09-16-2010 01:54 AM - edited 03-11-2019 11:41 AM
Hi, I need to open a port on a PIX 515.
Please can someone explain what I should be entering including the commands.
For the purposes of the explanation (so I can understand it) I've given the different elements the following IPs
Port = PPPPP
Destination IP that the machines on my network will be contacting: XXX.XXX.XXX.XXX
The workstation on my network YYY.YYY.YYY.YYY
PIX IP: ZZZ.ZZZ.ZZZ.ZZZ
I have logged onto the PIX via Hyperterminal.
Thanks for your help.
09-16-2010 02:50 AM
Hmmmmmm wouldn't it be better to use ASDM or PDM if you don't know how to do it from CLI?
What's the software version?
7.0+ versions support "line" argument when defining access-list entries.
Marcin
09-16-2010 03:03 AM
I'm on 6.3
I can access the list and add the entry (I think) but how do I then save it? Does the firewall need a power cycle for it to work or will 'reload' work?
09-16-2010 03:11 AM
I don't see why a reload would be needed.
I've checked the command ref for 6.3
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1067755
it does support the "line" argument.
access-list NAME line X permit/deny etc etc....
09-16-2010 03:24 AM
write term brings up a long access list for in and out but show access-lists in only has two lines in it. How can this be?
09-16-2010 03:31 AM
Show us the running config :-)
09-16-2010 03:42 AM
The entries are in the in and out access lists but the port is still closed.
09-16-2010 03:44 AM
This firewall has been inherited from an umbrella company that we no longer work with so I'm guessing a lot of the entries are redundant
access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any any eq ftp-data
access-list acl_in permit tcp any any eq https
access-list acl_in remark Cearbhall: CITADEL
access-list acl_in permit tcp any any eq 504
access-list acl_in permit tcp any any eq 3389
access-list acl_in permit udp any any eq domain log
access-list acl_in permit tcp host Sloop any eq smtp
access-list acl_in permit udp any any range 8194 8294
access-list acl_in remark Cearbhall, 14-Jan. SIP UDP Range
access-list acl_in permit udp any any range 10000 32766
access-list acl_in permit tcp any any eq 15443
access-list acl_in permit tcp any any eq 16443
access-list acl_in permit tcp any any eq 17443
access-list acl_in permit tcp any any eq 18443
access-list acl_in permit udp any any eq 4901
access-list acl_in permit tcp any any eq 5060
access-list acl_in permit udp any any eq 5060
access-list acl_in permit udp any any eq 5061
access-list acl_in permit udp any any eq 5004
access-list acl_in permit udp any any range 16348 32766
access-list acl_in permit udp any any eq 5961
access-list acl_in permit udp any any eq 7311
access-list acl_in permit udp any any eq 7312
access-list acl_in permit udp any any eq 7315
access-list acl_in permit udp any any range 7200 7205
access-list acl_in permit udp any any range 5800 5900
access-list acl_in permit tcp any any eq pop3
access-list acl_in remark Cearbhall. 17-Jan
access-list acl_in permit tcp any any eq imap4
access-list acl_in permit tcp any any eq pcanywhere-data
access-list acl_in permit tcp any any eq 5632
access-list acl_in permit tcp any any eq 32761
access-list acl_in permit tcp any any range 7070 7071
access-list acl_in permit tcp any any eq 554
access-list acl_in remark SAMBA at TCP/139
access-list acl_in permit tcp any any range 135 netbios-ssn
access-list acl_in permit tcp any any range 1225 1226
access-list acl_in permit tcp any any eq pptp
access-list acl_in permit tcp any any range 2189 2196
access-list acl_in permit tcp any any eq 13678
access-list acl_in permit tcp any any eq 7443
access-list acl_in permit udp any any eq 7443
access-list acl_in permit tcp any any eq 27524
access-list acl_in permit tcp any any range 8194 8294
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq 4899
access-list acl_in permit tcp any any eq citrix-ica
access-list acl_in permit tcp any any range 5800 5900
access-list acl_in permit tcp any any range 3230 3235
access-list acl_in permit udp any any eq 1720
access-list acl_in permit tcp any any eq h323
access-list acl_in permit tcp any any eq 11000
access-list acl_in permit tcp any any eq 4600
access-list acl_in permit udp any any eq 4600
access-list acl_in permit tcp any any range 4001 4002
access-list acl_in permit tcp any any eq 2147
access-list acl_in permit udp any any range 3230 3253
access-list acl_in permit tcp any any eq 8080
access-list acl_in permit tcp any any eq 1503
access-list acl_in permit tcp any any range 3230 3253
access-list acl_in permit tcp any any eq nntp
access-list acl_in permit tcp any any eq 1863
access-list acl_in permit tcp any any range 27030 27039
access-list acl_in permit udp any any range 27000 27015
access-list acl_in permit udp any any eq 1200
access-list acl_in permit tcp any any eq 81
access-list acl_in permit tcp any any eq 465
access-list acl_in permit tcp any any eq 995
access-list acl_in permit udp any any eq 62515
access-list acl_in permit tcp any any eq 10000
access-list acl_in permit udp any any eq 4500
access-list acl_in permit tcp any any range 5101 5102
access-list acl_in permit udp any any range 5101 5102
access-list acl_in permit tcp any any eq 37777
access-list acl_in permit udp any any eq 37777
access-list acl_in permit tcp any any eq aol
access-list acl_in permit udp any any eq isakmp
access-list acl_in permit esp any any
access-list acl_in permit tcp any any eq 38000
access-list acl_in remark Allow ICMP TO DMZ
access-list acl_in permit icmp 10.10.0.0 255.255.255.0 host 10.10.1.95
access-list acl_in permit tcp 10.10.0.0 255.255.255.0 host 10.10.1.95 eq telnet
access-list acl_in permit tcp 10.10.0.0 255.255.255.0 host 10.10.1.95 eq ssh
access-list acl_in permit udp any any eq tftp
access-list acl_in remark MONDAY
access-list acl_in permit udp any any range 5060 5064
access-list acl_in permit tcp any any eq domain log
access-list acl_in permit udp any any eq ntp
access-list acl_in permit tcp any any eq ssh
access-list acl_in permit tcp any any eq 2443
access-list acl_in permit tcp any any eq 2000
access-list acl_in permit tcp any any eq 585
access-list acl_in permit tcp any any eq 998
access-list acl_in permit icmp any any
access-list acl_in permit udp any any eq 5036
access-list acl_in permit udp any any eq 4569
access-list acl_in permit udp any any range 48129 65534
access-list acl_in permit tcp any any eq 12328
access-list acl_out permit tcp any host 83.71.190.91 eq www
access-list acl_out permit tcp any host 83.71.190.91 range 3230 3235
access-list acl_out permit udp any host 83.71.190.91 range 3230 3247
access-list acl_out permit tcp any host 83.71.190.91 eq h323
access-list acl_out permit tcp any host 83.71.190.91 range 3230 3253
access-list acl_out remark AWFUL SECURITY. TIDY UP. 22-JAN
access-list acl_out permit ip any host Barge
access-list acl_out remark AWFUL SECURITY - Tidy up. 22-JAN
access-list acl_out permit icmp any host Barge
access-list acl_out remark TFTP Server (for SIP downloads, etc)
access-list acl_out permit udp any eq tftp any
access-list acl_out remark TFTP Server (for SIP downloads, etc) - Ceatbhall 14-Jan
access-list acl_out permit udp any any eq tftp
access-list acl_out remark Cisco 7960 Phone settings.
access-list acl_out permit udp any any range 16384 32766
access-list acl_out permit tcp any eq ssh any
access-list acl_out remark Cearbhall, MONDAY
access-list acl_out remark Cearbhall, JAN 16 - WEBMIN
access-list acl_out permit tcp any eq 10000 any
access-list acl_out remark Cearbhall, JAN 16 - WUsage
access-list acl_out permit tcp any eq 2396 any
access-list acl_out remark Cearbhall, JAN 14
access-list acl_out permit tcp any eq https any
access-list acl_out remark Cearbhall, JAN 14
access-list acl_out permit tcp any eq www any
access-list acl_out remark Cearbhall, JAN-17
access-list acl_out permit tcp any eq imap4 any
access-list acl_out remark MONDAY
access-list acl_out remark MONDAY
access-list acl_out remark MONDAY - ssh
access-list acl_out permit tcp any eq ssh any eq ssh
access-list acl_out permit tcp any any eq 504
access-list acl_out permit tcp any any eq 2000
access-list acl_out permit tcp any any eq 2443
access-list acl_out permit tcp any any eq imap4
access-list acl_out permit tcp any any eq 465
access-list acl_out permit tcp any any eq 585
access-list acl_out permit tcp any any eq 998
access-list acl_out permit tcp any any eq https
access-list acl_out permit icmp any any
access-list acl_out permit udp any any eq domain
access-list acl_out permit udp any any range 10000 32766
access-list acl_out permit udp any any eq 5004
access-list acl_out permit udp any any eq 5036
access-list acl_out permit udp any any eq 4569
access-list acl_out permit icmp any host 87.198.182.67
access-list acl_out permit tcp any host 87.198.182.67 eq telnet
access-list acl_out permit tcp any host 87.198.182.67 eq www
access-list acl_out permit tcp any host 87.198.182.67 eq domain
access-list acl_out permit tcp any host 87.198.182.67 eq ssh
access-list acl_out permit tcp any host 87.198.182.67 eq smtp
access-list acl_out permit tcp any host 87.198.182.67 eq https
access-list acl_out remark Allow IMAP4 IN TO DMZ SERVER SLOOP
access-list acl_out permit tcp any host 87.198.182.67 eq imap4
access-list acl_out remark Allow POP3 IN TO DMZ SERVER SLOOP
access-list acl_out permit tcp any host 87.198.182.67 eq pop3
access-list acl_out remark Allow CITADEL IN TO DMZ SERVER SLOOP
access-list acl_out permit tcp any host 87.198.182.67 eq 504
access-list acl_out remark Allow FTP IN TO DMZ SERVER SLOOP
access-list acl_out permit tcp any host 87.198.182.67 eq ftp
access-list acl_out remark Allow TFTP IN TO DMZ SERVER SLOOP - Cearbhall 14-Jan
access-list acl_out permit udp any host 87.198.182.67 eq tftp
access-list acl_out remark Allow FTP-DATA IN TO DMZ SERVER SLOOP
access-list acl_out permit tcp any host 87.198.182.67 eq ftp-data
access-list acl_out remark MONDAY
access-list acl_out permit tcp any host 87.198.182.67 range 5060 5064
access-list acl_out remark MONDAY
access-list acl_out permit udp any host 87.198.182.67 range 16348 32766
access-list acl_out permit udp any host 87.198.182.67 range 5060 5064
access-list acl_out permit udp any any range 48129 65534
access-list acl_out permit tcp any any eq 12328
access-list DMZ_access_in permit tcp host 10.10.1.95 any eq telnet
access-list DMZ_access_in permit tcp host 10.10.1.95 eq www any
access-list DMZ_access_in remark Cearbhall. 18-Jan (FUNAMBOL)
access-list DMZ_access_in permit tcp host 10.10.1.95 eq 8080 any
access-list DMZ_access_in remark Cearbhall. 18-Jan (SAMBA)
access-list DMZ_access_in permit tcp host 10.10.1.95 eq 8080 any range 137 netbios-ssn
access-list DMZ_access_in remark Cearbhall. 18-Jan (SAMBA)
access-list DMZ_access_in permit udp host 10.10.1.95 any range netbios-ns 139
access-list DMZ_access_in remark Cearbhall. 18-Jan (SAMBA)
access-list DMZ_access_in permit udp host 10.10.1.95 any eq 445
access-list DMZ_access_in remark Cearbhall. 18-Jan (SAMBA)
access-list DMZ_access_in permit tcp host 10.10.1.95 object-group Sloop any eq 445
access-list DMZ_access_in remark Cearbhall. 24-Jan (LDAP)
access-list DMZ_access_in permit tcp host 10.10.1.95 any eq ldap
access-list DMZ_access_in permit tcp host 10.10.1.95 eq https any
access-list DMZ_access_in remark Cearbhall. 14-Jan
access-list DMZ_access_in permit tcp host 10.10.1.95 any eq imap4
access-list DMZ_access_in remark Cearbhall. 14-Jan Part II
access-list DMZ_access_in permit tcp host 10.10.1.95 eq imap4 any
access-list DMZ_access_in permit tcp host 10.10.1.95 eq domain any
access-list DMZ_access_in permit tcp host 10.10.1.95 10.10.0.0 255.255.255.0 eq telnet
access-list DMZ_access_in permit tcp host 10.10.1.95 10.10.0.0 255.255.255.0 eq ssh log
access-list DMZ_access_in permit tcp host 10.10.1.95 eq ssh any
access-list DMZ_access_in permit icmp host 10.10.1.95 any
access-list DMZ_access_in remark Allow ALL OUT from DMZ to SERVER SLOOP
access-list DMZ_access_in permit ip host 10.10.1.95 any
access-list DMZ_access_in permit ip host 10.10.1.95 10.10.0.0 255.255.255.0
access-list DMZ_access_in remark COD 22_JAN (Allow ICMP from DMZ - Inside)
access-list DMZ_access_in permit tcp any any eq imap4
access-list DMZ_access_in permit tcp any any eq 465
access-list DMZ_access_in permit tcp any any eq 585
access-list DMZ_access_in permit tcp any any eq 998
access-list DMZ_access_in permit tcp any any eq smtp
access-list DMZ_access_in permit icmp any any
access-list DMZ_access_in permit udp any any eq domain
access-list DMZ_access_in permit udp any any range 10000 32766
access-list DMZ_access_in permit tcp any any range 5059 5064
access-list DMZ_access_in permit udp any any eq tftp
access-list DMZ_access_in permit udp any any range 16384 32766
access-list DMZ_access_in permit udp any any eq 5004
access-list DMZ_access_in permit udp any any eq 4569
access-list DMZ_access_in permit udp any any eq 5036
access-list acl-in remark Cearbhall SSH 26-JAN
access-list acl-in permit tcp any any eq ssh
09-16-2010 04:32 AM
The only access-lists you should be worried about are the ones applied anywhere.
If you're looking at interface ACLs, check the access-groups:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1025611
Marcin
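To make the point above concrete, here is an added example (not from the thread or from Cisco) that reads a PIX 6.3 style running config, keeps only the access-lists that an access-group actually binds to an interface, and answers "would this flow be permitted?" with first-match semantics and the implicit deny at the end. The sample config is a constructed cut-down copy of the one posted in this thread; 203.0.113.10 and 198.51.100.7 are documentation addresses standing in for the remote server and an Internet client; the port-name table is partial, `object-group` entries are not modelled (they are reported as unparsed rather than silently skipped), and only the `in` direction exists, as on PIX 6.3.

```python
import ipaddress
from collections import namedtuple

# Partial table of the symbolic port names PIX 6.3 prints inside access-lists
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
              "tftp": 69, "www": 80, "pop3": 110, "ntp": 123, "netbios-ssn": 139, "imap4": 143,
              "ldap": 389, "https": 443, "isakmp": 500, "h323": 1720, "pptp": 1723}

# One parsed entry: src/dst are address matchers, sport/dport are (lo, hi) or None
Ace = namedtuple("Ace", "acl action proto src sport dst dport text")


def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_addr(toks, i):
    """Parse `any` | `host X` | `NET MASK` at toks[i]; return (matcher, next index)."""
    tok = toks[i]
    if tok == "any":
        return (lambda v: True), i + 1
    if tok == "host":
        host = toks[i + 1]
        try:
            net = ipaddress.ip_network(host)
        except ValueError:  # a label from the PIX `name` command: match the literal only
            return (lambda v: v == host), i + 2
    else:
        net = ipaddress.ip_network(f"{tok}/{toks[i + 1]}", strict=False)

    def in_net(v):
        try:
            return ipaddress.ip_address(v) in net
        except ValueError:  # a label never falls inside a numeric network
            return False
    return in_net, i + 2


def parse_ports(toks, i):
    # Optional `eq P` | `range A B` at toks[i]; returns ((lo, hi) or None, next index)
    if i < len(toks) and toks[i] == "eq":
        return (port_num(toks[i + 1]),) * 2, i + 2
    if i < len(toks) and toks[i] == "range":
        return (port_num(toks[i + 1]), port_num(toks[i + 2])), i + 3
    return None, i


def parse_ace(line):
    # access-list NAME permit|deny PROTO SRC [ports] DST [ports] [log]; remarks give None
    toks = line.split()
    if toks[2] == "remark":
        return None
    src, i = parse_addr(toks, 4)
    sport, i = parse_ports(toks, i)
    dst, i = parse_addr(toks, i)
    dport, i = parse_ports(toks, i)
    return Ace(toks[1], toks[2], toks[3], src, sport, dst, dport, line)


def parse_config(text):
    """Return ({acl: [Ace]}, {interface: acl bound inbound}, [lines that could not be parsed])."""
    acls, groups, problems = {}, {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access-group "):
            t = line.split()  # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
        elif line.startswith("access-list "):
            try:
                ace = parse_ace(line)
                if ace:
                    acls.setdefault(ace.acl, []).append(ace)
            except (IndexError, ValueError) as exc:  # e.g. object-group entries, not modelled here
                problems.append(f"{line}  <- {exc}")
    return acls, groups, problems


def ace_matches(ace, proto, src, dst, dport, sport=None):
    """sport=None means an ephemeral/unknown source port, which a source-port ACE cannot match."""
    if ace.proto not in ("ip", proto) or not (ace.src(src) and ace.dst(dst)):
        return False
    if ace.dport and not ace.dport[0] <= dport <= ace.dport[1]:
        return False
    if ace.sport and (sport is None or not ace.sport[0] <= sport <= ace.sport[1]):
        return False
    return True


def evaluate(acls, groups, iface, proto, src, dst, dport=0, sport=None):
    """First-match lookup on the ACL bound inbound to `iface`; no match hits the implicit deny."""
    name = groups.get(iface)
    if name is None:
        return "deny", f"no access-group bound to interface {iface}"
    for ace in acls.get(name, []):
        if ace_matches(ace, proto, src, dst, dport, sport):
            return ace.action, ace.text
    return "deny", f"implicit deny at the end of {name}"


def unapplied_acls(acls, groups):
    # ACLs present in the config but bound to no interface: they filter nothing
    return sorted(set(acls) - set(groups.values()))


# Constructed sample: a cut-down copy of the running config posted in this thread
SAMPLE_CONFIG = """
access-list acl_in permit tcp any any eq www
access-list acl_in remark Cearbhall: CITADEL
access-list acl_in permit tcp host Sloop any eq smtp
access-list acl_in permit udp any any range 8194 8294
access-list acl_in permit tcp any any eq 12328
access-list acl_out permit tcp any eq ssh any
access-list acl_out permit tcp any host 87.198.182.67 eq www
access-list acl-in permit tcp any any eq ssh
access-group acl_out in interface outside
access-group acl_in in interface inside
"""
```

Running `parse_config(SAMPLE_CONFIG)` and then `unapplied_acls(...)` reports `acl-in` as bound to nowhere: the posted config spells that list with a hyphen while the access-group binds `acl_in`, so those two entries filter nothing. `evaluate(acls, groups, "inside", "tcp", "10.10.0.50", "203.0.113.10", 12328)` returns the permitting ACE, which is why the interface ACL is not where this thread's problem lies. The example also shows a trap in several posted lines such as `permit tcp any eq ssh any`: the `eq` before the destination binds to the source port, so an inbound connection to port 22 from an ephemeral source port is not matched by it.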
09-16-2010 05:09 AM
PIX(config)# show interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0003.6bf7.2e54
IP address 87.198.182.66, subnet mask 255.255.255.240
MTU 1500 bytes, BW 100000 Kbit full duplex
760661 packets input, 189581999 bytes, 0 no buffer
Received 119 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
447171 packets output, 44433633 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/18)
output queue (curr/max blocks): hardware (0/34) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0003.6bf7.2e55
IP address 10.10.0.7, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
581199 packets input, 53428322 bytes, 0 no buffer
Received 1004 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
871046 packets output, 211157320 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/69)
output queue (curr/max blocks): hardware (1/70) software (0/1)
interface ethernet2 "DMZ" is up, line protocol is down
Hardware is i82559 ethernet, address is 0002.b3cd.97df
IP address 10.10.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1323 packets output, 79380 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
<--- More --->
acl_in and acl_out are the 2 access lists that I need to implement.
What interface should they be added to and which commands should I enter to do so?
Thanks, I'm new to all this.
09-16-2010 05:16 AM
PIX1# show access-group
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group DMZ_access_in in interface DMZ
They seem to be implemented but the port is still closed (port 12328)
09-16-2010 05:34 AM
Hello,
What is the direction of the traffic? Are you trying to open the port from inside clients to the internet (server is on the internet) or are you trying to open the port for internet clients (server is in your network)? If you are trying to do the latter, then you need to have a NAT statement mapping the server to a publicly routable IP.
static (inside,dmz) tcp interface 12368
If you would like to use a different IP than the interface IP, then
static (inside,dmz) tcp xxx.yyy.zzz.kkk 12368
Your access-list is already allowing the traffic. So, once you have the NAT statement, it should work fine.
Regards,
NT
09-16-2010 05:39 AM
I'm trying to open the port so users on my network can use a demo of some trading software which needs to access a remote server across the internet
09-16-2010 07:51 AM
Can your users access the Internet normally via this PIX?
Are you sure the port is TCP and not UDP ?
Jon
09-16-2010 07:54 AM
I've added both to see if it would make a difference and it didn't.