05-19-2011 11:46 AM - edited 03-11-2019 01:35 PM
Hello Folks,
I got a request to open up ports on the firewall for three hosts accessing externally. I am new to security. Please help me in configuring the ports on the firewall, a Cisco PIX 515.
Following is the example of one host:
1) ---- video1.xx.com ---> 10.1.1.1 ------ internal ports TCP/UDP (5060/6060), RTP (50000-60000) TCP8080
----> 63.200.215.50 ------- External ports TCP/UDP (5060/6060), RTP (50000-60000) TCP8080
I thought of the following steps:
static (inside,outside) 63.200.215.50 10.1.1.1 netmask 255.255.255.255 0 0
!
access-list outside permit tcp any host 63.200.215.50 eq 4060
access-list outside permit udp any host 63.200.215.50 eq 4060
access-list outside permit tcp any host 63.200.215.50 eq 5060
access-list outside permit udp any host 63.200.215.50 eq 5060
access-list outside permit tcp any host 63.200.215.50 eq 8080
!
Can someone validate the above config and whether this will work? Moreover, I want to know how to give the range for the protocol RTP (50000-60000).
Will the fixup protocol be able to do something with the RTP range?
Currently I am seeing the fixup protocol in PIX is:
fw01# sh fixup
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
Any help or guide would be greatly appreciated.
Thanks
Ahmed
05-19-2011 12:19 PM
Hi Habib,
I did check the command ref again, and in PIX 6.3 you do have the range option in ACL:
http://www.cisco.com/en/US/customer/docs/security/pix/pix63/command/reference/ab.html#wp1067755
The syntax would be
access-list test extended permit ip any any range 50000 60000
Let me know if this works.
Thanks,
Varun
05-19-2011 11:55 AM
Hi Habeeb,
The config looks fine, but I am not sure what PIX software version you are using. Nevertheless, here are the config guides; kindly select yours and check whether it has the range option after the ACL command, because this command depends on the version of software that you use.
http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/prod_command_reference_list.html
Thanks,
Varun
05-19-2011 12:11 PM
Hi Varun,
Thanks for your quick help.
The software version running on the PIX is 6.3(5)114.
I checked through the given link for the 6.3 version, but I am unable to find the range option to give the RTP ports in the ACL rule.
I even tried to give fixup protocol rtp 50000-60000, but get an error saying bad protocol.
Is any other way you can suggest?
Thanks
-Ahmed
05-19-2011 12:51 PM
If the application for SIP is RFC compliant, you shouldn't need to open those ports.
Mike
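As an added example (not from the original post or from any of the replies), here is how the per-host rule set from the question could be written on PIX 6.3 using the range operator Varun points to, with the inbound source narrowed to the three external peers instead of any, which is the least-privilege form of what the question asks for. The peer addresses (198.51.100.10-12) and the object-group name are placeholders, not values from the thread; the static, the public/private addresses and the port numbers (5060/6060, RTP 50000-60000, 8080) come from the question's stated requirement. Two things worth checking against the original post: its ACL permits 4060 while the requirement text says 6060, and the range operator only matches ports for tcp or udp, so the RTP line uses udp rather than ip. The object-group and access-group commands are assumed to be available on this release (both are standard PIX 6.x syntax) but are not shown anywhere in the thread.

```cisco
! One-to-one static for the first host, as in the question
static (inside,outside) 63.200.215.50 10.1.1.1 netmask 255.255.255.255 0 0
!
! The three external peers that are allowed in (placeholder addresses)
object-group network sip-peers
  network-object host 198.51.100.10
  network-object host 198.51.100.11
  network-object host 198.51.100.12
!
! Signalling and the 8080 service, from the three peers only
access-list outside permit tcp object-group sip-peers host 63.200.215.50 eq 5060
access-list outside permit udp object-group sip-peers host 63.200.215.50 eq 5060
access-list outside permit tcp object-group sip-peers host 63.200.215.50 eq 6060
access-list outside permit udp object-group sip-peers host 63.200.215.50 eq 6060
access-list outside permit tcp object-group sip-peers host 63.200.215.50 eq 8080
!
! RTP media: the part the question could not find. 'range' is a port
! operator, so the protocol must be udp (or tcp), not ip.
access-list outside permit udp object-group sip-peers host 63.200.215.50 range 50000 60000
!
! An ACL does nothing until it is bound to the interface
access-group outside in interface outside
```

With `fixup protocol sip 5060` already enabled (it appears in the `sh fixup` output above), the PIX inspects the SIP signalling and opens the negotiated RTP ports per call on its own, which is the point Mike makes; the static 50000-60000 line is only needed for an endpoint that does not negotiate its media ports through SIP, and it can be removed once the peers are confirmed to work without it.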