12-02-2011 05:09 AM - edited 03-11-2019 02:58 PM
Hi All
I need to check that ports 443 and 8443 are open on my DMZ VLAN IP address 10.1.24.30.
Please could someone post the commands I need to use whilst using telnet to access my firewall?
Many Thanks
Kevin Lee
12-02-2011 05:15 AM
Hi Kevin,
You can use the following commands on the CLI:
show run access-list | in eq 443
show run access-list | in eq 8443
This should tell you if you have any access-list which allows these ports. Moreover, you can also check:
show run static
To see if you have any translation for the traffic or not.
Hope that helps.
Thanks,
Varun
12-02-2011 05:39 AM
Thanks for the response.
When I type show run access-list | in eq 443 and press enter I get nothing, it just goes to the next line.
Does this mean the ports are blocked?
12-02-2011 05:45 AM
Hi Kevin,
Can you provide me the output of "show run access-group"?
In general, if you do not get any output it means that the port is not open. Moreover, you can also search by IP address; let's say you want to open the port for IP address 1.1.1.1, then search:
show run access-list | in 1.1.1.1
It will tell you if there are any ports open for the IP.
Thanks,
Varun
12-02-2011 06:08 AM
Here is the output from the command show run access-group:
User Access Verification
Password:
Type help or '?' for a list of available commands.
uk-000-pix-01> ena
Password: ***********
uk-000-pix-01# show run access-group
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DFtm/2Q.o6oMVwUh encrypted
passwd DFtm/2Q.o6oMVwUh encrypted
hostname uk-000-pix-01
domain-name uca.co.uk
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.1.24.5 uk-000-exch-003
name 10.1.24.6 uk-000-mm-001
name 10.1.24.7 uk-000-mm-002
name 10.1.24.8 uk-000-web-001
name 10.1.24.9 uk-000-isa-001
name 10.1.24.10 uk-000-isa-002
name 10.1.10.0 VPNVLAN
name 10.1.8.0 StudentVLAN110
name 10.1.22.0 Internet
name 10.1.4.0 StudentVLAN100
name 10.1.12.0 StudentVLAN120
name 10.0.0.0 ServerVlan20
name 10.1.6.0 StudentVLAN105
name 10.1.20.0 ServiceVLAN
name 10.1.2.0 VLAN2NotUsed
name 10.1.24.0 DMZVLAN60
name 10.1.36.0 PIXVLAN500
name 10.1.28.0 TelephonyVLAN80
name 10.1.24.41 uk-000-ras-001
name 10.1.24.29 uk-000-web-003
name 10.1.24.30 uk-000-cmis-004
name 10.1.14.0 THINCLIENT125
name 10.0.4.0 StudentVlan130
name 10.0.6.0 MacVlan25
object-group service FirstClass tcp
description Required for Mike Griffiths FirstClass MLE Client
port-object eq 510
access-list in permit ip host 10.1.9.4 any
access-list in permit tcp StudentVLAN105 255.255.254.0 any eq 1394
access-list in remark MacVLAN25 Outbound
access-list in permit ip MacVlan25 255.255.254.0 any
access-list in remark ServerVLAN20 out
access-list in permit ip ServerVlan20 255.255.254.0 any
access-list in remark DMZVLAN60 out
access-list in permit ip DMZVLAN60 255.255.254.0 any
access-list in remark Internal PIX VLAN500 out
access-list in permit ip PIXVLAN500 255.255.254.0 any
access-list in permit ip VLAN2NotUsed 255.255.254.0 any
access-list in remark Cisco Telephoney VLAN80 out
access-list in permit ip TelephonyVLAN80 255.255.254.0 any
access-list in remark Block Everything else
access-list in deny ip any any
access-list out permit ip any host 10.1.9.4
access-list out remark OWA Access
access-list out permit tcp any host 10.51.144.22 eq https
access-list out remark Inbound Email
access-list out permit tcp any host 10.51.144.24 eq smtp
access-list out remark Inbound Email
access-list out permit tcp any host 10.51.144.23 eq smtp
access-list out remark PPTP VPN access to W2000 RAS server
access-list out permit tcp any host 10.51.144.41 eq pptp
access-list out remark PPTP VPN access to W2000 RAS server
access-list out permit gre any host 10.51.144.41
access-list out remark Sharepoint Intranet
access-list out permit tcp any host 10.51.144.29 eq www
access-list out remark Sharepoint Intranet
access-list out permit tcp any host 10.51.144.29 eq https
access-list out remark Electronic Registration
access-list out permit tcp any host 10.51.144.30 eq www
access-list out remark Electronic Registration
access-list out permit tcp any host 10.51.144.30 eq https
access-list out remark Testing
access-list out permit icmp any any echo-reply
access-list out remark Testing
access-list out permit icmp any any echo
access-list out remark Testing
access-list out permit icmp any any unreachable
access-list out remark Testing
access-list out permit icmp any any time-exceeded
access-list out remark Testing
access-list out permit icmp any any source-quench
access-list out permit tcp any host 10.51.144.28 eq 3389
access-list out remark HTTP to 10.51.144.31
access-list out permit tcp any host 10.51.144.31 eq www
access-list out remark RDP to 10.51.144.31
access-list out permit tcp any host 10.51.144.31 eq 3389
access-list out remark Inbound to MacVLAN25
access-list inside_outbound_nat0_acl permit ip any PIXVLAN500 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any PIXVLAN500 255.255.255.192
pager lines 24
logging on
logging timestamp
logging buffered debugging
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 10.51.144.21 255.255.240.0
ip address inside 10.1.36.4 255.255.254.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool supportpool 10.1.36.30-10.1.36.40
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 10.51.144.40
failover ip address inside 10.1.36.5
pdm location 10.1.36.20 255.255.255.255 inside
pdm location 10.1.36.30 255.255.255.255 inside
pdm location ServerVlan20 255.255.254.0 inside
pdm location VLAN2NotUsed 255.255.254.0 inside
pdm location StudentVLAN100 255.255.254.0 inside
pdm location StudentVLAN105 255.255.254.0 inside
pdm location StudentVLAN110 255.255.254.0 inside
pdm location VPNVLAN 255.255.254.0 inside
pdm location StudentVLAN120 255.255.254.0 inside
pdm location ServiceVLAN 255.255.254.0 inside
pdm location Internet 255.255.254.0 inside
pdm location uk-000-exch-003 255.255.255.255 inside
pdm location uk-000-mm-001 255.255.255.255 inside
pdm location uk-000-mm-002 255.255.255.255 inside
pdm location uk-000-web-001 255.255.255.255 inside
pdm location uk-000-isa-001 255.255.255.255 inside
pdm location uk-000-isa-002 255.255.255.255 inside
pdm location 10.1.24.28 255.255.255.255 inside
pdm location uk-000-web-003 255.255.255.255 inside
pdm location uk-000-cmis-004 255.255.255.255 inside
pdm location 10.1.24.31 255.255.255.255 inside
pdm location 10.1.24.32 255.255.255.255 inside
pdm location 10.1.24.33 255.255.255.255 inside
pdm location 10.1.24.34 255.255.255.255 inside
pdm location 10.1.24.35 255.255.255.255 inside
pdm location 10.1.24.36 255.255.255.255 inside
pdm location 10.1.24.37 255.255.255.255 inside
pdm location 10.1.24.38 255.255.255.255 inside
pdm location 10.1.24.39 255.255.255.255 inside
pdm location uk-000-ras-001 255.255.255.255 inside
pdm location DMZVLAN60 255.255.254.0 inside
pdm location 10.1.26.0 255.255.254.0 inside
pdm location TelephonyVLAN80 255.255.254.0 inside
pdm location 10.1.30.0 255.255.254.0 inside
pdm location THINCLIENT125 255.255.254.0 inside
pdm location StudentVlan130 255.255.254.0 inside
pdm location MacVlan25 255.255.254.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.51.144.23 uk-000-mm-001 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.22 uk-000-exch-003 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.24 uk-000-mm-002 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.26 uk-000-web-001 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.25 uk-000-isa-001 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.27 uk-000-isa-002 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.28 10.1.24.28 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.29 uk-000-web-003 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.30 uk-000-cmis-004 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.31 10.1.24.31 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.32 10.1.24.32 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.33 10.1.24.33 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.34 10.1.24.34 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.35 10.1.24.35 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.36 10.1.24.36 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.37 10.1.24.37 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.38 10.1.24.38 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.39 10.1.24.39 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.41 uk-000-ras-001 netmask 255.255.255.255 0 0
access-group out in interface outside
access-group in in interface inside
route outside 0.0.0.0 0.0.0.0 10.51.144.1 1
route inside ServerVlan20 255.255.254.0 10.1.36.1 1
route inside 10.0.2.0 255.255.254.0 10.1.36.1 1
route inside StudentVlan130 255.255.254.0 10.1.36.1 1
route inside MacVlan25 255.255.254.0 10.1.36.1 1
route inside VLAN2NotUsed 255.255.254.0 10.1.36.1 1
route inside StudentVLAN100 255.255.254.0 10.1.36.1 1
route inside StudentVLAN105 255.255.254.0 10.1.36.1 1
route inside StudentVLAN110 255.255.254.0 10.1.36.1 1
route inside VPNVLAN 255.255.254.0 10.1.36.1 1
route inside StudentVLAN120 255.255.254.0 10.1.36.1 1
route inside THINCLIENT125 255.255.254.0 10.1.36.1 1
route inside ServiceVLAN 255.255.254.0 10.1.36.1 1
route inside Internet 255.255.254.0 10.1.36.1 1
route inside DMZVLAN60 255.255.254.0 10.1.36.1 1
route inside 10.1.26.0 255.255.254.0 10.1.36.1 1
route inside TelephonyVLAN80 255.255.254.0 10.1.36.1 1
route inside 10.1.30.0 255.255.254.0 10.1.36.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.36.20 255.255.255.255 inside
http ServerVlan20 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server community r34dm3
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup support address-pool supportpool
vpngroup support idle-time 1800
vpngroup support password ********
telnet ServiceVLAN 255.255.254.0 inside
telnet PIXVLAN500 255.255.254.0 inside
telnet ServerVlan20 255.255.254.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:57f956c09b7730949707861f66ba5570
: end
uk-000-pix-01#
12-02-2011 06:18 AM
For what IP address do you want to open the ports? In your config:
access-list out permit ip any host 10.1.9.4
access-list out remark OWA Access
access-list out permit tcp any host 10.51.144.22 eq https
access-list out remark Inbound Email
access-list out permit tcp any host 10.51.144.24 eq smtp
access-list out remark Inbound Email
access-list out permit tcp any host 10.51.144.23 eq smtp
access-list out remark PPTP VPN access to W2000 RAS server
access-list out permit tcp any host 10.51.144.41 eq pptp
access-list out remark PPTP VPN access to W2000 RAS server
access-list out permit gre any host 10.51.144.41
access-list out remark Sharepoint Intranet
access-list out permit tcp any host 10.51.144.29 eq www
access-list out remark Sharepoint Intranet
access-list out permit tcp any host 10.51.144.29 eq https
access-list out remark Electronic Registration
access-list out permit tcp any host 10.51.144.30 eq www
access-list out remark Electronic Registration
access-list out permit tcp any host 10.51.144.30 eq https
access-list out remark Testing
access-list out permit icmp any any echo-reply
access-list out remark Testing
access-list out permit icmp any any echo
access-list out remark Testing
access-list out permit icmp any any unreachable
access-list out remark Testing
access-list out permit icmp any any time-exceeded
access-list out remark Testing
access-list out permit icmp any any source-quench
access-list out permit tcp any host 10.51.144.28 eq 3389
access-list out remark HTTP to 10.51.144.31
access-list out permit tcp any host 10.51.144.31 eq www
access-list out remark RDP to 10.51.144.31
access-list out permit tcp any host 10.51.144.31 eq 3389
access-list out remark Inbound to MacVLAN25
I can see 443 is open for 10.51.144.30, 10.51.144.29, 10.51.144.22 and 10.1.9.4.
Are these the IPs for which you want to open the ports?
Thanks,
Varun
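Added example (not from the thread or from Cisco): a small Python audit helper that answers the question above from the posted config, following name -> static -> outside ACL, since a PIX 6.3 ACL on the outside interface matches the translated (global) address of the static rather than the inside address. The embedded excerpt is constructed from the config posted in this thread, and only single-host "permit ... eq" entries with source "any" are parsed.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted above: name -> static -> outside ACL.
PIX_CONFIG = """\
name 10.1.24.29 uk-000-web-003
name 10.1.24.30 uk-000-cmis-004
static (inside,outside) 10.51.144.29 uk-000-web-003 netmask 255.255.255.255 0 0
static (inside,outside) 10.51.144.30 uk-000-cmis-004 netmask 255.255.255.255 0 0
access-list out permit tcp any host 10.51.144.29 eq www
access-list out permit tcp any host 10.51.144.29 eq https
access-list out permit tcp any host 10.51.144.30 eq www
access-list out permit tcp any host 10.51.144.30 eq https
access-list out permit tcp any host 10.51.144.28 eq 3389
access-group out in interface outside
"""

# Service keywords the PIX prints in place of port numbers (subset).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pptp": 1723, "telnet": 23, "ssh": 22}

def parse_pix(config):
    """Return (names, statics, aces): names maps alias -> IP, statics maps
    inside (real) IP -> outside (global) IP, aces is a list of
    (acl, proto, dst_ip, port) for single-host 'permit ... any host X eq P' entries."""
    names, statics, aces = {}, {}, []
    for line in config.splitlines():
        m = re.match(r"name (\S+) (\S+)$", line)
        if m:
            names[m.group(2)] = m.group(1)
            continue
        m = re.match(r"static \(inside,outside\) (\S+) (\S+) ", line)
        if m:  # 'static (inside,outside) <global> <local>': key by the real address
            statics[names.get(m.group(2), m.group(2))] = m.group(1)
            continue
        m = re.match(r"access-list (\S+) permit (\S+) \S+ host (\S+) eq (\S+)$", line)
        if m:
            acl, proto, dst, port = m.groups()
            aces.append((acl, proto, names.get(dst, dst), PORT_NAMES.get(port) or int(port)))
    return names, statics, aces

def open_ports(config, inside_ip, proto="tcp", acl="out"):
    """Ports the outside ACL permits to an inside host, resolved through its static.
    A PIX 6.3 outside ACL matches the translated (global) address, not the 10.1.x.x one."""
    _, statics, aces = parse_pix(config)
    global_ip = statics.get(inside_ip)
    if global_ip is None:
        return set()  # no static translation: nothing inbound can reach the host
    return {p for a, pr, d, p in aces if a == acl and pr == proto and d == global_ip}
```

Running open_ports(PIX_CONFIG, "10.1.24.30") on the excerpt reports 80 and 443 (via 10.51.144.30) and not 8443, which matches what the ACL output above shows.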
12-02-2011 06:23 AM
I want to open it for internal IP address 10.1.24.30.
Thanks for your help.
kev
12-02-2011 06:30 AM
You would need these commands then:
access-list out permit tcp any host 10.1.24.30 eq 443
access-list out permit tcp any host 10.1.24.30 eq 8443
That's all you need.
Hope that helps.
Thanks,
Varun
12-02-2011 06:39 AM
Thanks, but those commands didn't work; when I type them I get "type help or ? for a list of available commands".
12-02-2011 06:41 AM
Can you send a screenshot of it? The commands are correct, you just need to make sure you are in the config terminal to issue the commands.
Thanks,
Varun
12-02-2011 06:54 AM
Hi Varun,
I redid those commands in configure mode and I think it worked, because when I did it a second time (I forgot to send to the output file) I get this:
User Access Verification
Password:
Password:
Type help or '?' for a list of available commands.
uk-000-pix-01> enable
Password: ***********
uk-000-pix-01# configure termial
Usage: configure terminal
uk-000-pix-01# configure terminal
uk-000-pix-01(config)# access-list out permit tcp any host 10.1.24.30 eq 443
ACE not added. Possible duplicate entry
Has that port been allowed successfully now?
Thanks
kev
12-02-2011 07:29 AM
Do "show access-list out" and check if you see any access-list already added; you can also add the access-list for port 8443.
Thanks,
Varun
12-02-2011 07:17 PM
Varun,
A number of the rules are there:
access-list out remark Electronic Registration
access-list out permit tcp any host 10.51.144.30 eq www
access-list out remark Electronic Registration
access-list out permit tcp any host 10.51.144.30 eq https
I would advise that you run a "show access-list out"; this will give you a full output of all the ACEs for your perusal. If you wish to add the rule then you can either add it at the top, the bottom, or wherever you wish. The command you need is:
access-list out line x permit tcp any host 10.51.144.30 eq 8443
where x is the line number of the ACE at which you wish to insert it. However, I would recommend that you create a group "tcp_web" with the ports 80, 443 and 8443 and then apply the ACL against the object group.
Ju