Re: changing udp ports in a pix on replies

mrrussell · ‎11-26-2004

Hi, I'm checking out whether changing UDP ports is possible on a PIX 525(6.3(4)). A RADIUS request sent from host on DMZ network with UDP port 1812 through the PIX to the RADIUS Server on inside network. RADIUS server replies on 1647 but DMZ host expects UDP port 1812 (same as request). Can this be done? I'm also questioning elsewhere why the RADIUS server would reply on a different port to the request.

Thanks

Mick

ehirsel · ‎11-26-2004

I would start by examining the radius server configuration. I would expect that UDP ports 1645 and 1646 are used (old IETF/RFC radius ports), or UDP ports 1812/1813 (new ietf/rfc ports). Not 1647.

Is there another router or NAT device between your PIX and the radius server?

I think that the radius server is using an /etc/services (or %systemroot%\drivers\etc\services for ms win os) entry to determine which ports to listen on and/or reply from. Is the radius server have more than one nic?

You can config the pix to do port-based nat, however it looks like you have not done that, yet the reply is using a different port. So I would look at another device having an issue, before I would change the PIX config.

Let me know what you find.

mrrussell · ‎11-29-2004

Hi, I'm sure the old IETF/RFC radius port is 1647. We know its the Radius server at fault but we are lobbying within our organisation to get a new proxy module written to support the new ports with some difficulty as its not under our control. I'm not keen to swap ports on a PIX, but just establishing how it could be done.

Thanks

ehirsel · ‎12-01-2004

Try this static:

static (in, out) udp x.x.x.x 1812 y.y.y.y 1647 netmask 255.255.255.255

where x.x.x.x is the how the dmz server sees the radius server ip address, and y.y.y.y is the acutal ip address of the radius server. The addresses can be the same, depending upon how you have the client configured.

Let me know if this helps.