Slimshaneey asked:
How to enable a specific port on a Cisco Pix 506

Hi there, this should be pretty straightforward, but I need to enable port 445 (for accessing windows administrative share connections to PCs OUTSIDE of our network). I have connected via serial connection, and am sitting at the pixfirewall> terminal prompt but am clueless what to do from here!
StefanKamp:

Enabling SMB over TCP is not security best practice,
but to answer your question:
!
ip nat inside source static tcp 192.168.0.1 445 interface WAN1 445
!
Modify 192.168.0.1 to the IP address of the server, modify WAN1 to the outside interface name.
Sorry, to be more complete:
Connect serial cable

enable
configure terminal
ip nat inside source static tcp 192.168.0.1 445 interface WAN1 445
exit
write
Slimshaneey (asker):

How would I find the WAN1 name?

And this enables both inbound and outbound SMB connections?
Also, is there a way to back up/ restore the ruleset if I mess this up?
Find out the available interfaces by searching in the configuration:
Connect the serial cable

enable
show running-config

Find out the interface which is configured with a static IP outside the range of your local network, or an interface which is obtaining its address through DHCP.
Sure, before you begin:
enable
write

Then:
enable
configure terminal
ip nat inside source static tcp 192.168.0.1 445 interface WAN1 445
exit

Test whether your configuration works (your modification is applied instantly); if not, restart your PIX (with the power button) or type reload in the CLI.

If it works, then perform "write".
Jimmy Larsson, CISSP, CEH:
We are talking PIX here, not IOS. The "ip nat" command doesn't exist.


To answer your question we need to see your current config. Strip off all sensitive information and post it here. "show run" will give you the config.

/Kvistofta
OK, tried it and had a couple of errors.

When I typed "write" it was asking what I wanted to write to. I chose flash?

Also, typing the command you listed, it said nat was an invalid keyword....

Pix software version 6.3 FYI
See my previous comment. How to configure this depends upon your current configuration. We can give you general guidelines of how to do NAT and open the traffic in the access-list, but it clearly depends on what is already configured.

/Kvistofta
Yes, that is my bad, I was talking Cisco IOS and not PIX. "ip nat" does not exist on PIX. As kvistofta already said, you'll have to post your current config by issuing the "show run" command, as it is not easy to throw you a bunch of commands.
OK, cool, is there an easy way (bearing in mind I'm connected via serial connection and using PuTTY on a Windows machine that is not net connected) to output the show run command to a file? Or is it a case of copy and paste?


I'm sorry if this is a series of stupid questions. I've inherited a setup that has no documentation; I'm more used to dealing with Netgear and Juniper firewalls that have web frontends (shouldn't the 506 have a frontend like that too? PDM or something? Is that something that needs to be enabled?)
The easiest way is to do "show run", copy the output from PuTTY, and then paste it here.

/Kvistofta
Yes, should have a front end, discussed here:
http://www.petri.co.il/forums/showthread.php?t=17006
Here is the output from show run (edited for security!)


:
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
  port-object eq www
  port-object eq https
  port-object eq ftp
access-list external permit tcp any host 2xx.x6.x4.xx5 object-group webservices
access-list external permit tcp any host 2xx.x6.x4.xx5 eq smtp
access-list outbound permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2xx.x6.x4.xx5 10.0.10.2 netmask 255.255.255.255 0 0
access-group external in interface outside
access-group outbound in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
ASKER CERTIFIED SOLUTION
Jimmy Larsson, CISSP, CEH
OK, the security stuff I have looked at and it is pretty serious. How do I modify that command to only allow between our network and a specific IP address, i.e. I will set this up on a per-server basis. So the 2xx.x6 IP is our WAN IP, and I want to be able to access the shares on the machine with IP 88.99.111.222 (not the actual IP!)
access-list external permit tcp host <ipaddress> host 2xx.x6.x4.xx5 eq 445
Awesome thanks.

One last thing, I'm confused by what this command does, not sure what is meant by INSIDE SERVER IP

static (inside,outside) 2xx.x6.x4.xx5 <INSIDE SERVER IP> netmask 255.255.255.255 0 0

Can someone explain that?
He means that you have to declare the inside server IP; your server IP would probably be in 10.0.10.*
Why would I need to configure an inside server? I'm trying to access the shares from my workstation (or any workstation inside the network) to an external server that isn't on our network.
So it is not about inbound traffic? For outbound traffic your firewall is already wide open.

/Kvistofta
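The two points the thread has reached, that an inbound connection to the public address needs both a static translation and a matching line in the access-list bound to the outside interface, while outbound traffic is governed only by the access-list bound to the inside interface, can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python evaluator for PIX 6.3-style access-list, object-group, static and access-group lines, run against a constructed config modelled on the posted show run (the masked public address is replaced by the documentation address 203.0.113.5, and the object-group header line, which the posted output elides, is assumed). It reports whether a given TCP flow would be permitted and why.

```python
"""Evaluator for PIX 6.3-style access-lists (added example, not Cisco code)."""
from dataclasses import dataclass

# Constructed sample config modelled on the thread's "show run".  203.0.113.5
# stands in for the masked public address; the "object-group service" header
# is an assumption because the posted output does not show it.
SAMPLE_CONFIG = """\
object-group service webservices tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
access-list external permit tcp any host 203.0.113.5 object-group webservices
access-list external permit tcp any host 203.0.113.5 eq smtp
access-list outbound permit ip any any
static (inside,outside) 203.0.113.5 10.0.10.2 netmask 255.255.255.255 0 0
access-group external in interface outside
access-group outbound in interface inside
"""

# Well-known port names PIX accepts in "eq" and "port-object" clauses.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25}


def port_number(token):
    """Resolve a port name or numeric string to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp" or "udp"
    src: str           # "any" or a single host address
    dst: str           # "any" or a single host address
    ports: frozenset   # destination ports; empty set means any port


def _parse_addr(tokens):
    """Consume an 'any' or 'host X' address spec; return (addr, remaining)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address spec: {' '.join(tokens)}")


def parse_config(text):
    """Extract service groups, access-lists, interface bindings and statics."""
    groups, acls, bindings, statics = {}, {}, {}, {}
    current_group = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group" and tok[1] == "service":
            current_group = tok[2]
            groups[current_group] = set()
            continue
        if tok[0] == "port-object" and current_group is not None:
            groups[current_group].add(port_number(tok[2]))
            continue
        current_group = None  # any other line ends the object-group block
        if tok[0] == "access-list":
            name, action, proto = tok[1], tok[2], tok[3]
            src, rest = _parse_addr(tok[4:])
            dst, rest = _parse_addr(rest)
            ports = frozenset()
            if rest[:1] == ["eq"]:
                ports = frozenset({port_number(rest[1])})
            elif rest[:1] == ["object-group"]:
                ports = frozenset(groups[rest[1]])
            acls.setdefault(name, []).append(Rule(action, proto, src, dst, ports))
        elif tok[0] == "access-group":
            bindings[tok[4]] = tok[1]      # access-group NAME in interface IFACE
        elif tok[0] == "static":
            statics[tok[2]] = tok[3]       # static (in,out) GLOBAL LOCAL netmask ...
    return groups, acls, bindings, statics


def evaluate(config, direction, src, dst, port):
    """Decide whether a TCP flow is allowed; returns (verdict, reason).

    direction is "inbound" (arrives on outside; dst is the public address) or
    "outbound" (arrives on inside).  As on PIX 6.x, the outside access-list
    is matched against the translated (global) address, and an inbound
    connection additionally needs a static translation to be forwarded.
    """
    _, acls, bindings, statics = parse_config(config)
    iface = "outside" if direction == "inbound" else "inside"
    if direction == "inbound" and dst not in statics:
        return "deny", f"no static translation for {dst}; nothing to forward to"
    acl_name = bindings.get(iface)
    for rule in acls.get(acl_name, []):
        if rule.proto not in ("ip", "tcp"):
            continue
        if rule.src != "any" and rule.src != src:
            continue
        if rule.dst != "any" and rule.dst != dst:
            continue
        if rule.ports and port not in rule.ports:
            continue
        target = f", forwarded to {statics[dst]}" if direction == "inbound" else ""
        return rule.action, f"matched a rule in access-list {acl_name}{target}"
    return "deny", f"implicit deny at end of access-list {acl_name}"
```

Running evaluate(SAMPLE_CONFIG, "outbound", "10.0.10.5", "88.99.111.222", 445) returns permit, which is what Kvistofta means by the firewall being wide open outbound; evaluate(SAMPLE_CONFIG, "inbound", "88.99.111.222", "203.0.113.5", 445) returns deny by the implicit deny, and it only becomes permit once a line such as access-list external permit tcp host 88.99.111.222 host 203.0.113.5 eq 445 is appended, while any other source address still falls through to the implicit deny.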
Really? That can't be, the remote server is configured to accept ALL traffic from our IP address, yet I can't connect to administrative shares on any machines outside the network (I can do internally). Other machines externally CAN connect to the admin shares on those servers.
SOLUTION
SOLUTION
Thanks for the help, never got this resolved, no idea what the problem is!