How complicated is it to open a port?

Hi all

I need to open port 4125 on pix 515 for SBS RWW access . Am I better off calling our consultant or try following some manual?

Holz

Log on to the PIX, then

enable

configure terminal

Now

show access-group

and look for one that includes the word "outside", such as

access-group out2in in interface outside

The word after 'access-group' is the name of the access control list which is currently controlling what is allowed in. In the below, each place that out2in appears, replace it with the name you found on the access-group .

Command

access-list out2in permit tcp any interface outside eq 4125

static (inside,outside) tcp interface 4125 SERVERINTERNALIP 4125

Now test access to the service, using the outside address of your PIX as the public destination IP; it will be forwarded to the SERVERINTERNALIP that you designated.

When your testing is satisfactory, command

write memory

and you can then log off, as you are done.

The instructions are slightly different if you have a specific public IP that you want service to go to instead of the PIX outside IP.

access-list out2in permit tcp any host SERVERPUBLICIP eq 4125

static (inside,outside) tcp SERVERPUBLICIP 4125 SERVERINTERNALIP 4125

The above instructions presume you are running PIX 6.2 or later. If you are running an earlier PIX version, then the first possibility (using the interface IP) is not available.

Walter Roberson

Correction,

static (inside,outside) tcp interface 4125 SERVERINTERNALIP 4125 netmask 255.255.255.255

Correction,

static (inside,outside) tcp SERVERPUBLICIP 4125 SERVERINTERNALIP 4125 netmask 255.255.255.255

Walter Roberson

Walter

Thanks for the detailed response. I want access to the entire subnet, so I guess it should be:

static (inside,outside) tcp interface 4125 192.168.45.0 4125 netmask 255.255.255.0

?
Holz

If you are thinking of opening your entire network to incoming SBS RWW access then you need to go back to your first idea: Hire a consultant -- a consultant to do a complete risk / benefit analysis. (And if they don't say "Don't do it!" then you -probably- hired the wrong consultant!)

Walter Roberson
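The two points made in this thread (a port forward should carry `netmask 255.255.255.255` so it reaches exactly one host, and forwarding a port to a whole subnet is a bad idea) can be checked mechanically before anything is typed into the PIX. The script below is an added example, not code from the thread or from Cisco: it parses the `access-group`, `access-list` and `static` command shapes shown above (PIX 6.x syntax, as assumed here), reports any `static` whose local side covers more than one host or lacks a netmask, and reports a forward that has no matching `permit` on the inbound ACL bound to `outside`. The sample config, including the 192.168.45.x addresses and the 443 line, is constructed for the example.

```python
import ipaddress
import re

# Constructed sample fragment in PIX 6.x syntax, using the command shapes from the thread.
# Line 4 is the whole-subnet variant asked about; line 5 has no matching access-list permit.
SAMPLE_CONFIG = """\
access-group out2in in interface outside
access-list out2in permit tcp any interface outside eq 4125
static (inside,outside) tcp interface 4125 192.168.45.10 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 192.168.45.0 4125 netmask 255.255.255.0
static (inside,outside) tcp interface 443 192.168.45.11 443 netmask 255.255.255.255
"""

# ACL applied inbound on the outside interface
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface outside$")
# "permit tcp <src> interface outside eq <port>" or "permit tcp <src> host <ip> eq <port>"
ACL_RE = re.compile(
    r"^access-list (?P<acl>\S+) permit (?P<proto>tcp|udp) .+? "
    r"(?:interface \S+|host \S+) eq (?P<port>\d+)$"
)
# "static (inside,outside) tcp <global> <gport> <local> <lport> [netmask <mask>]"
STATIC_RE = re.compile(
    r"^static \(\w+,\w+\) (?P<proto>tcp|udp) \S+ (?P<gport>\d+) "
    r"(?P<local>\S+) (?P<lport>\d+)(?: netmask (?P<mask>\S+))?$"
)


def audit_static(line, permitted):
    """Findings for one 'static' port-forward line; [] means a clean single-host forward."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["unrecognised static syntax"]
    findings = []
    if m.group("mask") is None:
        findings.append("missing netmask; a single-host forward needs 'netmask 255.255.255.255'")
    else:
        # ipaddress accepts dotted netmasks, so /255.255.255.0 becomes /24
        net = ipaddress.ip_network(f"{m.group('local')}/{m.group('mask')}", strict=False)
        if net.num_addresses > 1:
            findings.append(
                f"port {m.group('gport')} is forwarded to {net.num_addresses} hosts ({net}), "
                "not a single host"
            )
    if (m.group("proto"), m.group("gport")) not in permitted:
        findings.append(
            f"no access-list permit for {m.group('proto')}/{m.group('gport')} "
            "on the inbound 'outside' ACL; the forward is defined but unreachable"
        )
    return findings


def audit_config(config_text):
    """Audit every 'static' line in a PIX config fragment; returns {line: [findings]}."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    acl_name = None
    for l in lines:
        m = ACCESS_GROUP_RE.match(l)
        if m:
            acl_name = m.group("acl")
    # (proto, port) pairs permitted by the ACL that is actually bound inbound on outside
    permitted = set()
    for l in lines:
        m = ACL_RE.match(l)
        if m and m.group("acl") == acl_name:
            permitted.add((m.group("proto"), m.group("port")))
    return {l: audit_static(l, permitted) for l in lines if l.startswith("static ")}


if __name__ == "__main__":
    for line, findings in audit_config(SAMPLE_CONFIG).items():
        print(line)
        for f in findings or ["ok: single-host forward with a matching permit"]:
            print("   ", f)
```

Run it as-is to see the three verdicts; on a real box, paste the output of `show running-config` into `SAMPLE_CONFIG` instead. The check only understands the `interface`/`host` forms of the ACL shown in the thread, so an entry written with an explicit source network and mask is ignored rather than misreported.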

Got it.. :-) So you believe it is better to open for specific computers only?

Holz

And if you have more than one or two, I'd add a VPN. (Yeah, I know that with RWW part of the point is that you aren't supposed to need a VPN, but I wouldn't want to trust a Microsoft Small Business Service product to secure a whole series of important computers, not without much more detailed research into its risks.)

Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.