How to open specific ports on a PIX

I need to open specific ports on a PIX firewall for connection to an online trading service. How can I open specific ports and point them to a specific computer on my PIX?
Asked by: throckto
1 Solution
 
chicagoan commented:
Depends on the ports and on whether you have public IP addresses available to you.

Which PIX? What version? Available world-routable address? What ports?

 
throckto (Author) commented:
I need to open the following ports

8080,2026,1019,1020,1021,1008,1023,1024,1040,2003,1041,1046,1042,1090,3026,
4026,6667,11007,1007,2211,2028,5026

No fixed IP address on my side

PIX 501 version 6.33

I am unsure of what world-routable addresses are.
 
Gnart commented:
Use an extended access-list (not conduit, which is deprecated) as in a router (same format) and apply it to the appropriate interface. Use NAT as appropriate. Here is the base example:

nameif ethernet0 outside security0
nameif ethernet1 inside security100

! change the inside IP address to your private address
ip address inside 10.0.0.1 255.255.255.0
! change the outside IP address to your public IP address
ip address outside 192.168.1.1 255.255.255.0

interface ethernet0 auto
interface ethernet1 auto

! default route - change the next hop to your ISP's gateway address
! (it must not be the PIX's own outside address)
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1

! NAT - change IP addresses as appropriate
global (outside) 1 192.168.1.20-192.168.1.253 netmask 255.255.255.0
! PAT fallback once the NAT pool above is exhausted
global (outside) 1 192.168.1.254
! the network here must match the inside interface's subnet (10.0.0.0/24 above)
nat (inside) 1 10.0.0.0 255.255.255.0

! Open up the port that you need - change port and ip address
! by default the PIX denies all inbound traffic without an access-list,
! whereas a router permits all without one.
! example opening up port 80 to your server (192.168.1.x = the server's
! public address; it also needs a static translation to its inside address)
access-list ACLIN permit tcp any host 192.168.1.x eq www
! open up whatever else you need then apply it

! now apply the access-list
access-group ACLIN in interface outside

cheers
 
chicagoan commented:
Yikes...

My suggestion would be to obtain another world routable address from your ISP, put it on the DMZ and create a conduit to the machine that needs this. The inside machine would need a static address.

Otherwise you'd need a
static (inside,outside) tcp 123.123.123.123 PORT 192.168.123.123 PORT netmask 255.255.255.255 0 0

for each port and some of these are 'reserved' ports...
 
Gnart commented:
Chicagoan,

1. He said online trading service.....
2. Look at the low port numbers. Ports: 8080, 2026, 1019, 1020, 1021, 1008, 1023, 1024, 1040, 2003, 1041, 1046, 1042, 1090, 3026, 4026, 6667, 11007, 1007, 2211, 2028, 5026.

My post is just the starter; additional statements, such as static NAT for the machine that he wants access to, are needed.

Throckto,

Do not use conduit -
1. Cisco already said that they are removing it in favor of ACL.  
2. Conduit is more of an interface-to-interface thing. "It creates an exception to the PIX Firewall ASA by permitting connections from one interface to access hosts on another." (quoting Cisco FNS course)
3. "An ACL applies to a single interface, affecting ALL traffic entering that interface regardless of its security level." (quoting Cisco FNS course)

Don't put the online trading machine on the DMZ.... unless the application is designed for the DMZ, like www and ftp, whose ports are opened..... since DMZ machines have http, ftp, smtp, etc... opened.... if the DMZ is compromised, your online trading machine is open....

For port 8080: I guess you are using it for HTTP; either use HTTPS or use "fixup protocol http 8080". Depending on what the other ports are used for, you may be able to use the "fixup".
If the partners are known, set up IPSec end-points.

The other ports look like they are application specific, so the security really depends on the applications.... as far as BOF attacks... not much you can do there.... use the ACL to open specific ports to the IP address that you need access to. You can set a specific network (if you know who your partners are), specific host (if known), specific user (use AAA).

You can use AAA (RADIUS or TACACS+) to enforce authentication and open the ports based on authentication. We don't know enough of your requirements to help with setup, so only comments are provided to help you figure out how it applies to your configuration.

Since most of your ports are application specific, your Cisco security representative should be able to set it up rather quickly for you.

cheers
 
lrmoore commented:
Just for clarification's sake:
Gnart posted:
>Use extended access-list (not conduit which is deprecated) as in router (same format)

PIX access-lists use subnet masks, while router access lists use wildcard masks. In this case, they are not the same format as router ACLs.

Chicagoan posted:
>put it on the DMZ

Note that this user has a PIX 501, which has no capacity for a DMZ interface.

Throckto,
It's not clear to me from your question: is this online trading service server behind your PIX, or external (somewhere else) and your inside clients need access to that server?

If it is a web-based server (port 8080 gives it away), why on earth would you also need to open up all those other ports?

 
chicagoan commented:
heh - those ports are a lil' switch - cute

this just looks like one of those apps the vendor never fully explains to you (no port 443?)
If there were another public address available I'd pipe it through and close off all the usual suspects (135, 1434, 1433, 137, 445, etc.) or even route their IP block through a hole (with filters)...
 
Gnart commented:
lrmoore is right on the wildcard/router and netmask/Pix.  

My brain went numb after having to put up with PIX-router IPSec for several days straight, only to find out that there is a timing error and bug in Cisco's IPSec. Anyway, during the process I discovered undocumented debug commands in the PIX.

Well chicagoan, if the vendor won't divulge (security reason), let's hope their software does not have any buffer overflow problem. Hey, why not contact the vendor for a reference to another company that uses the PIX.

cheers
 
throckto (Author) commented:
The online trading server is external and one of my internal clients needs to access it.  The connection gets disconnected randomly and the tech support at the trading company said in order to function properly all ports listed above must be open.
 
lrmoore commented:
By default, all ports are already open outbound on the PIX; unless you have an outbound/apply list or an outbound access-list, there should be nothing else to configure on the PIX. However, what you might need is a 1-to-1 static NAT IP address for each internal host (1 public = 1 private IP).

i.e.
static (inside,outside) <public IP> <private IP> netmask 255.255.255.255
 
lrmoore commented:
You can enable logging on the PIX to see if anything is getting denied. If the server actually tries to initiate any connection back to the client, you would need to add an inbound access-list entry.

For example, if the server initiates a connection back to the client TCP 4026, then add this type of inbound acl entry:

access-list inbound permit tcp host <ip of server> any eq 4026

If a whole range of ports is being denied as inbound connections, then permit anything from that specific host:

access-list inbound permit tcp host <ip of server> any
access-group inbound in interface outside
 
Gnart commented:
Depending on the state that you are in (as far as production status), either do an isolated test or send debugging messages to a syslog server to capture and analyze them without impeding the PIX's traffic.

logging host ....
logging trap debug

Apart from dynamic ports or ports being denied inbound on the outside interface, you may want to look at the timeout parameters to see if you need to increase them.

gnart

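As an added example (not from this thread), here is the log analysis both lrmoore and Gnart point at: take PIX 6.x syslog output, pick out the inbound-deny messages (106001 where no ACL permits the connection, 106023 where an ACL denies it), and turn only the denies that come from the known trading server into the kind of inbound ACL entries lrmoore shows, while listing denies from any other host separately so they are reviewed rather than opened. The sample log lines, the addresses (203.0.113.10 as the trading server, 192.168.1.20 as the client's static NAT address) and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (assumed, not from the thread), in the PIX 6.x
# formats for message 106001 (inbound connection with no permitting ACL) and
# 106023 (inbound connection denied by an ACL). Assumed addresses: 203.0.113.10
# is the trading server, 192.168.1.20 the client's static NAT address.
SAMPLE_LOG = """\
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/3457 to 192.168.1.20/4026 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/3458 to 192.168.1.20/4026 flags SYN on interface outside
%PIX-4-106023: Deny tcp src outside:203.0.113.10/3460 dst inside:192.168.1.20/3026 by access-group "inbound"
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/4891 to 192.168.1.20/135 flags SYN on interface outside
%PIX-6-302013: Built outbound TCP connection 5 for outside:203.0.113.10/8080 (203.0.113.10/8080) to inside:10.0.0.5/1123 (192.168.1.20/1123)
"""

RE_106001 = re.compile(
    r"106001: Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+)")
RE_106023 = re.compile(
    r"106023: Deny (?P<proto>tcp|udp) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_denies(log_text):
    """Return (proto, src_ip, dst_ip, dst_port) for every inbound-deny message;
    connection built/teardown messages and anything else are ignored."""
    denies = []
    for line in log_text.splitlines():
        m = RE_106001.search(line) or RE_106023.search(line)
        if m:
            denies.append((m["proto"].lower(), m["src"], m["dst"], int(m["dport"])))
    return denies


def suggest_acl(log_text, server_ip, acl_name="inbound"):
    """Build inbound ACL entries only for denies sourced from the known server.
    Denies from any other host are returned as 'noise' (e.g. probes of port 135)
    so they can be reviewed instead of being opened by mistake."""
    wanted, noise = defaultdict(set), defaultdict(set)
    for proto, src, _dst, dport in parse_denies(log_text):
        (wanted if src == server_ip else noise)[(proto, src)].add(dport)
    entries = [f"access-list {acl_name} permit {proto} host {src} any eq {port}"
               for (proto, src), ports in sorted(wanted.items())
               for port in sorted(ports)]
    if entries:  # the ACL only takes effect once bound to the outside interface
        entries.append(f"access-group {acl_name} in interface outside")
    return entries, {key: sorted(ports) for key, ports in noise.items()}


if __name__ == "__main__":
    acl, other = suggest_acl(SAMPLE_LOG, "203.0.113.10")
    print("\n".join(acl))
    print("denied from other hosts (do not open):", other)
```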
