Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
604
Views
0
Helpful
1
Replies

Port 9999 through PIX

upuli.jayasuriya
Level 1
Level 1

‎12-12-2005 03:32 PM - edited ‎02-21-2020 12:35 AM

One of our site offices have a PIX 506E firewall and connectivity through the PIX is all well, except for port 9999.

The access-list applied on outside interface (inbound) is below.

access-list acl_out line 1 permit icmp any any (hitcnt=5)

access-list acl_out line 2 deny ip 192.168.0.0 255.255.0.0 any (hitcnt=0)

access-list acl_out line 3 permit ip any host 10.0.16.11 (hitcnt=163)

access-list acl_out line 4 permit tcp any host 10.0.16.230 eq 9999 (hitcnt=0)

access-list acl_out line 5 permit ip any host 10.0.16.156 (hitcnt=2)

We need to allow telnet to 10.0.16.230 on port 9999. WHen tried, the hit counter goes up but the PC returns the following message.

C:\>telnet 10.0.16.230 9999

Connecting To 10.0.16.230...Could not open connection to the host, on port 9999: Connect failed

However, if tried to telnet on 9999 internally it works fine.

Can anyone see anything that i am doing wrong. Is there any fixup protocols associated that I may need to disable to get this working.

Many Thanks.

0 Helpful
1 Reply 1

gfullage
Cisco Employee
Cisco Employee

‎12-12-2005 05:06 PM

You also need a static command for that host, since this traffic is from lower->higher interfaces.

You cna also run the "capture" command on both the inside and outside interfaces to see the traffic and make sure it's 1) getting through the PIX and 2) getting a reply back from the inside host. The "capture" command is detailed here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1053548

You can define two different ACL's, one for traffic hitting the outside int to/from the PC you're telneting from, and one for traffic hitting the inside int to/from the 10.0.16.230 server. Then run two capture commands, one specifying the first ACL and assigned to the outside int, the other specifying the second ACL and assigned to the inside int. Then after it fails check both captures and you should see the whoel SYN/SYN-ACK/ACK handshake go back and forth. You'll also be able to see where it is failing, and whether it's the inside host or the PIX at fault.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card