Allow traffic from an IP Range in through a Pix firewall

s_sykes asked:

I'm trying to set up a VOIP application on my network and it's not working.  The provider suggested that I add an exception to my PIX firewall (v7) for their IP range.  I know how to log in to the PIX and move around a bit, but that's about all.  I do know that there are already a few entries in an access list for my web and email servers.

Could anyone tell me how to let traffic in from their IP range?  They said to just open all ports, but I'd like to try just opening the port their application runs on first if possible.  I'm guessing I just need to add an access list entry and then save my configuration, but I'm not sure.  Any suggestions would be appreciated.
batry_boy:

These statements will allow you to do what you want...just substitute the appropriate ports for the ones you wish to allow, assuming the following example values:

provider IP range :
ports allowed : TCP 8000      <----just an example!
internal host you want to allow VOIP traffic to :
external public IP address mapped to internal host :

access-list acl_outside_in permit tcp host eq 8000
static (inside,outside) netmask
access-group acl_outside_in in interface outside
------END COMMANDS-----

The first command allows TCP 8000 inbound from any host on the network to host which is mapped to internal host in the static command.  The last command applies your access list to the outside interface.  You should already have an ACL applied to the interface since you mention that you have web and e-mail traffic already allowed.  You would add another access list statement to that same access list that looks like the above "access-list" statement in my example.

Please let me know if I need to clarify.
Alan Huseyin Kayahan:

First, let's create an object-group to hold the allowed IPs. Enter the command-line enable mode. Then...

configure terminal
object-group network Allowedipranges
description These ip ranges are allowed

Now the object-group named Allowedipranges holds the IPs that we want to be allowed. Now we have to assign ACLs.
If the IPs in the object-group reside on the outside, you should set the following ACL.

access-list voip_allow permit ip object-group Allowedipranges any
access-group voip_allow in interface outside

If the IPs in the object-group reside in the DMZ, you should set the following ACL.

access-list voip_allow permit ip object-group Allowedipranges any
access-group voip_allow in interface dmz

The "any" at the end of the ACL means "Allowedipranges" can access any resource they want. If you want to define only one host, you should type "host hostipaddress" instead of "any". And if you also want to specify ports, you should type "host hostipaddress eq portnumber".
Please post the running config and I would be able to help much better.
MrHusy, I would hope that you submitted your post before you realized that I had already posted.
s_sykes:

batry boy,

I'd like to permit traffic into any IP on my internal network.  Is this possible instead of mapping to a specific address?  Is this dangerous?

Also, since ( I think) I already have an access list applied to the outside interface, do I need to run the last command you mention above?  Do I run the commands from the enable prompt or the config t prompt?  How do I save the change?

Finally, should I backup my current config before I make changes?
Yes, it's possible to allow this traffic to anything on your network, but you will have to have a public IP address for every internal IP address on your network.  For example, if you have 10 internal hosts that you want to allow inbound access to, you would have to have 10 public IP addresses that you could translate the internal hosts to so that you could allow the inbound traffic to them.

As long as you trust the source network specified in your access list (the provider's network in this case), then this isn't necessarily dangerous, but I would make sure that you limit the ports that the provider network can access.

No, you wouldn't have to apply the "access-group" command since you already have it applied.  Some folks think it is a good idea to reapply the access-group command if you make a change to the ACL referenced in it, but I don't think this is absolutely necessary.

You have to run these commands from the "pix(config)#" prompt.  Commands entered take effect immediately, but if you want to save the change so that they will be there upon a reboot of the PIX, you need to do a "write mem".

I always back up my current config before making changes to a firewall in case something happens.  You can just do a "show run" and then select it all and do a copy-paste into notepad for a simple way of saving off the config.
s_sykes:

batry boy,
I have a class C range of public IPs, so each machine on my network does get its own public IP going out.  So I guess I'm doing NAT as opposed to PAT?  Each machine on the inside of my network has a private address assigned from DHCP.

So that being the case, how do I modify your commands above to let in their IP range, to the specified port, to any machine on my internal network?

Yes, you are doing NAT if each machine gets its own public IP.  If you are using DHCP for your internal hosts, are you using reservations?  If not, then how do you have your NAT set up in the firewall?

Before I suggest how to do what you want, I think I should see your sanitized PIX config...that way I won't mess up anything in your current configuration with my suggested commands!  :)
s_sykes:

PIX Version 7.0(1)
interface Ethernet0
 nameif outside
 security-level 0
 ip address
interface Ethernet1
 nameif inside
 security-level 100
 ip address

access-list outside extended permit tcp any host eq www
access-list outside extended permit tcp any host eq smtp
access-list outside extended permit tcp any host eq www
access-list outside extended permit tcp any host eq ftp
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
asdm image flash:/pdm
asdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 1
static (inside,outside) netmask
static (inside,outside) netmask
static (inside,outside) netmask
access-group outside in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

http inside
http inside
http inside

no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set conquest esp-des esp-md5-hmac
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet inside
telnet timeout 15
ssh timeout 5
console timeout 0

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
batry_boy:

(solution hidden behind the site's sign-up prompt)
Alan Huseyin Kayahan:

Batry: No one had replied to that topic yet while I was typing my answer. When I clicked submit, I saw that I was second :)
Anyway, why are you so angry? You have done the same to me before :)
batry_boy:

You mistook my question for anger...I should have put a :) in there!  Sorry!
s_sykes:

Ewww, that doesn't sound very feasible.  From what you're saying I think I would have to do away with DHCP and assign everything on the network a static internal IP and then map everything to a static public IP.  I don't think that is worth it in this case since I'm not even sure that the firewall is the problem.  I've never had trouble with any other apps.

What about the object group Mr. Husy mentioned?  Could I use that instead?
The object groups he mentions only cover the filtering portion of this scenario.  You still have to translate your internal hosts to public IP addresses so that your provider can initiate traffic to your internal hosts.

Let me say that allowing inbound traffic from the Internet to every IP address on the internal network is a very non-standard way of doing things.  It's not something I've ever seen anyone do since there are inherent security risks...I was just trying to give you what you asked for.  I would recommend that you determine which internal hosts absolutely have to be accessed by your provider and just set up the translations for those hosts.  This would make your config much simpler to implement, not to mention more secure.
s_sykes:

True - I'll try one first and see if it works.
Alan Huseyin Kayahan:

It's ok m8 :)
Sykes, batry is right. My access-lists allow any IP traffic and this is not recommended. As batry said, you should determine which internal hosts have to be accessed by your provider and on which port(s).
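Pulling the thread's advice together (batry_boy's static-plus-ACL answer, MrHusy's object-group, and the closing recommendation to permit one host on specific ports), here is a worked PIX 7.0 configuration as an added example; it is not from any post above. Every address in it is an assumed placeholder from the RFC 5737 documentation ranges (provider 203.0.113.0/24, internal VoIP host 10.1.1.50 mapped to public 198.51.100.50, a TFTP server at 10.1.1.5), the port is assumed to be SIP on 5060, and the inbound ACL name "outside" is taken from the posted config. Two caveats a practitioner would check first: the VoIP host needs a fixed internal address (a DHCP reservation at minimum) because the static translation names it by IP; and because the posted global_policy already has `inspect sip`, the PIX will open the RTP media pinholes itself once the SIP signalling is permitted, but only if the provider really uses SIP on the inspected port, otherwise their media port range would have to be permitted explicitly as well.

```cisco
! Added example, not from the thread. All addresses are assumed placeholders
! (RFC 5737 documentation ranges), not the poster's real values:
!   provider source range ..... 203.0.113.0/24
!   internal VoIP host ........ 10.1.1.50   (needs a DHCP reservation or static lease)
!   public IP mapped to it .... 198.51.100.50 (one address from the poster's class C)
!   VoIP port ................. 5060 TCP/UDP (SIP signalling; substitute the provider's port)
!   TFTP server for backup .... 10.1.1.5
! The poster's inbound ACL is named "outside" and is already bound with
! "access-group outside in interface outside", so the new lines are appended to it.

! 1. Back up the running config before touching anything (alternative to show run + copy/paste)
copy running-config tftp://10.1.1.5/pix-before-voip.cfg

configure terminal

! 2. Group the provider's source addresses; add one network-object per range they give you
object-group network voip_provider
 description VoIP provider source ranges
 network-object 203.0.113.0 255.255.255.0

! 3. Group the application ports so each protocol needs only one ACL line
object-group service voip_sip tcp-udp
 description SIP signalling port
 port-object eq 5060

! 4. One-to-one static translation: inbound traffic must target a public IP that
!    maps to the internal host, or the PIX has nowhere to deliver it
static (inside,outside) 198.51.100.50 10.1.1.50 netmask 255.255.255.255

! 5. Permit only the provider, only to that mapped host, only on those ports.
!    The ACL is evaluated first-match with an implicit deny at the end, so these
!    lines sit safely after the existing www/smtp/ftp entries.
access-list outside extended permit tcp object-group voip_provider host 198.51.100.50 object-group voip_sip
access-list outside extended permit udp object-group voip_provider host 198.51.100.50 object-group voip_sip

! access-group outside in interface outside   <-- already present; re-entering it is harmless

! 6. Save to flash, otherwise the change disappears on reboot
write memory

! 7. Verify: the static shows up as an xlate, and the hit counts on the two new
!    ACL lines increase when the provider connects
show xlate
show access-list outside
show conn
```

The order matters: the static must exist before inbound packets to the mapped address can be accepted, and the ACL lines are appended to the list that is already bound to the outside interface, so the access-group command does not need to be re-entered. Nothing here grants the provider more than one mapped host on one port pair; if a second internal host must be reachable, it gets its own static and its own pair of ACL lines rather than a broader permit. `show access-list outside` prints a hit count per line, which is the quickest way to tell whether the provider's traffic is reaching the firewall at all or whether the problem lies elsewhere.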