01-11-2007 07:19 AM - edited 03-11-2019 02:18 AM
Hello,
We want to allow inbound access on ports 8889 and 12124. We have a Cisco PIX 515E.
We succeeded in allowing inbound access on port 22 by creating a static route, an access-group and an access-list.
We created the same things for ports 8889 and 12124, but it doesn't work.
Could you help us?
Thanks in advance.
Accepted Solutions
01-11-2007 07:26 AM
Hi Jessy
Are the ports on the same server as the SSH access?
When you say a static route, what exactly do you mean? If you were going from outside to in, you would need to create static NAT entries for the servers on the inside of the pix as well as allowing them through on an access-list.
Could you send a copy of the config with any sensitive bits removed?
Jon
01-11-2007 07:43 AM
Hi Jon,
The ports are on the same server as the SSH access.
I'm sending you a copy of our config.
Thanks.
01-12-2007 12:16 AM
Hi Jessy
Can't see a lot wrong with this. Whenever I have done port forwarding I usually have the access-list referencing the actual host address rather than the "interface outside" statement you have used, but that's about it.
i.e.
access-list outside_access_in permit tcp any host x.x.x.x eq 8889 etc., where host is your pix outside interface address.
Have you done a debug on the inside interface to see if packets are being sent to and received back from 192.168.10.18? i.e.
debug packet inside dst 192.168.10.18
debug packet inside src 192.168.10.18
HTH
01-12-2007 03:11 AM
Hi Jon,
When we reference our outside interface address rather than "interface outside", the PIX automatically changes the statement to "interface outside".
We have done a debug packet for ports 12124 and 22.
We must permit inbound access on these ports for an external company, which tells us that the request used on these ports is an HTTP request. Does this change anything?
I hope that you understand me well, because I'm French and it isn't easy for me to explain my problem to you exactly ;).
Thanks.
Jessy
01-12-2007 04:28 AM
Hi Jessy
Had a quick look at the debugs. In the 12124 debug, 192.168.10.18 is sending back an ack/rst to the external host.
Can you connect to this port internally? How do you do that? Is it with a specific piece of software, or do you use a web browser with a URL and port number, e.g.
Jon
01-15-2007 12:26 AM
Hi Jon,
It must be a specific piece of software. We didn't get an accurate answer from the company.
But I think that we must permit outbound traffic on ports 12124 and 8889 for the host 192.168.10.18. Isn't it?
Thanks.
Jessy
01-15-2007 01:51 AM
Jessy
In the vast majority of cases you shouldn't have to open up the ports both ways, as the pix is a stateful firewall: if you allow access in, then the return traffic should be allowed.
I think it's important to check if you can access the servers on those ports internally, to make sure that it is not an application problem.
Jon
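For reference, here is the inbound rule set Jon describes in this thread (port-level static NAT, access-list, access-group, and no outbound rule for return traffic), written out as an added PIX 6.x configuration fragment that is not part of the thread; it takes 192.168.10.18 and the outside_access_in list name from the posts above, and uses "any" as a placeholder source because the external company's address is not given.

```cisco
! Port-level statics: only TCP 22, 8889 and 12124 on the outside interface
! address are forwarded to 192.168.10.18; no full one-to-one NAT is required.
static (inside,outside) tcp interface 22 192.168.10.18 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8889 192.168.10.18 8889 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 12124 192.168.10.18 12124 netmask 255.255.255.255 0 0
!
! Inbound ACL. "any" is a placeholder: replace it with the external
! company's address (host x.x.x.x) for a least-privilege rule.
access-list outside_access_in permit tcp any interface outside eq 22
access-list outside_access_in permit tcp any interface outside eq 8889
access-list outside_access_in permit tcp any interface outside eq 12124
!
! Bind the ACL inbound on the outside interface; everything not listed
! falls through to the implicit deny at the end of the list.
access-group outside_access_in in interface outside
!
! No matching outbound rule is needed for the replies: the PIX is stateful,
! so once an inbound connection is accepted its return traffic is permitted
! automatically (visible in the connection table with "show conn").
```

If the inside host still answers with an RST, as in the 12124 debug above, the firewall rules are not the cause and the service on 192.168.10.18 is not listening on that port.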
01-17-2007 02:34 AM
Hi Jon,
I just want to tell you that it's OK....
We couldn't access the server on those ports internally.... The external company had to open those ports... We have had several contacts who did not agree.
We had to permit return traffic on those ports too.
Thanks for your help.
Jessy
01-17-2007 02:43 AM
Hi Jessy
Glad you got it sorted in the end
Jon
