
PIX 501 in-out problem connecting to media server

trey89501 asked
Last Modified: 2012-05-05
Problem: Ports 1935, 1936, 5080

FedoraCore 7
Linux 2.6.22.9-91.fc7_HPTRAID
pixfirewall Device PIX 501
PDM Version 3.0(4)  PIX Version 6.3(5)

I have a media server as part of an application that requires ports 1935, 1936 and 5080 to be open. I opened the three ports in the PIX and it worked for a couple of weeks, but then I installed ImageMagick. I'm not sure if that caused a conflict; I couldn't see anything in the code with ImageMagick that affects the three ports, and I'm not sure the problem didn't exist before the install.

Bottom line: the media server doesn't connect. Someone told me they thought the issue was that the ports were open for outside_in but not for inside_out. So I did that... I think.

I'm stumped...

Here is the current conf on the Pix:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ssh
access-list outside_access_in permit tcp any any eq 42
access-list outside_access_in permit udp any any eq nameserver
access-list outside_access_in permit tcp any any eq domain
access-list outside_access_in permit udp any any eq domain
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq 465
access-list outside_access_in permit tcp any any eq 587
access-list outside_access_in permit tcp any any eq 995
access-list outside_access_in permit tcp any any eq 993
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 8443
access-list outside_access_in permit tcp any any eq 9999
access-list outside_access_in permit tcp any any eq 2086
access-list outside_access_in permit tcp any any eq 2087
access-list outside_access_in permit tcp any any eq 2082
access-list outside_access_in permit tcp any any eq 2083
access-list outside_access_in permit tcp any any eq 2096
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 2095
access-list outside_access_in permit tcp any any eq 1935
access-list outside_access_in permit tcp any any eq 1936
access-list outside_access_in permit tcp any any eq 5080
access-list outside_access_in deny tcp any any eq telnet
access-list outside_access_in deny tcp any any eq smtp
access-list outside_access_in deny tcp any any eq imap4
access-list outside_access_in deny tcp any any eq 1433
access-list outside_access_in deny tcp any any eq 3306
access-list outside_access_in deny tcp any any eq 9080
access-list outside_access_in deny tcp any any eq 9090
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in remark Backups
access-list outside_access_in permit ip host  >>>>>>>>>>  any
access-list outside_access_in remark Backups
access-list outside_access_in permit ip host  >>>>>>>>>> any
access-list outside_access_in remark Backups
access-list outside_access_in permit ip host  >>>>>>>>>> any
access-list outside_access_in remark Backups
access-list outside_access_in permit icmp host  >>>>>>>>>>  any echo
access-list outside_access_in remark Backups
access-list outside_access_in permit icmp host  >>>>>>>>>>  any echo
access-list outside_access_in remark Backups
access-list outside_access_in permit icmp host  >>>>>>>>>>  any echo
access-list outside_access_in permit tcp any any eq smtp
access-list inside_access_in permit tcp any any eq 1935
access-list inside_access_in permit tcp any any eq 1936
access-list inside_access_in permit tcp any any eq 5080
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside >>>>>>>>>>>>>>>255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.1 255.255.255.255 inside
pdm location >>>>>>>>>> 255.255.255.255 outside
pdm location >>>>>>>>>> 255.255.255.255 outside
pdm location >>>>>>>>>>255.255.255.255 outside
pdm location  >>>>>>>>>> 255.255.255.255 outside
pdm location  >>>>>>>>>> 255.255.255.255 outside
pdm location  >>>>>>>>>>  255.255.255.255 outside
pdm location  >>>>>>>>>> 255.255.255.255 outside
pdm location  >>>>>>>>>> 255.255.255.255 outside
pdm history enable
arp timeout 14400
static (outside,inside) 10.0.0.1  >>>>>>>>>>  netmask 255.255.255.255 0 0
static (inside,outside)  >>>>>>>>>>  10.0.0.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0  >>>>>>>>>>  1
route outside  >>>>>>>>>>  255.255.255.255  >>>>>>>>>> 1
route outside  >>>>>>>>>> 255.255.255.255  >>>>>>>>>> 1
route outside  >>>>>>>>>>  255.255.255.255  >>>>>>>>>> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
<<<<<<<<<  end conf >>>>>>>>>
So...
1. Is the conf for the PIX right?
2. Is there a conflict with ImageMagick I missed?
3. Any ideas, or do I scrap it all and start over?

Author

Commented:
I searched, then looked at the first 300 questions here about the PIX and didn't see a similar problem, so I posted the question. 24 hours, no response... have I offended some unwritten rule?

The questions didn't seem too complex:
1. Is the conf for the PIX right?
2. Is there a conflict with ImageMagick I missed?
3. Any ideas, or do I scrap it all and start over?

EE has sent me 3 emails because of no responses... will that continue since I made this comment?

Another 24 hours and I start all over, as well as evaluate the decision to participate in this service.
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008
Commented:

Author

Commented:
Well, I think you mean delete the three lines of the conf that are:

access-list inside_access_in permit tcp any any eq 1935
access-list inside_access_in permit tcp any any eq 1936
access-list inside_access_in permit tcp any any eq 5080

Those are the lines I mentioned I added because of "not inside out", so I will remove them. However, it wasn't connecting before I put those in the conf.

When I look at those, would they be:
access-list inside_access_outside permit tcp any any eq 1935
access-list inside_access_outside permit tcp any any eq 1936
access-list inside_access_outside permit tcp any any eq 5080

Thanks for the response. I will remove them and try, then try the three lines just above.
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
No. Remove the access-group completely from the interface. This will allow all traffic out. Then the 3 lines of acl are irrelevant.
If it works without any acl applied to the interface, then we can work on a restrictive acl that will allow only that traffic and nothing else if that is what you desire.

Author

Commented:
I am sorry, I do not understand which access-group you mean ("Remove the access-group completely from the interface").
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Just as I demonstrated above:
 
    no access-group inside_access_in in interface inside

Author

Commented:
I am sorry, we are not communicating. As I said in my first comment:

Well, I think you mean delete the three lines of the conf that are:

access-list inside_access_in permit tcp any any eq 1935
access-list inside_access_in permit tcp any any eq 1936
access-list inside_access_in permit tcp any any eq 5080

Please, just a "yes" or "no".

Then we can go further.
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:

As I already said - "no"
I said exactly what I mean. Don't worry about the content of the 3 lines of the access-list, just remove the group from the interface.
Deleting the 3 lines of acl will not make any difference if you don't remove the acl group from the interface first.
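An added example, not from the thread, modelling how the PIX decides a flow with and without an access-group bound to the inside interface, run over a constructed subset of the ACLs posted above. It models only ACL matching and security levels (not NAT/xlate), and assumes the PIX 6.3 behaviour: first matching entry wins, implicit deny at the end of a bound ACL, and higher-to-lower security permitted when no ACL is bound.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of the posted PIX config: the three inside_access_in
# lines the asker added, plus a few outside_access_in lines for contrast.
CONFIG = """
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq 1935
access-list outside_access_in permit tcp any any eq 5080
access-list outside_access_in deny tcp any any eq telnet
access-list inside_access_in permit tcp any any eq 1935
access-list inside_access_in permit tcp any any eq 1936
access-list inside_access_in permit tcp any any eq 5080
"""
# PIX accepts service names in place of port numbers; the ones used above.
PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53, "smtp": 25}
ACE_RE = re.compile(
    r"access-list (\S+) (permit|deny) (tcp|udp|ip) (\S+) (\S+)(?: eq (\S+))?$")

@dataclass
class Ace:
    action: str
    proto: str
    dport: Optional[int]  # None = any destination port

def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Group access-list lines into named ACLs, preserving order."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # blank lines, remarks and icmp entries are not modelled
        name, action, proto, _src, _dst, port = m.groups()
        dport = None if port is None else (
            int(port) if port.isdigit() else PORT_NAMES[port])
        acls.setdefault(name, []).append(Ace(action, proto, dport))
    return acls

def evaluate(acl: Optional[List[Ace]], proto: str, dport: int,
             from_level: int, to_level: int) -> str:
    """Verdict for one flow entering an interface.  acl is None when no
    access-group is bound there: the PIX then falls back to security
    levels (higher -> lower permitted).  With an ACL bound, the first
    matching entry wins and anything unmatched hits the implicit deny."""
    if acl is None:
        return "permit" if from_level > to_level else "deny"
    for ace in acl:
        if ace.proto in (proto, "ip") and ace.dport in (None, dport):
            return ace.action
    return "deny"

def outbound_verdicts(acls: Dict[str, List[Ace]], bound: bool) -> Dict[str, str]:
    """Media server on the inside (security100) connecting out (security0)."""
    acl = acls["inside_access_in"] if bound else None
    flows = {"dns": ("udp", 53), "http": ("tcp", 80), "rtmp": ("tcp", 1935)}
    return {n: evaluate(acl, p, d, 100, 0) for n, (p, d) in flows.items()}

def inbound_verdicts(acls: Dict[str, List[Ace]]) -> Dict[str, str]:
    """Internet clients (security0) reaching the server via outside_access_in."""
    acl = acls["outside_access_in"]
    flows = {"rtmp": ("tcp", 1935), "red5-http": ("tcp", 5080),
             "telnet": ("tcp", 23), "mysql": ("tcp", 3306)}
    return {n: evaluate(acl, p, d, 0, 100) for n, (p, d) in flows.items()}
```

With the three-line ACL bound to the inside interface, the server's own outbound DNS and HTTP hit the implicit deny and only connections to remote port 1935/1936/5080 pass, which is why unbinding the access-group is the first test.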

Author

Commented:
Ok, I finally found the line of code.

I have now learned that whenever I put in a file or code snippet I need to include line numbers. I was looking around the three lines I put in, not realizing the PIX software created something which was nowhere next to or "grouped" with the acl lines. I made the assumption that headers like "names, name server, unreachable, source-quench, et al" were names of groups and there was no group that matched up. Multiple "echo any" was also confusing.....

Sorry for the confusion and my ignorance. I may yet be teachable. I will remove "access-group inside_access_in in interface inside".
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
LOL!!!
Cisco is a language all by itself...

Author

Commented:
I took out the "inside" access-group and the three acl lines for the ports.
I went and checked... still no connection to the media server.

Here is the current Pix conf:

1      PIX Version 6.3(5)
2      interface ethernet0 100full
3      interface ethernet1 100full
4      nameif ethernet0 outside security0
5      nameif ethernet1 inside security100
6      
7      
8      
9      fixup protocol dns maximum-length 512
10      fixup protocol ftp 21
11      fixup protocol h323 h225 1720
12      fixup protocol h323 ras 1718-1719
13      fixup protocol http 80
14      fixup protocol rsh 514
15      fixup protocol rtsp 554
16      fixup protocol sip 5060
17      fixup protocol sip udp 5060
18      fixup protocol skinny 2000
19      fixup protocol smtp 25
20      fixup protocol sqlnet 1521
21      fixup protocol tftp 69
22      names
23      access-list outside_access_in permit tcp any any eq ftp-data
24      access-list outside_access_in permit tcp any any eq ftp
25      access-list outside_access_in permit tcp any any eq ssh
26      access-list outside_access_in permit tcp any any eq 42
27      access-list outside_access_in permit udp any any eq nameserver
28      access-list outside_access_in permit tcp any any eq domain
29      access-list outside_access_in permit udp any any eq domain
30      access-list outside_access_in permit tcp any any eq www
31      access-list outside_access_in permit tcp any any eq pop3
32      access-list outside_access_in permit tcp any any eq https
33      access-list outside_access_in permit tcp any any eq 465
34      access-list outside_access_in permit tcp any any eq 587
35      access-list outside_access_in permit tcp any any eq 995
36      access-list outside_access_in permit tcp any any eq 993
37      access-list outside_access_in permit tcp any any eq 3389
38      access-list outside_access_in permit tcp any any eq 8443
39      access-list outside_access_in permit tcp any any eq 9999
40      access-list outside_access_in permit tcp any any eq 2086
41      access-list outside_access_in permit tcp any any eq 2087
42      access-list outside_access_in permit tcp any any eq 2082
43      access-list outside_access_in permit tcp any any eq 2083
44      access-list outside_access_in permit tcp any any eq 2096
45      access-list outside_access_in permit icmp any any
46      access-list outside_access_in permit tcp any any eq 2095
47      access-list outside_access_in permit tcp any any eq 1935
48      access-list outside_access_in permit tcp any any eq 1936
49      access-list outside_access_in permit tcp any any eq 5080
50      access-list outside_access_in deny tcp any any eq telnet
51      access-list outside_access_in deny tcp any any eq smtp
52      access-list outside_access_in deny tcp any any eq imap4
53      access-list outside_access_in deny tcp any any eq 1433
54      access-list outside_access_in deny tcp any any eq 3306
55      access-list outside_access_in deny tcp any any eq 9080
56      access-list outside_access_in deny tcp any any eq 9090
57      access-list outside_access_in permit icmp any any echo-reply
58      access-list outside_access_in permit icmp any any source-quench
59      access-list outside_access_in permit icmp any any unreachable
60      access-list outside_access_in permit icmp any any time-exceeded
61      access-list outside_access_in remark Backups
62      access-list outside_access_in permit ip host >>>>>>>>>> any
63      access-list outside_access_in remark Backups
64      access-list outside_access_in permit ip host >>>>>>>>>> any
65      access-list outside_access_in remark Backups
66      access-list outside_access_in permit ip host >>>>>>>>>> any
67      access-list outside_access_in remark Backups
68      access-list outside_access_in permit icmp host >>>>>>>>>> any echo
69      access-list outside_access_in remark Backups
70      access-list outside_access_in permit icmp host >>>>>>>>>> any echo
71      access-list outside_access_in remark Backups
72      access-list outside_access_in permit icmp host >>>>>>>>>> any echo
73      access-list outside_access_in permit tcp any any eq smtp
74      pager lines 24
75      logging on
76      mtu outside 1500
77      mtu inside 1500
78      ip address outside >>>>>>>>>> 255.255.255.0
79      ip address inside 10.0.0.254 255.255.255.0
80      ip verify reverse-path interface outside
81      ip audit info action alarm
82      ip audit attack action alarm
83      pdm location 10.0.0.1 255.255.255.255 inside
84      pdm location >>>>>>>>>> 255.255.255.255 outside
85      pdm location >>>>>>>>>> 255.255.255.255 outside
86      pdm location >>>>>>>>>> 255.255.255.255 outside
87      pdm location >>>>>>>>>>255.255.255.255 outside
88      pdm location >>>>>>>>>> 255.255.255.255 outside
89      pdm location>>>>>>>>>> 255.255.255.255 outside
90      pdm location >>>>>>>>>> 255.255.255.255 outside
91      pdm location >>>>>>>>>> 255.255.255.255 outside
92      pdm history enable
93      arp timeout 14400
94      static (outside,inside) 10.0.0.1>>>>>>>>>> netmask 255.255.255.255 0 0
95      static (inside,outside) >>>>>>>>>> 10.0.0.1 netmask 255.255.255.255 0 0
96      access-group outside_access_in in interface outside
97      route outside 0.0.0.0 0.0.0.0 >>>>>>>>>> 1
98      route outside >>>>>>>>>> 255.255.255.255 >>>>>>>>>> 1
99      route outside >>>>>>>>>> 255.255.255.255 >>>>>>>>>> 1
100      route outside >>>>>>>>>>255.255.255.255 >>>>>>>>>>1
101      timeout xlate 3:00:00
102      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
103      timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
104      timeout sip-disconnect 0:02:00 sip-invite 0:03:00
105      timeout uauth 0:05:00 absolute
106      aaa-server TACACS+ protocol tacacs+
107      aaa-server TACACS+ max-failed-attempts 3
108      aaa-server TACACS+ deadtime 10
109      aaa-server RADIUS protocol radius
110      aaa-server RADIUS max-failed-attempts 3
111      aaa-server RADIUS deadtime 10
112      aaa-server LOCAL protocol local
113      aaa authentication ssh console LOCAL
114      http server enable
115      http 0.0.0.0 0.0.0.0 outside
116      http 10.0.0.0 255.255.255.0 inside
117      no snmp-server location
118      no snmp-server contact
119      snmp-server community public
120      no snmp-server enable traps
121      floodguard enable
122      telnet timeout 5
123      ssh 0.0.0.0 0.0.0.0 outside
124      ssh 0.0.0.0 0.0.0.0 inside
125      ssh timeout 5


That's all, folks...
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
What is the default gateway of the Media Server?

You can also remove this line:

94      static (outside,inside) 10.0.0.1>>>>>>>>>> netmask 255.255.255.255 0 0

Author

Commented:
208.109.168.30

With ports 1935,1936,5080 open
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
If the media server's IP address is 10.0.0.1, then its default gateway must be 10.0.0.254 - the PIX inside IP

Author

Commented:
Is that different than

79      ip address inside 10.0.0.254 255.255.255.0
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Yes. I'm talking about on the media server itself, not the PIX.
If the media server's IP address is 10.0.0.1, then its default gateway must be the same as the inside IP of the PIX, which is 10.0.0.254.


Author

Commented:
I am not sure what that is set to. I will go check the config files for the media server.

None of the setup file in the install mentioned anything but the ports and I never changed it. It was running and then quit.

I'll be back.

Author

Commented:
Ok... this is a RED5 open source media server that has been branded over to the application we purchased.

It looks like it is using "localhost" for the gateway which would be a default gateway of 127.0.0.1

Author

Commented:
First, Irmore, thank you for all the effort!!!

I've been chained to this box since about 8am so I need to take a break before I gear up for tonight. I'll get back to the grind. I usually go until about 3-4am.... you know the routine.

I'm in Reno so it will be past midnight your time before I lock myself in again.

Again thanks for all the help.

Trey

Author

Commented:
Still no relief...

I have been through the Red5 config settings and it does use "localhost" / 127.0.0.1, so I guess I have to figure out how to tell the firewall that.

I can't even ping the server from the outside at this time, but I can ping it from the inside at 10.0.0.1.
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
The default gateway has to be set on the server to 10.0.0.254 and not 127.0.0.1
  route add default gw 10.0.0.254

Author

Commented:
I went in and changed the red5.properties file from either 0.0.0.0 or 127.0.0.1 to 10.0.0.254.
Here is the current file:

# HTTP
http.host=10.0.0.254
http.port=5080
# RTMP
rtmp.host=10.0.0.254
rtmp.port=1935
rtmp.event_threads_core=16
rtmp.event_threads_max=32
# event threads queue: -1 unbounded, 0 direct (no queue), n bounded queue
rtmp.event_threads_queue=-1
rtmp.event_threads_keepalive=60
rtmp.send_buffer_size=271360
rtmp.receive_buffer_size=65536
rtmp.ping_interval=5000
rtmp.max_inactivity=60000
# RTMPT
rtmpt.host=10.0.0.254
rtmpt.port=8088
rtmpt.ping_interval=5000
rtmpt.max_inactivity=60000
# Debug proxy (needs to be activated in red5-core.xml)
proxy.source_host=10.0.0.254
proxy.source_port=1936
proxy.destination_host=10.0.0.254
proxy.destination_port=1935

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I also opened port 8088 on the firewall.
I then rebooted the server and no change, so it still doesn't connect.

I will look for other files (i.e. XML and others) that might use "localhost" as a setting and change those if I can find them, if they exist.

It was working until I installed ImageMagick, so at this point I must start to consider tearing the whole thing down, reprovisioning the server, reloading everything without ImageMagick and then figuring out a workaround for that. GD Lib won't take big files, so I had to switch to ImageMagick.

This one is very confusing and frustrating, but not untypical for the wonderful world of computers.
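An added check, not from the thread, that classifies each listen address in a red5.properties file by whether the host can actually bind it; this separates the bind address (what this file sets) from the default gateway (a routing setting on the server, changed with `route add`). It assumes the `*host` keys are listen addresses, that the media server itself is 10.0.0.1 as stated above, and that 10.0.0.254 is the PIX inside interface.

```python
import ipaddress
from typing import Dict, Set, Tuple

# Constructed sample mirroring the posted red5.properties (listener keys
# only; the proxy block uses _host/_port rather than .host/.port).
RED5_PROPERTIES = """
# HTTP
http.host=10.0.0.254
http.port=5080
# RTMP
rtmp.host=10.0.0.254
rtmp.port=1935
# RTMPT
rtmpt.host=127.0.0.1
rtmpt.port=8088
# Debug proxy
proxy.source_host=10.0.0.254
proxy.source_port=1936
"""
# Assumption: the addresses configured on the Red5 host itself (the thread
# gives the media server as 10.0.0.1; 10.0.0.254 belongs to the PIX).
SERVER_ADDRESSES = {"10.0.0.1"}

def parse_listeners(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {service: (host, port)} for every *host / *port key pair."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    listeners: Dict[str, Tuple[str, int]] = {}
    for key, host in props.items():
        if key.endswith("host"):
            stem = key[:-4]                      # "http." or "proxy.source_"
            port = int(props.get(stem + "port", "0"))
            listeners[stem.rstrip("._")] = (host, port)
    return listeners

def classify_bind(host: str, own: Set[str]) -> str:
    """What a listen address means for clients arriving through the PIX."""
    if host in ("0.0.0.0", "::"):
        return "ok: listens on every local interface"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname: resolve it first ('localhost' resolves to loopback)"
    if addr.is_loopback:
        return "loopback only: unreachable from the LAN and from the PIX"
    if host in own:
        return "ok: bound to an address this host owns"
    return "not a local address: bind() fails (EADDRNOTAVAIL), listener never starts"

def check_red5(text: str, own: Set[str]) -> Dict[str, str]:
    """Classify every listener found in a red5.properties file."""
    return {svc: classify_bind(host, own)
            for svc, (host, _port) in parse_listeners(text).items()}
```

Run against the host's real addresses (what `ip addr` shows on the Red5 box) rather than the assumed set; a listener bound to the PIX's address or to loopback explains a service that "starts" yet never answers from the network.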