Solved

How to enable a specific port on a Cisco Pix 506

Posted on 2010-09-16
Last Modified: 2012-05-10
Hi there, this should be pretty straightforward, but I need to enable port 445 (for accessing Windows administrative share connections to PCs OUTSIDE of our network). I have connected via serial connection, and am sitting at the pixfirewall> terminal prompt but am clueless what to do from here!
Question by: Slimshaneey

25 Comments

Expert Comment by: StefanKamp (LVL 5)
Enabling SMB over TCP is not a security best practice,
but to answer your question:
!
ip nat inside source static tcp 192.168.0.1 445 interface WAN1 445
!
Modify 192.168.0.1 to the IP address of the server, and modify WAN1 to the outside interface name.

Expert Comment by: StefanKamp (LVL 5)
Sorry, to be more complete:
Connect the serial cable

enable
configure terminal
ip nat inside source static tcp 192.168.0.1 445 interface WAN1 445
exit
write

Author Comment by: Slimshaneey (LVL 11)
How would I find the WAN1 name?

And this enables both inbound and outbound SMB connections?

Author Comment by: Slimshaneey (LVL 11)
Also, is there a way to back up/restore the ruleset if I mess this up?

Expert Comment by: StefanKamp (LVL 5)
Find out the available interfaces by searching in the configuration:
Connect the serial cable

enable
show running-config

Find out which interface is configured with a static IP outside the range of your local network, or which interface obtains its address through DHCP.

Expert Comment by: StefanKamp (LVL 5)
Sure, before you begin:
enable
write

Then:
enable
configure terminal
ip nat inside source static tcp 192.168.0.1 445 interface WAN1 445
exit

Test whether your configuration works (your modification is applied instantly); if not, restart your PIX (with the power button) or type reload in the CLI.

If it works, then perform "write".

Expert Comment by: Kvistofta (LVL 17)
We are talking PIX here, not IOS. The "ip nat" command doesn't exist.

To answer your question we need to see your current config. Strip off all sensitive information and post it here. "show run" will give you the config.

/Kvistofta

Author Comment by: Slimshaneey (LVL 11)
OK, tried it and had a couple of errors.

When I typed "write" it was asking what I wanted to write to. I chose flash?

Also, typing the command you listed, it said nat was an invalid keyword....

PIX software version 6.3, FYI.

Expert Comment by: Kvistofta (LVL 17)
See my previous comment. How to configure this depends upon your current configuration. We can give you general guidelines of how to do NAT and open the traffic in the access-list, but it clearly depends on what is already configured.

/Kvistofta

Expert Comment by: StefanKamp (LVL 5)
Yes, that is my bad, I was talking Cisco IOS and not PIX. "ip nat" does not exist on PIX. As Kvistofta already said, you'll have to post your current config by issuing the "show run" command, as it is not easy to throw you a bunch of commands.

Author Comment by: Slimshaneey (LVL 11)
OK, cool, is there an easy way (bearing in mind I'm connected via serial connection and using PuTTY on a Windows machine that is not net connected) to output the show run command to a file? Or is it a case of copy/paste?

I'm sorry if this is a series of stupid questions. I've inherited a setup that has no documentation; I'm more used to dealing with Netgear and Juniper firewalls that have web frontends. (Shouldn't the 506 have a frontend like that too? PDM or something? Is that something that needs to be enabled?)

Expert Comment by: Kvistofta (LVL 17)
The easiest way is to do "show run", copy the output from PuTTY, and then paste it here.

/Kvistofta

Expert Comment by: StefanKamp (LVL 5)
Yes, it should have a front end, discussed here:
http://www.petri.co.il/forums/showthread.php?t=17006

Author Comment by: Slimshaneey (LVL 11)
Here is the output from show run (edited for security!)

:
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
  port-object eq www
  port-object eq https
  port-object eq ftp
access-list external permit tcp any host 2xx.x6.x4.xx5 object-group webservices
access-list external permit tcp any host 2xx.x6.x4.xx5 eq smtp
access-list outbound permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2xx.x6.x4.xx5 10.0.10.2 netmask 255.255.255.255 0 0
access-group external in interface outside
access-group outbound in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

Accepted Solution by: Kvistofta (LVL 17, earned 167 total points)
conf t
access-l external permit tcp any host 2xx.x6.x4.xx5 eq 445
static (inside,outside) 2xx.x6.x4.xx5 <INSIDE SERVER IP> netmask 255.255.255.255 0 0
wr mem

If you do not want to allow this from anyone on the internet, replace "any" with "1.2.3.4 255.255.255.0" or "host 1.2.3.4", depending on who you want to allow access from.

Again: opening SMB from the internet is probably the worst thing you can do when it comes to security breaches. Still, if this is your intent and you are aware of what you are doing, the commands above will open that traffic.

/Kvistofta


Author Comment by: Slimshaneey (LVL 11)
OK, the security stuff I have looked at and it is pretty serious. How do I modify that command to only allow between our network and a specific IP address, i.e. I will set this up on a per-server basis. So the 2xx.x6 IP is our WAN IP, and I want to be able to access the shares on the machine with IP 88.99.111.222 (not the actual IP!)

Expert Comment by: StefanKamp (LVL 5)
access-list external permit tcp host <ipaddress> host 2xx.x6.x4.xx5 eq 445

Author Comment by: Slimshaneey (LVL 11)
Awesome thanks.

One last thing, I'm confused by what this command does; not sure what is meant by INSIDE SERVER IP:

static (inside,outside) 2xx.x6.x4.xx5 <INSIDE SERVER IP> netmask 255.255.255.255 0 0

Can someone explain that?

Expert Comment by: StefanKamp (LVL 5)
He means that you have to declare the inside server IP; your server IP would probably be in 10.0.10.*

Author Comment by: Slimshaneey (LVL 11)
Why would I need to configure an inside server? I'm trying to access the shares from my workstation (or any workstation inside the network) to an external server that isn't on our network?

Expert Comment by: Kvistofta (LVL 17)
So it is not about inbound traffic? For outbound traffic your firewall is already wide open.

/Kvistofta

Author Comment by: Slimshaneey (LVL 11)
Really? That can't be; the remote server is configured to accept ALL traffic from our IP address, yet I can't connect to administrative shares on any machines outside the network (I can do internally). Other machines externally CAN connect to the admin shares on those servers.

Assisted Solution by: StefanKamp (LVL 5, earned 166 total points)
Well, I believe that we were not aware of the fact that you want to connect to an SMB service hosted somewhere else, and not provide SMB access to one of your servers in your own environment. The problem is not the PIX then.

!
access-list outbound permit ip any any
!
means that all IP addresses may connect to any address on any port outside.

Assisted Solution by: shirkan (LVL 5, earned 167 total points)
Yep. These lines (not in chronological order)

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outbound in interface inside
access-list outbound permit ip any any

permit everything!!!!!! from your inside interface (LAN presumably) to the outside world
via the IP address of your outside interface (which is set to DHCP; the command "show ip" will show your IP on that interface).

So if you are trying to go from inside to outside, everything will go through.

So if it does not, your problem is on the other end (unless you handed them the wrong IP from your outside interface).
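Added here as a worked example, not code posted by anyone in the thread: a small Python audit of the three PIX 6.3 config elements the experts reasoned over by hand (access-list, access-group and static). It answers both questions the thread debates: whether inbound tcp/445 to the static-mapped host is permitted (Kvistofta's accepted solution) and whether outbound tcp/445 from the LAN is already open (shirkan's point above). The config excerpt and addresses are constructed, 203.0.113.5 stands in for the masked 2xx.x6.x4.xx5, and only the `any`/`host` address forms are handled.

```python
import re

# Constructed excerpt modelled on the thread's config; 203.0.113.5 stands in for 2xx.x6.x4.xx5.
PIX_CONFIG = """
access-list external permit tcp any host 203.0.113.5 eq smtp
access-list outbound permit ip any any
static (inside,outside) 203.0.113.5 10.0.10.2 netmask 255.255.255.255 0 0
access-group external in interface outside
access-group outbound in interface inside
"""

NAMED_PORTS = {"smtp": 25, "www": 80, "https": 443, "ftp": 21}
ACE = re.compile(r"access-list (\S+) (permit|deny) (\S+) (any|host \S+) "
                 r"(any|host \S+)(?: eq (\S+))?$")
STATIC = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)")

def parse(config):
    """Collect ACEs per list, inside->global static maps, and interface->ACL bindings."""
    acls, statics, bound = {}, {}, {}
    for line in config.strip().splitlines():
        line = " ".join(line.split())            # tolerate doubled spaces as in the thread
        if m := ACE.match(line):
            name, action, proto, src, dst, port = m.groups()
            if port is not None:
                port = int(NAMED_PORTS.get(port, port))
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif m := STATIC.match(line):
            statics[m.group(2)] = m.group(1)     # inside address -> global address
        elif m := GROUP.match(line):
            bound[m.group(2)] = m.group(1)       # interface -> ACL name
    return acls, statics, bound

def _matches(field, ip):
    return field == "any" or field == f"host {ip}"

def permits(config, interface, proto, src_ip, dst_ip, port):
    """First-match evaluation of the ACL applied inbound on `interface`; no ACL bound = implicit deny."""
    acls, _, bound = parse(config)
    for action, p, src, dst, prt in acls.get(bound.get(interface), []):
        if (p in ("ip", proto) and _matches(src, src_ip)
                and _matches(dst, dst_ip) and prt in (None, port)):
            return action == "permit"
    return False

def inbound_open(config, inside_host, port):
    """Can an arbitrary internet host (198.51.100.7) reach `port` on `inside_host`? PIX 6.3 ACLs name the global address."""
    public = parse(config)[1].get(inside_host)   # global address of the host
    return public is not None and permits(config, "outside", "tcp",
                                          "198.51.100.7", public, port)
```

Run against the excerpt, the outbound check returns True (the `permit ip any any` on the inside interface) while the inbound tcp/445 check returns False until Kvistofta's extra access-list line is appended.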
 
Author Closing Comment by: Slimshaneey (LVL 11)
Thanks for the help, never got this resolved, no idea what the problem is!