opening ports through a pix 501

Posted on 2004-11-01
Last Modified: 2010-04-09
A quickie:  I need to remotely administer a Windows 2003 server.  What lines in the PIX do I need to write out to make this "hole" in the PIX firewall?
Question by:compinfo

    Expert Comment

    by:lrmoore
    Easy enough.

    access-list outside_access_in permit tcp any interface outside e1 3389
    static (inside,outside) tcp <win2k3 server ip> 3389 interface 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside


    Author Comment

    by:compinfo
    upon putting in the first command line, I get this:

    Result of firewall command: "access-list outside_access_in permit tcp any interface outside e1 3389"
     
    ERROR: extra command argument(s)
    Usage:      [no] access-list compiled
    [no] access-list deny-flow-max <n>
    [no] access-list alert-interval <secs>
    [no] access-list <id> compiled
    [no] access-list <id> [line <line-num>] remark <text>
    [no] access-list <id> [line <line-num>] deny|permit
          <protocol>|object-group <protocol_obj_grp_id>
          <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
          [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
          <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
          [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
          [log [disable|default] | [<level>] [interval <secs>]]
    [no] access-list <id> [line <line-num>] deny|permit icmp
          <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
          <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
          [<icmp_type> | object-group <icmp_type_obj_grp_id>]
          [log [disable|default] | [<level>] [interval <secs>]]
    Restricted ACLs for route-map use:
    [no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
    Command failed

    Author Comment

    by:compinfo
    So I changed e1 to eq, and it worked.

    On the second command line, I tried with both the web server's internal IP address
    (static (inside,outside) tcp 192.168.1.100 3389 interface 3389 netmask 255.255.255.255) and the external IP address; both gave me this error:

    ERROR: invalid local IP address interface

    ideas?


    Author Comment

    by:compinfo
    Ok, so I tried this and the PIX liked it:

    static (inside,outside) tcp 192.168.1.100 3389 <real ip 4 webserver> 3389 netmask 255.255.255.255

    Have not tested it yet...

    Expert Comment

    by:lrmoore
    D'OH! My fat fingers typed e1 instead of eq .... at least you got the idea....
    I wasn't sure if you had more than one IP address.
    If you put "interface" in the access-list, then is "<real ip 4 webserver>" the same IP?
    You might have to change the access-list entry:

       access-list outside_access_in permit tcp any host <real ip 4 webserver> outside eq 3389

    Don't forget to re-apply the acl to the interface any time you change it..

    Author Comment

    by:compinfo
    Hmm...

    Not sure about the interface question.  If 'interface' means the external interface to the internet on the PIX, then the answer is no.  The <real ip 4 webserver> is in the same subnet though.  So, what to do different?  I've tested this and now it is not working at all (can't even get to the web server portion....)


    Accepted Solution

    by:
    OK, let's take this again - from the top.
    Pretend that <real public ip 4 webserver> = 12.34.56.7

    access-list outside_access_in permit tcp any host 12.34.56.7 eq 3389
    static (inside,outside) tcp 192.168.1.100 3389 12.34.56.7 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside

    Author Comment

    by:compinfo
    ah! ok, will try in about an hour...

    Author Comment

    by:compinfo
    Great, it's working so far. Thanks!

    Author Comment

    by:compinfo
    Well, I spoke too soon!  It seems that externally I still can't get to port 22 (I have SSH Tectia Server running) or port 3389, so I've opened another ticket:

    http://www.experts-exchange.com/Security/Firewalls/Q_21203708.html


    Expert Comment

    by:lrmoore
    My BIG mistake!!!
    >>>>static (inside,outside) tcp 192.168.1.100 3389 12.34.56.7 3389 netmask 255.255.255.255

    Should be reversed:

       static (inside,outside) tcp 12.34.56.7 3389 192.168.1.100 3389 netmask 255.255.255.255

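The three-line recipe in this thread (access-list permit, static, access-group) is easy to get backwards: on PIX 6.x the static takes the mapped public address first and the real inside address second, which is exactly the operand order the accepted answer had reversed and the last comment corrects. As an added example that is not part of the original thread, the Python script below parses a PIX 6.x port-forwarding fragment and flags the three things a practitioner checks before trusting it: a static whose mapped and real addresses are swapped, an access-list permit with no static translating that ip:port on the bound interface, and an administration port (22 or 3389) opened to `any`. Both embedded configs are constructed: 12.34.56.7 and 192.168.1.100 are the thread's own placeholder addresses, 203.0.113.10 is an assumed admin workstation used to show a source-restricted permit instead of `any`, and the parser only understands the simple `any`/`host` forms used in the thread.

```python
import ipaddress
import re

# Constructed sample (not a config from the page): the thread's final, correct
# recipe with the mapped public IP first in each static, a second static for
# the SSH server the asker mentions, and the ACL restricted to an assumed
# admin workstation (203.0.113.10) instead of "any".
CORRECTED_CONFIG = """
access-list outside_access_in permit tcp host 203.0.113.10 host 12.34.56.7 eq 3389
access-list outside_access_in permit tcp host 203.0.113.10 host 12.34.56.7 eq 22
static (inside,outside) tcp 12.34.56.7 3389 192.168.1.100 3389 netmask 255.255.255.255
static (inside,outside) tcp 12.34.56.7 22 192.168.1.100 22 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# Constructed sample of the mistaken version from the accepted answer:
# the static has real and mapped addresses reversed and the ACL source is "any".
REVERSED_CONFIG = """
access-list outside_access_in permit tcp any host 12.34.56.7 eq 3389
static (inside,outside) tcp 192.168.1.100 3389 12.34.56.7 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# PIX 6.x forms handled here:
#   static (real_ifc,mapped_ifc) tcp <mapped_ip> <mapped_port> <real_ip> <real_port> netmask <mask>
#   access-list <id> permit tcp any|host <src> host <dst> eq <port>
#   access-group <id> in interface <ifc>
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask (\S+)$")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) (any|host \S+) host (\S+) eq (\d+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")

ADMIN_PORTS = {"22", "3389"}  # remote-administration ports named in the thread


def check_config(text):
    """Parse a PIX 6.x port-forwarding fragment and return a list of findings."""
    statics = []  # (mapped_ifc, proto, mapped_ip, mapped_port)
    acls = []     # (acl_name, proto, src, dst_ip, dst_port)
    bound = {}    # acl_name -> interface it is applied to
    findings = []

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATIC_RE.match(line)
        if m:
            _real_ifc, mapped_ifc, proto, mapped_ip, mapped_port, real_ip, _, _ = m.groups()
            # The mapped address is what the outside world connects to. If it is
            # the RFC 1918 host while the "real" side is public, the operands are
            # swapped, which is the mistake corrected at the end of the thread.
            if (ipaddress.ip_address(mapped_ip).is_private
                    and not ipaddress.ip_address(real_ip).is_private):
                findings.append(
                    f"static reversed: mapped {mapped_ip} is private, real {real_ip} is public")
            statics.append((mapped_ifc, proto, mapped_ip, mapped_port))
            continue
        m = ACL_RE.match(line)
        if m:
            acls.append(m.groups())
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        findings.append(f"unrecognised line: {line}")

    for name in sorted({a[0] for a in acls}):
        if name not in bound:
            findings.append(f"access-list {name} is never applied with access-group")

    for name, proto, src, dst_ip, dst_port in acls:
        # A permit forwards nothing unless a static on the bound interface maps that ip:port.
        if not any(s == (bound.get(name), proto, dst_ip, dst_port) for s in statics):
            findings.append(
                f"no static translates {proto}/{dst_ip}:{dst_port}; the permit forwards nothing")
        if src == "any" and dst_port in ADMIN_PORTS:
            findings.append(
                f"{proto}/{dst_port} on {dst_ip} is open to any source; restrict it to admin hosts")
    return findings


if __name__ == "__main__":
    for label, cfg in (("corrected", CORRECTED_CONFIG), ("reversed", REVERSED_CONFIG)):
        print(label, check_config(cfg) or ["ok"])
```

Run against the reversed fragment the checker reports the swapped static, the permit that no static backs, and the `any` source on 3389; against the corrected fragment it reports nothing. The private-versus-public test is a heuristic that fits this thread's setup (RFC 1918 inside, public outside); on a PIX whose outside interface is itself on private space it would need to be keyed on the interface names instead.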