
I need to open TCP/UDP ports on PIX 515

Hello, I have a PIX 515 running version 6.3(3). We have a new VTC system that requires TCP and UDP traffic to specific port ranges (listed below). What is the easiest way for me to open up these ports and keep my network secure? Conduits or access lists?

The required open ports are:
TCP  1720 & 5555 - 5595
UDP  2326 - 2373

Thanks for your assistance!
Asked: bandoafernandez
1 Solution
 
rsivanandan commented:
Access-lists would be the best way to go since Conduits are deprecated now.

object-group service VTC_TCP tcp
port-object range 5555 5595
port-object 1720

object-group service VTC_UDP udp
port-object range 2326 2373

static (inside,outside) <PublicIP_for_VTC> <PrivateIP_for_VTC> netmask 255.255.255.255

access-list <Name> permit tcp <Internet_IP> host <PublicIP_for_VTC> object-group VTC_TCP
access-list <Name> permit udp <Internet_IP> host <PublicIP_for_VTC> object-group VTC_UDP

access-list <Name> in interface outside

Cheers,
Rajesh
 
bandoafernandez (Author) commented:
Thank you!
 
bandoafernandez (Author) commented:
Hello, all of the changes have taken except for this command.  I tried it with the new access list name(s), but it does not like it:

access-list <name> in interface outside

Is there something I am doing wrong? I have tried it in both configuration mode and interface configuration mode.

Thanks
 
bandoafernandez (Author) commented:
Ah, it says this:
<in> not a valid permission
 
bandoafernandez (Author) commented:
Ok, the command looks like it should be:
access-group <name> in interface outside

Thanks

 
rsivanandan commented:
Have you got it sorted? If not, post your config part and I'll show you the correct syntax. The reason I or everybody else here keeps the ACL name as something like <name> is that you would already have this ACL, and just the entries need to be appended.


Cheers,
Rajesh
 
bandoafernandez (Author) commented:
Thanks, I think I have sorted it out, but I am confused about one last thing. I can only assign one access group, even though I have two access lists. Shouldn't I have two access-groups, one per list? The PIX only seems to take one access group at a time. Here is what I have:

access-list VTC_1 permit tcp any host aus-vtc-ext object-group VTC_TCP
access-list VTC_2 permit udp any host aus-vtc-ext object-group VTC_UDP

access-group VTC_1 in interface outside

 
rsivanandan commented:
No no, why 2 access-lists? Just have it in one ACL itself:

access-list VTC_1 permit tcp any host aus-vtc-ext object-group VTC_TCP
access-list VTC_1 permit udp any host aus-vtc-ext object-group VTC_UDP

access-group VTC_1 in interface outside

Cheers,
Rajesh
 
bandoafernandez (Author) commented:
Ahhh, ok. Will do. Thanks!
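As an added example (not from this thread or from Cisco), a small Python checker for the three slips the thread walks through: a tcp entry that references the udp object-group, "access-list ... in interface" typed instead of "access-group", and two separate ACLs applied inbound on one interface where PIX 6.3 accepts only one. The sample config, the regular expressions and the helper name check_pix_acls are all constructed here for illustration.

```python
import re

# Constructed sample (not a real device config) that reproduces the three slips
# in the thread: a tcp entry pointing at the udp object-group, "access-list ...
# in interface" instead of "access-group", and two ACLs applied to one interface.
SAMPLE_CONFIG = """
object-group service VTC_TCP tcp
port-object range 5555 5595
port-object 1720
object-group service VTC_UDP udp
port-object range 2326 2373
access-list VTC_1 permit tcp any host aus-vtc-ext object-group VTC_TCP
access-list VTC_1 permit tcp any host aus-vtc-ext object-group VTC_UDP
access-list VTC_2 permit udp any host aus-vtc-ext object-group VTC_UDP
access-list VTC_1 in interface outside
access-group VTC_1 in interface outside
access-group VTC_2 in interface outside
"""

OG_RE = re.compile(r"^object-group service (\S+) (tcp|udp)$")
ACE_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) .+ object-group (\S+)$")
BAD_BIND_RE = re.compile(r"^access-list (\S+) in interface (\S+)$")
BIND_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def check_pix_acls(config):
    """Return human-readable findings for the PIX 6.x ACL pitfalls listed above."""
    findings = []
    groups = {}  # service object-group name -> protocol it was declared with
    bound = {}   # interface -> ACL already applied inbound on it
    for line in (raw.strip() for raw in config.splitlines()):
        if m := OG_RE.match(line):
            groups[m.group(1)] = m.group(2)
        elif m := ACE_RE.match(line):
            acl, proto, og = m.groups()
            og_proto = groups.get(og)
            if og_proto is not None and og_proto != proto:
                findings.append(f"{acl}: {proto} entry references {og_proto} object-group {og}")
        elif m := BAD_BIND_RE.match(line):
            findings.append(f"{m.group(1)}: 'access-list ... in interface' is not valid; "
                            f"apply the ACL with 'access-group {m.group(1)} in interface {m.group(2)}'")
        elif m := BIND_RE.match(line):
            acl, iface = m.groups()
            if iface in bound and bound[iface] != acl:
                findings.append(f"{iface}: {acl} would replace {bound[iface]}; only one access-group "
                                f"per interface, merge both sets of entries into one ACL")
            bound[iface] = acl
    return findings
```

Running check_pix_acls(SAMPLE_CONFIG) reports all three problems; feeding it the merged single-ACL version from the accepted answer reports none.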