fd1906 (asker) asked:
Open Ports 9002, 9003, and 9005 on Pix 515e

I need to open 3 ports on my Pix to access a server outside of the network.  I need to open ports 9002,9003,9005.  Please help.
rsivanandan:

Not sure what you're asking for? Are you asking to allow incoming connections, or outgoing connections from the PIX?

If incoming, what is the public IP? Or is it to the assigned IP on the outside interface?

If it is outgoing, then to which IP address? Or any?


Cheers,
Rajesh
Jan Bacher:
Are you trying to reach those ports on an IP address outside the firewall?

Are you currently restricting access by port on an incoming private access-list or outgoing public access-list?
fd1906 (asker):
I'm trying to reach an outside IP address. We have a program that connects to an IP across the internet.

So you already have an access-list applied on the inside interface, so add these:

access-list <Name> permit tcp any host <Outside IP Address> eq 9002

access-list <Name> permit tcp any host <Outside IP Address> eq 9003

access-list <Name> permit tcp any host <Outside IP Address> eq 9005

access-group <Name> in interface inside

Replace <Name> with whatever is applied there. Also, if it is a UDP port, then change the 'tcp' in the lines above.

Cheers,
Rajesh
fd1906 (asker):
I actually don't have anything applied on the inside interface.  Do I need another access-list with this one?
If you don't have anything applied, then by default all traffic from inside to outside is allowed.

Cheers,
Rajesh
Do you have an access-list applied to the outbound interface?

If not, what happens when you attempt to connect?

Can you reach the remote IP with a traceroute or pathping?
fd1906 (asker):
No access-list applied outbound.

Here's a strange occurrence: I can't ping the IP address of the unit I want to connect to (outside the network), let's call it 67.100.x.x, but I can ping google.com from behind the PIX. However, from my other network (not behind the PIX) I CAN ping the IP address that I want to connect to (67.100.x.x). Any ideas?
Can you post your configuration here? A sanitized config (remove passwords and remove an octet from the public IP).

Cheers,
Rajesh
fd1906 (asker):
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password PECp9le8VXXBpsRQ encrypted
passwd PECp9le8VXXBpsRQ encrypted
hostname DSLPix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list icmp permit icmp any any echo-reply
access-list icmp permit icmp any any unreachable
access-list icmp permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 67.100.x.x 255.0.0.0
ip address inside 172.16.1.1 255.255.0.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 67.100.x.x-67.100.x.x netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group icmp in interface outside
route outside 0.0.0.0 0.0.0.0 67.100.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:0
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.51-172.16.1.75 inside
dhcpd dns 64.105.x.x 64.105.x.x
dhcpd lease 64000
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:c24b6bfec18010c659002050974fd284
: end
fd1906 (asker):
I figured it out: my outside IP had the default class A mask when it should have had a 29-bit mask.
fd1906 (asker):
I'm confused because I thought the PIX would block all traffic that is not HTTP, SMTP, etc. Ports 9002, 9003, and 9005 should be blocked, no? But the plain config lets it go through.
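The two findings in this thread (all outbound traffic permitted because no access-group is applied to the inside interface, and the /8 mask on the outside interface where the NAT global pool expects a /29) are both visible in the posted config. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses the sanitized PIX 6.3 config posted above (embedded here as a constructed, trimmed sample) and reports those two conditions, plus the default SNMP community and the any-host telnet statement that are also in the config. The finding codes, the parsing functions and the assumption that PIX 6.x default policy permits higher-to-lower security traffic when no ACL is applied are this example's own.

```python
import re
from ipaddress import IPv4Network

# Constructed sample: the sanitized PIX 6.3(4) config posted in the thread, trimmed
# to the statements these checks read. The "x.x" octets are the poster's redaction.
PIX_CONFIG = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
access-list icmp permit icmp any any echo-reply
ip address outside 67.100.x.x 255.0.0.0
ip address inside 172.16.1.1 255.255.0.0
no ip address intf2
global (outside) 1 67.100.x.x-67.100.x.x netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group icmp in interface outside
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
"""


def prefix_len(mask):
    """Dotted-decimal mask -> prefix length, e.g. 255.255.255.248 -> 29."""
    return IPv4Network("0.0.0.0/" + mask).prefixlen


def parse_config(text):
    """Extract only the PIX 6.x statements the audit needs (hypothetical parser)."""
    cfg = {"security": {}, "masks": {}, "globals": [],
           "access_groups": {}, "snmp": [], "telnet": []}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"nameif \S+ (\S+) security(\d+)$", line):
            cfg["security"][m[1]] = int(m[2])         # interface -> security level
        elif m := re.match(r"ip address (\S+) \S+ (\S+)$", line):
            cfg["masks"][m[1]] = m[2]                 # interface -> configured mask
        elif m := re.match(r"global \((\S+)\) \d+ \S+ netmask (\S+)$", line):
            cfg["globals"].append((m[1], m[2]))       # (interface, NAT pool mask)
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            cfg["access_groups"][m[2]] = m[1]         # interface -> applied ACL
        elif m := re.match(r"snmp-server community (\S+)$", line):
            cfg["snmp"].append(m[1])
        elif m := re.match(r"telnet (\d+\.\d+\.\d+\.\d+) (\S+) (\S+)$", line):
            cfg["telnet"].append((m[1], m[2], m[3]))  # (address, mask, interface)
    return cfg


def audit(cfg):
    """Return (code, detail) findings; codes are this example's own labels."""
    findings = []
    # 1. The thread's root cause: the interface mask and the NAT pool mask disagree
    #    (/8 on the interface, /29 on the global pool).
    for ifname, pool_mask in cfg["globals"]:
        if_mask = cfg["masks"].get(ifname)
        if if_mask and prefix_len(if_mask) != prefix_len(pool_mask):
            findings.append(("MASK_MISMATCH",
                             f"{ifname}: interface mask /{prefix_len(if_mask)} "
                             f"but global pool netmask /{prefix_len(pool_mask)}"))
    # 2. Higher-security interface with no ACL applied: by default the PIX permits
    #    all traffic from it toward lower-security interfaces (assumption stated in
    #    the lead-in), so ports 9002/9003/9005 outbound are not blocked at all.
    for ifname, level in cfg["security"].items():
        if level > 0 and ifname in cfg["masks"] and ifname not in cfg["access_groups"]:
            findings.append(("NO_INBOUND_ACL",
                             f"{ifname} (security{level}): no access-group applied, "
                             f"all outbound traffic permitted by default"))
    # 3. Well-known default SNMP community string.
    for community in cfg["snmp"]:
        if community.lower() == "public":
            findings.append(("DEFAULT_SNMP_COMMUNITY",
                             f"snmp-server community '{community}' is the default value"))
    # 4. Telnet management permitted from any address on an interface.
    for addr, mask, ifname in cfg["telnet"]:
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(("TELNET_ANY",
                             f"telnet management allowed from any host on {ifname}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_config(PIX_CONFIG)):
        print(f"{code}: {detail}")
```

Run against the sample, the audit reports one finding of each kind. The NO_INBOUND_ACL result is the answer to the question above: nothing in the posted config restricts outbound traffic, so the three ports pass without any access-list entry. If an ACL is later applied to the inside interface to permit only those ports, everything else from inside is then dropped by the implicit deny at the end of the list, so a practitioner would re-run a check like this after the change rather than assume the rest of the outbound policy is unchanged.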
ASKER CERTIFIED SOLUTION
Jan Bacher: