pix 501 - port 4125

Hi all

I am not a Cisco gr8, so I need some help. I have a 501 unit at home that I configured using the wizard. I would like to open port 4125 for SBS RWW, but I am afraid to screw things up. Here is the config as saved from the PIX. How do I do this and reload with the new config?

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SCqvwtzcGzhJS2ll encrypted
passwd SCqvwtzcGzhJS2ll encrypted
hostname FW-Pix501
domain-name homeco-inside.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list stunnel permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 101 permit tcp any host xx.xx.xxx.163 eq smtp
access-list 101 permit tcp any host xx.xx.xxx.163 eq pop3
access-list 101 permit tcp any host xx.xx.xxx.163 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xxx.162 255.255.255.0
ip address inside 192.168.50.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.51.100-192.168.51.150 mask 255.255.255.0
pdm location 192.168.50.0 255.255.255.0 inside
pdm location 192.168.51.0 255.255.255.0 inside
pdm location 192.168.50.0 255.255.255.255 inside
pdm location 192.168.50.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 900
global (outside) 1 xx.xx.xxx.164-xx.xx.xxx.165 netmask 255.255.255.0
global (outside) 1 xx.xx.xxx.166
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
static (inside,outside) xx.xx.xxx.163 192.168.50.2 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.50.0 255.255.255.255 inside
http 192.168.50.0 255.255.255.0 inside
http 192.168.51.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set tset esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set tset
crypto map staticmap 10 ipsec-isakmp dynamic dynmap
crypto map staticmap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup LC-Vpn address-pool vpnpool
vpngroup LC-Vpn split-tunnel stunnel
vpngroup LC-Vpn idle-time 84600
vpngroup LC-Vpn password ********
telnet 192.168.50.0 255.255.255.0 inside
telnet 192.168.51.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh 192.168.51.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:d3e7ba389c67a926a81e37cf936b2ba3
: end
[OK]
Reply to
Holz

static (inside,outside) tcp x.x.x.x 4125 192.168.0.5 4125 netmask 255.255.255.255
access-list outside_in permit tcp any host x.x.x.x eq 4125

This assumes the public IP is x.x.x.x and the internal machine is 192.168.0.5.

HTH

Chad

Reply to
Chad Mahoney

Chad Mahoney wrote:
> static (inside,outside) tcp x.x.x.x 4125 192.168.0.5 4125 netmask

If not done already, you also have to apply that ACL to an interface:

access-group outside_in in interface outside

HTH

Reply to
Chad Mahoney

You have a minimum of 5 public IPs for your "home" unit, but you don't know how to add a simple port pinhole ??

Reply to
Walter Roberson

My guy is away on vacation, and I really do not want anyone messing with my stuff. Does it help you?

Reply to
Holz

Chad

Greatly appreciate the help. So all I do is add that line to the file? And how do I load it to the PIX itself?

Reply to
Holz

Chad

Would this be the final file? How do I load it?

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SCqvwtzcGzhJS2ll encrypted
passwd SCqvwtzcGzhJS2ll encrypted
hostname FW-Pix501
domain-name homeco-inside.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list stunnel permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 101 permit tcp any host xx.xx.xxx.163 eq smtp
access-list 101 permit tcp any host xx.xx.xxx.163 eq pop3
access-list 101 permit tcp any host xx.xx.xxx.163 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xxx.162 255.255.255.0
ip address inside 192.168.50.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.51.100-192.168.51.150 mask 255.255.255.0
pdm location 192.168.50.0 255.255.255.0 inside
pdm location 192.168.51.0 255.255.255.0 inside
pdm location 192.168.50.0 255.255.255.255 inside
pdm location 192.168.50.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 900
global (outside) 1 xx.xx.xxx.164-xx.xx.xxx.165 netmask 255.255.255.0
global (outside) 1 xx.xx.xxx.166
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
static (inside,outside) xx.xx.xxx.163 192.168.50.2 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xxx.163 4125 192.168.50.2 4125 netmask 255.255.255.255
access-list outside_in permit tcp any host xx.xx.xxx.163 eq 4125
access-group 101 in interface outside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.50.0 255.255.255.255 inside
http 192.168.50.0 255.255.255.0 inside
http 192.168.51.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set tset esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set tset
crypto map staticmap 10 ipsec-isakmp dynamic dynmap
crypto map staticmap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup LC-Vpn address-pool vpnpool
vpngroup LC-Vpn split-tunnel stunnel
vpngroup LC-Vpn idle-time 84600
vpngroup LC-Vpn password ********
telnet 192.168.50.0 255.255.255.0 inside
telnet 192.168.51.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh 192.168.51.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:d3e7ba389c67a926a81e37cf936b2ba3
: end
[OK]
Reply to
Holz

"My guy" ?? You indicated that -you- configured the unit with the wizard. And it's highly unusual for someone to have multiple IPs at home unless they know how to configure their networking device. And the port you want opened is the -server- port for Microsoft's Small Business Server Remote Web Workplace. You are already running a mail server, a web server, and a pop3 remote web server on one of your systems, and are running a VPN server; anyone who had managed to get that far by themselves in the wizard would have little difficulty opening one more port.

We are volunteers here, donating our time and expertise to answer questions. We answer questions for amateurs, and we often answer questions for businesses, out of a sense of professional camaraderie. But when the facts stated don't add up, we can start to get the impression that we are being scammed for some free consulting, which is disappointing and discouraging.

Reply to
Walter Roberson

WTF is your problem, really? For an ignorant like you: I have a small home business, with all of the above you listed. The last I checked it was legal. I configured the 501 a year ago, when I had almost nothing, using the wizard; it took me a few hours, and since then my out-of-home (garage) business grew enough to hire someone to take care of my computer crap. I have to leave tomorrow on a business trip and I am not allowed to bring my laptop into the facility I am going to, so RWW comes in handy, since I need access to my bidding material on my network. Now I need help, and an idiot like yourself, who obviously does not know the answer, jumps like a goat. Scam? What scam? What exactly did you smoke today? Check my business out,

formatting link
No, it is not running, so can I get you to shut up now? Or provide real help???

Reply to
Holz

When you last asked the same question, on June 27, some idiot provided step by step instructions on how to make the change, including instructions on how to save the change.

formatting link

Let's see... "Sad part is that I manage a Windows network with a load of devices but cannot shave on the company beard if you know what I mean." (June 14, 2007)

"I need to create a VPN tunnel between two concentrators, one in LA one in Minneapolis. [...] The purpose is to be able to browse the parent company Intranet." (June 14, 2007)

"I configured the 501 a year ago" (Aug 2, 2007) "I am new to this groups/Cisco devices" (June 14, 2007) [re CCNA] "I am taking the test in the end of July" (June 14, 2007)

Hmmm, small business -owner- who hires someone "to take care of the computer crap", or Windows network manager for someone else's company? Business owner who leaves the network alone when possible, or recent CCNA attempter? New to Cisco devices, or started working with them a year ago? Small business or a business big enough that there is a "parent company"? Left the pix untouched for a year, or worked with the PIX extensively enough to debug a VPN tunnel between concentrators?

Reply to
Walter Roberson

Well, since you have existing ACLs defined, you can append to them:

conf t
static (inside,outside) tcp xx.xx.xxx.163 4125 192.168.50.2 4125 netmask 255.255.255.255
access-list 101 permit tcp any host x.x.x.x eq 4125
access-group 101 in interface outside
write memory
reload

After this, test the service. It should work fine with the existing ACL defined under 101.

HTH

Reply to
Chad Mahoney
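The thread shows two ways of adding the pinhole: binding a brand-new ACL to the outside interface (the poster's proposed "final file") or appending one entry to ACL 101, which is already bound. The script below is an added example, not code from the thread or from Cisco; it parses the PIX 6.3 `access-list`, `static` and `access-group` forms that appear above and reports whether a public IP and port is translated and permitted. It assumes that only one ACL is bound per interface and direction on PIX 6.3, so a second `access-group ... in interface outside` replaces the first, and that a one-to-one `static` already translates every port. The sample configs are constructed, abbreviated extracts of the thread's config with its placeholder addresses kept.

```python
"""Static sanity check for a PIX 6.3 inbound pinhole (static + ACL + access-group).

Added example, not code from the thread.  Assumes the PIX 6.3 command forms
seen in the thread and that a second access-group on the same interface
replaces the first (only one ACL is bound per interface and direction).
"""

# Subset of the service names the PIX accepts after "eq".
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "http": 80, "https": 443}


def _port(token):
    """'4125' -> 4125, 'smtp' -> 25, unknown name -> None."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token.lower())


def _take_addr(words, i):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    if words[i] == "any":
        return "any", i + 1
    if words[i] == "host":
        return words[i + 1], i + 2
    return words[i] + "/" + words[i + 1], i + 2


def parse_pix(config_text):
    """Extract ACL entries, static translations and access-group bindings."""
    acls, statics, bindings = {}, [], {}
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        cmd = words[0].lower()  # the PIX CLI is case-insensitive; a misspelt keyword is simply not an ACL
        if cmd == "access-list" and words[2].lower() in ("permit", "deny"):
            i = 4
            src, i = _take_addr(words, i)
            dst, i = _take_addr(words, i)
            port = _port(words[i + 1]) if i < len(words) and words[i] == "eq" else None
            acls.setdefault(words[1], []).append(
                {"action": words[2].lower(), "proto": words[3].lower(),
                 "src": src, "dst": dst, "port": port})
        elif cmd == "static":
            if words[2].lower() in ("tcp", "udp"):  # port static
                statics.append({"proto": words[2].lower(), "public": words[3],
                                "pport": _port(words[4]), "private": words[5]})
            else:  # one-to-one static: translates every port
                statics.append({"proto": None, "public": words[2],
                                "pport": None, "private": words[3]})
        elif cmd == "access-group":  # access-group NAME in interface IFACE
            bindings.setdefault(words[4], []).append(words[1])
    return acls, statics, bindings


def check_pinhole(config_text, public_ip, port, proto="tcp", iface="outside"):
    """Is <public_ip>:<port>/<proto> translated and permitted inbound on <iface>?"""
    acls, statics, bindings = parse_pix(config_text)
    report = {"translated_to": None, "bound_acl": None, "replaced_acls": [],
              "missing_acls": [], "permitted": False}
    # 1. Translation: a matching port static, or a one-to-one static for the address.
    for s in statics:
        if s["public"] == public_ip and (
                s["proto"] is None or (s["proto"], s["pport"]) == (proto, port)):
            report["translated_to"] = s["private"]
            break
    # 2. Binding: the last access-group issued for the interface is the one in effect.
    bound = bindings.get(iface, [])
    if bound:
        report["bound_acl"], report["replaced_acls"] = bound[-1], bound[:-1]
        report["missing_acls"] = [n for n in bound if n not in acls]
    # 3. Filtering: first matching entry decides; no match (or no entries) means deny.
    for e in acls.get(report["bound_acl"], []):
        if (e["proto"] in (proto, "ip") and e["dst"] in ("any", public_ip)
                and e["port"] in (None, port)):
            report["permitted"] = e["action"] == "permit"
            break
    return report


# Constructed, abbreviated extracts of the thread's config (placeholder addresses kept).
BASE = """\
access-list 101 permit tcp any host xx.xx.xxx.163 eq smtp
access-list 101 permit tcp any host xx.xx.xxx.163 eq pop3
access-list 101 permit tcp any host xx.xx.xxx.163 eq www
static (inside,outside) xx.xx.xxx.163 192.168.50.2 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""
# The poster's proposed "final file": a second ACL bound to the same interface.
PROPOSED = BASE + """\
access-list outside_in permit tcp any host xx.xx.xxx.163 eq 4125
access-group outside_in in interface outside
"""
# Appending to the ACL that is already bound, as the last reply suggests.
APPENDED = BASE + "access-list 101 permit tcp any host xx.xx.xxx.163 eq 4125\n"

if __name__ == "__main__":
    for label, cfg in (("proposed", PROPOSED), ("appended", APPENDED)):
        for p in (4125, 25):
            r = check_pinhole(cfg, "xx.xx.xxx.163", p)
            print(f"{label:8s} tcp/{p:<5d} -> {r['translated_to']}  "
                  f"ACL {r['bound_acl']}  permitted={r['permitted']}")
```

Run against the proposed file, tcp/4125 comes back permitted but tcp/25 does not, because `outside_in` has replaced `101` as the bound ACL and the mail, POP3 and web entries are gone with it; the appended variant permits all four. Feeding the file with the `Acess-list` misspelling through the same check lists `outside_in` under `missing_acls`, since an access-group that names an ACL with no entries permits nothing.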

True, since I tried to get rid of my guy, who I felt was f****ng me around. I was not going to pay 1100 or 2000 to open a "pinhole". Anything else I can answer for you?

Reply to
Holz
