how do i open ports on a pix firewall?

Posted on 2007-04-02
Medium Priority
Last Modified: 2010-04-09
Okay, I have been working on a similar problem for months and the other question is on here and still open. I have a PIX firewall and a static IP assigned from my ISP, and I also have a Small Business Server. I am trying to get the PIX firewall to allow me to connect to the Small Business Server via Remote Web Workplace and web Outlook access. I have read various articles on EE and I do not seem to understand even the basics. I have internet on all boxes including the server. I have also tested the Remote Web Workplace with a cheap Linksys router and everything worked from a remote location. All I need now is to get the PIX configured to work with the Remote Web Workplace and WOA. I need someone to be very specific; I need to know NAT, access list, everything in detail. I can do it from the command line (I actually like it better) but I will work from the PDM as well. Thanks for your help.
Question by:dcaggiano
LVL 19

Expert Comment

ID: 18840697
The basics would be as follows:
Internal IP addresses are in a NAT pool which gets translated to an external IP.
The server you are trying to publish externally should have a specific NAT translation called a static - it gives the machine in question a 1-1 translation from its specific internal address to a specific outside IP.
You then allow the ports you wish through the PIX to the translated address of the server - by creating an access-list and applying it to the outside interface.
To give an oversimplification:

access-list outside-in permit tcp any host eq www >>ACL allowing www access only

ip address outside>>outside ip of PIX
ip address inside>>Inside ip of PIX
nat (inside) 1>>Nats all internal ips in range
global (outside) 1>>Translated the internal ips on nat pool "1" to
route outside>>route to edge router and to internet
static (inside,outside) netmask>>1-1 static translation for server
access-group outside-in in interface outside>>applies the access-list "outside-in" to the outside interface

Post your config if you need specific help or if the above does not assist.

hope this helps

Author Comment

ID: 18874035
I do not quite follow the specifics; I will post the configuration as soon as I am back in the office and we can go from there.

Author Comment

ID: 18882614
Here is my current configuration. If you could give me specific commands it would be appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
object-group service RemoteWebWorkPlace tcp
  port-object range https https
  port-object range ftp ftp
  port-object range pptp pptp
  port-object range 4125 4125
  port-object range 444 444
  port-object range 3389 3389
  port-object range smtp smtp
  port-object range www www
access-list inside_access_in permit ip any any
access-list 101 permit tcp any host eq https
access-list fromoutside permit tcp any host eq 3389
access-list fromoutside permit tcp any host eq https
access-list fromoutside permit tcp any host eq 444
access-list fromoutside permit tcp any host eq ftp
access-list fromoutside permit tcp any host eq smtp
access-list fromoutside permit tcp any host eq www
access-list fromoutside permit tcp any host eq pptp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.XX.XXX.XXX
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group inside_access_in in interface inside
route outside 74.XX.XXX.XXX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum: is the server with remote web workplace.

LVL 19

Accepted Solution

nodisco earned 1000 total points
ID: 18886944
hi there

From the look of it - you have tried a few ways to get this to work!
Firstly - a little cleanup work:
The ACL below is doing nothing for you, as inside>outside traffic is already allowed out by default, so remove:

no access-list inside_access_in permit ip any any
no access-group inside_access_in in interface inside

This ACL is doing nothing either; it's not applied anywhere and it's to an internal IP, which will not work, so remove:

no access-list 101 permit tcp any host eq https

Now to start!
As your outside IP is a 30-bit mask, it means there are only 2 IPs in the subnet - the PIX outside IP and the next hop router's IP:
ip address outside 74.XX.XXX.XXX
These addresses are 221 and 222 respectively. As you only have 1 free IP (the PIX outside), you need to use port redirection for this. It's not too difficult - here are the steps:

Firstly - remove the old access-list (in PIX 6.3 the whole list is removed by name):
no access-list fromoutside

Create the new one
access-list fromoutside permit tcp any interface outside eq 3389
access-list fromoutside permit tcp any interface outside eq https
access-list fromoutside permit tcp any interface outside eq 444
access-list fromoutside permit tcp any interface outside eq ftp
access-list fromoutside permit tcp any interface outside eq smtp
access-list fromoutside permit tcp any interface outside eq www
access-list fromoutside permit tcp any interface outside eq pptp

Then create the port redirections so traffic to the outside IP of the PIX is redirected internally:
static (inside,outside) tcp interface 3389 3389 netmask
static (inside,outside) tcp interface https https netmask
static (inside,outside) tcp interface 444 444 netmask
static (inside,outside) tcp interface ftp ftp netmask
static (inside,outside) tcp interface smtp smtp netmask
static (inside,outside) tcp interface www www netmask
static (inside,outside) tcp interface pptp pptp netmask

Do the following to clear the translation table so these will work:
clear xlate

Then apply the access-list to the outside interface:
access-group fromoutside in interface outside

write mem
This is to save, and voila - you're ready to rock.
FYI - you cannot port-forward a range of addresses with PAT, hence the need for the individual statics. Essentially what they do is intercept www, smtp, ftp traffic destined to the PIX outside interface IP address and forward it to the internal IP in the static command (note I used in the example - replace as required).

hope this helps
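As an added illustration of the pairing described in the basics comment above and worked through in this answer (my own example, not code from the thread): a small Python checker that reads a PIX 6.x config and reports inbound ports permitted with no matching static PAT entry, statics with no permitting ACL line, an ACL never bound with access-group, and host-targeted inbound ACL entries on a /30 outside interface. The sample config, the addresses 203.0.113.221/30 and 192.168.16.10, and the port set are constructed for the example.

```python
import re

# Service names the PIX accepts in place of numbers (the ones used in this thread).
NAMED_PORTS = {"www": 80, "https": 443, "ftp": 21, "smtp": 25, "pptp": 1723}
# Constructed sample in the shape the accepted answer produces, with one mismatch of each kind.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.221 255.255.255.252
access-list fromoutside permit tcp any interface outside eq 3389
access-list fromoutside permit tcp any interface outside eq https
access-list fromoutside permit tcp any interface outside eq www
access-list fromoutside permit tcp any host 192.168.16.10 eq 444
static (inside,outside) tcp interface 3389 192.168.16.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.16.10 443 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 192.168.16.10 4125 netmask 255.255.255.255
access-group fromoutside in interface outside
"""
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any (interface outside|host \S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")
OUTSIDE_RE = re.compile(r"^ip address outside \S+ (\S+)$")

def port(p):  # named or numeric port -> comparable value, so 'https' and '443' match
    return NAMED_PORTS.get(p, int(p) if p.isdigit() else p)

def audit(config):
    """Return a list of findings; an empty list means ACL and static PAT entries agree."""
    acls, statics, bound, findings, outside_mask = {}, {}, set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := OUTSIDE_RE.match(line):
            outside_mask = m.group(1)
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))
        elif m := STATIC_RE.match(line):  # outside port -> (inside host, inside port)
            statics[port(m.group(1))] = (m.group(2), port(m.group(3)))
        elif m := ACL_RE.match(line):
            name, target, p = m.groups()
            acls.setdefault(name, {})[port(p)] = target
    for name, entries in acls.items():
        if name not in bound:
            findings.append(f"access-list {name} is never applied with 'access-group {name} in interface outside'")
        for p, target in sorted(entries.items(), key=lambda kv: str(kv[0])):
            if target.startswith("host") and outside_mask == "255.255.255.252":
                findings.append(f"{name}: port {p} permitted to {target}, but a /30 outside subnet has no spare address; use 'interface outside'")
            elif p not in statics:
                findings.append(f"{name}: port {p} permitted but no 'static (inside,outside) tcp interface {p} ...' redirects it")
    permitted = {p for e in acls.values() for p in e}
    for p, (host, lport) in sorted(statics.items(), key=lambda kv: str(kv[0])):
        if p not in permitted:
            findings.append(f"static PAT {p} -> {host}:{lport} has no permitting ACL entry, so inbound packets are dropped")
    return findings
```

Running audit(SAMPLE_CONFIG) reports three findings: the host-targeted 444 entry, www (80) with no static, and the 4125 static with no ACL line.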


Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question