how do i open ports on a pix firewall?

Posted on 2007-04-02
Medium Priority
Last Modified: 2010-04-09
Okay, I have been working on a similar problem for months and the other question is on here and still open. I have a pix firewall and a static ip assigned from my isp and I also have a small business server. I am trying to get the pix firewall to allow me to connect to the small business server via remote web workplace and web outlook access. I have read various articles on EE and I do not seem to understand even the basics. I have internet on all boxes including the server. I have also tested the remote web workplace with a cheap linksys router and everything worked from a remote location. All I need now is to get the pix configured to work with the remote web workplace and WOA. I need someone to be very specific and I need to know NAT, access list, everything in detail. I can do it from command (I actually like it better) but I will work from the PDM as well. Thanks for your help.
Question by:dcaggiano

Expert Comment

ID: 18840697
The basics would be as follows:
Internal ip addresses are in a nat pool which get translated to an external ip
The server you are trying to publish externally should have a specific nat translation called a static - it gives the machine in question a 1-1 translation from its specific internal address to a specific outside ip.
You then allow the ports you wish through the PIX to the translated address of the server - by creating an access-list and applying it to the outside interface.
To give an over simplification:

access-list outside-in permit tcp any host eq www >>ACL allowing www access only

ip address outside>>outside ip of PIX
ip address inside>>Inside ip of PIX
nat (inside) 1>>Nats all internal ips in range
global (outside) 1>>Translates the internal ips on nat pool "1" to
route outside>>route to edge router and to internet
static (inside,outside) netmask>>1-1 static translation for server
access-group outside-in in interface outside>>applies the access-list "outside-in" to the outside interface

Post your config if you need specific help or if the above does not assist.

hope this helps

Author Comment

ID: 18874035
I do not quite follow the specifics, I will post the configuration as soon as I am back in the office and we can go from there.

Author Comment

ID: 18882614
Here is my current configuration. If you could give me specific commands it would be appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
object-group service RemoteWebWorkPlace tcp
  port-object range https https
  port-object range ftp ftp
  port-object range pptp pptp
  port-object range 4125 4125
  port-object range 444 444
  port-object range 3389 3389
  port-object range smtp smtp
  port-object range www www
access-list inside_access_in permit ip any any
access-list 101 permit tcp any host eq https
access-list fromoutside permit tcp any host eq 3389
access-list fromoutside permit tcp any host eq https
access-list fromoutside permit tcp any host eq 444
access-list fromoutside permit tcp any host eq ftp
access-list fromoutside permit tcp any host eq smtp
access-list fromoutside permit tcp any host eq www
access-list fromoutside permit tcp any host eq pptp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.XX.XXX.XXX
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group inside_access_in in interface inside
route outside 74.XX.XXX.XXX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:

is the server with remote web workplace.


Accepted Solution

nodisco earned 1000 total points
ID: 18886944
hi there

From the look of it - you have tried a few ways to get this to work!
Firstly - a little cleanup work:
The acl below is doing nothing for you as inside >outside traffic is already allowed out by default so remove:

no access-list inside_access_in permit ip any any
no access-group inside_access_in in interface inside

This acl is doing nothing either, it's not applied anywhere and it's to an internal ip which will not work, so remove:

no access-list 101 permit tcp any host eq https

Now to start!
As your outside ip is a 30 bit mask - it means there are only 2 ips in the subnet - the pix outside ip and the next hop router's ip
ip address outside 74.XX.XXX.XXX
These addresses are 221 and 222 respectively. As you only have 1 free ip (the PIX outside) you need to use port-redirection for this. It's not too difficult - here are the steps:

Firstly - remove the old access-list
no access-list fromoutside

Create the new one
access-list fromoutside permit tcp any interface outside eq 3389
access-list fromoutside permit tcp any interface outside eq https
access-list fromoutside permit tcp any interface outside eq 444
access-list fromoutside permit tcp any interface outside eq ftp
access-list fromoutside permit tcp any interface outside eq smtp
access-list fromoutside permit tcp any interface outside eq www
access-list fromoutside permit tcp any interface outside eq pptp

Then create the port redirections so traffic to the outside ip of the PIX is redirected to internally:
static (inside,outside) tcp interface 3389 3389 netmask
static (inside,outside) tcp interface https https netmask
static (inside,outside) tcp interface 444 444 netmask
static (inside,outside) tcp interface ftp ftp netmask
static (inside,outside) tcp interface smtp smtp netmask
static (inside,outside) tcp interface www www netmask
static (inside,outside) tcp interface pptp pptp netmask

Do the following to clear the translation table so these will work:
clear xlate

Then apply the access-list to the outside interface:
access-group fromoutside in interface outside

write mem
This is to save and voila - you're ready to rock.
FYI - you cannot port-forward a range of addresses with PAT, hence the need for the individual statics. Essentially what they do is intercept www, smtp, ftp traffic destined to the PIX outside interface ip address and forward it to the internal ip in the static command (note I used in the example - replace as required)

hope this helps
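
The two answers above (the NAT/static/access-list basics and the per-port PAT redirection steps) are easy to get half right, which is exactly what the posted config shows: access-lists that are defined but never applied, and permits that point at a host with no translation behind it. The Python below is an added example, not code from the thread or from Cisco: it emits the PIX 6.3 command sequence the accepted answer describes for a given inside host and port list, and lints a saved config for the inbound mismatches that leave a published server unreachable (an ACL never applied with access-group, a permit with no matching static, or a wide-open inbound permit). The inside server address 192.168.1.10, the ACL name fromoutside and the sample config text are constructed for this example; the static syntax assumes the real IP sits between the mapped and real ports, as in the stripped lines above.

```python
"""Added example (not from the thread): build PIX 6.3 port-redirection
commands and lint a saved config for inbound publishing mistakes."""
import re

# PIX accepts these names in place of port numbers; normalise so an ACL
# that says "https" still matches a static that says "443".
PORT_NAMES = {"www": "80", "https": "443", "ftp": "21", "smtp": "25",
              "pptp": "1723", "telnet": "23", "ssh": "22"}

# Constructed values for this example, not the poster's real addresses.
INSIDE_SERVER = "192.168.1.10"
SERVICES = ["3389", "https", "444", "ftp", "smtp", "www", "pptp"]


def port_number(p):
    return PORT_NAMES.get(p, p)


def build_port_redirect(acl_name, inside_ip, services,
                        netmask="255.255.255.255"):
    """Publish several TCP ports of one inside host on the single outside
    address of the PIX (PAT to the interface), in the accepted answer's order."""
    cmds = [f"no access-list {acl_name}"]             # drop the old ACL first
    for svc in services:                             # one permit per port ...
        cmds.append(f"access-list {acl_name} permit tcp any interface outside eq {svc}")
    for svc in services:                             # ... and one static per port
        cmds.append(f"static (inside,outside) tcp interface {svc} {inside_ip} {svc} "
                    f"netmask {netmask}")
    cmds.append("clear xlate")                       # flush stale translations
    cmds.append(f"access-group {acl_name} in interface outside")
    cmds.append("write mem")
    return cmds


ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>\S+) (?P<src>any|host \S+) "
    r"(?P<dst>any|host \S+|interface \S+)(?: eq (?P<port>\S+))?$")
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\S+),(?P<map_ifc>\S+)\) tcp (?P<mapped>\S+) "
    r"(?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+)")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifc>\S+)$")


def check_config(lines):
    """Return a list of findings; an empty list means every inbound permit
    has a translation behind it. Lines no pattern matches are ignored."""
    acls, statics, applied = {}, set(), {}
    for raw in lines:
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m["name"], []).append(m.groupdict())
        elif m := STATIC_RE.match(line):
            # mapped side is either the literal word "interface" or an outside IP
            statics.add((m["mapped"], port_number(m["mport"])))
        elif m := GROUP_RE.match(line):
            applied[m["name"]] = m["ifc"]

    findings = []
    for name, entries in acls.items():
        if name not in applied:
            findings.append(f"access-list {name} is defined but never applied with access-group")
            continue
        if applied[name] != "outside":
            continue                                 # only inbound ACLs are checked
        for e in entries:
            if e["proto"] == "ip" and e["src"] == "any" and e["dst"] == "any":
                findings.append(f"access-list {name}: 'permit ip any any' inbound "
                                "exposes every translated host")
            if e["proto"] != "tcp" or not e["port"]:
                continue
            kind, _, value = e["dst"].partition(" ")
            target = "interface" if kind == "interface" else (value or kind)
            if (target, port_number(e["port"])) not in statics:
                findings.append(f"access-list {name}: permit to {e['dst']} eq {e['port']} "
                                "has no matching static, so nothing is translated")
    return findings


# Constructed sample modelled on the posted config, with a made-up inside IP.
BEFORE = [
    "access-list inside_access_in permit ip any any",
    "access-list 101 permit tcp any host 192.168.1.10 eq https",
    "access-list fromoutside permit tcp any host 192.168.1.10 eq 3389",
    "access-list fromoutside permit tcp any host 192.168.1.10 eq https",
    "global (outside) 1 interface",
    "nat (inside) 1 0 0",
    "access-group inside_access_in in interface inside",
]

# Constructed half-done fix: ACL applied, but one port has no static behind it.
HALF_FIXED = [
    "access-list fromoutside permit tcp any interface outside eq www",
    "access-list fromoutside permit tcp any interface outside eq https",
    "access-list fromoutside permit tcp any interface outside eq 3389",
    "static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255",
    "static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255",
    "access-group fromoutside in interface outside",
]

if __name__ == "__main__":
    for f in check_config(BEFORE) + check_config(HALF_FIXED):
        print("finding:", f)
    print("\n".join(build_port_redirect("fromoutside", INSIDE_SERVER, SERVICES)))
```

Run it and the first two findings are the ones the accepted answer raises about the posted config (access-list 101 and fromoutside both defined but never applied); the half-fixed sample shows the name/number normalisation (https matches 443) and catches the 3389 permit with no static. The generated sequence lints clean, which is the check worth running before typing the commands into the PIX.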

