In some situations, it may be necessary to permit access to a device through a PIX/ASA Firewall using PCAnywhere. By default, such connections are denied, so you must configure the PIX/ASA to permit PCAnywhere traffic from the outside interface to the inside interface.
In most PIX/ASA scenarios, the inside interface and network use private addressing, while the outside interface and network use public addressing. Therefore, a static mapping must be created to establish the relationship between the outside and inside addresses. Moreover, an Access Control List (ACL) must define the traffic that is permitted through the PIX/ASA.
PCAnywhere communicates over Transmission Control Protocol (TCP) port 5631, the data port, and User Datagram Protocol (UDP) port 5632, the status port. Therefore, these ports must be explicitly permitted on the PIX.
Consider the example of a device on the inside interface of the firewall with an IP address of 10.1.1.10, which is mapped to an external (global) IP address of 126.96.36.199. In this case, traffic destined for 188.8.131.52 arrives at the firewall, is translated to 10.1.1.10, and is passed to the inside interface.
Based on the above factors, the configuration necessary for this scenario follows:
static (inside,outside) 184.108.40.206 10.1.1.10 netmask 255.255.255.255
! --- The static mapping between 220.127.116.11 (outside address) and 10.1.1.10 (inside address).
access-list 101 permit tcp any host 18.104.22.168 eq 5631
! --- Permits TCP traffic to 22.214.171.124, port 5631.
access-list 101 permit udp any host 126.96.36.199 eq 5632
! --- Permits UDP traffic to 188.8.131.52, port 5632.
access-group 101 in interface outside
! --- Apply ACL 101 to the outside interface.
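The following check is an added example, not part of the original document: it reads a PIX/ASA configuration in the form shown above and reports the PCAnywhere permit entries, bound inbound to the outside interface, whose source is any, as in the configuration above. The sample configuration is constructed, 192.0.2.10 and 198.51.100.7 are placeholder documentation addresses, and only the "eq <port>" form of an entry is handled.

```python
import re

# PCAnywhere ports named in the text: TCP 5631 (data) and UDP 5632 (status).
PCANYWHERE = {("tcp", 5631), ("udp", 5632)}
# ASA may display these ports by name instead of number.
NAMES = {"pcanywhere-data": "5631", "pcanywhere-status": "5632"}

# Constructed sample configuration (not from the original document).
# 192.0.2.10 stands in for the global address, 198.51.100.7 for a remote admin host.
SAMPLE = """\
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
! --- comment lines are ignored
access-list 101 permit tcp any host 192.0.2.10 eq 5631
access-list 101 permit udp host 198.51.100.7 host 192.0.2.10 eq 5632
access-list 102 permit tcp any host 192.0.2.10 eq 5631
access-group 101 in interface outside
"""

ADDR = r"(?:any|host\s+\S+|\d\S*\s+\d\S*)"  # any | host A.B.C.D | network mask
ACE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?permit\s+(?P<proto>tcp|udp)\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})\s+eq\s+(?P<port>\S+)$"
)
GROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def open_pcanywhere_rules(config, interface="outside"):
    """Return permit entries on ACLs applied inbound to `interface` that
    allow PCAnywhere traffic from any source address."""
    lines = [ln.strip() for ln in config.splitlines()]
    # ACL names actually applied inbound on the interface; unbound ACLs are inert.
    bound = {m.group(1) for m in map(GROUP.match, lines)
             if m and m.group(2) == interface}
    findings = []
    for ln in lines:
        m = ACE.match(ln)
        if not m or m["acl"] not in bound:
            continue
        port = NAMES.get(m["port"], m["port"])
        if (m["src"] == "any" and port.isdigit()
                and (m["proto"], int(port)) in PCANYWHERE):
            findings.append(ln)
    return findings


if __name__ == "__main__":
    for rule in open_pcanywhere_rules(SAMPLE):
        print("open to any source:", rule)
```

In the sample, only the TCP entry in ACL 101 is reported: the UDP entry names a single source host, and ACL 102 is not applied to any interface.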