opening ports through a pix 501

A quickie:  I need to remote administer a windows 2003 server.  What lines in the PIX do I need to write out to make this "hole" in the PIX firewall?
compinfoAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
Easy enough.

access-list outside_access_in permit tcp any interface outside e1 3389
static (inside,outside) tcp <win2k3 server ip> 3389 interface 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside

0
compinfoAuthor Commented:
upon putting in the first command line, I get this:

Result of firewall command: "access-list outside_access_in permit tcp any interface outside e1 3389"
 
ERROR: extra command argument(s)
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed
0
compinfoAuthor Commented:
So, I changed e1 to eq, it worked.

On the second command line, I tried with both the internal web server IP address
(static (inside,outside) tcp 192.168.1.100 3389 interface 3389 netmask 255.255.255.255) and the external IP address, both gave me this error:

ERROR: invalid local IP address interface

ideas?

0
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

compinfoAuthor Commented:
Ok, so I tried this and the PIX liked it:

static (inside,outside) tcp 192.168.1.100 3389 <real ip 4 webserver> 3389 netmask 255.255.255.255

Have not tested it yet...
0
lrmooreCommented:
D'OH! My fat fingers typed e1 instead of eq .... at least you got the idea....
I wasn't sure if you had more than one IP address.
If you put "interface" in the access-list, then is "<real ip 4 webserver>" the same IP?
You might have to change the access-list entry:

   access-list outside_access_in permit tcp any host <real ip 4 webserver> outside eq 3389

Don't forget to re-apply the acl to the interface any time you change it..
0
compinfoAuthor Commented:
Hmm...

Not sure about the interface question.  If 'interface' means the external interface to the internet on the PIX, then the answer is no.  The <real ip 4 webserver> is in the same subnet though.  So, what to do different?  I've tested this and now it is not working at all (can't even get to the web server portion....)

0
lrmooreCommented:
OK, let's take this again - from the top.
Pretend that <real public ip 4 webserver> = 12.34.56.7

access-list outside_access_in permit tcp any host 12.34.56.7 eq 3389
static (inside,outside) tcp 192.168.1.100 3389 12.34.56.7 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
compinfoAuthor Commented:
ah! ok, will try in about an hour...
0
compinfoAuthor Commented:
great it's working so far, Thanks!
0
compinfoAuthor Commented:
Well, I spoke too soon!  It seems that externally, I still can't get to port 22 (I have ssh tectia server running) or port 3389, so I've opened another ticket:

http://www.experts-exchange.com/Security/Firewalls/Q_21203708.html

0
lrmooreCommented:
My BIG mistake!!!
>>>>static (inside,outside) tcp 192.168.1.100 3389 12.34.56.7 3389 netmask 255.255.255.255

Should be reversed:

   static (inside,outside) tcp 12.34.56.7 3389 192.168.1.100 3389 netmask 255.255.255.255

0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.