Hi all
I need to open port 4125 on PIX 515 for SBS RWW access. Am I better off calling our consultant or trying to follow some manual?
Log on to the PIX. Command
enable
Command
configure terminal
Now, command
show access-group
and look for one that includes the word "outside", such as
access-group out2in in interface outside
The word after 'access-group' is the name of the access control list which is currently controlling what is allowed in. In the below, each place that out2in appears, replace it with the name you found on the access-group.
Command
access-list out2in permit tcp any interface outside eq 4125
static (inside,outside) tcp interface 4125 SERVERINTERNALIP 4125
Now test access to the service, using the outside address of your PIX as the public destination IP; it will be forwarded to the SERVERINTERNALIP that you designated.
When your testing is satisfactory, command
write memory
and you can then log off, as you are done.
The instructions are slightly different if you have a specific public IP that you want service to go to instead of the PIX outside IP.
access-list out2in permit tcp any host SERVERPUBLICIP eq 4125
static (inside,outside) tcp SERVERPUBLICIP 4125 SERVERINTERNALIP 4125
The above instructions presume you are running PIX 6.2 or later. If you are running an earlier PIX version, then the first possibility (using the interface IP) is not available.
Correction,
static (inside,outside) tcp interface 4125 SERVERINTERNALIP 4125 netmask 255.255.255.255
Correction,
static (inside,outside) tcp SERVERPUBLICIP 4125 SERVERINTERNALIP 4125 netmask 255.255.255.255
Walter
Thanks for the detailed response. I want access to the entire subnet, so I guess it should be:
static (inside,outside) tcp interface 4125 192.168.45.0 4125 netmask 255.255.255.0?
If you are thinking of opening your entire network to incoming SBS RWW access then you need to go back to your first idea: Hire a consultant -- a consultant to do a complete risk / benefit analysis. (And if they don't say "Don't do it!" then you -probably- hired the wrong consultant!)
Got it. :-) So you believe it is better to open for specific computers only?
And if you have more than one or two, I'd add a VPN. (Yeah, I know that with RWW part of the point is that you aren't supposed to need a VPN, but I wouldn't want to trust a Microsoft Small Business Service product to secure a whole series of important computers, not without much more detailed research into its risks.)
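The following Python script is an added example for this thread, not code from any poster or from Cisco. It takes Walter's two-line recipe (the access-list entry plus the port static, with the netmask from his correction) and his later advice to expose only specific computers, and turns them into two helpers: one that generates the PIX lines for a given port, internal host and optional list of permitted external hosts, and one that audits a set of config lines and flags rules that permit any source, omit the netmask, or use a netmask other than a single-host /32 (the subnet idea raised above). The ACL name out2in, the interface name outside and the PIX 6.x syntax come from the thread; all IP addresses are constructed.

```python
"""Build and audit PIX 6.2+ port-forward rules for one TCP port.

Constructed example: ACL name "out2in", interface "outside" and the
access-list / static syntax follow the thread; the addresses are made up.
"""
import ipaddress
import re
from typing import List, Optional

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+tcp\s+"
    r"(any|host\s+\S+|\S+\s+\S+)\s+"              # source: any, one host, or net+mask
    r"(interface\s+\S+|host\s+\S+)\s+eq\s+(\d+)"  # destination and port
)
STATIC_RE = re.compile(
    r"^static\s+\(inside,outside\)\s+tcp\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)"
    r"(?:\s+netmask\s+(\S+))?"                    # netmask may be absent in the input
)


def build_port_forward(acl: str, port: int, internal_ip: str,
                       public_ip: Optional[str] = None,
                       allowed_sources: Optional[List[str]] = None) -> List[str]:
    """Return the access-list and static lines that forward TCP `port` to `internal_ip`.

    public_ip=None publishes the service on the PIX outside interface address
    (the "interface" keyword); otherwise the given dedicated public address is
    used. allowed_sources lists the external hosts permitted to connect; None
    reproduces the thread's 'any' rule, which exposes the port to everyone.
    """
    ipaddress.ip_address(internal_ip)  # raises ValueError on a malformed address
    for src in allowed_sources or []:
        ipaddress.ip_address(src)
    dest = "interface outside" if public_ip is None else f"host {public_ip}"
    nat_public = "interface" if public_ip is None else public_ip
    sources = ["any"] if not allowed_sources else [f"host {s}" for s in allowed_sources]
    lines = [f"access-list {acl} permit tcp {src} {dest} eq {port}" for src in sources]
    # Single-host netmask, as in the thread's correction: one public port maps to one machine.
    lines.append(f"static (inside,outside) tcp {nat_public} {port} {internal_ip} {port} "
                 "netmask 255.255.255.255")
    return lines


def audit(config_lines: List[str]) -> List[str]:
    """Flag port-forward rules that are open to any source or not limited to one host."""
    findings = []
    for line in config_lines:
        line = line.strip()
        m = ACL_RE.match(line)
        if m and m.group(2) == "any":
            findings.append(f"{m.group(1)}: TCP/{m.group(4)} permitted from any source")
            continue
        m = STATIC_RE.match(line)
        if m:
            internal, mask = m.group(3), m.group(5)
            if mask is None:
                findings.append(f"static to {internal}: missing netmask "
                                "(expected 255.255.255.255 for a single host)")
            elif mask != "255.255.255.255":
                findings.append(f"static to {internal}: netmask {mask} is not a single-host mask")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the thread's original 'any' rules plus the whole-subnet static.
    original = build_port_forward("out2in", 4125, "192.168.45.10")
    subnet_idea = ["static (inside,outside) tcp interface 4125 192.168.45.0 4125 netmask 255.255.255.0"]
    for finding in audit(original + subnet_idea):
        print(finding)
    # Restricted variant: one permitted external host, one internal machine, no findings.
    restricted = build_port_forward("out2in", 4125, "192.168.45.10",
                                    public_ip="203.0.113.5", allowed_sources=["198.51.100.7"])
    print("\n".join(restricted), audit(restricted))
```

Running the script prints a finding for the 'any' access-list entry and one for the 255.255.255.0 static, and nothing for the restricted variant. Pasting the generated lines into a real PIX still requires the write memory step and the testing Walter describes; the audit only checks the rules as text and knows nothing about the rest of the configuration.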