12-02-2008 09:27 AM - edited 02-21-2020 03:08 AM
I have a PIX 506E and I need to open up port 2122 to accept incoming connections to the internal IP 10.9.2.202. I have posted my config below.
any ideas?
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname ABVALVE
domain-name extechla.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.9.2.202 E1505
name 10.9.2.252 Printer
access-list outside_acl permit tcp any interface outside eq 3389
access-list outside_acl permit tcp any interface outside eq 5001
no pager
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.9.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location E1505 255.255.255.255 inside
pdm location Printer 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 E1505 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5001 Printer 5001 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.9.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.9.2.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address E1505-10.9.2.250 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 200
Cryptochecksum:xxx
: end
12-02-2008 09:33 AM
Simple
static (inside,outside) tcp interface 2122 10.9.2.202 2122 netmask 255.255.255.255
access-list outside_acl permit tcp any interface outside eq 2122
access-group outside_acl in interface outside
12-03-2008 04:56 PM
Danny, were you able to open up the necessary TCP port 2122 you had asked about? Just want to make sure you are OK with the configuration, or if you need more help, just let us know.
Rgds
Jorge
12-04-2008 01:30 AM
I understand
this line:
static (inside,outside) tcp interface 2122 10.9.2.202 2122 netmask 255.255.255.255
and this line:
access-list outside_acl permit tcp any interface outside eq 2122
I don't understand
this line:
access-group outside_acl in interface outside
My confusion is: reading this last line, it looks like you are telling the "access-group outside_acl" to use "interface outside" for all the incoming connections... but the RDP port 3389 and the media port 5001 are working even now without this line?
Elaborate please...
12-04-2008 03:26 PM
When you issue access-group outside_acl in interface outside after the access-list outside_acl permit tcp any interface outside eq 2122, you are applying the newly created line in access list outside_acl to the outside interface. If you don't apply it, the outside interface most likely will not allow TCP 2122 towards the NATted address.
3389 and 5001 are working because at some point in time the outside_acl access list for those ports was also applied to the outside interface in the same fashion.
Rgds
Jorge
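As an added illustration of the point Jorge makes above (this is not code from the thread or from Cisco): a small Python audit that reads PIX 6.3 static, access-list and access-group lines and reports which port forwards are actually reachable from outside, which statics have no matching permit, and which permits sit in an ACL that was never bound with access-group and therefore have no effect. The sample config is constructed from the poster's lines; the second ACL name new_acl is hypothetical and exists only to show the unbound case.

```python
import re
from typing import Dict, List, Tuple

# Constructed PIX 6.3 fragment: the poster's two statics plus the suggested 2122
# forward, whose permit (in this sample) lives in a hypothetical ACL "new_acl"
# that is never applied with access-group, so it does nothing.
SAMPLE_CONFIG = """\
name 10.9.2.202 E1505
name 10.9.2.252 Printer
access-list outside_acl permit tcp any interface outside eq 3389
access-list outside_acl permit tcp any interface outside eq 5001
access-list new_acl permit tcp any interface outside eq 2122
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 E1505 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5001 Printer 5001 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2122 10.9.2.202 2122 netmask 255.255.255.255
access-group outside_acl in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any interface (\w+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def audit_port_forwards(config: str) -> Dict[str, List[str]]:
    """Return findings: forwards reachable from outside, statics without a
    permit, and permits whose ACL is not bound inbound on that interface."""
    bound: Dict[str, str] = {}                 # interface -> ACL applied inbound
    statics: List[Tuple[str, str, str]] = []   # (outside iface, port, inside host)
    permits: List[Tuple[str, str, str]] = []   # (acl name, iface, port)
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append((m.group(2), m.group(3), m.group(4)))
        elif m := ACL_RE.match(line):
            permits.append(m.groups())
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)     # PIX 6.3: one inbound ACL per interface
    findings: Dict[str, List[str]] = {
        "reachable": [], "static_without_permit": [], "unbound_permit": []}
    for acl, iface, port in permits:
        if bound.get(iface) != acl:
            findings["unbound_permit"].append(f"{acl} eq {port} (not applied on {iface})")
    for iface, port, host in statics:
        # A static is only reachable when a permit for that port sits in the
        # ACL actually bound inbound on the same interface.
        if any(i == iface and p == port and bound.get(i) == a for a, i, p in permits):
            findings["reachable"].append(f"tcp/{port} -> {host}")
        else:
            findings["static_without_permit"].append(f"tcp/{port} -> {host}")
    return findings
```

Hostnames from name aliases (E1505, Printer) are reported as written in the static line; the audit does not resolve them.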