How to open specific ports on a PIX

I need to open specific ports on a PIX firewall for connection to an online trading service. How can I open specific ports and point them to a specific computer on my PIX?

It depends on the ports and on whether you have public IP addresses available to you.

Which PIX? What version? Available world-routable address? What ports?

throckto (Author) commented:
I need to open the following ports


No fixed IP address on my side

PIX 501 version 6.33

I am unsure of what world-routable addresses are.
Use an extended access-list (not conduit, which is deprecated) as on a router (same format) and apply it to the appropriate interface. Use NAT as appropriate. Here is the base example:

nameif ethernet0 outside security0
nameif ethernet1 inside security100

! change the inside IP address to your private address (<...> are placeholders)
ip address inside <private-ip> <mask>
! change the outside IP address to your public IP address
ip address outside <public-ip> <mask>

interface ethernet0 auto
interface ethernet1 auto

! change address - default route to your ISP's gateway
route outside 0 0 <isp-gateway>

! NAT - change IP addresses as appropriate
global (outside) 1 <pool-start>-<pool-end> netmask <mask>
! This is for PAT if you run out of NAT addresses
global (outside) 1 <pat-ip>
nat (inside) 1 0 0

! Open up the port that you need - change port and ip address
! by default the PIX denies all w/o an access-list, whereas a router permits all w/o it.
! example opening up port 80 to your server
access-list ACLIN permit tcp any host 192.168.1.x eq www
! open up whatever else you need, then apply it

! now apply the access-list
access-group ACLIN in interface outside


My suggestion would be to obtain another world routable address from your ISP, put it on the DMZ and create a conduit to the machine that needs this. The inside machine would need a static address.

Otherwise you'd need a
static (inside,outside) tcp <public-ip> 443 <inside-ip> 443 netmask 255.255.255.255 0 0

for each port and some of these are 'reserved' ports...

1. He said online trading service.....
2. Look at the low port numbers. Ports: 8080, 2026, 1019, 1020, 1021, 1008, 1023, 1024, 1040, 2003, 1041, 1046, 1042, 1090, 3026,

My post is just the starter; additional statements are needed, such as static NAT for the machine that he wants access to.


Do not use conduit -
1. Cisco already said that they are removing it in favor of ACL.  
2. Conduit is more of interface to interface.  "It creates an exception to the PIX Firewall ASA by permitting connections from one interface to access hosts on another." quoting Cisco FNS course.
3. "An ACL applies to a single interface, affecting ALL traffic entering that interface regardless of its security level."  quoting Cisco FNS course.

Don't put the online trading machine on the DMZ.... unless the application is designed for the DMZ, such as port www and ftp which are opened..... since DMZ machines have http, ftp, smtp, etc. opened.... if the DMZ is compromised, your online trading machine is open....

For port 8080: I guess you are using it for http - either use https or use "fixup protocol http 8080". Depending on what the other ports are used for, you may be able to use the "fixup".
If partners are known setup IPSec end-points.

Other ports look like they are application specific, so the security really depends on the applications.... as far as BOF attacks... not much you can do there.... use the ACL to open specific ports to the IP address that you need access to. You can set a specific network (if you know who your partners are), specific host (if known), specific user (use AAA).

You can use AAA (Radius or Tacacs+) to enforce authentication and open the ports based on authentication.  We don't know enough of your requirements to help with setup, so only comments are provided to help you figure out how it applies to your configuration.  

Since most of your ports are application specific, your Security Cisco representative should be able to set it up rather quickly for you.

Just for clarification sake:
Gnart posted:
>Use extended access-list (not conduit which is deprecated) as in router (same format)

PIX access-lists use subnet masks, while router access-lists use wildcard masks. In this case, they are not the same format as router ACLs.

Chicagoan posted:
>put it on the DMZ

Note that this user has a PIX 501 which has no capacity for a DMZ interface

It's not clear to me from your question-- is this online trading service server behind your PIX, or external (somewhere else) and your inside clients need access to that server?

If it is a web-based server (port 8080 gives it away) why on earth would you also need to open up all those other ports?
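The wildcard-versus-subnet-mask point above is an easy place to slip when copying an entry from a router onto a PIX. The following is an added example, not code from anyone in this thread: it converts between the two mask forms, checks that a mask is contiguous (a mask such as 255.255.0.255 is accepted by a router wildcard but is not a valid PIX netmask), and rewrites a router-style extended entry into PIX syntax. The ACL name and sample entry are made up for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_to_netmask(wildcard: str) -> str:
    """Router wildcard (0 bit = must match) -> PIX subnet mask (1 bit = must match)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(w ^ ALL_ONES))


def netmask_to_wildcard(netmask: str) -> str:
    """PIX subnet mask -> router wildcard; the same bitwise complement."""
    m = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(m ^ ALL_ONES))


def is_contiguous_netmask(netmask: str) -> bool:
    """True when the mask is a run of 1 bits followed by 0 bits.

    The complement of such a mask is 2^n - 1, so (inv & (inv + 1)) == 0.
    Router wildcards allow non-contiguous bit patterns; PIX netmasks do not.
    """
    inv = int(ipaddress.IPv4Address(netmask)) ^ ALL_ONES
    return (inv & (inv + 1)) == 0


def _convert_addr(tokens, i):
    """Consume one address spec ('any', 'host X', or 'X WILDCARD') from a router entry."""
    tok = tokens[i]
    if tok == "any":
        return ["any"], i + 1
    if tok == "host":
        return ["host", tokens[i + 1]], i + 2
    wildcard = tokens[i + 1]
    mask = wildcard_to_netmask(wildcard)
    if not is_contiguous_netmask(mask):
        raise ValueError(f"wildcard {wildcard} has no PIX netmask equivalent")
    return [tok, mask], i + 2


def router_acl_to_pix(acl_name: str, router_entry: str) -> str:
    """Rewrite 'permit tcp SRC SRCWC DST DSTWC [eq PORT]' into PIX access-list syntax.

    acl_name is a hypothetical ACL name chosen by the caller.
    """
    tokens = router_entry.split()
    action, proto = tokens[0], tokens[1]
    src, i = _convert_addr(tokens, 2)
    dst, i = _convert_addr(tokens, i)
    rest = tokens[i:]  # e.g. ['eq', '80'] is the same on both platforms
    return " ".join(["access-list", acl_name, action, proto, *src, *dst, *rest])


if __name__ == "__main__":
    # constructed sample entry, router syntax
    print(router_acl_to_pix("ACLIN", "permit tcp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq 80"))
```

Run it and the sample router entry comes out as a PIX entry with 255.255.0.0 in place of 0.0.255.255; a non-contiguous wildcard raises rather than silently producing a mask the PIX would reject.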

heh - those ports are a lil' switch - cute

This just looks like one of those apps the vendor never fully explains to you (no port 443?).
If there were another public address available I'd pipe it through and close off all the usual suspects (135, 1434, 1433, 137, 445, etc.) or even route their IP block through a hole (with filters)...
lrmoore is right on the wildcard/router and netmask/Pix.  

My brain went numb after having to put up with Pix-router IPSec for several days straight only to find out that there is a timing error and bug in Cisco's IPSec.  Anyway, during the process I discovered undocumented debug commands in the Pix.

Well chicagoan, if the vendor won't divulge (security reason), let's hope their software does not have any buffer overflow problem.  Hey, why not contact the vendor for reference of another company that uses Pix.


throckto (Author) commented:
The online trading server is external and one of my internal clients needs to access it.  The connection gets disconnected randomly and the tech support at the trading company said in order to function properly all ports listed above must be open.
By default, all ports are already open outbound on the PIX. Unless you have an outbound/apply list or an outbound access-list, there should be nothing else to configure on the PIX. However, what you might need is a 1-1 static NAT IP address for each internal host (1 public = 1 private IP).

static (inside,outside) <public IP> <private IP> netmask 255.255.255.255
You can enable logging on the PIX to see if anything is getting denied. If the server actually tries to initiate any connection back to the client, you would need to add an inbound access-list entry.

For example, if the server initiates a connection back to the client TCP 4026, then add this type of inbound acl entry:

access-list inbound permit tcp host <ip of server> any eq 4026

If a whole range of ports is being denied as inbound connections, then permit anything from that specific host:

access-list inbound permit tcp host <ip of server> any
access-group inbound in interface outside

Depending on the state that you are in - as far as production status - either do an isolated test or send debugging messages to a syslog server to capture and analyze them without impeding the PIX's traffic.

logging host ....
logging trap debug

Aside from dynamic ports or ports being denied inbound on the outside interface, you may want to look at the timeout parameters to see if you need to increase them.
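Once the PIX is sending "logging trap debug" output to a syslog host, the question from lrmoore's answer (is the trading server initiating connections back that the PIX denies?) and the timeout question just above can both be answered from the log rather than guessed at. The script below is an added example, not something posted in this thread or shipped with the PIX: it reads syslog lines, counts inbound denies per remote host and destination port, counts TCP teardowns whose reason is an idle timeout, and prints the narrow per-port permit entries lrmoore describes. The message layouts for 106001, 106023 and 302014 follow the Cisco PIX 6.x syslog reference as I recall them, and every log line here is a constructed sample using documentation addresses, not a capture from the asker's firewall.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# 106001: inbound connection denied because nothing permits it (the PIX default).
DENY_NO_ACL_RE = re.compile(
    r"%PIX-\d-106001: Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
# 106023: connection denied by a named access-group.
DENY_BY_ACL_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>tcp|udp) src \w+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst \w+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group"
)
# 302014: TCP teardown; the trailing free text is the reason the session ended.
TEARDOWN_RE = re.compile(
    r"%PIX-\d-302014: Teardown TCP connection \d+ for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration [\d:]+ bytes \d+(?: (?P<reason>.+?))?\s*$"
)


@dataclass
class PixLogSummary:
    denied: Counter = field(default_factory=Counter)         # (remote ip, proto, dst port) -> count
    idle_timeouts: Counter = field(default_factory=Counter)  # (remote ip, remote port) -> count
    unparsed: int = 0                                        # lines none of the patterns matched


def summarize(lines):
    """Fold syslog lines into counts of inbound denies and idle-timeout teardowns."""
    s = PixLogSummary()
    for line in lines:
        m = DENY_NO_ACL_RE.search(line) or DENY_BY_ACL_RE.search(line)
        if m:
            s.denied[(m["src_ip"], m["proto"].lower(), int(m["dst_port"]))] += 1
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            if (m["reason"] or "") == "Idle Timeout":
                # key on whichever endpoint sits on the outside interface
                if m["if_a"] == "outside":
                    remote = (m["ip_a"], int(m["port_a"]))
                else:
                    remote = (m["ip_b"], int(m["port_b"]))
                s.idle_timeouts[remote] += 1
            continue
        s.unparsed += 1
    return s


def suggest_acl_lines(summary, acl_name="inbound"):
    """One narrow permit per (remote host, port) that was denied, in the thread's ACL syntax."""
    return [
        f"access-list {acl_name} permit {proto} host {ip} any eq {port}"
        for (ip, proto, port) in sorted(summary.denied)
    ]


# Constructed sample log lines (documentation address ranges, made-up ports and ids).
SAMPLE_LINES = [
    "Jan 12 10:01:03 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.5/443 "
    "to 192.168.1.20/4026 flags SYN on interface outside",
    "Jan 12 10:01:05 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.5/443 "
    "to 192.168.1.20/4026 flags SYN on interface outside",
    "Jan 12 10:02:11 pix %PIX-4-106023: Deny tcp src outside:203.0.113.5/443 "
    'dst inside:192.168.1.20/2026 by access-group "inbound"',
    "Jan 12 10:00:00 pix %PIX-6-302013: Built outbound TCP connection 71 for outside:203.0.113.5/443 "
    "(203.0.113.5/443) to inside:192.168.1.20/1037 (198.51.100.7/1037)",
    "Jan 12 11:00:00 pix %PIX-6-302014: Teardown TCP connection 71 for outside:203.0.113.5/443 "
    "to inside:192.168.1.20/1037 duration 1:00:00 bytes 9132 Idle Timeout",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for key, n in sorted(summary.denied.items()):
        print("denied", key, n)
    for key, n in summary.idle_timeouts.items():
        print("idle timeout", key, n)
    print("\n".join(suggest_acl_lines(summary)))
```

The deny counters tell you exactly which ports the remote service is trying to reach inbound, so the access-list can stay limited to that one host and those ports instead of the whole list the vendor handed over; an idle-timeout teardown on the same session is the signal that the "timeout conn" value, not the ACL, is what is cutting the trading session off.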

