
cisco pix 525

kevleets38re
Level 1

Hi All

I need to check that ports 443 and 8443 are open on my DMZ VLAN IP address 10.1.24.30.

Please could someone post the commands I need to use whilst using telnet to access my firewall?

Many Thanks

Kevin Lee

12 Replies

varrao
Level 10

Hi Kevin,

You can use the following commands on the CLI:

show run access-list | in eq 443

show run access-list | in eq 8443

This should tell you if you have any access-list which allows these ports. Moreover, you can also check:

show run static

To see if you have any translation for the traffic or not.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

thanks for the response

When I type show run access-list | in eq 443 and press enter I get nothing; it just goes to the next line.

Does this mean the ports are blocked?

Hi Kevin,

Can you provide me the output of "show run access-group"

In general, if you do not get any output it means that the port is not open. Moreover, you can also search by IP address. Let's say you want to open the port for IP address 1.1.1.1, then search:

show run access-list | in 1.1.1.1

It will tell you if there are any ports open for the IP.

Thanks,

Varun

Thanks,
Varun Rao

Here is the output from the command show run access-group:

User Access Verification

Password:

Type help or '?' for a list of available commands.

uk-000-pix-01> ena

Password: ***********

uk-000-pix-01# show run access-group

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password DFtm/2Q.o6oMVwUh encrypted

passwd DFtm/2Q.o6oMVwUh encrypted

hostname uk-000-pix-01

domain-name uca.co.uk

clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

names

name 10.1.24.5 uk-000-exch-003

name 10.1.24.6 uk-000-mm-001

name 10.1.24.7 uk-000-mm-002

name 10.1.24.8 uk-000-web-001

name 10.1.24.9 uk-000-isa-001

name 10.1.24.10 uk-000-isa-002

name 10.1.10.0 VPNVLAN

name 10.1.8.0 StudentVLAN110

name 10.1.22.0 Internet

name 10.1.4.0 StudentVLAN100

name 10.1.12.0 StudentVLAN120

name 10.0.0.0 ServerVlan20

name 10.1.6.0 StudentVLAN105

name 10.1.20.0 ServiceVLAN

name 10.1.2.0 VLAN2NotUsed

name 10.1.24.0 DMZVLAN60

name 10.1.36.0 PIXVLAN500

name 10.1.28.0 TelephonyVLAN80

name 10.1.24.41 uk-000-ras-001

name 10.1.24.29 uk-000-web-003

name 10.1.24.30 uk-000-cmis-004

name 10.1.14.0 THINCLIENT125

name 10.0.4.0 StudentVlan130

name 10.0.6.0 MacVlan25

object-group service FirstClass tcp

  description Required for Mike Griffiths FirstClass MLE Client

  port-object eq 510

access-list in permit ip host 10.1.9.4 any

access-list in permit tcp StudentVLAN105 255.255.254.0 any eq 1394

access-list in remark MacVLAN25 Outbound

access-list in permit ip MacVlan25 255.255.254.0 any

access-list in remark ServerVLAN20 out

access-list in permit ip ServerVlan20 255.255.254.0 any

access-list in remark DMZVLAN60 out

access-list in permit ip DMZVLAN60 255.255.254.0 any

access-list in remark Internal PIX VLAN500 out

access-list in permit ip PIXVLAN500 255.255.254.0 any

access-list in permit ip VLAN2NotUsed 255.255.254.0 any

access-list in remark Cisco Telephoney VLAN80 out

access-list in permit ip TelephonyVLAN80 255.255.254.0 any

access-list in remark Block Everything else

access-list in deny ip any any

access-list out permit ip any host 10.1.9.4

access-list out remark OWA Access

access-list out permit tcp any host 10.51.144.22 eq https

access-list out remark Inbound Email

access-list out permit tcp any host 10.51.144.24 eq smtp

access-list out remark Inbound Email

access-list out permit tcp any host 10.51.144.23 eq smtp

access-list out remark PPTP VPN access to W2000 RAS server

access-list out permit tcp any host 10.51.144.41 eq pptp

access-list out remark PPTP VPN access to W2000 RAS server

access-list out permit gre any host 10.51.144.41

access-list out remark Sharepoint Intranet

access-list out permit tcp any host 10.51.144.29 eq www

access-list out remark Sharepoint Intranet

access-list out permit tcp any host 10.51.144.29 eq https

access-list out remark Electronic Registration

access-list out permit tcp any host 10.51.144.30 eq www

access-list out remark Electronic Registration

access-list out permit tcp any host 10.51.144.30 eq https

access-list out remark Testing

access-list out permit icmp any any echo-reply

access-list out remark Testing

access-list out permit icmp any any echo

access-list out remark Testing

access-list out permit icmp any any unreachable

access-list out remark Testing

access-list out permit icmp any any time-exceeded

access-list out remark Testing

access-list out permit icmp any any source-quench

access-list out permit tcp any host 10.51.144.28 eq 3389

access-list out remark HTTP to 10.51.144.31

access-list out permit tcp any host 10.51.144.31 eq www

access-list out remark RDP to 10.51.144.31

access-list out permit tcp any host 10.51.144.31 eq 3389

access-list out remark Inbound to MacVLAN25

access-list inside_outbound_nat0_acl permit ip any PIXVLAN500 255.255.255.192

access-list outside_cryptomap_dyn_20 permit ip any PIXVLAN500 255.255.255.192

pager lines 24

logging on

logging timestamp

logging buffered debugging

icmp permit any outside

mtu outside 1500

mtu inside 1500

ip address outside 10.51.144.21 255.255.240.0

ip address inside 10.1.36.4 255.255.254.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

ip local pool supportpool 10.1.36.30-10.1.36.40

failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 10.51.144.40

failover ip address inside 10.1.36.5

pdm location 10.1.36.20 255.255.255.255 inside

pdm location 10.1.36.30 255.255.255.255 inside

pdm location ServerVlan20 255.255.254.0 inside

pdm location VLAN2NotUsed 255.255.254.0 inside

pdm location StudentVLAN100 255.255.254.0 inside

pdm location StudentVLAN105 255.255.254.0 inside

pdm location StudentVLAN110 255.255.254.0 inside

pdm location VPNVLAN 255.255.254.0 inside

pdm location StudentVLAN120 255.255.254.0 inside

pdm location ServiceVLAN 255.255.254.0 inside

pdm location Internet 255.255.254.0 inside

pdm location uk-000-exch-003 255.255.255.255 inside

pdm location uk-000-mm-001 255.255.255.255 inside

pdm location uk-000-mm-002 255.255.255.255 inside

pdm location uk-000-web-001 255.255.255.255 inside

pdm location uk-000-isa-001 255.255.255.255 inside

pdm location uk-000-isa-002 255.255.255.255 inside

pdm location 10.1.24.28 255.255.255.255 inside

pdm location uk-000-web-003 255.255.255.255 inside

pdm location uk-000-cmis-004 255.255.255.255 inside

pdm location 10.1.24.31 255.255.255.255 inside

pdm location 10.1.24.32 255.255.255.255 inside

pdm location 10.1.24.33 255.255.255.255 inside

pdm location 10.1.24.34 255.255.255.255 inside

pdm location 10.1.24.35 255.255.255.255 inside

pdm location 10.1.24.36 255.255.255.255 inside

pdm location 10.1.24.37 255.255.255.255 inside

pdm location 10.1.24.38 255.255.255.255 inside

pdm location 10.1.24.39 255.255.255.255 inside

pdm location uk-000-ras-001 255.255.255.255 inside

pdm location DMZVLAN60 255.255.254.0 inside

pdm location 10.1.26.0 255.255.254.0 inside

pdm location TelephonyVLAN80 255.255.254.0 inside

pdm location 10.1.30.0 255.255.254.0 inside

pdm location THINCLIENT125 255.255.254.0 inside

pdm location StudentVlan130 255.255.254.0 inside

pdm location MacVlan25 255.255.254.0 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 10.51.144.23 uk-000-mm-001 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.22 uk-000-exch-003 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.24 uk-000-mm-002 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.26 uk-000-web-001 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.25 uk-000-isa-001 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.27 uk-000-isa-002 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.28 10.1.24.28 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.29 uk-000-web-003 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.30 uk-000-cmis-004 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.31 10.1.24.31 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.32 10.1.24.32 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.33 10.1.24.33 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.34 10.1.24.34 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.35 10.1.24.35 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.36 10.1.24.36 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.37 10.1.24.37 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.38 10.1.24.38 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.39 10.1.24.39 netmask 255.255.255.255 0 0

static (inside,outside) 10.51.144.41 uk-000-ras-001 netmask 255.255.255.255 0 0

access-group out in interface outside

access-group in in interface inside

route outside 0.0.0.0 0.0.0.0 10.51.144.1 1

route inside ServerVlan20 255.255.254.0 10.1.36.1 1

route inside 10.0.2.0 255.255.254.0 10.1.36.1 1

route inside StudentVlan130 255.255.254.0 10.1.36.1 1

route inside MacVlan25 255.255.254.0 10.1.36.1 1

route inside VLAN2NotUsed 255.255.254.0 10.1.36.1 1

route inside StudentVLAN100 255.255.254.0 10.1.36.1 1

route inside StudentVLAN105 255.255.254.0 10.1.36.1 1

route inside StudentVLAN110 255.255.254.0 10.1.36.1 1

route inside VPNVLAN 255.255.254.0 10.1.36.1 1

route inside StudentVLAN120 255.255.254.0 10.1.36.1 1

route inside THINCLIENT125 255.255.254.0 10.1.36.1 1

route inside ServiceVLAN 255.255.254.0 10.1.36.1 1

route inside Internet 255.255.254.0 10.1.36.1 1

route inside DMZVLAN60 255.255.254.0 10.1.36.1 1

route inside 10.1.26.0 255.255.254.0 10.1.36.1 1

route inside TelephonyVLAN80 255.255.254.0 10.1.36.1 1

route inside 10.1.30.0 255.255.254.0 10.1.36.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 10.1.36.20 255.255.255.255 inside

http ServerVlan20 255.255.254.0 inside

no snmp-server location

no snmp-server contact

snmp-server community r34dm3

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup support address-pool supportpool

vpngroup support idle-time 1800

vpngroup support password ********

telnet ServiceVLAN 255.255.254.0 inside

telnet PIXVLAN500 255.255.254.0 inside

telnet ServerVlan20 255.255.254.0 inside

telnet timeout 5

ssh timeout 5

management-access inside

console timeout 0

terminal width 80

Cryptochecksum:57f956c09b7730949707861f66ba5570

: end

uk-000-pix-01#

For what IP address do you want to open the ports? In your config:

access-list out permit ip any host 10.1.9.4

access-list out remark OWA Access

access-list out permit tcp any host 10.51.144.22 eq https

access-list out remark Inbound Email

access-list out permit tcp any host 10.51.144.24 eq smtp

access-list out remark Inbound Email

access-list out permit tcp any host 10.51.144.23 eq smtp

access-list out remark PPTP VPN access to W2000 RAS server

access-list out permit tcp any host 10.51.144.41 eq pptp

access-list out remark PPTP VPN access to W2000 RAS server

access-list out permit gre any host 10.51.144.41

access-list out remark Sharepoint Intranet

access-list out permit tcp any host 10.51.144.29 eq www

access-list out remark Sharepoint Intranet

access-list out permit tcp any host 10.51.144.29 eq https

access-list out remark Electronic Registration

access-list out permit tcp any host 10.51.144.30 eq www

access-list out remark Electronic Registration

access-list out permit tcp any host 10.51.144.30 eq https

access-list out remark Testing

access-list out permit icmp any any echo-reply

access-list out remark Testing

access-list out permit icmp any any echo

access-list out remark Testing

access-list out permit icmp any any unreachable

access-list out remark Testing

access-list out permit icmp any any time-exceeded

access-list out remark Testing

access-list out permit icmp any any source-quench

access-list out permit tcp any host 10.51.144.28 eq 3389

access-list out remark HTTP to 10.51.144.31

access-list out permit tcp any host 10.51.144.31 eq www

access-list out remark RDP to 10.51.144.31

access-list out permit tcp any host 10.51.144.31 eq 3389

access-list out remark Inbound to MacVLAN25

I can see 443 is open for 10.51.144.30, 10.51.144.29, 10.51.144.22 and 10.1.9.4.

Are these the IPs for which you want to open the ports?

Thanks,

Varun

Thanks,
Varun Rao
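
The checks in this exchange (grep the access-lists for the port, then look at the statics) can be done in one pass over the saved configuration. The Python script below is an added example, not code from the thread or from Cisco: it joins the name aliases, static translations and access-list entries from the show run output posted above and reports which inside hosts and ports are reachable through the outside interface. It assumes PIX 6.3 semantics, where an ACL applied on the outside interface matches the global (translated) address, so a permit for 10.51.144.30 reaches whichever inside host the static maps to it. SAMPLE_CONFIG is a constructed excerpt of the configuration posted above, and the PORT_NAMES table covers the keywords the PIX prints in place of port numbers, which is also why a grep for "eq 443" finds nothing when the entry is displayed as "eq https".

```python
"""Resolve which inside hosts and ports a PIX 6.3 outside ACL exposes.

Added example; not code from this thread or from Cisco. On PIX 6.3 an ACL
bound to the outside interface matches the global (translated) address, so
a permit for 10.51.144.30 reaches whichever inside host a `static` maps to
that address. This joins the `name` aliases, `static` translations and
`access-list` entries from a `show run` and answers "is port P open from
outside to inside host H?".
"""
from collections import defaultdict

# Port keywords as PIX 6.3 prints them in `show run`; a grep for "eq 443"
# misses an entry the PIX has rendered as "eq https".
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pptp": 1723,
              "ssh": 22, "telnet": 23, "ftp": 21, "domain": 53}

# Constructed sample: an excerpt of the configuration posted in the thread.
SAMPLE_CONFIG = """\
name 10.1.24.29 uk-000-web-003
name 10.1.24.30 uk-000-cmis-004
access-list out permit ip any host 10.1.9.4
access-list out remark Sharepoint Intranet
access-list out permit tcp any host 10.51.144.29 eq www
access-list out permit tcp any host 10.51.144.29 eq https
access-list out remark Electronic Registration
access-list out permit tcp any host 10.51.144.30 eq www
access-list out permit tcp any host 10.51.144.30 eq https
access-list out permit icmp any any echo-reply
access-list out permit tcp any host 10.51.144.31 eq 3389
access-list in permit ip DMZVLAN60 255.255.254.0 any
static (inside,outside) 10.51.144.29 uk-000-web-003 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.30 uk-000-cmis-004 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.31 10.1.24.31 netmask 255.255.255.255 0 0
access-group out in interface outside
access-group in in interface inside
"""


def _addr(tokens, i):
    """Consume one ACE address spec at tokens[i]: any | host X | NET MASK."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2


def parse_config(text):
    """Return (names, statics, aces, bindings) from `show run` text.

    names:    alias -> ip            statics:  global ip -> inside ip
    aces:     list of (acl, tokens)  bindings: acl name -> interface
    """
    names, statics, aces, bindings = {}, {}, [], {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "static":           # static (in,out) GLOBAL LOCAL netmask ...
            statics[t[2]] = names.get(t[3], t[3])
        elif t[0] == "access-list" and t[2] == "permit":
            aces.append((t[1], t[3:]))   # remark lines are skipped
        elif t[0] == "access-group":     # access-group NAME in interface IFACE
            bindings[t[1]] = t[4]
    return names, statics, aces, bindings


def exposed_from_outside(text):
    """Map each inside host to the (proto, port) pairs reachable from outside."""
    names, statics, aces, bindings = parse_config(text)
    reach = defaultdict(set)
    for acl, tok in aces:
        if bindings.get(acl) != "outside":
            continue
        proto = tok[0]
        _, i = _addr(tok, 1)             # source spec (not needed here)
        dst, i = _addr(tok, i)
        if dst == "any" or "/" in dst:   # only host entries are resolved here
            continue
        port = "any"
        if i < len(tok) and tok[i] == "eq":
            raw = tok[i + 1]
            port = PORT_NAMES.get(raw, int(raw) if raw.isdigit() else raw)
        glob = names.get(dst, dst)       # alias -> global address
        reach[statics.get(glob, glob)].add((proto, port))  # global -> inside
    return dict(reach)


def is_open(text, inside_ip, port, proto="tcp"):
    """True if the outside ACL permits proto/port to inside_ip via its static."""
    rules = exposed_from_outside(text).get(inside_ip, set())
    return any(p in ("ip", proto) and prt in ("any", port) for p, prt in rules)


if __name__ == "__main__":
    for host, port in (("10.1.24.30", 443), ("10.1.24.30", 8443)):
        state = "open" if is_open(SAMPLE_CONFIG, host, port) else "closed"
        print(host, port, state)
```

Run against the excerpt, the script reports 443 open to 10.1.24.30 (through the static for 10.51.144.30) and 8443 closed, which is the same conclusion reached by reading the statics and the out access-list by hand. Adding a rule that names the inside address rather than the global one would not be matched by this resolution, because the outside ACL is evaluated against the translated address.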

I want to open it for internal IP address 10.1.24.30.

Thanks for your help.

kev

You would need these commands then:

access-list out permit tcp any host 10.1.24.30 eq 443

access-list out permit tcp any host 10.1.24.30 eq 8443

That's all you need.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

Thanks, but those commands didn't work. When I type them I get "Type help or '?' for a list of available commands".

Can you send a screenshot of it? The commands are correct; you just need to make sure you are in the config terminal to issue the commands.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun

I redid those commands in configure mode and I think it worked, because when I did it a second time (I forgot to send to the output file) I get this:

User Access Verification

Password:

Password:

Type help or '?' for a list of available commands.

uk-000-pix-01> enable

Password: ***********

uk-000-pix-01# configure termial

Usage:  configure terminal

uk-000-pix-01# configure terminal

uk-000-pix-01(config)# access-list out permit tcp any host 10.1.24.30 eq 443

ACE not added. Possible duplicate entry

Has that port been allowed successfully now?

Thanks

kev

Do "show access-list out" and check if you see that the access-list has already been added. You can also add the access-list for port 8443.

Thanks,

Varun

Thanks,
Varun Rao

Varun,

A number of the rules are there.

access-list out remark Electronic Registration

access-list out permit tcp any host 10.51.144.30 eq www

access-list out remark Electronic Registration

access-list out permit tcp any host 10.51.144.30 eq https

I would advise that you run a "show access-list out"; this will give you a full output of all the ACEs for your perusal. If you wish to add the rule then you can either add the rule at the top, the bottom or wheresoever you wish. The command you need is:

access-list out line x permit tcp any host 10.51.144.30 eq 8443

where x is the line number at which you wish to insert the ACE. However, I would recommend that you create a group "tcp_web" with the ports 80, 443 and 8443 and then apply the ACL against the object group.

Ju
