Solved

How to open ports in Cisco PIX 515 version 6.01 to play the Tiberian Sun video game.

Posted on 2004-09-21
26
540 Views
Last Modified: 2012-05-05
What's up everybody. I'm trying to get my PIX to allow me to play Tiberian Sun. It says it needs incoming and outgoing ports 1140-1234 and 4000. I'm just not sure how to set that up in the PIX. I work for a small company. Everyone is away on a retreat this week, and I'm getting very bored. hehe. Don't you wish you had my problems. Thanks in advance for any help.
0
Question by:emilbus20
26 Comments
 
LVL 1

Expert Comment

by:negativl
ID: 12112777
Seriously? That's really easy... but as most things Cisco are easy to screw up, are you sure you want to mess with it? Breaking everything while everyone else is away isn't always the wisest course of action. ;)

ok, so the rule to pass things through to one server is
conduit permit <proto> host <IP address> eq <port> any
i.e.
conduit permit udp host 192.200.2.106 eq 4000 any


If you're using NAT/PAT, you'll need to start off with static entries to map the inside and outside addresses/ports.

Try entering a question mark at the prompt. You can enter a command and use the ? anywhere along the way to see what options you need.
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12112867
Seriously - Using Conduits!  

With 6.01 he should be using the PDM graphical user interface and creating service groups.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12112922
Opening ports from the outside to the inside should not be done in a corporate environment if it's not for business needs. Usually, games do not need any firewall ports to be opened from the outside to the inside.

Check your access list for your inside interface and add

access-list acl_lan permit tcp (or udp) host ipofyourmachine any eq port#

and for the outside

access-list acl_outside permit tcp (or udp) any host ipofyourmachine eq port#
0
 
LVL 5

Expert Comment

by:zerofield
ID: 12112944
Whoa, conduits.. flashback there..

Yeah, use the PDM, it's really the best part about managing a PIX. Enable it from the command line by typing:

pdm location <ip address> <netmask> <interface>

The interface would be either inside or outside. If you intend to use this from home, you'd put your cable modem IP address, and either a 255.255.255.0 or 255.255.255.255 netmask, the latter being if the IP of your modem doesn't change often or at all.

After that's done, you can open up a browser and type in:

https://address.to.your.pix

It'll fire up some Java and ask you for your login info. A common mistake is not having usernames set up, which means you'll have a blank username when it asks you for one, but use the "enable" password for the password field.

If none of this is working, do a 'sh ver' and make sure it looks like this:

# sh ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee
FWHQ up 224 days 12 hours
Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz

Granted I'm probably a few revisions behind myself (I just started here not long ago), it should say you have a PIX Device Manager Version ____ present. If it is older than 3, UPGRADE IT. The old ones were a pain.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12112949
Hmm btw, what is the difference between conduit and what I did?
0
 
LVL 1

Expert Comment

by:negativl
ID: 12112968
Older version/method. Guess I should pay for the Cisco support contract and upgrade, but I have long since stopped using my old PIX for anything that matters.
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12113019
You may not necessarily have to open up inbound connections. I don't know the game, but a lot of software specifies inbound/outbound when they really mean the outbound connections must be allowed.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12113038
Yes, like I said, most software does not need you to open ports from the outside. It would be a bad thing for your security.
0
 
LVL 1

Author Comment

by:emilbus20
ID: 12113066
Hey guys, thanks for the quick answers. So I'm putting in access-list acl_lan permit tcp (or udp) host ipofyourmachine any eq port# with the correct host IP and port # but it is not letting me add it. I think the problem is from the inside to the outside as well. Is there a specific command to get to the inside access list, or is show access-list all I need to see what I have done?
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12113082
1. get PDM working
2. add a rule to permit "any inside" to  "any outside" with a service group called Tiberian.  The Tiberian service group should be created and define two port ranges. (4000-4000 and 1140-1234).
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12113084
What do you mean, it's not letting you add it? Are you receiving a message? By the way, the PIX processes access lists from the top to the bottom.

If your last access list entry is access-list acl_lan deny ip any any and you add your commands after it, it will reject it because it will never get to the last one.

You have to write

no access-list acl_lan deny ip any any

Then after, add the line I gave you.

Then add again no access-list acl_lan deny ip any any..
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12113104
Add again access-list acl_lan deny ip any any..

Btw, this line does not have to be there because each access list has a default deny any any at the end, but you cannot see it. Some people add it for debugging purposes, to be able to count requests that were blocked.
0
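A small first-match model of the access-list behaviour Yan_west describes above, added here as an illustration (it is not code from the thread or from Cisco): a permit appended after an explicit deny ip any any is never reached, while removing the deny, adding the permits and re-adding the deny works. The inside host and outside peer addresses are constructed, and the port ranges are the ones from the question.

```python
# Added example (not from the thread): a first-match model of a PIX-style
# access list. It shows why a permit appended after "deny ip any any" never
# fires, and why Yan_west's remove / add / re-add ordering works.
# The inside host address and the outside address are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: Optional[str]              # "tcp", "udp", or None meaning "ip"
    src: Optional[str]                # host address, or None meaning "any"
    dst: Optional[str]
    dport: Optional[Tuple[int, int]]  # inclusive (lo, hi), or None for any port

def matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    return ((ace.proto is None or ace.proto == proto)
            and (ace.src is None or ace.src == src)
            and (ace.dst is None or ace.dst == dst)
            and (ace.dport is None or ace.dport[0] <= dport <= ace.dport[1]))

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; the invisible implicit deny ends every list."""
    for ace in acl:
        if matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"

PC = "192.168.1.50"        # constructed: the inside machine running the game
OUTSIDE = "203.0.113.9"    # constructed: the other player
DENY_ALL = Ace("deny", None, None, None, None)   # explicit "deny ip any any"
GAME = [Ace("permit", "udp", PC, None, (1140, 1234)),   # port ranges from the question
        Ace("permit", "udp", PC, None, (4000, 4000))]

wrong_order = [DENY_ALL] + GAME   # permits appended after the explicit deny
right_order = GAME + [DENY_ALL]   # deny removed, permits added, deny re-added

def check(acl: List[Ace]) -> Tuple[str, str, str, str]:
    return (evaluate(acl, "udp", PC, OUTSIDE, 4000),
            evaluate(acl, "udp", PC, OUTSIDE, 1200),
            evaluate(acl, "udp", PC, OUTSIDE, 5000),              # outside both ranges
            evaluate(acl, "tcp", "192.168.1.77", OUTSIDE, 4000))  # a different host

if __name__ == "__main__":
    print("appended after deny:", check(wrong_order))  # all 'deny'
    print("deny re-added last: ", check(right_order))  # permit, permit, deny, deny
```

The third and fourth results stay "deny" in both orderings: the implicit deny at the end of the list drops them even when no explicit deny ip any any is configured.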
 
LVL 5

Expert Comment

by:zerofield
ID: 12113443
netspec01's comment:
You may not necessarily have to open up inbound connections.  I don't know the game, but a lot of software specifies inbound/oubound when they really mean the outbound connections must be allowed.

On a non-stateful (SPI/stateful packet inspection) firewall, if you allowed OUT port, say, 30000 for a game, and packets wanted to come back in on port 30000, it wouldn't let them. On a PIX, if you allow OUT 30000, and the packets originated from 30000, it'd let communication resume. Basically on modern firewalls, the comment about not needing to open inbound ports is correct. I'm not saying it's true in this case, but it's a very likely thing to consider.
0
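A minimal model of the stateful behaviour zerofield describes above, added here as an illustration (it is not code from the thread or from Cisco): an outbound packet permitted by the inside policy records a connection, the peer's reply is admitted because it reverses that connection, and an unsolicited inbound packet to the same port is dropped because no inbound rule exists. Addresses and the port 30000 are constructed.

```python
# Added example (not from the thread): a minimal stateful-inspection model of
# zerofield's point. An outbound packet the inside policy permits creates a
# connection entry; an inbound packet is admitted only if it reverses one of
# those entries, so no inbound rule for the port is needed and unsolicited
# traffic to the same port is still dropped. Addresses and ports are constructed.
from typing import Dict, Set, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

class StatefulFirewall:
    def __init__(self, outbound_ports: Dict[str, Set[int]]):
        self.outbound_ports = outbound_ports  # inside policy: proto -> permitted dst ports
        self.conns: Set[Flow] = set()         # connection (state) table

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        if dport in self.outbound_ports.get(proto, set()):
            self.conns.add((proto, src, sport, dst, dport))   # remember the flow
            return "permit"
        return "deny"

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        # A reply is a recorded flow with source and destination swapped.
        if (proto, dst, dport, src, sport) in self.conns:
            return "permit"
        return "deny"   # no inbound rule permits this, so it is dropped

def demo() -> Tuple[str, str, str]:
    fw = StatefulFirewall({"udp": {30000}})          # only OUT 30000 is allowed
    inside, peer, stranger = "192.168.1.50", "203.0.113.9", "198.51.100.7"
    out = fw.outbound("udp", inside, 30000, peer, 30000)             # game starts
    reply = fw.inbound("udp", peer, 30000, inside, 30000)            # peer answers
    unsolicited = fw.inbound("udp", stranger, 30000, inside, 30000)  # no state
    return out, reply, unsolicited

if __name__ == "__main__":
    print(demo())   # ('permit', 'permit', 'deny')
```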
 
LVL 1

Author Comment

by:emilbus20
ID: 12114002
Man, I dunno. I can now get a step further in the process, but when the game loads up I lose the connection to the other player. Yan_west, I'm not really following you. I have never used anything like that before. access-list acl_lan deny ip any any. Not really sure. Not even sure what you mean by what is added afterwards. Isn't everything in the access-list affected? Like when I type show access-list. Sorry if I sound confused. I am!!
When I typed access-list acl_lan permit tcp (or udp) host ipofyourmachine any eq port# "with my info" it just hit me up with how I can type ? for help etc. I'm lost and bored and I need to play Tiberian Sun. heh. I'm trying to learn this stuff but it's difficult, but I'll get there. I appreciate the help.
0
 
LVL 1

Author Comment

by:emilbus20
ID: 12114301
Hey, it's telling me ERROR: access-list <acl_lan> does not exist ?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12114430
Oh, lol..

The acl_lan has to be replaced with the name of the ACL bound to your internal interface :)

To see all the access lists you have, type

show access-list

:)
0
 
LVL 15

Accepted Solution

by:
Yan_west earned 500 total points
ID: 12114442
Btw, if you don't know more than that.. DO NOT play with it. Your PIX config is a serious matter; if you mess it up, you'll be in serious trouble, and let me tell you, it's easy to mess up your ACLs.
0
 
LVL 1

Author Comment

by:emilbus20
ID: 12114526
When I type show access-list I see nothing like acl_lan. I dunno, maybe I just shouldn't mess with it.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12114715
Don't :) I strongly agree with that..

Btw, it doesn't have to be named acl_lan, it could be named anything.. like Gonzo, Hankythechrismaspoo or whatever name you could think of :)

If you wanna study the configuration, type

write term

After that, press your space bar a few times until the entire config has been displayed.

Then select the entire configuration, put it in Word, and study it, searching on Google for stuff you do not understand. That will keep you busy :)
0
 
LVL 3

Expert Comment

by:hehewithbrackets
ID: 12117889
I agree with Yan.  Why do you even have access to your company's PIX box?
0
 
LVL 1

Author Comment

by:emilbus20
ID: 12122668
Heh, 'cause I'm the IT guy here. Duh. The PIX was already in place here when I got here. I'm thinking about moving to Windows ISA Server. Heard it's pretty good. Any advice?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12122764
WHAT? Don't do that.. the PIX has to stay there, it's an excellent device, and worth a couple of grand.. also, you cannot beat the security and control it provides you.

Often, people have both a PIX and an ISA server for further control of internet access...

I would suggest you go and follow a course on Cisco's PIX products / OS... go and get yourself a CCNA.. it will give you some basic training with Cisco's products..

0
 
LVL 1

Author Comment

by:emilbus20
ID: 12123035
Yeah, this is true. I like a GUI, but I guess that's just what I'm used to. Hopefully the boss will foot the bill for a PIX class.
0
 
LVL 5

Expert Comment

by:zerofield
ID: 12123119
CCNA doesn't even mention the PIX though.. in fact I'm not even sure CCNP requires you to know much about them..

A class would run you $2k-ish and pay itself off almost immediately; I'd take Yan's advice on that. Please god in heaven don't pull a PIX for an ISA Server... *gack*
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 12123132
ZeroField: I almost choked when I heard that :)
0
 
LVL 1

Author Comment

by:emilbus20
ID: 12123448
Yeah, it's just hard when, whenever I need something done to it, I need to pay some ridiculous fee. But I will learn. I have heard some good things about ISA though. I know people have their preferences. Thanks for all the help though.
0
