Pix UDP/TCP port problem

I am trying to open some TCP and UDP ports on my PIX 520 v6.3(4) firewall. Below is a partial config listing.
The public IP 72.XX.XX.2 is the outside interface of my PIX. The local IP 192.168.0.35 can no longer access the internet. Any idea what I did wrong?


access-list 102 permit tcp any host 72.XX.XX.2 eq 10032
access-list 102 permit tcp any host 72.XX.XX.2 eq 10064
access-list 102 permit udp any host 72.XX.XX.2 eq 5060
access-list 102 permit udp any host 72.XX.XX.2 eq 10060

static (inside,outside) 72.XX.XX.2 192.168.0.35 netmask 255.255.255.255 0 0

access-group 102 in interface outside

batry_boy
These commands alone should not cause an Internet access problem for that host.  What do your nat and global commands look like?
rbrindisi (asker)
Here you go...thanks for your help

global (outside) 1 72.xx.xx.4
nat (inside) 0 access-list 103
nat (inside) 2 access-list 101 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Do you have echo replies allowed back into your outside interface so that you can perform ping testing?  The command would look something like this:

access-list 102 permit icmp any any echo-reply

If ICMP echo replies are allowed, try pinging an Internet host by IP address (I typically use 4.2.2.2 as ping test since it's easy to remember).  Does this work?
I have this

access-list 102 permit icmp any any
That should do it...although I don't think I would leave it like that for security reasons...this would allow someone to execute a DoS attack against any public IP address that you have a "static" command for.  If you replace:

access-list 102 permit icmp any any

with this:

access-list 102 permit icmp any any echo-reply

this would be a more secure solution.  Anyway, you should be able to try and ping an Internet host as it is right now...have you tried yet?
Time out when I ping 4.2.2.2
From the PIX CLI, can you ping 4.2.2.2?
From the PIX....Yes

What I did do is remove the static (inside,outside) 72.XX.XX.2 192.168.0.35 netmask 255.255.255.255 0 0 and I can access the Internet from the local IP 192.168.0.35. Could it be that the 72.xx.xx.2 IP is causing the problem?
Can you post your "ip address outside" command?
ip address outside 72.xx.xx.2 255.255.255.xxx
Now, I see the problem...(I missed it in the problem statement initially)...you are using the IP address that is assigned to the public interface of the PIX for your translation of your server.  You should either use a different 72.x.x.x IP address for your static translation of the 192.168.0.35 or perform port redirection on your outside interface to allow those specific ports inbound to the 192.168.0.35 server.  For example the following commands will implement port forwarding on those specific ports to inside address 192.168.0.35 when someone from the Internet tries to go to 72.x.x.2:

static (inside,outside) tcp interface 10032 192.168.0.35 10032 netmask 255.255.255.255
static (inside,outside) tcp interface 10064 192.168.0.35 10064 netmask 255.255.255.255
static (inside,outside) udp interface 5060 192.168.0.35 5060 netmask 255.255.255.255
static (inside,outside) udp interface 10060 192.168.0.35 10060 netmask 255.255.255.255
access-list 102 permit tcp any interface outside eq 10032
access-list 102 permit tcp any interface outside eq 10064
access-list 102 permit udp any interface outside eq 5060
access-list 102 permit udp any interface outside eq 10060
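An added example (my own Python, not code from this thread or from Cisco) that checks a constructed PIX 6.3-style excerpt for the misconfiguration diagnosed above: a one-to-one static that claims the outside interface's own address, and, as a second case, a port redirect that spells that address out instead of using the `interface` keyword.

```python
import re
from typing import Dict, List

# Constructed PIX 6.3-style excerpt (not the asker's real config). The first
# static repeats the thread's mistake by claiming the outside interface's own
# address; the 'interface' keyword lines follow the accepted answer's form.
SAMPLE_CONFIG = """\
ip address outside 72.0.0.2 255.255.255.0
static (inside,outside) 72.0.0.2 192.168.0.35 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 10032 192.168.0.35 10032 netmask 255.255.255.255
static (inside,outside) udp interface 5060 192.168.0.35 5060 netmask 255.255.255.255
static (inside,outside) tcp 72.0.0.2 10064 192.168.0.35 10064 netmask 255.255.255.255
static (inside,outside) 72.0.0.5 192.168.0.40 netmask 255.255.255.255 0 0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IP_ADDR_RE = re.compile(rf"^ip address (\S+) ({IPV4})\s")
ONE_TO_ONE_RE = re.compile(rf"^static \((\w+),(\w+)\) ({IPV4}) ({IPV4}) netmask")
PORT_REDIRECT_RE = re.compile(
    rf"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) ({IPV4}) (\d+) netmask")


def interface_ips(config: str) -> Dict[str, str]:
    """Map interface name -> address from 'ip address <if> <ip> <mask>' lines."""
    ips = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            ips[m.group(1)] = m.group(2)
    return ips


def check_statics(config: str) -> List[str]:
    """One finding per static whose global side is the bound interface's own IP."""
    ifaces = interface_ips(config)
    findings = []
    for line in config.splitlines():
        m = ONE_TO_ONE_RE.match(line.strip())
        if m and ifaces.get(m.group(2)) == m.group(3):
            findings.append(
                f"{m.group(3)} -> {m.group(4)}: one-to-one static claims the {m.group(2)} "
                "interface address; use a spare public IP or per-port 'interface' redirects")
            continue
        m = PORT_REDIRECT_RE.match(line.strip())
        if m and m.group(4) != "interface" and ifaces.get(m.group(2)) == m.group(4):
            findings.append(
                f"{m.group(3)}/{m.group(5)} -> {m.group(6)}: port redirect names the "
                f"{m.group(2)} interface address literally; use the 'interface' keyword")
    return findings
```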
Just to be clear...

Is the term "interface" in the static lines the word interface or an actual IP address?
It's the actual word "interface"...it's a special keyword in the PIX OS...
Sorry for the delay...
It seems I need to open additional port ranges. Does this look right?

access-list 102 permit tcp any interface outside range 49152-49211
access-list 102 permit udp any interface outside range 49152-49211
Again I apologize for my lateness.

It seems that the consultants that are setting up our VoIP system discovered that their system does not play nice with Cisco 6.3(4) firmware, even though all the necessary ports are open on my end. It looks like I will be upgrading to 7.2(1) shortly. You may be getting more questions from me soon.  :-) Thanks for all your help.
If you're going to upgrade, go to 7.2(2) which is the latest.  I've been told by Cisco that there are several problems fixed since 7.2(1).
Thanks again

Have you ever upgraded before? Any issues I should be aware of?


Yes, I've upgraded before...went pretty smooth.

However, I have some bad news for you...since you have an older PIX 520 firewall, it looks like you can't upgrade to 7.x.  See the following link on the 6.x to 7.x upgrade procedure:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

Here is the text from that URL about not being able to upgrade a PIX 520 to 7.x:

"Note: Only the PIX Security Appliances in this table are supported in version 7.x. Older PIX Security Appliances, such as the PIX-520, 510, 10000, and Classic have been discontinued and do not run version 7.0 or later. If you have one of these appliances and wish to run 7.x or later, contact your local Cisco Account Team or Reseller in order to purchase a newer Security Appliance. In addition, PIX Firewalls with less than 64 MB of RAM (PIX-501, PIX-506, and PIX-506E) are unable to run the initial 7.0 release."

Wow... Thanks again... you saved me a ton of research time.