How to open a RTP port range 50000 to 60000 in PIX Firewall 515

habeebuddin786
Level 1

Hello Folks,

I got a request to open up ports on the firewall for three hosts accessing externally. I am new to security. Please help me in configuring the ports on the Cisco PIX 515 firewall.

Following is an example of one host:

1) ---- video1.xx.com ---> 10.1.1.1 ------ internal ports TCP/UDP (5060/6060), RTP (50000-60000) TCP8080

                                             ----> 63.200.215.50  ------- External ports TCP/UDP (5060/6060), RTP (50000-60000) TCP8080

I thought of these following step:

static (inside,outside)  63.200.215.50 10.1.1.1 netmask 255.255.255.255 0 0

!

access-list outside permit tcp any host 63.200.215.50 eq 4060

access-list outside permit udp any host 63.200.215.50 eq 4060

access-list outside permit tcp any host 63.200.215.50 eq 5060

access-list outside permit udp any host 63.200.215.50 eq 5060

access-list outside permit tcp any host 63.200.215.50 eq 8080

!

Can someone validate the above config, whether this will work? Moreover, I want to know how to give the range for the RTP protocol (50000-60000).

Will the fixup protocol do something with the RTP range?

Currently I am seeing the fixup protocol in PIX is:

fw01# sh fixup

fixup protocol dns maximum-length 4096

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

Any help or guide would be greatly appreciated.

Thanks

Ahmed


4 Replies

varrao
Level 10

Hi Habeeb,

The config looks fine, but I am not sure what PIX software version you are using. Nevertheless, here are the config guides; kindly select yours and you can check whether it has the range option after the ACL command, because this command depends on the version of software that you use.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/prod_command_reference_list.html

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks for your quick help.

The software version running on the PIX is 6.3(5)114.

I checked through the given link for version 6.3, but I was unable to find the range option to specify the RTP ports in the ACL rule.

I even tried fixup protocol rtp 50000-60000, but I get a "bad protocol" error.

Is any other way you can suggest?

Thanks

-Ahmed

Hi Habib,

I did check the command ref again, and in PIX 6.3 you do have the range option in ACL:

http://www.cisco.com/en/US/customer/docs/security/pix/pix63/command/reference/ab.html#wp1067755

The syntax would be

access-list test extended permit ip any any range 50000 60000

Let me know if this works.

Thanks,

Varun

Thanks,
Varun Rao
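An added example, not from this thread or from Cisco, to sanity-check a PIX 6.3-style ACL before applying it: a small Python evaluator for the subset of access-list syntax used above (permit/deny; tcp, udp or ip; any/host source and destination; eq and range port operators, which the PIX CLI accepts only for tcp and udp). The rule set is the poster's entries plus a UDP range line for RTP, and the probed flows are constructed for illustration.

```python
import ipaddress
import re

# Subset of PIX 6.3 access-list syntax seen in this thread (constructed for illustration):
#   access-list NAME {permit|deny} {tcp|udp|ip} SRC DST [eq PORT | range LOW HIGH]
# where SRC and DST are "any" or "host A.B.C.D".
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp|ip)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<eq>\d+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?\s*$"
)

def parse_ace(line):
    """Parse one access-list entry; raise ValueError where the CLI would reject it."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ACE: {line!r}")
    proto = m["proto"]
    if proto == "ip" and (m["eq"] or m["lo"]):
        # Port operators only apply to tcp/udp; protocol ip carries no port.
        raise ValueError(f"port operator not allowed with protocol ip: {line!r}")
    if m["eq"]:
        ports = (int(m["eq"]), int(m["eq"]))
    elif m["lo"]:
        ports = (int(m["lo"]), int(m["hi"]))
    else:
        ports = (0, 65535)  # no operator: any port
    return {"name": m["name"], "action": m["action"], "proto": proto,
            "src": m["src"].split()[-1], "dst": m["dst"].split()[-1], "ports": ports}

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(addr)

def evaluate(aces, proto, src, dst, dport):
    """First-match evaluation with the PIX implicit deny at the end of the list."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            continue
        lo, hi = ace["ports"]
        if lo <= dport <= hi:
            return ace["action"] == "permit"
    return False  # implicit deny

# Constructed rule set: the poster's entries plus a UDP range line for RTP.
RULES = [parse_ace(l) for l in """
access-list outside permit tcp any host 63.200.215.50 eq 5060
access-list outside permit udp any host 63.200.215.50 eq 5060
access-list outside permit tcp any host 63.200.215.50 eq 8080
access-list outside permit udp any host 63.200.215.50 range 50000 60000
""".strip().splitlines()]
```

With these rules, UDP 55000 to the static address is permitted, UDP 60001 and TCP 55000 hit the implicit deny, and a range operator on protocol ip is rejected at parse time.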

Maykol Rojas
Cisco Employee

If the SIP application is RFC compliant, you shouldn't need to open those ports.

Mike
