Solved

Cisco Pix 501 port opening

Posted on 2007-09-27
Last Modified: 2010-04-09
Needing instructions: I have a Cisco Pix 501 with latest firmware and PDM 3. I need to open the pptp port from any outside connection to an internal ip. I can't seem to do this as the PIX wants to know what ip I'm connecting from. I'm sure if I read documentation long enough I will find the answer but kind of need a fast solution here. Thanks in advance. (I am planning to study Cisco firewalls in depth so hope I don't seem lazy :)
Question by:Powerhousecomputing
8 Comments
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 19975320
Provided you are directing the external request to a specific internal IP address then you do not need to define the external IP address/host.

In the pop-up to enter the rule through PDM 3, enter "Any" at the source IP and then for the destination enter the internal IP address with a subnet mask of 255.255.255.255.

By setting the source to "Any" it allows anyone from the Internet to connect using the defined service, and when that connection hits the 501 it will be redirected to the defined internal IP address.

 
LVL 6

Expert Comment

by:Galtar99
ID: 19975339
Create an access list allowing any to your host that is your VPN server. Make sure to use the keyword host to define your VPN server. Ports you need to allow for PPTP are 1723 and GRE, and sometimes 500, 50 and 51. You'll also need static mappings allowing these ports in as well.
 

Author Comment

by:Powerhousecomputing
ID: 19975436
This time the settings took and I was able to flash; however, VPN is still not working. I couldn't find GRE anywhere in the list of services. Also, could the Cisco have port 1723 reserved for its own use? How do I switch it off if that is the case? Many thanks.
 
LVL 6

Expert Comment

by:Galtar99
ID: 19975465
Unless you have your PIX set up to perform VPN encryption/authentication as well. I don't think you can do both, or at least you'd have to specify from which hosts to expect what.

GRE is an entire protocol, not just a port. So you must specify it as such. Do you need the syntax?
 

Author Comment

by:Powerhousecomputing
ID: 19975496
I have an SBS server behind the firewall. I would like Windows to do the authentication and turn off the PIX's. Is that doable? And yes, I am a dummy when it comes to Cisco, so please give details. Thanks.
 
LVL 6

Accepted Solution

by:
Galtar99 earned 1500 total points
ID: 19975521
The PIX won't perform any VPN functions if you have not enabled that feature (defined a crypto map, ACL for interesting traffic, IPSec rules, etc.). Just make sure you perform static mappings in for the ports I indicated and have an ACL applied that allows that traffic in too. I don't use the PDM much except to look at the graphs, so I'm not sure where you have to go to set that all up within the PDM.
 

Author Comment

by:Powerhousecomputing
ID: 19975618
1. What do you mean by ACL?
2. If the name of the internal host is wrong, i.e. it is set to 'smtp_internal', should I change this to 'host' as you suggested earlier? I tried to set a second host using the same internal IP and wasn't allowed.
 
LVL 6

Expert Comment

by:Galtar99
ID: 19981383
1. Access Control List. It is how traffic is defined by IP address range, protocol, port and whether you want to allow or deny it.

2. Use the keyword host when defining the host, but use its IP address as this should not change (i.e. access list 101 permit gre any host 192.168.0.1).
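The advice in this thread (a static mapping for the VPN server plus an ACL that permits TCP/1723 and the GRE protocol from any source) as a PIX 6.x CLI configuration. This is an added example, not configuration posted by anyone in the thread or by Cisco. It assumes the inside VPN server is 192.168.0.1 (the address used in the comment above), that a spare public address is available for a one-to-one static (203.0.113.10 is a documentation-range placeholder), and that the outside interface is named `outside`. Because GRE is an IP protocol rather than a TCP/UDP port, it cannot be forwarded with a per-port static, which is why the whole outside address is mapped to the server; on PIX 6.x the inbound ACL matches the translated (outside) address, not the inside one.

```cisco
! Added example, not from the thread. PIX 6.x syntax.
! 192.168.0.1  = inside PPTP/VPN server (from the thread)
! 203.0.113.10 = placeholder public address dedicated to the server
!
! One-to-one static: GRE has no port, so a tcp/udp port static cannot carry it.
static (inside,outside) 203.0.113.10 192.168.0.1 netmask 255.255.255.255

! Permit only the PPTP control channel (TCP/1723) and GRE to that host.
! 'host' (as advised above) keeps the destination to a single address.
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_in permit gre any host 203.0.113.10

! Apply the list inbound on the outside interface; everything else stays denied.
access-group outside_in in interface outside
```

Two practical notes: UDP/500, ESP (50) and AH (51) mentioned earlier are IPsec ports and protocols and are not required for a PPTP-only server, so leaving them out narrows the exposure; and if the set of remote users is known, replacing `any` with their address ranges further limits who can reach the PPTP service at all.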