

Your scenario will be:

Internet --->  Pix ----->> SurfControl Server ----->  rest of LAN.

BigBro007Author Commented:
And I truly understand that... I've seen the document, and it states to mirror a port on the switch (2950) which is mirroring both directions of traffic. The document doesn't state whether or not host devices can be plugged into the switch or not. And per this document, the server doesn't have to be a true "in-band" solution. That would be more along the lines of an appliance that was transparent. This is supposedly a "pass-by" filtering device that can sit "off-band" and provide the solution of blocking the sites...

Any other info?

PS. Surfcontrol calls for port mirroring, not filtering on the switch - Surfcontrol does the filtering...
> mirror a port on the switch (2950) which is mirroring both directions of traffic.
Ah, but the port is not bi-directional, meaning that it's like a firehose letting Surfcontrol see all the traffic, but no traffic can be sent from the server into that same interface. Too much coming out to let any in. Sort of like a tadpole trying to swim into the fire hydrant with the water on full blast...
From SPAN on 2950 documentation:
 The destination port has these characteristics:
   * The port does not transmit any traffic except that required for the SPAN session

Therefore, this does not meet the requirement for a bi-directional mirror port.

Big Bro007,

I have a similar setup here. You need to review the documentation for your switch and be sure the port mirroring is bi-directional. By default the mirroring on a lot of switches is not bi-directional.

I have all the clients on my network plugged into twenty NetGear ProSafe switches. One port on each switch plugs into another ProSafe switch (I call it my root switch), which also has my firewall and my SurfControl Webfilter server plugged into it. I bi-directionally mirrored (the option on the switch GUI is listed as Tx/Rx) the port the firewall is on to the port the SurfController is on, and it works great.

Before I had switches that could mirror ports, I had a small hub between my firewall and root switch that I plugged SurfController into, which also worked (it was an old Linksys hub; I think the newer ones have Cisco switching technology in them so they won't work, it has to be straight-up broadcast style to all ports on the hub). That could work for you too, if you REALLY need to get it running ASAP.

So: check your switch documentation and get a new switch if needed. I wouldn't recommend what I did with the hub because that could seriously bottleneck your network if you are not careful!


P.S. I am jealous of your budget and 2950's!

BigBro007Author Commented:
From my 2950:

Session 1
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/24
Destination Ports: Fa0/22

The port is monitoring in both directions; it just won't stop any clients even though there is a blocking statement active in the rule sets...

Do you have any hosts on the "root switch" in your network? I have hosts on my "root switch" and was wondering if this is causing some problems...
>Destination Ports: Fa0/22
This is the port connected to the SurfControl, yes?
It is *not* bi-directional.
Fa0/24 is connected to your firewall, yes?
Traffic coming in Rx and going out Tx of that port is all mirrored to port Fa0/22.
SurfControl sees everything.
NOTHING can be sent out Fa0/22, meaning that SurfControl cannot block anything.

Yes, I have hosts on my root switch. That shouldn't matter. See lrmoore's comments. I think your switch is sending both received and transmitted packets from port 24 to port 22, but 22 is unable to send anything out.

Like I said you could always try a hub (w/o switching technology) or get a new switch that will allow the destination port in port-mirroring to transmit as well.

BigBro007Author Commented:
I now think I understand what you all are saying about being able to transmit on the port while receiving SPAN'd data. Does anyone know (before I google it) if the 2950's are capable of such a behavior?

I *think* it might be possible based on the documentation which states:

"You can use the SPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) Sensor Appliance to a destination port, the IDS device can send TCP Reset packets to close down the TCP session of a suspected attacker."


"The destination port does not transmit any traffic except that traffic required for the SPAN session unless "learning" is enabled. If learning is enabled, the port also transmits traffic directed to hosts that have been learned on the destination port."


Do you have a contact with Cisco TAC or a warranty on this piece of equipment? Give them a call and ask them for some configuration assistance for this feature.

Good Luck!

BigBro007Author Commented:
I actually re-read the Cisco documentation this morning in regards to spanning the port. It looks as though I have to enable ingress on the actual destination port to allow me to send traffic out of the monitoring port... I'm assuming that this is what they mean when they mention "...learning is enabled."
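The thread's conclusion, written out as an IOS configuration. This is an added example, not text from the original posts or from Cisco's documentation. The port numbers (Fa0/24 to the firewall, Fa0/22 to the SurfControl server) are taken from the "show monitor" output posted earlier in the thread; VLAN 1 and the exact form of the "ingress" keyword are assumptions and should be checked against the SPAN chapter of the configuration guide for the IOS release actually running on the 2950.

```cisco
! Session as the poster has it: Fa0/22 receives a copy of everything on
! Fa0/24 but, as a plain SPAN destination, transmits nothing. SurfControl
! sees every request and logs a "block", yet its reply never leaves the port.
monitor session 1 source interface Fa0/24 both
monitor session 1 destination interface Fa0/22

! Corrected session (added example): the "ingress vlan" option tells the
! switch to accept frames arriving on the destination port and forward them
! on the named VLAN, so the packets SurfControl sends to tear down or
! redirect a session can reach the client.  VLAN 1 is an assumption; use the
! VLAN the clients are in.
no monitor session 1
monitor session 1 source interface Fa0/24 both
monitor session 1 destination interface Fa0/22 ingress vlan 1

! Check: "show monitor session 1" should still list Fa0/24 under Both and
! Fa0/22 as the destination, and should now report ingress as enabled.
```

Even with ingress enabled the server only ever sees a copy of the traffic and reacts after the packet has already gone through the PIX, so pass-by filtering can be out-raced by a fast server and cannot fail closed. That is why lrmoore's in-line placement (firewall, then filter, then the rest of the LAN) is the stricter design, and why the hub workaround posted above also works: every hub port transmits as well as receives.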