bandoafernandez
asked on
I need to open TCP/UDP ports on PIX 515
Hello, I have a PIX 515 running version 6.3(3). We have a new VTC system that requires TCP and UDP traffic to specific port ranges (listed below). What is the easiest way for me to open up these ports and keep my network secure? Conduits or access lists?
The required open ports are:
TCP 1720 & 5555 - 5595
UDP 2326 - 2373
Thanks for your assistance!
ASKER CERTIFIED SOLUTION
ASKER
Hello, all of the changes have taken except for this command. I tried it with the new access list name(s), but it does not like it:
access-list <name> in interface outside
Is there something I am doing wrong? I have tried it in both configuration mode, and interface configuration mode.
Thanks
ASKER
Ah, it says this:
<in> not a valid permission
ASKER
Ok, the command looks like it should be:
access-group <name> in interface outside
Thanks
Have you got it sorted? If not, post your config part and I'll show you the correct syntax. The reason I or everybody else here keeps the acl name as something like <name> is the point that you already would be having this acl, and just the entries need to be appended.
Cheers,
Rajesh
ASKER
Thanks, I think I have sorted it out, but am confused about one last thing. I can only assign one access group, even though I have two access lists. Shouldn't I have two access-groups, one per list? The PIX only seems to take one access group at a time. Here is what I have:
access-list VTC_1 permit tcp any host aus-vtc-ext object-group VTC_TCP
access-list VTC_2 permit udp any host aus-vtc-ext object-group VTC_UDP
access-group VTC_1 in interface outside
No no, why 2 access-lists? Just have it in one acl itself:
access-list VTC_1 permit tcp any host aus-vtc-ext object-group VTC_TCP
access-list VTC_1 permit udp any host aus-vtc-ext object-group VTC_UDP
access-group VTC_1 in interface outside
Cheers,
Rajesh
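For readers following the thread, here is the whole picture assembled as one PIX 6.3 configuration fragment. This is an added example, not the asker's or Rajesh's config: the object-group names and the three access-list/access-group lines are the ones from the thread, and the port ranges are the ones from the question, but the `names`/`name` line, the inside address 10.1.1.10, the outside address 203.0.113.10 and the `static` mapping are constructed assumptions about how the host `aus-vtc-ext` is reached.

```text
! Added example, not the thread's own config. 203.0.113.10 and 10.1.1.10 are
! constructed placeholder addresses; the name and static lines are assumptions.
names
name 203.0.113.10 aus-vtc-ext

! Service object-groups hold the port ranges from the question, so each ACL
! line stays short and the ranges can be edited in one place later.
object-group service VTC_TCP tcp
  port-object eq 1720
  port-object range 5555 5595
object-group service VTC_UDP udp
  port-object range 2326 2373

! One-to-one static so the outside address maps to the inside VTC unit
! (assumed inside IP). Without a static, inbound permits have nothing to hit.
static (inside,outside) aus-vtc-ext 10.1.1.10 netmask 255.255.255.255 0 0

! Both protocols go in the SAME ACL. The destination is the single host, not
! "any", so only the VTC unit is exposed on these ports.
access-list VTC_1 permit tcp any host aus-vtc-ext object-group VTC_TCP
access-list VTC_1 permit udp any host aus-vtc-ext object-group VTC_UDP

! PIX 6.3 binds one ACL per interface per direction, which is why the second
! access-group in the thread was rejected. Everything not permitted in VTC_1
! is dropped by the implicit deny at the end of the list.
access-group VTC_1 in interface outside
```

After applying it, `show access-list VTC_1` lists each entry with a hit count; the counts should increase once the VTC unit takes a call, and any other inbound traffic to the outside interface now falls to the implicit deny, which is the reason a single interface ACL (rather than a conduit) is the safer way to answer the original question.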
ASKER
Ahhh, ok. Will do. Thanks!