Open Ports 9002, 9003, and 9005 on Pix 515e

Posted on 2007-08-07
Last Modified: 2013-11-05
I need to open 3 ports on my PIX to access a server outside of the network.  I need to open ports 9002, 9003, and 9005.  Please help.
Question by:fd1906
    LVL 32

    Expert Comment

    Not sure what you're asking for? Are you asking to allow incoming connections, or outgoing connections from the PIX?

    If incoming, what is the public IP? Or is it to the assigned IP on the outside interface?

    If outgoing, then to which IP address? Or any?

    LVL 28

    Expert Comment

    by:Jan Springer
    Are you trying to reach those ports on an IP address outside the firewall?

    Are you currently restricting access by port on an incoming private access-list or outgoing public access-list?

    Author Comment

    I'm trying to reach an outside IP address.  We have a program that connects to an IP across the internet.
    LVL 32

    Expert Comment

    Since you already have an access-list applied on the inside interface, add these:

    access-list <Name> permit tcp any host <Outside IP Address> eq 9002

    access-list <Name> permit tcp any host <Outside IP Address> eq 9003

    access-list <Name> permit tcp any host <Outside IP Address> eq 9005

    access-group <Name> in interface inside

    Replace <Name> with whatever is applied there. Also, if it is a UDP port, change 'tcp' to 'udp' in the lines above.


    Author Comment

    I actually don't have anything applied on the inside interface.  Do I need another access-list with this one?
    LVL 32

    Expert Comment

    If you don't have anything applied then by default all traffic from inside to outside is allowed.

    LVL 28

    Expert Comment

    by:Jan Springer
    Do you have an access-list applied to the outbound interface?

    If not, what happens when you attempt to connect?

    Can you reach the remote IP with a traceroute or pathping?

    Author Comment

    no access-list applied outbound.

    Here's a strange occurrence... I can't ping the IP address of the unit I want to connect to (outside the network), let's call it 67.100.x.x, but I can ping from behind the PIX; however, from my other network (not behind the PIX) I CAN ping the IP address that I want to connect to (67.100.x.x).  Any ideas?
    LVL 32

    Expert Comment

    Can you post your configuration here? Sanitized config (remove passwords and remove an octet from the public IPs).


    Author Comment

    : Saved
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    enable password PECp9le8VXXBpsRQ encrypted
    passwd PECp9le8VXXBpsRQ encrypted
    hostname DSLPix
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list icmp permit icmp any any echo-reply
    access-list icmp permit icmp any any unreachable
    access-list icmp permit icmp any any time-exceeded
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 67.100.x.x
    ip address inside
    no ip address intf2
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 67.100.x.x-67.100.x.x netmask
    nat (inside) 1 0 0
    access-group icmp in interface outside
    route outside 67.100.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:0
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet inside
    telnet timeout 60
    ssh timeout 5
    console timeout 0
    dhcpd address inside
    dhcpd dns 64.105.x.x 64.105.x.x
    dhcpd lease 64000
    dhcpd ping_timeout 750
    dhcpd enable inside
    terminal width 80
    : end

    Author Comment

    I figured it out. The outside IP had the default class A mask when it should have had a 29-bit mask.

    Author Comment

    I'm confused because I thought the PIX would block all traffic that is not HTTP, SMTP, etc... ports 9002, 9003, and 9005 should be blocked, no?  But the plain config lets it go through.
    LVL 28

    Accepted Solution

    "The PIX Firewall's fixup commands tell the PIX Firewall to perform additional application inspection on the specified protocols. This additional inspection is needed on some protocols, because some protocols include the source IP address within the data payload of the packet."

    So, no, they should not necessarily be blocked unless you have specified so.
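The two things the thread actually turned on, the classful mask on the outside interface (the author's fix above) and the fact that a PIX with no access-group on the inside interface permits everything from security100 to security0 (the accepted answer), put together in one PIX 6.3 config fragment. This is an added example, not config from the original thread: the /29 mask and the upstream gateway 67.100.x.y are assumed, the remote unit is written as the placeholder <Remote IP Address>, and the ACL name "outbound" is made up here.

```cisco
! --- Added example, not from the original thread. 67.100.x.x is the page's
! --- sanitized outside address; the /29 mask, the gateway 67.100.x.y and the
! --- ACL name "outbound" are assumptions. Replace them with your own values.

! 1. The mask fix. "ip address outside 67.100.x.x" with no mask takes the
!    classful default, 255.0.0.0 for a class A address, so every 67.0.0.0/8
!    destination looks directly connected: the PIX ARPs for it on the DSL
!    segment instead of handing it to the gateway, and the session never leaves
!    the box. Hosts on another network, with a correct mask, reach it fine.
!    Wrong:   ip address outside 67.100.x.x 255.0.0.0
!    Correct, matching the /29 the ISP actually assigned:
ip address outside 67.100.x.x 255.255.255.248
route outside 0.0.0.0 0.0.0.0 67.100.x.y 1

! 2. Least-privilege outbound policy. With no access-group bound to "inside"
!    the PIX allows all traffic from the higher to the lower security level,
!    which is why 9002/9003/9005 already worked. Binding an access-list turns
!    that into "only what is listed", because every PIX ACL ends in an implicit
!    deny, so anything else the LAN needs must be listed as well.
access-list outbound permit tcp any host <Remote IP Address> eq 9002
access-list outbound permit tcp any host <Remote IP Address> eq 9003
access-list outbound permit tcp any host <Remote IP Address> eq 9005
! The usual minimum for a small LAN: DNS to the resolvers the DHCP scope hands
! out, plus web browsing.
access-list outbound permit udp any host 64.105.x.x eq domain
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq https
! Explicit logged deny so you can see what the policy drops during cut-over;
! it does nothing the implicit deny would not, except generate the syslog.
access-list outbound deny ip any any log
access-group outbound in interface inside
```

After the change, `show ip address` should show the outside interface with the /29 mask and `show route` should list the 0.0.0.0 default via the gateway; `show access-list outbound` shows per-line hit counts, so a line that never increments while the application is in use is either the wrong protocol (the page's note about swapping tcp for udp applies) or the wrong port.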
