Solved

How to enable a specific port on a Cisco Pix 506

Posted on 2010-09-16
Last Modified: 2012-05-10
Hi there, this should be pretty straightforward, but I need to enable port 445 (for accessing Windows administrative share connections to PCs OUTSIDE of our network). I have connected via serial connection and am sitting at the pixfirewall> terminal prompt, but am clueless what to do from here!
Question by:Slimshaneey
25 Comments
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690124
Enabling SMB over TCP is not a security best practice,
but to answer your question:
!
ip nat inside source static tcp 192.168.0.1 445 interface WAN1 445
!
Modify 192.168.0.1 to the IP address of the server, and modify WAN1 to the outside interface name.
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690134
Sorry, to be more complete:
Connect the serial cable

enable
configure terminal
ip nat inside source static tcp 192.168.0.1 445 interface WAN1 445
exit
write
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690140
How would I find the WAN1 name?

And this enables both inbound and outbound SMB connections?
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690156
Also, is there a way to back up/restore the ruleset if I mess this up?
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690163
Find out the available interfaces by searching in the configuration:
Connect the serial cable

enable
show running-config

Find the interface that is configured with a static IP outside the range of your local network, or an interface that obtains its address through DHCP.
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690188
Sure, before you begin:
enable
write

Then:
enable
configure terminal
ip nat inside source static tcp 192.168.0.1 445 interface WAN1 445
exit

Test whether your configuration works (your modification is applied instantly); if not, restart your PIX (with the power button) or type reload in the CLI.

If it works, then perform "write".
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33690263
We are talking PIX here, not IOS. The "ip nat" command doesn't exist.


To answer your question we need to see your current config. Strip off all sensitive information and post it here. "show run" will give you the config.

/Kvistofta
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690295
OK, tried it and had a couple of errors.

When I typed "write" it was asking what I wanted to write to. I chose flash?

Also, typing the command you listed, it said nat was an invalid keyword....

PIX software version 6.3, FYI.
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33690326
See my previous comment. How to configure this depends upon your current configuration. We can give you general guidelines on how to do NAT and open the traffic in the access-list, but it clearly depends on what is already configured.

/Kvistofta
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690330
Yes, that is my bad; I was talking Cisco IOS and not PIX. "ip nat" does not exist on PIX. As Kvistofta already said, you'll have to post your current config by issuing the "show run" command, as it is not easy to throw you a bunch of commands.
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690360
OK, cool. Is there an easy way (bearing in mind I'm connected via serial connection and using PuTTY on a Windows machine that is not net connected) to output the show run command to a file? Or is it a case of copy/paste?


I'm sorry if this is a series of stupid questions. I've inherited a setup that has no documentation; I'm more used to dealing with Netgear and Juniper firewalls that have web front ends. (Shouldn't the 506 have a front end like that too? PDM or something? Is that something that needs to be enabled?)
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33690373
The easiest way is to do "show run", copy the output from PuTTY, and then paste it here.

/Kvistofta

 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690383
Yes, it should have a front end, discussed here:
http://www.petri.co.il/forums/showthread.php?t=17006
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690467
Here is the output from show run (edited for security!):


:
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
  port-object eq www
  port-object eq https
  port-object eq ftp
access-list external permit tcp any host 2xx.x6.x4.xx5 object-group webservices
access-list external permit tcp any host 2xx.x6.x4.xx5 eq smtp
access-list outbound permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2xx.x6.x4.xx5 10.0.10.2 netmask 255.255.255.255 0 0
access-group external in interface outside
access-group outbound in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
 
LVL 17

Accepted Solution

by:Kvistofta
Kvistofta earned 167 total points
ID: 33690498
conf t
access-l external permit tcp any host 2xx.x6.x4.xx5 eq 445
static (inside,outside) 2xx.x6.x4.xx5 <INSIDE SERVER IP> netmask 255.255.255.255 0 0
wr mem

If you do not want to allow this from anyone on the internet, replace "any" with "1.2.3.4 255.255.255.0" or "host 1.2.3.4", depending on who you want to allow access from.

Again: opening SMB from the internet is probably the worst thing you can do when it comes to security breaches. Still, if this is your intent and you are aware of what you are doing, the commands above will open that traffic.

/Kvistofta

 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690529
OK, the security stuff I have looked at, and it is pretty serious. How do I modify that command to only allow traffic between our network and a specific IP address, i.e. I will set this up on a per-server basis? So the 2xx.x6 IP is our WAN IP, and I want to be able to access the shares on the machine with IP 88.99.111.222 (not the actual IP!).
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690588
access-list external permit tcp host <ipaddress> host 2xx.x6.x4.xx5 eq 445
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690604
Awesome thanks.

One last thing: I'm confused by what this command does; not sure what is meant by INSIDE SERVER IP.

static (inside,outside) 2xx.x6.x4.xx5 <INSIDE SERVER IP> netmask 255.255.255.255 0 0

Can someone explain that?
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690624
He means that you have to declare the inside server IP; your server IP would probably be in 10.0.10.*
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690747
Why would I need to configure an inside server? I'm trying to access the shares from my workstation (or any workstation inside the network) to an external server that isn't on our network.
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33690791
So it is not about inbound traffic? For outbound traffic your firewall is already wide open.

/Kvistofta
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690835
Really? That can't be; the remote server is configured to accept ALL traffic from our IP address, yet I can't connect to administrative shares on any machines outside the network (I can do so internally). Other machines externally CAN connect to the admin shares on those servers.
 
LVL 5

Assisted Solution

by:StefanKamp
StefanKamp earned 166 total points
ID: 33691212
Well, I believe that we were not aware of the fact that you want to connect to an SMB service hosted somewhere else, and not provide SMB access to one of your servers in your own environment. The problem is not the PIX then.

!
access-list outbound permit ip any any
!
means that all IP addresses may connect to any address through any port outside.
 
LVL 5

Assisted Solution

by:shirkan
shirkan earned 167 total points
ID: 33691301
Yep. These lines (not in chronological order)

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outbound in interface inside
access-list outbound permit ip any any

permit everything !!!!!! from your inside interface (LAN presumably) to the outside world
via the IP address of your outside interface (which is set to DHCP; by using the command "show ip" it will show your IP on that interface).

So if you are trying to go from inside to outside, everything will go through.

So if it does not, your problem is on the other end (unless you handed them the wrong IP from your outside interface).
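As an added illustration (not code from this thread), the following Python evaluates PIX 6.3 access-list/access-group lines the way the firewall does: first match wins, with an implicit deny at the end. It checks both points made above, that outbound 445 is already permitted by "access-list outbound permit ip any any" and that the restricted inbound line only permits 445 from the single named host. Assumptions: the config fragment is constructed to mirror the posted one, 203.0.113.5 stands in for the masked outside address, 88.99.111.222 is the remote host from the question, and the static translation is not modeled (only the ACLs).

```python
import ipaddress

# Constructed PIX 6.3 fragment in the shape of the config posted in the thread.
# 203.0.113.5 is a placeholder for the masked outside address (assumption).
PIX_CONFIG = """
access-list external permit tcp any host 203.0.113.5 eq smtp
access-list external permit tcp host 88.99.111.222 host 203.0.113.5 eq 445
access-list outbound permit ip any any
access-group external in interface outside
access-group outbound in interface inside
"""

# Port names that PIX 6.3 prints in place of numbers (subset).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ftp": 21, "ssh": 22}


def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A' or 'A MASK'. Return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix(config):
    """Return ({acl_name: [entries]}, {interface: acl_name}) from the relevant lines."""
    acls, bindings = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            name, action, proto = t[1], t[2], t[3]
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            port = None
            if rest[:1] == ["eq"]:          # optional destination port, numeric or named
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif t[:1] == ["access-group"]:     # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
    return acls, bindings


def permitted(acls, bindings, iface, proto, src, dst, dport):
    """Evaluate a flow entering `iface` against the ACL bound there; no ACL or no match => deny."""
    for action, p, s, d, port in acls.get(bindings.get(iface, ""), []):
        if p not in ("ip", proto):
            continue
        if (ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d
                and (port is None or port == dport)):
            return action == "permit"
    return False
```

Running it with the thread's numbers shows an inside workstation reaching 88.99.111.222:445 is permitted already, while 445 from an arbitrary internet host to the outside address is denied and only the named host gets through.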
 
LVL 11

Author Closing Comment

by:Slimshaneey
ID: 33742223
Thanks for the help, never got this resolved, no idea what the problem is!
