Opening Multiple Ports to Exchange on a PIX 506

I used the following commands to open port 443 to my Exchange Server. Traffic is flowing correctly for OWA. Is there a preferred way (set of commands) to open multiple ports to this server? I need to open ports 80, 443, 25 and 110 to this same server. I am using a PIX 506 in this case.

access-list acl_inbound permit tcp any interface outside eq 443
access-group acl_inbound in interface outside
static (inside,outside) tcp interface 443 192.168.0.2 443 netmask 255.255.255.255
Asked by: rotoboy
 
Pete Long (Consultant) commented:
Nope, you are already doing it correctly; you just need a static and an ACL for each port.
See my website here: http://www.petenetlive.com/Tech/Firewalls/Cisco/portforward.htm
 
Alan Huseyin Kayahan commented:
Hi rotoboy,
I agree with Pete. And here is another way.

* You do not have to enter ACLs for each port this way. Create an object-group called excsrv, and add the ports you want (you can add ports later also). Then create one ACL for that object group. Here is how to:

    object-group service excsrv tcp-udp
    port-object eq 80
    port-object eq 443
    port-object eq 25
    port-object eq 110

* Remove the current ACL by:

    no access-list acl_inbound permit tcp any interface outside eq 443

* Add this:

    access-list acl_inbound permit tcp any interface outside object-group excsrv

* When you want to add a port in future, simply type:

    object-group service excsrv tcp-udp
    port-object eq xx

Unfortunately, you still have to add PAT entries one by one:

    static (inside,outside) tcp interface 80 192.168.0.2 80 netmask 255.255.255.255
    static (inside,outside) tcp interface 110 192.168.0.2 110 netmask 255.255.255.255
    static (inside,outside) tcp interface 25 192.168.0.2 25 netmask 255.255.255.255

But if you have the opportunity to change the current int address to something else, then you can do a one-to-one static to ex interface IP. And you won't have to type the above PATs. Only adding port-object will be enough.

Regards
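
The thread's rule is that every published port needs both an ACL permit and a static PAT entry. The following check for that pairing is an added example, not part of any post above; the function names and the sample config are constructed, and it assumes the `acl_inbound` and `(inside,outside)` naming used in the thread.

```python
import re

# Constructed sample built from the thread's commands; the static for port 25
# is deliberately left out so the audit has a mismatch to report.
SAMPLE_CONFIG = """\
object-group service excsrv tcp-udp
 port-object eq 80
 port-object eq 443
 port-object eq 25
 port-object eq 110
access-list acl_inbound permit tcp any interface outside object-group excsrv
access-group acl_inbound in interface outside
static (inside,outside) tcp interface 443 192.168.0.2 443 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.0.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 110 192.168.0.2 110 netmask 255.255.255.255
"""

# The saved config may show these ports by keyword instead of number.
NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110}
GROUP = re.compile(r"object-group service (\S+)")
PORT = re.compile(r"port-object eq (\S+)")
ACL = re.compile(r"access-list (\S+) permit tcp any interface outside "
                 r"(?:eq (\S+)|object-group (\S+))")
STATIC = re.compile(r"static \(inside,outside\) tcp interface (\S+) \S+ \S+")

def port(token):
    return NAMES.get(token) or int(token)

def audit(config, acl="acl_inbound"):
    """Return (ACL permits with no static PAT, static PATs with no ACL permit)."""
    groups, refs, permitted, forwarded, current = {}, [], set(), set(), None
    for line in map(str.strip, config.splitlines()):
        if m := GROUP.match(line):
            current = groups.setdefault(m.group(1), set())
        elif (m := PORT.match(line)) and current is not None:
            current.add(port(m.group(1)))
        elif (m := ACL.match(line)) and m.group(1) == acl:
            if m.group(2):
                permitted.add(port(m.group(2)))
            else:
                refs.append(m.group(3))
        elif m := STATIC.match(line):
            forwarded.add(port(m.group(1)))
    for name in refs:  # resolve groups after the pass, so order does not matter
        permitted |= groups.get(name, set())
    return sorted(permitted - forwarded), sorted(forwarded - permitted)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A port in the first list is open in the ACL but forwards nowhere; a port in the second list has a forward that the ACL will not let through.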


Pete Long (Consultant) commented:
Yeah - good point, you can use object groups also. I don't usually use port-objects unless I'm using a LOT of ports, but MrHusy is correct :)
 
Pete Long (Consultant) commented:
ThanQ
