Solved

How to open ports in Cisco PIX 515 version 6.01 to play the Tiberian Sun video game.

Posted on 2004-09-21
Last Modified: 2012-05-05
What's up everybody. I'm trying to get my PIX to allow me to play Tiberian Sun. It says it needs incoming and outgoing ports 1140-1234 and 4000. I'm just not sure how to set that up in the PIX. I work for a small company. Everyone is away on a retreat this week, and I'm getting very bored. hehe. Don't you wish you had my problems. Thanks in advance for any help.
Question by: emilbus20
26 Comments
 
Expert Comment by negativl (LVL 1)
Seriously? That's really easy... but as most things Cisco are easy to screw up, are you sure you want to mess with it? Breaking everything while everyone else is away isn't always the wisest course of action. ;)

OK, so the rule to pass things through to one server is
conduit permit <proto> host <IP address> eq <port> any
i.e.
conduit permit udp host 192.200.2.106 eq 4000 any


If you're using NAT/PAT, you'll need to start off with static entries to map the inside and outside addresses/ports.

Try entering a question mark at the prompt. You can enter a command and use the ? anywhere along the way to see what options you need.

Expert Comment by netspec01 (LVL 5)
Seriously - Using Conduits!  

With 6.01 he should be using the PDM graphical user interface and creating service groups.

Expert Comment by Yan_west (LVL 15)
Opening a port from the outside to the inside should not be done in a corporate environment if it's not for business needs.. Usually, games do not need any firewall to be opened from the outside to the inside..

Check your access list for your inside interface and add

access-list acl_lan permit tcp (or udp) host ipofyourmachine any eq port#

and for the outside

access-list acl_outside permit tcp (or udp) any host ipofyourmachine eq port#

Expert Comment by zerofield (LVL 5)
Whoa, conduits.. flashback there..

Yeah, use the PDM, it's really the best part about managing a PIX. Enable it from the command line by typing:

pdm location <ip address> <netmask> <interface>

The interface would be either inside or outside. If you intend to use this from home, you'd put your cable modem IP address, and either a 255.255.255.0 or 255.255.255.255 netmask, the latter being if the IP of your modem doesn't change often or at all.

After that's done, you can open up a browser and type in:

https://address.to.your.pix

It'll fire up some Java and ask you for your login info. A common mistake is not having usernames set up, which means you'll have a blank username when it asks you for one, but use the "enable" password for the password field.

If none of this is working, do a 'sh ver' and make sure it looks like this:

# sh ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee
FWHQ up 224 days 12 hours
Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz

Granted I'm probably a few revisions behind myself (I just started here not long ago), it should say you have a PIX Device Manager Version ____ present. If it is older than 3, UPGRADE IT. The old ones were a pain.

Expert Comment by Yan_west (LVL 15)
Hmm btw, what is the difference between conduit and what I did?

Expert Comment by negativl (LVL 1)
Older version/method. Guess I should pay the Cisco support contract and upgrade, but I have long since stopped using my old PIX for anything that matters.

Expert Comment by netspec01 (LVL 5)
You may not necessarily have to open up inbound connections. I don't know the game, but a lot of software specifies inbound/outbound when they really mean the outbound connections must be allowed.

Expert Comment by Yan_west (LVL 15)
Yes, most software like I said does not need you to open ports from the outside.. it would be a bad thing for your security..

Author Comment by emilbus20 (LVL 1)
Hey guys, thanks for the quick answers. So I'm putting in access-list acl_lan permit tcp (or udp) host ipofyourmachine any eq port# with the correct host IP and port # but it is not letting me add it. I think the problem is from the inside to the out as well. Is there a specific command to get to the inside access list, or is show access-list all I need to see what I have done?

Expert Comment by netspec01 (LVL 5)
1. Get PDM working.
2. Add a rule to permit "any inside" to "any outside" with a service group called Tiberian. The Tiberian service group should be created and define two port ranges (4000-4000 and 1140-1234).

Expert Comment by Yan_west (LVL 15)
What do you mean, it's not letting you add it? Are you receiving a message? By the way.. the PIX processes access lists from the top to the bottom.

If your last access list entry is access-list acl_lan deny ip any any and you add your commands after it, it will reject it because it will never get to the last..

You have to write

no access-list acl_lan deny ip any any
then after that, add the line I gave you.

Then add again no access-list acl_lan deny ip any any..

Expert Comment by Yan_west (LVL 15)
Add again access-list acl_lan deny ip any any..

Btw, this line does not have to be there because each access list has a default deny any any at the end, but you cannot see it. Some people add it for debugging purposes.. to be able to count requests that were blocked.
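The ordering point above, as an added example that is not part of the thread and not PIX code: a small Python first-match evaluator for PIX-style access-list lines (only `any` / `host X` addresses and `eq PORT` are handled; the ACL name acl_lan, the inside host 192.168.1.50 and the peer 10.0.0.1 are constructed sample values). It shows that a permit appended after an explicit `deny ip any any` can never match, and that the invisible implicit deny still catches everything else once the explicit deny is re-added last.

```python
# Added example, not from the thread; addresses and ACL entries are constructed.
def parse_acl_line(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    name, action, proto, i, ends = tok[1], tok[2], tok[3], 4, []
    for _ in range(2):                      # source, then destination
        if tok[i] == "any":
            addr, i = None, i + 1
        elif tok[i] == "host":
            addr, i = tok[i + 1], i + 2
        else:
            raise ValueError("only 'any' and 'host X' are supported here")
        port = None
        if i < len(tok) and tok[i] == "eq":  # optional port match
            port, i = int(tok[i + 1]), i + 2
        ends.append((addr, port))
    return {"name": name, "action": action, "proto": proto,
            "src": ends[0], "dst": ends[1]}

def _end_matches(end, addr, port):
    want_addr, want_port = end               # None means wildcard
    return (want_addr is None or want_addr == addr) and \
           (want_port is None or want_port == port)

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; returns (action, index) or the implicit deny."""
    for idx, rule in enumerate(acl):
        if rule["proto"] not in ("ip", proto):
            continue
        if _end_matches(rule["src"], src, sport) and \
           _end_matches(rule["dst"], dst, dport):
            return rule["action"], idx
    return "deny", None   # the implicit deny, invisible in 'show access-list'

def build(lines):
    return [parse_acl_line(line) for line in lines]

# Constructed sample: a permit appended after an explicit deny is shadowed.
SHADOWED = build([
    "access-list acl_lan deny ip any any",
    "access-list acl_lan permit udp host 192.168.1.50 any eq 4000",
])
# Same entries after 'no access-list acl_lan deny ip any any' and re-adding it last.
FIXED = build([
    "access-list acl_lan permit udp host 192.168.1.50 any eq 4000",
    "access-list acl_lan deny ip any any",
])
```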

Expert Comment by zerofield (LVL 5)
netspec01's comment:
You may not necessarily have to open up inbound connections. I don't know the game, but a lot of software specifies inbound/outbound when they really mean the outbound connections must be allowed.

On a non-stateful (SPI/stateful packet inspection) firewall, if you allowed OUT port, say, 30000 for a game, and packets wanted to come back in on port 30000, it wouldn't let them. On a PIX, if you allow OUT 30000, and the packets originated from 30000, it'd let communications resume. Basically on modern firewalls, the comments about not needing to open inbound ports are correct. I'm not saying it's true in this case, but it's a very likely thing to consider.
 
Author Comment by emilbus20 (LVL 1)
Man, I dunno. I can now get a step further in the process, but when the game loads up I lose the connection to the other player. Yan_west, I'm not really following you. I have never used anything like that before. access-list acl_lan deny ip any any  Not really sure. Not even sure what you mean by what is added afterwards. Isn't everything in the access-list affected? Like when I type show access-list. Sorry if I sound confused. I am!!
When I typed access-list acl_lan permit tcp (or udp) host ipofyourmachine any eq port# "with my info" it just hit me up with how I can type ? for help etc. I'm lost and bored and I need to play Tiberian Sun. heh. I'm trying to learn this stuff but it's difficult, but I'll get there. I appreciate the help.

Author Comment by emilbus20 (LVL 1)
Hey, it's telling me ERROR: access-list <acl_lan> does not exist ?

Expert Comment by Yan_west (LVL 15)
Oh, lol..

The acl_lan has to be replaced with the name of the ACL bound to your internal interface :)

To see all the access lists you have, type

show access-list

:)

Accepted Solution by Yan_west (LVL 15, earned 500 total points)
Btw, if you don't know this more than that.. DO NOT play with it.. your PIX config is a serious matter; if you mess it up, you'll be in serious trouble.. and let me tell you, it's easy to mess up your ACLs..

Author Comment by emilbus20 (LVL 1)
When I type show access-list I see nothing like acl_lan. I dunno, maybe I just shouldn't mess with it.

Expert Comment by Yan_west (LVL 15)
Don't :) I strongly agree with that..

Btw, it doesn't have to be named acl_lan, it could be named anything.. like Gonzo, Hankythechrismaspoo or whatever name you could think of :)

If you wanna study the configuration, type

write term

After that, press your space bar a few times until the entire config has been displayed.

Then select the entire configuration, put it in Word, and study it.. searching for stuff you do not understand on Google. That will keep you busy :)

Expert Comment by hehewithbrackets (LVL 3)
I agree with Yan.  Why do you even have access to your company's PIX box?

Author Comment by emilbus20 (LVL 1)
Heh, cause I'm the IT guy here. Duh. The PIX was already in place when I got here. I'm thinking about moving to Windows ISA Server. Heard it's pretty good. Any advice?

Expert Comment by Yan_west (LVL 15)
WHAT? Don't do that.. the PIX has to stay there, it's an excellent device, and worth a couple of grand.. Also, you cannot beat the security and control it provides you.

Often, people have both a PIX and an ISA server for further control of internet access...

I would suggest you go and follow a course on Cisco's PIX products / OS... go and get yourself a CCNA.. It will give you some basic training with Cisco's products..


Author Comment by emilbus20 (LVL 1)
Yeah, this is true. I like a GUI, but I guess that's just what I'm used to. Hopefully the boss will foot the bill for a PIX class.

Expert Comment by zerofield (LVL 5)
CCNA doesn't even mention the PIX though.. in fact I'm not even sure CCNP requires you to know much about them..

A class would run you $2k-ish and pay for itself almost immediately; I'd take Yan's advice on that. Please, God in heaven, don't pull a PIX for an ISA server... *gack*

Expert Comment by Yan_west (LVL 15)
ZeroField: I almost choked when I heard that :)

Author Comment by emilbus20 (LVL 1)
Yeah, it's just hard: whenever I need something done to it I need to pay some ridiculous fee. But I will learn. I have heard some good things about ISA though. I know people have their preferences. Thanks for all the help though.