How to open specific ports on a PIX

Posted on 2003-11-30
Medium Priority
Last Modified: 2013-11-16
I need to open specific ports on a pix firewall for connection to an online trading service.  How can I open specific ports and point them to a specific computer on my pix.
Question by:throckto
LVL 18

Expert Comment

ID: 9845946
Depends on the ports and on which public IP addresses you have available to you.

Which PIX? What version? Available world-routable address? What ports?


Author Comment

ID: 9846084
I need to open the following ports


No fixed IP address on my side

PIX 501 version 6.33

I am unsure of what world-routable addresses are.
LVL 13

Expert Comment

ID: 9846125
Use an extended access-list (not conduit, which is deprecated) as in a router (same format) and apply it to the appropriate interface.  Use NAT as appropriate.  Here is the base example:

nameif ethernet0 outside security0
nameif ethernet1 inside security100

! change the inside IP address to your private address
ip address inside <private-ip> <netmask>
! change the outside IP address to your public IP address
ip address outside <public-ip> <netmask>

interface ethernet0 auto
interface ethernet1 auto

! change address (default route towards the ISP)
route outside 0.0.0.0 0.0.0.0 <isp-gateway-ip>

! NAT - change IP addresses as appropriate (pool of public addresses)
global (outside) 1 <pool-start>-<pool-end> netmask <netmask>
! This is for PAT if out of NAT addresses (use "interface" instead of an
! address when the outside address is assigned dynamically)
global (outside) 1 <pat-ip>
nat (inside) 1 0 0

! Open up the port that you need - change port and ip address
! by default PIX deny all w/o an access-list where as router permit all w/o it.
! example opening up port 80 to your server
! note: on PIX 6.x the ACL on the outside interface is matched against the
! server's global (translated) address, i.e. the public side of its static,
! not its 192.168.1.x inside address
access-list ACLIN permit tcp any host <public-ip-of-server> eq www
! open up whatever else you need then apply it

! now apply the access-list
access-group ACLIN in interface outside

LVL 18

Expert Comment

ID: 9846156

My suggestion would be to obtain another world routable address from your ISP, put it on the DMZ and create a conduit to the machine that needs this. The inside machine would need a static address.

Otherwise you'd need a
static (inside,outside) tcp interface 443 <inside-ip> 443 netmask 255.255.255.255

for each port and some of these are 'reserved' ports...
LVL 13

Expert Comment

ID: 9846580

1. He said online trading service.....
2. Look at the low port numbers. Ports: 8080, 2026, 1019, 1020, 1021, 1008, 1023, 1024, 1040, 2003, 1041, 1046, 1042, 1090, 3026,

My post is just the starter; additional statements are needed, such as static NAT for the machine that he wants accessed.


Do not use conduit -
1. Cisco already said that they are removing it in favor of ACL.  
2. Conduit is more of interface to interface.  "It creates an exception to the PIX Firewall ASA by permitting connections from one interface to access hosts on another." quoting Cisco FNS course.
3. "An ACL applies to a single interface, affecting ALL traffic entering that interface regardless of its security level."  quoting Cisco FNS course.

Don't put the online trading machine on the DMZ.... unless the application is designed for the DMZ, such as www and ftp, whose ports are opened..... since DMZ machines have http, ftp, smtp, etc... opened.... if the DMZ is compromised, your online trading machine is open....

For port 8080: I guess you are using it for http - either use https or use "fixup protocol http 8080".  Depending on what the other ports are used for, you may be able to use the "fixup".
If partners are known, set up IPSec end-points.

Other ports look like they are application specific, so the security really depends on the applications.... as far as BOF attacks... not much you can do there.... use the ACL to open specific ports to the IP addresses that you need access to.  You can set a specific network (if you know who your partners are), a specific host (if known), or a specific user (use AAA).

You can use AAA (Radius or Tacacs+) to enforce authentication and open the ports based on authentication.  We don't know enough of your requirements to help with setup, so only comments are provided to help you figure out how it applies to your configuration.  

Since most of your ports are application specific, your Security Cisco representative should be able to set it up rather quickly for you.

LVL 79

Expert Comment

ID: 9846635
Just for clarification sake:
Gnart posted:
>Use extended access-list (not conduit which is deprecated) as in router (same format)

PIX access-lists use subnet masks, while router access lists use wildcard masks. In this case, they are not the same format as router ACLs.

Chicagoan posted:
>put it on the DMZ

Note that this user has a PIX 501 which has no capacity for a DMZ interface

It's not clear to me from your question-- is this online trading service server behind your PIX, or external (somewhere else) and your inside clients need access to that server?

If it is a web-based server (port 8080 gives it away) why on earth would you also need to open up all those other ports?

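The mask difference pointed out above (wildcard masks on a router, subnet masks on the PIX) is the classic mistake when a router ACL is pasted onto a PIX. The script below is an added example, not code from the thread or from Cisco: it rewrites an IOS extended ACL entry into PIX 6.x named-access-list syntax by inverting every wildcard mask, and refuses non-contiguous wildcards instead of silently producing a mask the PIX would read differently. The sample entries, the access-list names and the addresses are constructed for the example.

```python
"""Translate IOS extended ACL entries into PIX 6.x access-list syntax.

Added example, not from the thread. IOS uses wildcard masks (a 0 bit must
match), the PIX uses subnet masks (a 1 bit must match), so a line copied
from a router keeps masks the PIX reads the wrong way round. Every mask
is inverted, and non-contiguous wildcards are rejected rather than
silently converted. Sample entries are constructed.
"""
import ipaddress
import re
from typing import List, Tuple

# access-list <number|name> permit|deny <proto> <src> [ports] <dst> [ports]
_IOS_ENTRY = re.compile(
    r"^access-list\s+\S+\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+(?P<rest>.+)$"
)
_PORT_OPS = ("eq", "neq", "lt", "gt")


def wildcard_to_netmask(wildcard: str) -> str:
    """0.0.0.255 -> 255.255.255.0; 0.0.0.0 -> 255.255.255.255 (a single host)."""
    w = int(ipaddress.IPv4Address(wildcard))
    # A usable wildcard is 2^k - 1: all of its 1 bits are the low-order ones.
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ w))


def _address(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at tokens[i]: any | host A | A WILDCARD."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {wildcard_to_netmask(tokens[i + 1])}", i + 2


def _ports(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume an optional port operator; the PIX uses the same keywords."""
    if i < len(tokens) and tokens[i] in _PORT_OPS:
        return f" {tokens[i]} {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f" range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return "", i


def ios_to_pix(ios_line: str, acl_name: str) -> str:
    """Rewrite one IOS tcp/udp entry for a named PIX access-list."""
    m = _IOS_ENTRY.match(ios_line.strip())
    if not m:
        raise ValueError(f"not an extended ACL entry: {ios_line!r}")
    tokens = m["rest"].split()
    src, i = _address(tokens, 0)
    sports, i = _ports(tokens, i)
    dst, i = _address(tokens, i)
    dports, i = _ports(tokens, i)
    if i != len(tokens):  # 'established', 'log', etc. are not translated here
        raise ValueError(f"unsupported trailing tokens: {tokens[i:]}")
    return f"access-list {acl_name} {m['action']} {m['proto']} {src}{sports} {dst}{dports}"


if __name__ == "__main__":
    for entry in (
        "access-list 101 permit tcp any 10.1.1.0 0.0.0.255 eq 80",
        "access-list 101 permit tcp host 198.51.100.20 any range 1019 1021",
    ):
        print(ios_to_pix(entry, "ACLIN"))
```

Only the tcp/udp forms with `any`, `host` and `address wildcard` are handled; anything else raises so it gets looked at by hand rather than pasted into a firewall half-converted.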
LVL 18

Expert Comment

ID: 9846887
heh - those ports are a lil' switch - cute

this just looks like one of those apps the vendor never fully explains to you (no port 443?)
If there were another public address available I'd pipe it through and close off all the usual suspects (135, 1434, 1433, 137, 445, etc.) or even route their IP block through a hole (with filters)...
LVL 13

Expert Comment

ID: 9848182
lrmoore is right on the wildcard/router and netmask/Pix.  

My brain went numb after having to put up with Pix-router IPSec for several days straight only to find out that there is a timing error and bug in Cisco's IPSec.  Anyway, during the process I discovered undocumented debug commands in the Pix.

Well chicagoan, if the vendor won't divulge (security reasons), let's hope their software does not have any buffer overflow problems.  Hey, why not contact the vendor for a reference to another company that uses the Pix.



Author Comment

ID: 9851818
The online trading server is external and one of my internal clients needs to access it.  The connection gets disconnected randomly and the tech support at the trading company said in order to function properly all ports listed above must be open.
LVL 79

Expert Comment

ID: 9852489
By default, all ports are already open outbound on the PIX; unless you have an outbound/apply list or an outbound access-list, there should be nothing else to configure on the PIX. However, what you might need is a 1-1 static NAT IP address for each internal host (1 public = 1 private IP)..

static (inside,outside) <public IP> <private IP> netmask 255.255.255.255
LVL 79

Accepted Solution

lrmoore earned 1500 total points
ID: 9852517
You can enable logging on the PIX to see if anything is getting denied. If the server actually tries to initiate any connection back to the client, you would need to add an inbound access-list entry.

For example, if the server initiates a connection back to the client TCP 4026, then add this type of inbound acl entry:

access-list inbound permit tcp host <ip of server> any eq 4026

If a whole range of ports is being denied as inbound connections, then permit anything from that specific host:

access-list inbound permit tcp host <ip of server> any
access-group inbound in interface outside
LVL 13

Expert Comment

ID: 9853776
Depending on the state that you are in as far as production status, either do an isolated test or send debugging messages to a syslog server to capture and analyze them without impeding the Pix's traffic.

logging on
logging host inside <syslog-server-ip>
logging trap debugging

Besides dynamic ports or ports being denied inbound on the outside interface, you may want to look at the timeout parameters to see if you need to increase them.
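The accepted solution says to enable logging, find what the PIX denies, and then permit only the trading server's return connections; the comment above adds that the messages should go to a syslog server. The script below is an added example, not from the thread or from Cisco, that does the middle step: it reads PIX 6.x syslog deny messages, keeps only denies that came from hosts you have decided to trust (the vendor's server), and emits the minimal access-list, never a blanket `permit ... any`. It assumes the message formats of %PIX-2-106001 / %PIX-2-106006 (no access-group applied yet, which is the asker's situation) and %PIX-4-106023 (an access-group is applied) as recalled for this example; check them against `show logging` on your own unit. The sample syslog lines, addresses and the access-list name `inbound` are constructed.

```python
"""Derive a minimal PIX 6.x inbound access-list from syslog deny messages.

Added example, not from the thread. Feed it the messages a PIX sends to a
syslog server (logging trap at level 2 catches 106001/106006, level 4 also
catches 106023). It keeps only denies coming from hosts you trust (the
vendor's trading server) and emits one access-list line per protocol and
port, never a blanket "permit ... any". Sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# PIX 6.x syslog formats, as recalled for this example:
#  106001/106006: inbound connection refused on an interface with no access-group
#  106023:        connection refused by an applied access-group
RE_106001 = re.compile(
    r"%PIX-2-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
RE_106006 = re.compile(
    r"%PIX-2-106006: Deny inbound UDP from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
RE_106023 = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>tcp|udp) "
    r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample: the vendor server (198.51.100.20) calling back in on
# three ports, plus an unrelated probe of port 445 from 192.0.2.77.
SAMPLE_SYSLOG = """\
Nov 30 2003 21:14:02: %PIX-2-106001: Inbound TCP connection denied from 198.51.100.20/4026 to 203.0.113.5/2026 flags SYN on interface outside
Nov 30 2003 21:14:05: %PIX-2-106001: Inbound TCP connection denied from 198.51.100.20/4027 to 203.0.113.5/2026 flags SYN on interface outside
Nov 30 2003 21:14:09: %PIX-2-106001: Inbound TCP connection denied from 198.51.100.20/4030 to 203.0.113.5/1040 flags SYN on interface outside
Nov 30 2003 21:14:11: %PIX-2-106006: Deny inbound UDP from 198.51.100.20/1090 to 203.0.113.5/1090 on interface outside
Nov 30 2003 21:14:15: %PIX-4-106023: Deny tcp src outside:192.0.2.77/51234 dst inside:203.0.113.5/445 by access-group "inbound"
Nov 30 2003 21:14:20: %PIX-6-302013: Built outbound TCP connection 12 for outside:198.51.100.20/8080 (198.51.100.20/8080) to inside:192.168.1.10/1101 (203.0.113.5/1101)
"""


class Deny(NamedTuple):
    proto: str   # "tcp" or "udp"
    src: str     # remote host that tried to connect in
    dport: int   # port it was trying to reach on our side


def parse_denies(syslog_text: str) -> List[Deny]:
    """Extract inbound denies; any other message (e.g. 302013 'Built') is ignored."""
    denies: List[Deny] = []
    for line in syslog_text.splitlines():
        if m := RE_106001.search(line):
            denies.append(Deny("tcp", m["src"], int(m["dport"])))
        elif m := RE_106006.search(line):
            denies.append(Deny("udp", m["src"], int(m["dport"])))
        elif m := RE_106023.search(line):
            denies.append(Deny(m["proto"], m["src"], int(m["dport"])))
    return denies


def port_specs(ports: List[int]) -> List[str]:
    """Collapse a sorted port list into PIX operators: 'eq N' or 'range A B'."""
    specs: List[str] = []
    i = 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        specs.append(f"eq {ports[i]}" if i == j else f"range {ports[i]} {ports[j]}")
        i = j + 1
    return specs


def build_acl(denies: List[Deny], trusted: Set[str],
              acl_name: str = "inbound") -> Tuple[List[str], Dict[str, Set[int]]]:
    """Return (PIX config lines, {untrusted src: ports it probed}) for review.

    Destination is 'any' because the asker's outside address is dynamic and
    a PIX 6.x outside ACL is matched against that translated address.
    """
    wanted: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    untrusted: Dict[str, Set[int]] = defaultdict(set)
    for d in denies:
        if d.src in trusted:
            wanted[(d.src, d.proto)].add(d.dport)
        else:
            untrusted[d.src].add(d.dport)  # stays closed, reported only
    lines: List[str] = []
    for (src, proto), ports in sorted(wanted.items()):
        for spec in port_specs(sorted(ports)):
            lines.append(f"access-list {acl_name} permit {proto} host {src} any {spec}")
    if lines:
        lines.append(f"access-group {acl_name} in interface outside")
    return lines, dict(untrusted)


if __name__ == "__main__":
    acl, noise = build_acl(parse_denies(SAMPLE_SYSLOG), trusted={"198.51.100.20"})
    print("\n".join(acl))
    for host, ports in noise.items():
        print(f"! not opened: {host} probed {sorted(ports)}")
```

Run it against a day or two of syslog from the PIX while the trading client is in use; the untrusted hosts it reports are the reason to scope the permits to the vendor's address rather than to `any`, and once the access-group is applied the deny messages change from 106001 to 106023, which the parser also understands.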



Question has a verified solution.