09-16-2010 01:54 AM - edited 03-11-2019 11:41 AM
Hi, I need to open a port on a PIX 515.
Please can someone explain what I should be entering including the commands.
For the purposes of the explanation (so I can understand it) I've given the different elements the following IPs
Port = PPPPP
Destination IP that the machines on my network will be contacting: XXX.XXX.XXX.XXX
The workstation on my network YYY.YYY.YYY.YYY
PIX IP: ZZZ.ZZZ.ZZZ.ZZZ
I have logged onto the PIX via Hyperterminal.
Thanks for your help.
09-16-2010 07:57 AM
Are you seeing hits on the rule in your acl applied to the inside interface ?
How does the software work? i.e. is it a normal client/server app or does it do something funny like try to initiate a connection back to your clients?
Have you spoken to the company hosting the software to see if they can see requests coming from your public IP ?
My previous question about general internet access was to make sure NAT is setup correctly. Perhaps you could post the NAT config ?
Jon
09-16-2010 08:17 AM
PIX# show NAT
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 10.10.0.0 255.255.255.0 0 0
PIX(config)# show access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl turbo-configured; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip 10.10.0.0 255.255.255.0 10.10.0.0 255.255.255.0 (hitcnt=110)
Is show NAT the right command?
09-16-2010 08:23 AM
salixcapital wrote:
PIX# show NAT
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 10.10.0.0 255.255.255.0 0 0
PIX(config)# show access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl turbo-configured; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip 10.10.0.0 255.255.255.0 10.10.0.0 255.255.255.0 (hitcnt=110)
Is show NAT the right command?
Yes, as long as you have something like -
global (outside) 1 interface or
global (outside) 1
Jon
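To tie the pieces of this thread together, here is an added example (not configuration from the original poster or from Jon) of what a minimal PIX 6.x config looks like for the scenario described: the posted NAT lines, the matching global that Jon asks about, and an inside ACL that only lets workstation YYY reach XXX on TCP port PPPPP. Placeholder addresses follow the original post; the interface names, the subnet mask on the outside interface and the ACL name inside_access_in are assumptions.

```cisco
! Added example configuration, not from the original post.
! Interface names, security levels and the outside mask are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.0

! Identity NAT for inside-to-DMZ traffic, exactly as posted in the thread.
access-list inside_outbound_nat0_acl permit ip 10.10.0.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl

! Dynamic PAT for everything else: 'nat ... 1' only works when a
! 'global' with the same ID (1) exists on the lower-security interface.
! This is the line Jon is checking for.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 10.10.0.0 255.255.255.0 0 0
global (outside) 1 interface

! Outbound policy. Without an ACL on inside, higher-to-lower security traffic
! is already allowed, so this only matters if you want to restrict it.
! An applied ACL ends in an implicit deny: add permits for the traffic you
! already rely on (web browsing, DNS, ...) BEFORE applying it, or general
! internet access stops.
access-list inside_access_in remark workstation YYY to vendor XXX on PPPPP
access-list inside_access_in permit tcp host YYY.YYY.YYY.YYY host XXX.XXX.XXX.XXX eq PPPPP
access-list inside_access_in permit tcp 10.10.0.0 255.255.255.0 any eq www
access-list inside_access_in permit tcp 10.10.0.0 255.255.255.0 any eq https
access-list inside_access_in permit udp 10.10.0.0 255.255.255.0 any eq domain
access-group inside_access_in in interface inside

! Verification, run after the workstation attempts a connection:
!   show access-list inside_access_in   -> hitcnt on the PPPPP line should rise
!   show xlate                          -> a PAT entry for YYY.YYY.YYY.YYY
!   show conn                           -> a TCP conn to XXX.XXX.XXX.XXX:PPPPP
```

Because the application is assumed to be a normal client/server app that initiates outbound, no static translation or outside ACL is needed; the PIX tracks the return traffic for the connection it saw leave. If, as Jon raises, the vendor's software instead connects back to your clients, that inbound direction would additionally need a static and a permit on the outside interface, which this example deliberately does not include.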
09-16-2010 08:25 AM
so does that look correct in my case?
Will I just post the entire 'write term'?
09-16-2010 08:48 AM
It looks fine. Can your internal users access internet web sites?
Other than that you can run debug on the pix to see if the packet is leaving your pix and if you are receiving anything in return e.g.
debug packet outside dst
debug packet outside src
However be careful with debug. You don't want to run it during peak hours, best to test out of core hours.
Jon