Pix UDP/TCP port problem

rbrindisi
I am trying to open some TCP and UDP ports on my PIX 520 v6.3(4) firewall. Below is a partial config listing.
The public IP 72.XX.XX.2 is the outside interface of my PIX. The local IP 192.168.0.35 can no longer access the internet. Any idea what I did wrong?


access-list 102 permit tcp any host 72.XX.XX.2 eq 10032
access-list 102 permit tcp any host 72.XX.XX.2 eq 10064
access-list 102 permit udp any host 72.XX.XX.2 eq 5060
access-list 102 permit udp any host 72.XX.XX.2 eq 10060

static (inside,outside) 72.XX.XX.2 192.168.0.35 netmask 255.255.255.255 0 0

access-group 102 in interface outside

These commands alone should not cause an Internet access problem for that host.  What do your nat and global commands look like?

Author

Commented:

Here you go...thanks for your help

global (outside) 1 72.xx.xx.4
nat (inside) 0 access-list 103
nat (inside) 2 access-list 101 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Do you have echo replies allowed back into your outside interface so that you can perform ping testing?  The command would look something like this:

access-list 102 permit icmp any any echo-reply

If ICMP echo replies are allowed, try pinging an Internet host by IP address (I typically use 4.2.2.2 as ping test since it's easy to remember).  Does this work?

Author

Commented:
I have this

access-list 102 permit icmp any any
That should do it...although I don't think I would leave it like that for security reasons...this would allow someone to execute a DoS attack against any public IP address that you have a "static" command for.  If you replace:

access-list 102 permit icmp any any

with this:

access-list 102 permit icmp any any echo-reply

this would be a more secure solution.  Anyway, you should be able to try and ping an Internet host as it is right now...have you tried yet?

Author

Commented:
Time out when I ping 4.2.2.2
From the PIX CLI, can you ping 4.2.2.2?

Author

Commented:
From the PIX....Yes

What I did do is remove the static (inside,outside) 72.XX.XX.2 192.168.0.35 netmask 255.255.255.255 0 0 and I can access the Internet from the local IP 192.168.0.35. Could it be that the 72.xx.xx.2 IP is causing the problem?
Can you post your "ip address outside" command?

Author

Commented:
ip address outside 72.xx.xx.2 255.255.255.xxx
Now, I see the problem...(I missed it in the problem statement initially)...you are using the IP address that is assigned to the public interface of the PIX for your translation of your server.  You should either use a different 72.x.x.x IP address for your static translation of the 192.168.0.35 or perform port redirection on your outside interface to allow those specific ports inbound to the 192.168.0.35 server.  For example the following commands will implement port forwarding on those specific ports to inside address 192.168.0.35 when someone from the Internet tries to go to 72.x.x.2:

static (inside,outside) tcp interface 10032 192.168.0.35 10032 netmask 255.255.255.255
static (inside,outside) tcp interface 10064 192.168.0.35 10064 netmask 255.255.255.255
static (inside,outside) udp interface 5060 192.168.0.35 5060 netmask 255.255.255.255
static (inside,outside) udp interface 10060 192.168.0.35 10060 netmask 255.255.255.255
access-list 102 permit tcp any interface outside eq 10032
access-list 102 permit tcp any interface outside eq 10064
access-list 102 permit udp any interface outside eq 5060
access-list 102 permit udp any interface outside eq 10060

Author

Commented:
Just to be clear...

Is the term "interface" in the static lines the word interface or an actual IP address?
It's the actual word "interface"...it's a special keyword in the PIX OS...

Author

Commented:
Sorry for the delay...
It seems I need to open additional port ranges. Does this look right?

access-list 102 permit tcp any interface outside range 49152-49211
access-list 102 permit udp any interface outside range 49152-49211
Yes, but leave out the dash.  It should look like:

access-list 102 permit tcp any interface outside range 49152 49211

However, you will also need to put in the static commands to do the actual port redirection.  The access list commands only allow the traffic inbound to those ports.  The static command implements the port redirection itself.

I don't believe you can specify port ranges with the static command, so if you have a lot of ports you want to redirect, you'll need a single static command for every port you want redirected.  For example,

static (inside,outside) tcp interface 49152 192.168.0.35 49152 netmask 255.255.255.255
static (inside,outside) tcp interface 49153 192.168.0.35 49153 netmask 255.255.255.255
static (inside,outside) tcp interface 49154 192.168.0.35 49154 netmask 255.255.255.255
static (inside,outside) tcp interface 49155 192.168.0.35 49155 netmask 255.255.255.255
...
...
...
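The three pitfalls raised in this thread (a one-to-one static that reuses the PIX's own outside address, a dash in an access-list port range, and access-list entries for ports that no static actually redirects) can be caught by a quick lint over a saved config. The following Python is an added example, not part of the thread or of any Cisco tool; the config it parses is constructed, with 72.0.0.2 standing in for the redacted 72.XX.XX.2, and it only understands the `(inside,outside)` static and `access-list ... permit tcp|udp any` forms shown above.

```python
import re

# Constructed sample config (not from the thread): the poster's original static
# that reuses the outside interface address, plus two port-redirection statics.
SAMPLE_CONFIG = """
ip address outside 72.0.0.2 255.255.255.0
access-list 102 permit tcp any host 72.0.0.2 eq 10032
access-list 102 permit udp any interface outside eq 5060
access-list 102 permit tcp any interface outside range 49152 49154
static (inside,outside) 72.0.0.2 192.168.0.35 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5060 192.168.0.35 5060 netmask 255.255.255.255
static (inside,outside) tcp interface 49152 192.168.0.35 49152 netmask 255.255.255.255
"""

OUTSIDE_RE = re.compile(r"^ip address outside (\S+) \S+")
STATIC_FULL_RE = re.compile(r"^static \(inside,outside\) (\d+(?:\.\d+){3}) \S+")
STATIC_PORT_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\d+) \S+ \d+")
ACL_RE = re.compile(r"^access-list \d+ permit (tcp|udp) any (?:host (\S+)|interface outside)"
                    r" (?:eq (\d+)|range (\d+) (\d+))$")

def lint_pix_config(text):
    """Return a list of findings for the three mistakes discussed in the thread."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    outside_ip, full_static_ips, redirected, findings = None, set(), set(), []
    for line in lines:                       # pass 1: interface address and statics
        if m := OUTSIDE_RE.match(line):
            outside_ip = m.group(1)
        if m := STATIC_FULL_RE.match(line):
            full_static_ips.add(m.group(1))
        if m := STATIC_PORT_RE.match(line):
            redirected.add((m.group(1), int(m.group(2))))
    if outside_ip in full_static_ips:        # one-to-one static on the PIX's own address
        findings.append(f"static reuses outside interface address {outside_ip}")
    for line in lines:                       # pass 2: access-list entries
        if re.search(r"range \d+-\d+", line):
            findings.append(f"range uses a dash; PIX syntax is 'range LOW HIGH': {line}")
            continue
        if not (m := ACL_RE.match(line)):
            continue
        proto, host, eq, lo, hi = m.groups()
        if host and host in full_static_ips and host != outside_ip:
            continue                         # a one-to-one static already covers every port
        ports = [int(eq)] if eq else range(int(lo), int(hi) + 1)
        missing = [p for p in ports if (proto, p) not in redirected]
        if missing:
            findings.append(f"{proto} port(s) {missing} permitted but not redirected: {line}")
    return findings
```

Running `lint_pix_config(SAMPLE_CONFIG)` reports the reused outside address, TCP 10032 with no redirecting static, and the unredirected ports 49153 and 49154 from the range; a per-port static for each is what the expert's "..." stands for.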

Author

Commented:
Again I apologize for my lateness.

It seems that the consultants that are setting up our VoIP system discovered that their system does not play nice with Cisco 6.3(4) firmware, even though all the necessary ports are open on my end. It looks like I will be upgrading to 7.2(1) shortly. You may be getting more questions from me soon.  :-) Thanks for all your help.
If you're going to upgrade, go to 7.2(2) which is the latest.  I've been told by Cisco that there are several problems fixed since 7.2(1).

Author

Commented:
Thanks again

Have you ever upgraded before? Any issues I should be aware of?


Yes, I've upgraded before...went pretty smooth.

However, I have some bad news for you...since you have an older PIX 520 firewall, it looks like you can't upgrade to 7.x.  See the following link on the 6.x to 7.x upgrade procedure:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

Here is the text from that URL about not being able to upgrade a PIX 520 to 7.x:

"Note: Only the PIX Security Appliances in this table are supported in version 7.x. Older PIX Security Appliances, such as the PIX-520, 510, 10000, and Classic have been discontinued and do not run version 7.0 or later. If you have one of these appliances and wish to run 7.x or later, contact your local Cisco Account Team or Reseller in order to purchase a newer Security Appliance. In addition, PIX Firewalls with less than 64 MB of RAM (PIX-501, PIX-506, and PIX-506E) are unable to run the initial 7.0 release."

Author

Commented:
Wow... Thanks again... you saved me a ton of research time.
