Showing results for 
Search instead for 
Did you mean: 

HummingBird Xceed Client


Dear All,

Currently I have a PIX 515E. The users are connected to the inside interface and there are a few public servers connected to the external (outside) interface.

The users use HummingBird Xceed client to control these servers..

However for some reason the PIX firewall stops these connections..

Would appreciate if anyone could help with the rulebase for the same

Thanks in advance

Warm Regards


2 Replies 2

Cisco Employee
Cisco Employee

X-Windows usually starts another connection from server to client, which is being blocked by the PIX. Usually this connection is on port 6000 or the like.

Read up on the "established" command (and the XDMCP part specifically) to allow these connections to come back in:

If you want to be sure that this is the problem, enable logging on the PIX, then start an outbound connection, the logs should show this outbound connection being built, then a different inbound connection being denied straight away. This deny log message will tell you the destination port that you need to allow back in, but it'll probably be in the 6000 range.

There are also problems around NAT as well as the server (X Client) sometimes needs a export DISPLAY=x.x.x.x, with x.x.x.x being the NAT'd IP address.

One of the best ways we've found for using X through firewalls and NAT is to use SSH and tunnel the X sessions. This works well and is far more secure. Every SSH Client I've used has a tick box option to enable this, and quite often you have to enable the X Windows option on your SSH server daemon configuration.

PuTTY is freely available if SSH client costs are a problem, but make sure you get the latest version.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers