Cisco PIX 506E - refine configuration for 2nd IP

Posted on 2009-04-13
Medium Priority
Last Modified: 2012-05-06
I have a Cisco PIX 506e that is replacing a 501.  We have 2 static IP addresses - and (used for VOIP) and the configuration below works fine but I am concerned about all the ports being opened for security issues.  The VOIP phone specs indicate that the following ports need to be opened for the phone to function:
UDP Port 5000-6200 for Incoming and Outgoing
TCP Port 5566 Incoming and Outgoing
5566 needs to be forwarded to the IP Phone system.

Below is the current configuration that work fine:
cisco-pix(config)# show config
: Saved
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname cisco-pix
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name domainpdc
name domaindc1
access-list 101 permit ip
access-list 101 permit ip host
access-list 101 permit ip host
access-list 101 permit ip host
access-list 101 permit ip any
access-list acl-out permit icmp any any
access-list acl-out permit tcp any host eq 3389
access-list acl-out permit udp any host eq 3389
access-list acl-out permit ip any host
access-list 90 permit ip
access-list outside_cryptomap_dyn_30 permit ip any
pager lines 24
logging on
logging buffered errors
logging trap debugging
logging host inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
ip local pool vpnpool
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location abbatrondc1 inside
pdm location inside
pdm location inside
pdm location outside
pdm location outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0 0
static (inside,outside) tcp interface 3389 abbatrondc1 3389 netmask 255.255.2
255 0 0
static (inside,outside) udp interface 3389 abbatrondc1 3389 netmask 255.255.2
255 0 0
static (inside,outside) netmask 0 0
access-group acl-out in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 30 match address outside_cryptomap_dyn_30
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-SHA
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp enable inside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
telnet inside
telnet timeout 5
ssh outside
ssh outside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

Does anyone have any suggestion that might help refine the port distribution.
Question by:mikeplastic
  • 2

Expert Comment

ID: 24135935

the following config should do the job for you

conf t
no access-list acl-out permit ip any host <-- this removes the any rule
access-list acl-out permit tcp any host eq 5566 <-- allows only TCP port 5566
access-list acl-out permit udp any host range 5000 6200 <-- allows UDP range 5000 to 6200

These ports will already be forwarded to your internal IP phone system as your static NAT is configured correctly. All ports will be open outbound as there is no existing ACL attached to your inside interface  - traffic passing from a higher to lower security level will be allowed by default.

also double check this rule

access-list acl-out permit udp any host eq 3389

its not likely that you need to have UDP 3389 allowed to this sever. RDP works off TCP 3389 only


Author Comment

ID: 24137439
Thank you!  I will be testing this within 1 week!!

Accepted Solution

Markus Braun earned 2000 total points
ID: 24138082
Everything Andrew says is right, i just wanted to add this

static (inside,outside) netmask 0 0
access-group acl-out in interface outside
access-list acl-out permit ip any host

with these lines you have practically rendered the firewall useless since you allow everything from the internet to hit the server at

also i would suggest you come up with an access-list for the inside interface, so you can control what goes out to the internet.
Everything open from the LAN side also means everything open for any virus, trojan, backdoor etc

Author Comment

ID: 24187932
I am still testing so I do not have results.  I cannot get the PIX to access the internet.  I am going to put out another case on that and then come back to this.

Featured Post

Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Why do some people recommend buying business VoIP from an ISP? What are the benefits to my company? What are the costs?
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question