• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1899

Open Ports 9002, 9003, and 9005 on Pix 515e

I need to open 3 ports on my Pix to access a server outside of the network. I need to open ports 9002, 9003, and 9005. Please help.
Asked by: fd1906
1 Solution
 
rsivanandanCommented:
Not sure what you're asking for? Are you asking to allow incoming connections, or outgoing connections from the PIX?

If incoming, what is the public IP? Or is it to the assigned IP on the outside interface?

If it is outgoing, then to which IP address? Or any?


Cheers,
Rajesh
 
Jan SpringerCommented:
Are you trying to reach those ports on an IP address outside the firewall?

Are you currently restricting access by port on an incoming private access-list or outgoing public access-list?
 
fd1906Author Commented:
I'm trying to reach an outside IP address. We have a program that connects to an IP across the internet.
 
rsivanandanCommented:
So, since you already have an access-list applied on the inside interface, add these:

access-list <Name> permit tcp any host <Outside IP Address> eq 9002
access-list <Name> permit tcp any host <Outside IP Address> eq 9003
access-list <Name> permit tcp any host <Outside IP Address> eq 9005
access-group <Name> in interface inside

Replace <Name> with whatever is applied there. Also, if it is a UDP port then change 'tcp' to 'udp' in the lines above.

Cheers,
Rajesh
 
fd1906Author Commented:
I actually don't have anything applied on the inside interface. Do I need another access-list with this one?
 
rsivanandanCommented:
If you don't have anything applied then by default all traffic from inside to outside is allowed.

Cheers,
Rajesh
 
Jan SpringerCommented:
Do you have an access-list applied to the outbound interface?

If no, what happens when you attempt to connect?

Can you reach the remote IP with a traceroute or pathping?
 
fd1906Author Commented:
No access-list applied outbound.

Here's a strange occurrence: I can't ping the IP address of the unit I want to connect to (outside the network), let's call it 67.100.x.x, but I can ping google.com from behind the pix. However, from my other network (not behind the pix) I CAN ping the IP address that I want to connect to (67.100.x.x). Any ideas?
 
rsivanandanCommented:
Can you post your configuration here? Sanitized config (remove passwords and remove an octet from the public IP).

Cheers,
Rajesh
 
fd1906Author Commented:
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password PECp9le8VXXBpsRQ encrypted
passwd PECp9le8VXXBpsRQ encrypted
hostname DSLPix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list icmp permit icmp any any echo-reply
access-list icmp permit icmp any any unreachable
access-list icmp permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 67.100.x.x 255.0.0.0
ip address inside 172.16.1.1 255.255.0.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 67.100.x.x-67.100.x.x netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group icmp in interface outside
route outside 0.0.0.0 0.0.0.0 67.100.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:0
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.51-172.16.1.75 inside
dhcpd dns 64.105.x.x 64.105.x.x
dhcpd lease 64000
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:c24b6bfec18010c659002050974fd284
: end
 
fd1906Author Commented:
I figured it out: my outside IP had the default class A mask when it should have had a 29-bit mask.
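The symptom described in this thread (google.com reachable, 67.100.x.x not) follows directly from the /8 mask: the PIX treats every 67.x.x.x address as directly connected on the outside segment and ARPs for it instead of sending it to the default gateway, while any other destination is routed normally. The following Python example is added here and is not code from the thread; it parses a constructed excerpt in the same shape as the posted config (addresses are placeholders, since the thread masks them as 67.100.x.x) and shows the forwarding decision under the wrong and the corrected mask, and flags the interface/global-pool mask mismatch visible in the posted config.

```python
import ipaddress

# Constructed excerpt in the shape of the PIX 6.3 config posted in this thread.
# Addresses are placeholders; what matters is the /8 interface mask versus the
# /29 netmask on the global pool and the default route.
WRONG_CONFIG = """\
ip address outside 67.100.0.10 255.0.0.0
global (outside) 1 67.100.0.10-67.100.0.10 netmask 255.255.255.248
route outside 0.0.0.0 0.0.0.0 67.100.0.9 1
"""
FIXED_CONFIG = WRONG_CONFIG.replace("255.0.0.0", "255.255.255.248")


def parse_outside(config):
    """Return (outside interface, global-pool prefix length, default gateway)."""
    iface = pool_prefix = gateway = None
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["ip", "address", "outside"]:
            # ipaddress accepts a dotted netmask after the slash
            iface = ipaddress.ip_interface(f"{parts[3]}/{parts[4]}")
        elif parts[:2] == ["global", "(outside)"] and "netmask" in parts:
            mask = parts[parts.index("netmask") + 1]
            pool_prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
        elif parts[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"]:
            gateway = ipaddress.ip_address(parts[4])
    return iface, pool_prefix, gateway


def next_hop(config, dest):
    """Forwarding decision the PIX makes for dest: a destination inside the
    outside interface's connected subnet is ARPed for directly (on-link);
    anything else is handed to the default gateway."""
    iface, _, gateway = parse_outside(config)
    if ipaddress.ip_address(dest) in iface.network:
        return "on-link"
    return f"via {gateway}"


def mask_mismatch(config):
    """True when the interface mask disagrees with the global pool netmask,
    the inconsistency visible in the posted config."""
    iface, pool_prefix, _ = parse_outside(config)
    return iface.network.prefixlen != pool_prefix


if __name__ == "__main__":
    for label, cfg in (("wrong", WRONG_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "mask mismatch:", mask_mismatch(cfg))
        # a remote host elsewhere in 67.0.0.0/8 versus a host outside that block
        for dest in ("67.100.200.5", "8.8.8.8"):
            print(f"  {dest}: {next_hop(cfg, dest)}")
```

Under the wrong mask the remote 67.100.200.5 is treated as on-link and never reaches the gateway, which is exactly why it was unreachable while google.com worked.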
 
fd1906Author Commented:
I'm confused because I thought the PIX would block all traffic that is not http, smtp, etc. Ports 9002, 9003, and 9005 should be blocked, no? But the plain config lets it go through.
 
Jan SpringerCommented:
"The PIX Firewall's fixup commands tell the PIX Firewall to perform additional application inspection on the specified protocols. This additional inspection is needed on some protocols, because some protocols include the source IP address within the data payload of the packet."

So, no, they should not necessarily be blocked unless you have specified so.