Solved

how do i open ports on a pix firewall?

Posted on 2007-04-02
354 Views
Last Modified: 2010-04-09
Okay, I have been working on a similar problem for months and the other question is on here and still open. I have a pix firewall and a static ip assigned from my isp and I also have a small business server. I am trying to get the pix firewall to allow me to connect to the small business server via remote web workplace and web outlook access. I have read various articles on EE and I do not seem to understand even the basics. I have internet on all boxes including the server. I have also tested the remote web workplace with a cheap linksys router and everything worked from a remote location. All I need now is to get the pix configured to work with the remote web workplace and WOA. I need someone to be very specific and I need to know NAT, access list, everything in detail. I can do it from the command line, I actually like it better, but I will work from the PDM as well. Thanks for your help.
Question by:dcaggiano
4 Comments
Expert Comment

by:nodisco
ID: 18840697
The basics would be as follows:
Internal ip addresses are in a nat pool which gets translated to an external ip.
The server you are trying to publish externally should have a specific nat translation called a static - it gives the machine in question a 1-1 translation from its specific internal address to a specific outside ip.
You then allow the ports you wish through the PIX to the translated address of the server - by creating an access-list and applying it to the outside interface.
To give an oversimplification:

access-list outside-in permit tcp any host 201.201.201.201 eq www  >> ACL allowing www access only

ip address outside 201.201.201.202 255.255.255.0  >> outside ip of PIX
ip address inside 192.168.1.1 255.255.255.0  >> inside ip of PIX
nat (inside) 1 192.168.1.0 255.255.255.0  >> NATs all internal ips in range 192.168.1.0/24
global (outside) 1 201.201.201.204  >> translates the internal ips in nat pool "1" to 201.201.201.204
route outside 0.0.0.0 0.0.0.0 201.201.201.203  >> route to edge router and to internet
static (inside,outside) 201.201.201.201 192.168.1.10 netmask 255.255.255.255  >> 1-1 static translation for server
access-group outside-in in interface outside  >> applies the access-list "outside-in" to the outside interface

Post your config if you need specific help or if the above does not assist.

hope this helps

Author Comment

by:dcaggiano
ID: 18874035
I do not quite follow the specifics; I will post the configuration as soon as I am back in the office and we can go from there.
Thanks,
Jon

Author Comment

by:dcaggiano
ID: 18882614
Here is my current configuration. If you could give me specific commands it would be appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service RemoteWebWorkPlace tcp
  port-object range https https
  port-object range ftp ftp
  port-object range pptp pptp
  port-object range 4125 4125
  port-object range 444 444
  port-object range 3389 3389
  port-object range smtp smtp
  port-object range www www
access-list inside_access_in permit ip any any
access-list 101 permit tcp any host 172.30.9.195 eq https
access-list fromoutside permit tcp any host 74.94.196.221 eq 3389
access-list fromoutside permit tcp any host 74.94.196.221 eq https
access-list fromoutside permit tcp any host 74.94.196.221 eq 444
access-list fromoutside permit tcp any host 74.94.196.221 eq ftp
access-list fromoutside permit tcp any host 74.94.196.221 eq smtp
access-list fromoutside permit tcp any host 74.94.196.221 eq www
access-list fromoutside permit tcp any host 74.94.196.221 eq pptp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 74.XX.XXX.XXX 255.255.255.252
ip address inside 172.30.9.194 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.30.9.192 255.255.255.192 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 74.XX.XXX.XXX 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.30.9.192 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:
172.30.9.195 is the server with remote web workplace.

Thanks

Accepted Solution

by: nodisco (earned 250 total points)
ID: 18886944
hi there

From the look of it - you have tried a few ways to get this to work!
Firstly - a little cleanup work:
The acl below is doing nothing for you, as inside > outside traffic is already allowed out by default, so remove:

no access-list inside_access_in permit ip any any
no access-group inside_access_in in interface inside

This acl is doing nothing either; it's not applied anywhere and it's to an internal ip, which will not work, so remove:

no access-list 101 permit tcp any host 172.30.9.195 eq https

Now to start!
As your outside ip has a 30-bit mask, there are only 2 ips in the subnet - the pix outside ip and the next-hop router's ip:
ip address outside 74.XX.XXX.XXX 255.255.255.252
These addresses are 221 and 222 respectively. As you only have 1 free ip (the PIX outside) you need to use port-redirection for this. It's not too difficult - here are the steps:

Firstly - remove the old access-list:
no access-list fromoutside

Create the new one:
access-list fromoutside permit tcp any interface outside eq 3389
access-list fromoutside permit tcp any interface outside eq https
access-list fromoutside permit tcp any interface outside eq 444
access-list fromoutside permit tcp any interface outside eq ftp
access-list fromoutside permit tcp any interface outside eq smtp
access-list fromoutside permit tcp any interface outside eq www
access-list fromoutside permit tcp any interface outside eq pptp

Then create the port redirections so traffic to the outside ip of the PIX is redirected to 172.30.9.195 internally:
static (inside,outside) tcp interface 3389 172.30.9.195 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 172.30.9.195 https netmask 255.255.255.255
static (inside,outside) tcp interface 444 172.30.9.195 444 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 172.30.9.195 ftp netmask 255.255.255.255
static (inside,outside) tcp interface smtp 172.30.9.195 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 172.30.9.195 www netmask 255.255.255.255
static (inside,outside) tcp interface pptp 172.30.9.195 pptp netmask 255.255.255.255

Do the following to clear the translation table so these will work:
clear xlate

Then apply the access-list to the outside interface:
access-group fromoutside in interface outside

write mem
This is to save, and voila - you're ready to rock.
FYI - you cannot port-forward a range of addresses with PAT, hence the need for the individual statics. Essentially what they do is intercept www, smtp, ftp traffic destined to the PIX outside interface ip address and forward it to the internal ip in the static command (note I used 172.30.9.195 in the example - replace as required).

hope this helps
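Both answers in this thread rely on the same three statements agreeing with each other: a static (either the 1-1 translation from the first answer or the per-port "interface" redirects from the accepted one), an access-list entry permitting the protocol/port toward that same global address, and an access-group binding the list to the outside interface. The script below is an added example, not code from the thread or from Cisco: it parses PIX 6.3-style statements and reports which of the three parts is missing or dangling, which is exactly what was wrong in the posted config (an access-list toward the internal server ip, a list defined but never applied, permits toward an address no static presents). The BEFORE, AFTER and ONE_TO_ONE samples are constructed from the statements quoted above; the port-name table and the parsing of the address forms (any / host / interface / address mask) cover only the syntax seen on this page.

```python
"""Audit a PIX 6.3-style config: a published server needs a static, a permit entry
toward the same global address/port, and an access-group binding that list to the
outside interface. Reports whichever part is missing or dangling (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Service names PIX accepts in place of numbers (only the subset used in this thread).
NAMED_PORTS = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25, "pptp": 1723}


def to_port(tok: str) -> int:
    """Turn a PIX service name or a numeric token into a port number."""
    return NAMED_PORTS[tok.lower()] if tok.lower() in NAMED_PORTS else int(tok)


@dataclass
class Static:
    low_if: str           # interface the translation is presented on (outside)
    proto: str            # "tcp"/"udp" for a PAT redirect, "ip" for a 1-1 static
    global_addr: str      # "interface" = the PIX's own low_if address, else an IP
    global_port: int | None
    local_addr: str


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    dst: str              # "any", "interface", or a host address
    dst_port: int | None


def _addr(tok: list, i: int) -> tuple:
    """Consume one address spec (any | host A | interface IF | A MASK) at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "interface":
        return "interface", i + 2
    return (tok[i + 1] if tok[i] == "host" else tok[i]), i + 2


def parse_config(text: str):
    """Extract statics, access-list entries and access-group bindings."""
    statics, acls, applied = [], [], {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "no":       # "no ..." removes config; nothing to audit
            continue
        if tok[0] == "static":
            low_if = tok[1].strip("()").split(",")[1]
            if tok[2] in ("tcp", "udp"):    # static (in,out) tcp GLOBAL GPORT LOCAL LPORT ...
                statics.append(Static(low_if, tok[2], tok[3], to_port(tok[4]), tok[5]))
            else:                           # static (in,out) GLOBAL LOCAL netmask ...
                statics.append(Static(low_if, "ip", tok[2], None, tok[3]))
        elif tok[0] == "access-list" and len(tok) > 4 and tok[2] in ("permit", "deny"):
            _, i = _addr(tok, 4)            # source address: not relevant to this audit
            if i < len(tok) and tok[i] == "eq":
                i += 2                      # optional source port
            dst, i = _addr(tok, i)
            port = to_port(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            acls.append(AclEntry(tok[1], tok[2], tok[3], dst, port))
        elif tok[0] == "access-group":      # access-group NAME in interface IF
            applied[tok[1]] = tok[4]
    return statics, acls, applied


def audit(text: str) -> list:
    """Return findings as strings; an empty list means the publish path is consistent."""
    statics, acls, applied = parse_config(text)
    presented = {s.global_addr for s in statics}
    findings = []
    for s in statics:                       # 1. each static needs a bound permit entry
        hit = any(a.action == "permit" and applied.get(a.name) == s.low_if
                  and (s.proto == "ip" or a.proto in (s.proto, "ip"))
                  and a.dst in (s.global_addr, "any")
                  and (s.global_port is None or a.dst_port in (s.global_port, None))
                  for a in acls)
        if not hit:
            what = f"{s.proto}/{s.global_port}" if s.global_port else "ip"
            findings.append(f"static {what} on {s.global_addr} -> {s.local_addr}: "
                            f"no permit entry applied on {s.low_if}")
    for name in sorted({a.name for a in acls} - set(applied)):   # 2. dangling ACLs
        findings.append(f"access-list {name} is defined but never applied")
    for a in acls:                          # 3. permit toward an address nothing presents
        if a.action == "permit" and a.dst not in ("any", *presented):
            findings.append(f"access-list {a.name} permits to {a.dst}, "
                            "which no static on this PIX presents")
    return findings


# Constructed samples, assembled from the statements quoted in this thread.
BEFORE = """\
access-list inside_access_in permit ip any any
access-list 101 permit tcp any host 172.30.9.195 eq https
access-list fromoutside permit tcp any host 74.94.196.221 eq 3389
access-list fromoutside permit tcp any host 74.94.196.221 eq https
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
"""
AFTER = """\
access-list fromoutside permit tcp any interface outside eq 3389
access-list fromoutside permit tcp any interface outside eq https
access-list fromoutside permit tcp any interface outside eq 444
static (inside,outside) tcp interface 3389 172.30.9.195 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 172.30.9.195 https netmask 255.255.255.255
static (inside,outside) tcp interface 444 172.30.9.195 444 netmask 255.255.255.255
access-group fromoutside in interface outside
"""
ONE_TO_ONE = """\
access-list outside-in permit tcp any host 201.201.201.201 eq www
static (inside,outside) 201.201.201.201 192.168.1.10 netmask 255.255.255.255
access-group outside-in in interface outside
"""
```

Running `audit(BEFORE)` lists five findings (the two unapplied lists and the three permits toward addresses no static presents), while `audit(AFTER)` and `audit(ONE_TO_ONE)` return an empty list. Deleting one of the AFTER permit lines produces a single finding naming the orphaned static, which is the check worth keeping around whenever a port is added to the static list but not to the access-list, or vice versa.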