Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

opening ports through a pix 501

Posted on 2004-11-01
11
Medium Priority
?
179 Views
Last Modified: 2010-04-09
A quickie:  I need to remote administer a windows 2003 server.  What lines in the PIX do I need to write out to make this "hole" in the PIX firewall?
0
Comment
Question by:compinfo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12466585
Easy enough.

access-list outside_access_in permit tcp any interface outside e1 3389
static (inside,outside) tcp <win2k3 server ip> 3389 interface 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside

0
 

Author Comment

by:compinfo
ID: 12468517
upon putting in the first command line, I get this:

Result of firewall command: "access-list outside_access_in permit tcp any interface outside e1 3389"
 
ERROR: extra command argument(s)
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed
0
 

Author Comment

by:compinfo
ID: 12468539
So, I changed e1 to eq, it worked.

On the second command line, I tried with both the internal web server IP address
(static (inside,outside) tcp 192.168.1.100 3389 interface 3389 netmask 255.255.255.255) and the external IP address, both gave me this error:

ERROR: invalid local IP address interface

ideas?

0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 

Author Comment

by:compinfo
ID: 12468605
Ok, so I tried this and the PIX liked it:

static (inside,outside) tcp 192.168.1.100 3389 <real ip 4 webserver> 3389 netmask 255.255.255.255

Have not tested it yet...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12468658
D'OH! My fat fingers typed e1 instead of eq .... at least you got the idea....
I wasn't sure if you had more than one IP address.
If you put "interface" in the access-list, then is "<real ip 4 webserver>" the same IP?
You might have to change the access-list entry:

   access-list outside_access_in permit tcp any host <real ip 4 webserver> outside eq 3389

Don't forget to re-apply the acl to the interface any time you change it..
0
 

Author Comment

by:compinfo
ID: 12469043
Hmm...

Not sure about the interface question.  If 'interface' means the external interface to the internet on the PIX, then the answer is no.  The <real ip 4 webserver> is in the same subnet though.  So, what to do different?  I've tested this and now it is not working at all (can't even get to the web server portion....)

0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 12469318
OK, let's take this again - from the top.
Pretend that <real public ip 4 webserver> = 12.34.56.7

access-list outside_access_in permit tcp any host 12.34.56.7 eq 3389
static (inside,outside) tcp 192.168.1.100 3389 12.34.56.7 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
0
 

Author Comment

by:compinfo
ID: 12477993
ah! ok, will try in about an hour...
0
 

Author Comment

by:compinfo
ID: 12479047
great it's working so far, Thanks!
0
 

Author Comment

by:compinfo
ID: 12571195
Well, I spoke too soon!  It seems that externally, I still can't get to port 22 (I have ssh tectia server running) or port 3389, so I've opened another ticket:

http://www.experts-exchange.com/Security/Firewalls/Q_21203708.html

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12571275
My BIG mistake!!!
>>>>static (inside,outside) tcp 192.168.1.100 3389 12.34.56.7 3389 netmask 255.255.255.255

Should be reversed:

   static (inside,outside) tcp 12.34.56.7 3389 192.168.1.100 3389 netmask 255.255.255.255

0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question