08-06-2004 06:08 AM - edited 03-09-2019 08:20 AM
Dear All,
Currently I have a PIX 515E. The users are connected to the inside interface and there are a few public servers connected to the external (outside) interface.
The users use the HummingBird Xceed client to control these servers.
However, for some reason the PIX firewall stops these connections.
Would appreciate it if anyone could help with the rulebase for this.
Thanks in advance
Warm Regards
Rohit
08-08-2004 05:27 PM
X-Windows usually starts another connection from server to client, which is being blocked by the PIX. Usually this connection is on port 6000 or the like.
Read up on the "established" command (and the XDMCP part specifically) to allow these connections to come back in:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1028903
If you want to be sure that this is the problem, enable logging on the PIX, then start an outbound connection, the logs should show this outbound connection being built, then a different inbound connection being denied straight away. This deny log message will tell you the destination port that you need to allow back in, but it'll probably be in the 6000 range.
08-10-2004 12:04 AM
There are also problems around NAT, as the server (X client) sometimes needs an export DISPLAY=x.x.x.x, with x.x.x.x being the NAT'd IP address.
One of the best ways we've found for using X through firewalls and NAT is to use SSH and tunnel the X sessions. This works well and is far more secure. Every SSH Client I've used has a tick box option to enable this, and quite often you have to enable the X Windows option on your SSH server daemon configuration.
PuTTY is freely available if SSH client costs are a problem, but make sure you get the latest version.
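Two small helpers for the points raised in this thread, added here as an example and not code from the original posts: one derives the X server's listening TCP port (6000 + display number) from a DISPLAY value, which is the inbound port a PIX deny log would show for a non-tunnelled session; the other reads an sshd_config file (path passed as an argument) and reports whether X11 forwarding is on, since sshd uses the first value it finds for a keyword. The sample config is constructed for the demo.

```shell
#!/bin/sh
# Added example, POSIX sh. Not from the original thread.

# x11_port_from_display: given DISPLAY such as "10.1.1.5:0.0" or ":1",
# print the TCP port the X server listens on (6000 + display number).
# This is the reverse connection (server -> client) the PIX blocks.
x11_port_from_display() {
    disp=${1#*:}          # strip the "host:" prefix
    disp=${disp%%.*}      # strip the ".screen" suffix
    case $disp in
        ''|*[!0-9]*) echo "invalid DISPLAY: $1" >&2; return 1 ;;
    esac
    echo $((6000 + disp))
}

# sshd_x11_enabled: print "yes" if the sshd_config file given as $1 turns
# X11Forwarding on, else "no". OpenSSH uses the FIRST occurrence of a
# keyword (outside Match blocks), and the default is no; comment lines
# starting with # never match the pattern.
sshd_x11_enabled() {
    awk 'BEGIN { v = "no" }
         /^[[:space:]]*X11Forwarding[[:space:]]/ && !seen { v = tolower($2); seen = 1 }
         END { print v }' "$1"
}

# Constructed sample sshd_config (a later duplicate must NOT override).
sample=$(mktemp)
cat >"$sample" <<'EOF'
Port 22
# X11Forwarding no   <- commented out, ignored
X11Forwarding yes
X11Forwarding no
EOF

x11_port_from_display "10.1.1.5:0.0"   # 6000
x11_port_from_display ":1"             # 6001
sshd_x11_enabled "$sample"             # yes
rm -f "$sample"
```

With X11Forwarding enabled on the server, connecting with `ssh -X` carries the display traffic inside the existing TCP/22 session, so no inbound 6000-range rule is needed on the PIX.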