cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
657
Views
0
Helpful
5
Replies

Newbie question : Open Ports on Pix 501

antveil99
Level 1
Level 1

How can I open a port on a Pix 501 ? I tried to add a access-list with a port number. After that, I tested it with a port scanner and the port is not open. I thought that adding an access-list will open the port.

Thanks !

5 Replies 5

mostiguy
Level 6
Level 6

Only if you are not using NAT. If you are using NAT or PAT, you will need a static statement to forward the port, or an IP, to the inside host

I am using NAT. Here's the situation : The users connect by VPN and obtains addresses like 10.0.1.x. I need them to access to a server inside the Pix that has a private ip address like 192.168.100.10 on port 19000 let say. For now, I don't have a static statement for the server ip address like

static (inside,outside) Pix_public_ip_address 192.168.100.10 255.255.255.255

Are they making a vpn connection to the pix? If so:

you don't need a static

you want to disable nat between the ip address pools on the inside interface (the server ,etc), and the ip local pool assigned to vpn clients.

SO there is no nat between the server and the vpn clients. The clients should be able to access the server normally. If they cannot, it may be a name resolution issue. Can the clients ping the server by ip address?

The clients connect through the PIX and authenticate themselves on a RAS Server. This RAS Server is the DSN Server as well. When the client is connected the client's ip address of the dns server is the ip address of the RAS Server. Here's an exemple :

VPN Client ip configuration:

ip address : 10.10.10.1

primary DNS : 192.168.100.5

So the client can ping the primary DNS ip address successfully. It can access ressources on that server. But any other ip addresses are not pingable. I want to give access to a server with ip address like 192.168.100.8 but the clients can't even ping it. I guess the Pix has an access-list that deny ping when the Clients are connected through VPN.

Here is something that I just remembered. If I am connected through the VPN and I want to remotetly control a computer on the lan, I can. I can take control of a computer ( with Remote desktop ) with a ip address of 192.168.100.50, but I don't ping it.

Is it just a ping issue ?

Thanks for your responses !

I just added the configuration in the attachment. Maybe it would be easier to understand.

What I want is that the VPN Client with ip addresses like 10.x.x.x can access a server with ip addresse like 192.168.100.10 on a particuliar port. For now, when I'm connected with VPN I can't ping the server 192.168.100.10. I added an access-list like :

access-list 100 tcp permit 10.10.10.x 255.255.255.0 192.168.100.10 eq port_number

Any ideas ?

Thanks in advance !

Review Cisco Networking for a $25 gift card