Solved

How to open specific ports on a PIX

Posted on 2003-11-30
2,094 Views
Last Modified: 2013-11-16
I need to open specific ports on a pix firewall for connection to an online trading service.  How can I open specific ports and point them to a specific computer on my pix.
Question by:throckto
12 Comments
 
LVL 18

Expert Comment

by:chicagoan
ID: 9845946
Depends on the ports and on whether you have public IP addresses available to you.

Which PIX? What version? Available world-routable address? What ports?

 

Author Comment

by:throckto
ID: 9846084
I need to open the following ports

8080,2026,1019,1020,1021,1008,1023,1024,1040,2003,1041,1046,1042,1090,3026,
4026,6667,11007,1007,2211,2028,5026

No fixed IP address on my side

PIX 501 version 6.33

I am unsure of what world-routable addresses are.
 
LVL 13

Expert Comment

by:Gnart
ID: 9846125
Use an extended access-list (not conduit, which is deprecated) as in a router (same format) and apply it to the appropriate interface.  Use NAT as appropriate.  Here is the base example:

! interface names and security levels (outside = 0, inside = 100)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! change the inside IP address to your private address
ip address inside 10.0.0.1 255.255.255.0
! change the outside IP address to your public IP address
ip address outside 192.168.1.1 255.255.255.0

interface ethernet0 auto
interface ethernet1 auto

! default route - change the gateway to your ISP's next-hop address
! (it must not be the PIX's own outside address)
route outside 0 0 192.168.1.2

! NAT - change IP address as appropriate
global (outside) 1 192.168.1.20-192.168.1.253 netmask 255.255.255.0
! This is for PAT if out of NAT
global (outside) 1 192.168.1.254
! the nat statement must cover the inside subnet configured above
nat (inside) 1 10.0.0.0 255.255.255.0

! Open up the port that you need - change port and ip address
! by default PIX denies all w/o an access-list, whereas a router permits all w/o it.
! example opening up port 80 to your server; on PIX 6.x the host address in an
! outside access-list is the server's public (static) address, so the server
! also needs a "static (inside,outside)" translation
access-list ACLIN permit tcp any host 192.168.1.x eq www
! open up whatever else you need then apply it

! now apply the access-list
access-group ACLIN in interface outside

cheers
 
LVL 18

Expert Comment

by:chicagoan
ID: 9846156
Yikes...

My suggestion would be to obtain another world routable address from your ISP, put it on the DMZ and create a conduit to the machine that needs this. The inside machine would need a static address.

Otherwise you'd need a
static (inside,outside) tcp 123.123.123.123 PORT 192.168.123.123 PORT netmask 255.255.255.255 0 0

for each port and some of these are 'reserved' ports...
 
LVL 13

Expert Comment

by:Gnart
ID: 9846580
Chicagoan,

1. He said online trading service.....
2. Look at the low port numbers Ports:8080,2026,1019,1020,1021,1008,1023,1024,1040,2003,1041,1046,1042,1090,3026,
4026,6667,11007,1007,2211,2028,5026.

My post is just the starter; additional statements, such as a static NAT for the machine that he wants access to, are still needed.  

Throckto,

Do not use conduit -
1. Cisco already said that they are removing it in favor of ACL.  
2. Conduit is more of interface to interface.  "It creates an exception to the PIX Firewall ASA by permitting connections from one interface to access hosts on another." quoting Cisco FNS course.
3. "An ACL applies to a single interface, affecting ALL traffic entering that interface regardless of its security level."  quoting Cisco FNS course.

Don't put the online trading machine on the DMZ.... unless the application is designed for the DMZ, such as www and ftp, whose ports are opened..... since DMZ machines have http, ftp, smtp, etc... opened.... if the DMZ is compromised your online trading machine is open....

For port 8080: I guess you are using it for http - either use https or use "fixup protocol http 8080".  It depends on what other ports are used for you may be able to use the "fixup".
If partners are known setup IPSec end-points.

Other ports look like they are application specific, so the security really depends on the applications.... as far as BOF attacks... not much you can do there.... use the ACL to open specific ports to the IP address that you need access to.  You can set a specific network (if you know who your partners are), a specific host (if known), a specific user (use AAA).

You can use AAA (Radius or Tacacs+) to enforce authentication and open the ports based on authentication.  We don't know enough of your requirements to help with setup, so only comments are provided to help you figure out how it applies to your configuration.  

Since most of your ports are application specific, your Security Cisco representative should be able to set it up rather quickly for you.

cheers
 
LVL 79

Expert Comment

by:lrmoore
ID: 9846635
Just for clarification's sake:
Gnart posted:
>Use extended access-list (not conduit which is deprecated) as in router (same format)

PIX access-lists use subnet masks, while router access lists use wildcard masks. In this case, they are not the same format as router acls..

Chicagoan posted:
>put it on the DMZ

Note that this user has a PIX 501 which has no capacity for a DMZ interface

Throckto,
It's not clear to me from your question-- is this online trading service server behind your PIX, or external (somewhere else) and your inside clients need access to that server?

If it is a web-based server (port 8080 gives it away) why on earth would you also need to open up all those other ports?

LVL 18

Expert Comment

by:chicagoan
ID: 9846887
heh - those ports are a lil' switch - cute

this just looks like one of those apps the vendor never fully explains to you (no port 443?)
If there were another public address available I'd pipe it through and close off all the usual suspects (135, 1434, 1433, 137, 445, etc.) or even route their IP block through a hole (with filters)...
 
LVL 13

Expert Comment

by:Gnart
ID: 9848182
lrmoore is right on the wildcard/router and netmask/Pix.  

My brain went numb after having to put up with Pix-router IPSec for several days straight only to find out that there is a timing error and bug in Cisco's IPSec.  Anyway, during the process I discovered undocumented debug commands in the Pix.

Well chicagoan, if the vendor won't divulge (security reason), let's hope their software does not have any buffer overflow problem.  Hey, why not contact the vendor for reference of another company that uses Pix.

cheers
 

Author Comment

by:throckto
ID: 9851818
The online trading server is external and one of my internal clients needs to access it.  The connection gets disconnected randomly and the tech support at the trading company said in order to function properly all ports listed above must be open.
 
LVL 79

Expert Comment

by:lrmoore
ID: 9852489
By default, all ports are already open outbound on the PIX; unless you have an outbound/apply list or an outbound access-list, there should be nothing else to configure on the PIX. However, what you might need is a 1-1 static NAT IP address for each internal host (1 public = 1 private IP)..

i.e.
static (inside,outside) <public IP> <private IP> netmask 255.255.255.255
 
LVL 79

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 9852517
You can enable logging on the PIX to see if anything is getting denied. If the server actually tries to initiate any connection back to the client, you would need to add an inbound access-list entry.

For example, if the server initiates a connection back to the client TCP 4026, then add this type of inbound acl entry:

access-list inbound permit tcp host <ip of server> any eq 4026

If a whole range of ports are being denied as inbound connections, then permit anything from that specific host

access-list inbound permit tcp host <ip of server> any
access-group inbound in interface outside
 
LVL 13

Expert Comment

by:Gnart
ID: 9853776
Depending on the state that you are in - as far as production status - either do an isolated test or send debugging message to a syslog server to capture and analyze message without impeding Pix's traffic.

logging host ....
logging trap debug

Besides dynamic ports or ports being denied inbound on the outside interface, you may want to look at the timeout parameters to see if you need to increase them.

gnart
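Both lrmoore's accepted answer and Gnart's follow-up come down to the same step: log what the PIX denies, then add only the inbound access-list entries the vendor's server actually needs. The script below is an added example, not code from this thread or from Cisco; it parses constructed syslog lines in the shape of the PIX 6.3 message %PIX-4-106023 and derives the narrowest access-list lines for one server. The addresses, the ACL name "inbound" and the exact 106023 layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines shaped like PIX 6.3 message %PIX-4-106023
# (packet denied by an access-group). All addresses are made up: 203.0.113.10
# is the trading vendor's server, 198.51.100.77 an unrelated scanner, and
# 192.0.2.20 the public address that a "static (inside,outside)" maps to the
# inside client (an outside ACL on PIX 6.x matches the translated address).
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.10/5026 dst inside:192.0.2.20/4026 by access-group "inbound"
%PIX-4-106023: Deny tcp src outside:203.0.113.10/5027 dst inside:192.0.2.20/4026 by access-group "inbound"
%PIX-4-106023: Deny tcp src outside:203.0.113.10/1200 dst inside:192.0.2.20/2026 by access-group "inbound"
%PIX-4-106023: Deny tcp src outside:198.51.100.77/4444 dst inside:192.0.2.20/445 by access-group "inbound"
%PIX-4-106023: Deny udp src outside:203.0.113.10/5000 dst inside:192.0.2.20/11007 by access-group "inbound"
"""

DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>tcp|udp) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"')

def parse_denies(log_text):
    """Return (proto, src, dst, dport, acl) for every 106023 line in log_text."""
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            hits.append((m['proto'], m['src'], m['dst'], int(m['dport']), m['acl']))
    return hits

def suggest_acl(log_text, server_ip, acl_name="inbound"):
    """Build the narrowest access-list lines that permit only what server_ip was
    seen initiating (one line per protocol/port, as in the accepted answer, rather
    than 'permit tcp host <server> any'). Denies from any other source are
    returned separately for review instead of being opened."""
    wanted, other = defaultdict(set), []
    for proto, src, dst, dport, acl in parse_denies(log_text):
        if src == server_ip:
            wanted[(proto, dst)].add(dport)   # retries on one port collapse to one entry
        else:
            other.append((proto, src, dst, dport))
    lines = []
    for (proto, dst), ports in sorted(wanted.items()):
        for port in sorted(ports):
            lines.append(f"access-list {acl_name} permit {proto} host {server_ip} host {dst} eq {port}")
    lines.append(f"access-group {acl_name} in interface outside")
    return lines, other
```

Feed it the output of "logging host" / "logging trap" sent to a syslog server; anything left in the review list (here the port 445 probe) is the kind of traffic you want to stay denied.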
