08-05-2004 05:13 AM - edited 03-09-2019 08:19 AM
I have been requested to open UDP ports: 4004, 4005, & 5067.
Plus, TCP port 5066.
How would I do this on a PIX515E?
08-05-2004 05:16 AM
Look for an access-group statement referencing the outside interface. That will tell you what access-list is bound to the outside interface. That is the access-list you need to edit.
If you do not have access-group or access-list statements, you should look for conduit statements.
What application are those ports for?
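The lookup described in the reply above, as an added example that is not part of the original thread: a short Python script that finds the access-list bound inbound to the outside interface in a saved PIX configuration, falls back to listing conduit statements, and reports which of the requested ports have no exact `eq` permit entry yet. The sample configuration and all function names are constructed for illustration.

```python
import re

# Constructed sample configuration (not the poster's firewall).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside permit udp host 1.1.1.1 host 2.2.2.2 eq 4004
access-list outside permit udp host 1.1.1.1 host 2.2.2.2 eq 4005
access-list outside permit tcp host 1.1.1.1 host 2.2.2.2 eq 5066
access-list dmz_in permit ip any any
access-group outside in interface outside
access-group dmz_in in interface dmz
"""
# Ports requested in the original question.
REQUESTED = [("udp", 4004), ("udp", 4005), ("udp", 5067), ("tcp", 5066)]

def bound_acl(config, interface="outside"):
    """Return the access-list name bound inbound to the interface, or None."""
    pat = r"^access-group\s+(\S+)\s+in\s+interface\s+%s\s*$" % re.escape(interface)
    m = re.search(pat, config, re.M)
    return m.group(1) if m else None

def acl_entries(config, name):
    """Return the entries of the named access-list, in configuration order."""
    prefix = "access-list %s " % name
    return [l.strip() for l in config.splitlines() if l.strip().startswith(prefix)]

def conduits(config):
    """Return legacy conduit statements, used when no access-group exists."""
    return [l.strip() for l in config.splitlines() if l.strip().startswith("conduit ")]

def missing_ports(entries, requested=REQUESTED):
    """Requested (proto, port) pairs without an exact 'permit <proto> ... eq <port>'.
    Port ranges and broad 'permit ip' entries are deliberately not treated as a match."""
    missing = []
    for proto, port in requested:
        pat = re.compile(r"\spermit\s+%s\s.*\seq\s+%d$" % (proto, port))
        if not any(pat.search(e) for e in entries):
            missing.append((proto, port))
    return missing

def audit(config):
    name = bound_acl(config)
    entries = acl_entries(config, name) if name else []
    return {"acl": name, "entries": entries, "conduits": conduits(config),
            "missing": missing_ports(entries)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```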
08-05-2004 07:05 AM
This is for an IP based Soft phone for remote users. They connect their PC to their ISP, open a VPN tunnel to my Network, and the destination would be the PBX NIC card IP address. But would the source IP address be the ISP assigned address? Or the internal private IP address assigned by the VPN concentrator?
08-05-2004 06:12 AM
You need to find out the source and destination addresses that require these ports.
E.g. if a host on 1.1.1.1 needs to access these ports on server 2.2.2.2 residing on a DMZ, then you would create an access-list as follows:
access-list outside permit udp host 1.1.1.1 host 2.2.2.2 eq 4004
access-list outside permit udp host 1.1.1.1 host 2.2.2.2 eq 4005
access-list outside permit udp host 1.1.1.1 host 2.2.2.2 eq 5067
access-list outside permit tcp host 1.1.1.1 host 2.2.2.2 eq 5066
Then you need to apply this access-list to your interface, so assuming you allow these connections to a DMZ from the outside, then:
access-group outside in interface outside
I would advise that you find out exactly what these ports are for and why they need to be opened before making any changes. If these ports are to be opened to permit access from the outside (internet facing), then your server should ideally be on a DMZ.
Rgds
Paddy
08-05-2004 07:11 AM
This is for an IP based Soft phone for remote users. They connect their PC to their ISP, open a VPN tunnel to my Network, and the destination would be the PBX NIC card IP address. But would the source IP address be the ISP assigned address? Or the internal private IP address assigned by the VPN concentrator?
08-05-2004 12:50 PM
I would hope it's the address assigned by the VPN concentrator. If it was a public address and your users were connecting to multiple different ISPs, then you would have a problem allowing connections in from a multitude of different addresses.
Rgds
Paddy