Solved

How to enable a specific port on a Cisco Pix 506

Posted on 2010-09-16
498 Views
Last Modified: 2012-05-10
Hi there, this should be pretty straightforward, but I need to enable port 445 (for accessing windows administrative share connections to PCs OUTSIDE of our network). I have connected via serial connection, and am sitting at the pixfirewall> terminal prompt but am clueless what to do from here!
Question by:Slimshaneey
25 Comments
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690124
Enabling SMB over TCP is not a security best practice,
but to answer your question:
!
ip nat inside source static tcp 192.168.0.1 445 interface WAN1 445
!
Modify 192.168.0.1 to the IP address of the server, and modify WAN1 to the outside interface name.
0
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690134
Sorry, to be more complete:
Connect the serial cable

enable
configure terminal
ip nat inside source static tcp 192.168.0.1 445 interface WAN1 445
exit
write
0
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690140
How would I find the WAN1 name?

And this enables both inbound and outbound SMB connections?
0
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690156
Also, is there a way to back up/ restore the ruleset if I mess this up?
0
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690163
Find out the available interfaces by searching in the configuration:
Connect the serial cable

enable
show running-config

Find the interface which is configured with a static IP outside the range of your local network, or an interface which is obtaining its address through DHCP.
0
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690188
Sure, before you begin:
enable
write

Then:
enable
configure terminal
ip nat inside source static tcp 192.168.0.1 445 interface WAN1 445
exit

Test whether your configuration works (your modification is applied instantly). If not, restart your PIX (with the power button) or type reload in the CLI.

If it works, then perform "write".
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33690263
We are talking PIX here, not IOS. The "ip nat" command doesn't exist.


To answer your question we need to see your current config. Strip off all sensitive information and post it here. "show run" will give you the config.

/Kvistofta
0
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690295
OK, tried it and had a couple of errors.

When I typed "write" it was asking what I wanted to write to. I chose flash?

Also, typing the command you listed, it said nat was an invalid keyword....

Pix software version 6.3 FYI
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33690326
See my previous comment. How to configure this depends upon your current configuration. We can give you general guidelines of how to do NAT and open the traffic in the access-list, but it clearly depends on what is already configured.

/Kvistofta
0
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690330
Yes, that is my bad, I was talking Cisco IOS and not PIX. "ip nat" does not exist on PIX. As Kvistofta already said, you'll have to post your current config by issuing the "show run" command, as it is not easy to throw you a bunch of commands.
0
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690360
OK, cool, is there an easy way (bearing in mind I'm connected via serial connection and using PuTTY on a Windows machine that is not net connected) to output the show run command to a file? Or is it a case of copy and paste?

I'm sorry if this is a series of stupid questions. I've inherited a setup that has no documentation; I'm more used to dealing with Netgear and Juniper firewalls that have web frontends. (Shouldn't the 506 have a frontend like that too? PDM or something? Is that something that needs to be enabled?)
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33690373
The easiest way is to do "show run", copy the output from PuTTY, and then paste it here.

/Kvistofta
0
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690383
Yes, it should have a front end, discussed here:
http://www.petri.co.il/forums/showthread.php?t=17006
0
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690467
Here is the output from show run (edited for security!)


:
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
  port-object eq www
  port-object eq https
  port-object eq ftp
access-list external permit tcp any host 2xx.x6.x4.xx5 object-group webservices
access-list external permit tcp any host 2xx.x6.x4.xx5 eq smtp
access-list outbound permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2xx.x6.x4.xx5 10.0.10.2 netmask 255.255.255.255 0 0
access-group external in interface outside
access-group outbound in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 167 total points
ID: 33690498
conf t
access-l external permit tcp any host 2xx.x6.x4.xx5 eq 445
static (inside,outside) 2xx.x6.x4.xx5 <INSIDE SERVER IP> netmask 255.255.255.255 0 0
wr mem

If you do not want to allow this from anyone on the internet, replace "any" with "1.2.3.4 255.255.255.0" or "host 1.2.3.4" depending on who you want to allow access from.

Again: opening SMB from the internet is probably the worst thing you can do when it comes to security breaches. Still, if this is your intent and you are aware of what you are doing, the commands above will open that traffic.

/Kvistofta

0
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690529
OK, the security stuff I have looked at, and it is pretty serious. How do I modify that command to only allow between our network and a specific IP address? I.e. I will set this up on a per-server basis. So the 2xx.x6 IP is our WAN IP, and I want to be able to access the shares on the machine with IP 88.99.111.222 (not the actual IP!)
0
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690588
access-list external permit tcp host <ipaddress> host 2xx.x6.x4.xx5 eq 445
0
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690604
Awesome thanks.

One last thing, I'm confused by what this command does; not sure what is meant by INSIDE SERVER IP:

static (inside,outside) 2xx.x6.x4.xx5 <INSIDE SERVER IP> netmask 255.255.255.255 0 0

Can someone explain that?
0
 
LVL 5

Expert Comment

by:StefanKamp
ID: 33690624
He means that you have to declare the inside server IP; your server IP would probably be in 10.0.10.*
0
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690747
Why would I need to configure an inside server? I'm trying to access the shares from my workstation (or any workstation inside the network) to an external server that isn't on our network.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33690791
So it is not about inbound traffic? For outbound traffic your firewall is already wide open.

/Kvistofta
0
 
LVL 11

Author Comment

by:Slimshaneey
ID: 33690835
Really? That can't be; the remote server is configured to accept ALL traffic from our IP address, yet I can't connect to administrative shares on any machines outside the network (I can do internally). Other machines externally CAN connect to the admin shares on those servers.
0
 
LVL 5

Assisted Solution

by:StefanKamp
StefanKamp earned 166 total points
ID: 33691212
Well, I believe that we were not aware of the fact that you want to connect to an SMB service hosted somewhere else, and not provide SMB access to one of your servers in your own environment. The problem is not the PIX then.

!
access-list outbound permit ip any any
!
means that all IP addresses may connect to any address through any port outside.
0
 
LVL 5

Assisted Solution

by:shirkan
shirkan earned 167 total points
ID: 33691301
Yep. These lines (not in chronological order)

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outbound in interface inside
access-list outbound permit ip any any

permit everything !!!!!! from your inside interface (LAN presumably) to the outside world
via the IP address of your outside interface (which is set to DHCP; the command "show ip" will show your IP on that interface).

So if you are trying to go from inside to outside, everything will go through.

So if it does not, your problem is on the other end (unless you handed them the wrong IP from your outside interface).
0
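The thread turns on reading the posted PIX config correctly: the "external" ACL on the outside interface governs inbound traffic to the static's public address, while "outbound permit ip any any" on the inside interface already lets every outbound connection (port 445 included) through. The following added Python, which is not from the thread or from Cisco, is a small first-match evaluator over a constructed excerpt of that config (documentation addresses in place of the redacted ones, the accepted solution's two lines included, and 198.51.100.7 assumed as the single remote host to be allowed) that shows which direction each rule actually affects.

```python
import ipaddress

# Constructed excerpt of the PIX 6.3 "show run" from the thread, with
# documentation addresses and the accepted solution's 445 rule added.
CONFIG = """
access-list external permit tcp any host 203.0.113.5 eq smtp
access-list external permit tcp host 198.51.100.7 host 203.0.113.5 eq 445
access-list outbound permit ip any any
static (inside,outside) 203.0.113.5 10.0.10.2 netmask 255.255.255.255 0 0
access-group external in interface outside
access-group outbound in interface inside
"""

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ftp": 21}

def parse_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Return (acls, interface->acl bindings, static global->inside map)."""
    acls, groups, statics = {}, {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            src, rest = parse_addr(t[4:])
            dst, rest = parse_addr(rest)
            port = None
            if rest[:1] == ["eq"]:
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t[0] == "access-group":
            groups[t[4]] = t[1]          # interface name -> ACL applied inbound
        elif t[0] == "static":
            statics[t[2]] = t[3]         # global (outside) IP -> inside IP
    return acls, groups, statics

def evaluate(cfg, ingress, proto, src, dst, port):
    """First-match check of the ACL bound to the ingress interface (implicit
    deny at the end). Returns (permitted, destination after static NAT)."""
    acls, groups, statics = cfg
    translated = statics.get(dst, dst) if ingress == "outside" else dst
    acl = groups.get(ingress)
    if acl is None:  # no ACL bound: PIX only passes higher->lower security
        return ingress == "inside", translated
    for action, rproto, rsrc, rdst, rport in acls[acl]:
        if (rproto in ("ip", proto) and ipaddress.ip_address(src) in rsrc
                and ipaddress.ip_address(dst) in rdst and rport in (None, port)):
            return action == "permit", translated
    return False, translated
```

Running evaluate() for an inside workstation to 88.99.111.222:445 returns permitted without any of the proposed changes, which is the point Kvistofta and shirkan make; the inbound 445 rule only matters for the single allowed remote host reaching the static's public address.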
 
LVL 11

Author Closing Comment

by:Slimshaneey
ID: 33742223
Thanks for the help; never got this resolved, no idea what the problem is!
0
