Opening a port

I hope not to get flamed here. I have a pix 515e ios 6.3(3). I have a machine that I need to access port 8082 from the outside. I created an access list for it but somehow think I need a nat for it which is totally confusing me. Here is most of my conf

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password vOtpcIryL8coK1xI encrypted
passwd ZSFSZ58TFmg2m3.3 encrypted
hostname pixfirewall
domain-name usaniagara.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
fixup protocol rsh 3389-3390
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.40.12 RAIDUS
name 10.10.40.10 server2
name 63.139.41.28 server
object-group service rdp tcp
  description rdp
  port-object range 3389 3389
object-group service rdpboth tcp-udp
  port-object range 3389 3389
access-list inside_outbound_nat0_acl permit ip any 10.10.100.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.50.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.10.40.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.10.100.0 255.255.255.224
access-list acl permit tcp any host 63.139.41.26 eq 3389
access-list inside_authentication_LOCAL permit tcp any interface outside
access-list outside_access_in permit tcp any object-group rdp host server object-group rdp
access-list outside_access_in permit ip host server 63.139.41.0 255.255.255.0
access-list outside_access_in permit tcp any eq www host server eq www
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any eq 8082 host server eq 8082
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 63.139.41.26 255.255.255.248
ip address inside 10.10.40.5 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.50.10-192.168.50.50
ip local pool remote2 10.10.100.10-10.10.100.50
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 10.10.100.0 255.255.255.224 outside
pdm location RAIDUS 255.255.255.255 inside
pdm location 192.168.50.0 255.255.255.0 outside
pdm location 10.10.40.0 255.255.255.0 outside
pdm location 63.139.41.27 255.255.255.255 outside
pdm location 63.139.41.0 255.255.255.0 outside
pdm location 63.139.0.0 255.255.0.0 outside
pdm location server2 255.255.255.255 inside
pdm location server 255.255.255.255 outside
pdm location 63.139.41.29 255.255.255.255 outside
pdm location 10.10.40.70 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) server server2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 63.139.41.25 1
route outside server 255.255.255.255 63.139.41.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication match inside_authentication_LOCAL inside LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Any help would be greatly appreciated.

-Sam

Reply to
samothyev

You should upgrade that. There are security problems known for 6.3(3), 6.3(4), 6.3(5) and even within the last couple of days 6.3(5)112 has been replaced by a newer version. If you are the registered owner of the device, the upgrade is free.

> access-list acl permit tcp any host 63.139.41.26 eq 3389

You do not appear to be using that acl named 'acl'.

> access-list outside_access_in permit tcp any object-group rdp host server object-group rdp

Here and

> access-list outside_access_in permit tcp any eq www host server eq www

here and

> access-list outside_access_in permit tcp any eq 8082 host server eq 8082

here, you appear to have misconfigured your access list in the same way each time. The port number on the "left hand side" represents the source port of the transaction, and the port number on the "right hand side" represents the destination port of the transaction, with source and destination chosen according to which way the traffic is flowing through the firewall. In this case, as you have used access-group to apply this to the outside interface, the source is the external source and the destination is the public IP of the local resource (i.e., this ACL is tested before NAT is done -- it will test the packets as arriving on the ethernet port.) In each of the three lines I marked, you have declared that the source and destination ports must be the same. That's not going to happen: for each of those three services, the source port is going to be a random port number from 1024 to 65535 (in pathological cases it could even be 1 through 1023, if someone decided to violate all common conventions.) Thus, for each of the three lines, you should omit the source port in order to allow it to vary. For example,

access-list outside_access_in permit tcp any host server eq 8082

> static (inside,outside) server server2 netmask 255.255.255.255 0 0

There you declare that internal host 10.10.40.10 should be visible to the outside world as 63.139.41.28, so that when the PIX receives a packet addressed to 63.139.41.28, it should check the security and then forward it to 10.10.40.10 if allowed by the outside acl. But look again at your outside acl: you have this line:

> access-list outside_access_in permit ip host server 63.139.41.0 255.255.255.0

That line would be for the case of an -outside- system with IP 63.139.41.28 trying to send to another system in 63.139.41/24 that was being handled by the PIX. The only other system in 63.139.41/24 that you have configured to be served by the PIX is the PIX itself, 63.139.41.26... and if you see packets originating from 63.139.41.28 (supposedly an inside host, according to your static) arriving at the PIX outside interface, then either those packets are forged or you are attempting to route packets out from inside and bounce them off a router and back to the inside, which is never a good idea even if it sometimes works. So it seems unlikely that this ACL line should be present.

Note that with the way you have configured the PIX, the PIX -will- do "proxy arp" -- that is, if some system on the outside asks where 63.139.41.28 is, the PIX will respond with its own MAC address. However, proxy arp is not particularly reliable, so it is much safer to ensure that your next-hop router *routes* 63.139.41.28 to the outside IP of the PIX.

I don't see L2TP configured, and 'mode transport' is only for L2TP.

At one point the documentation implied that 3DES should use SHA (and that DES should use MD5). I haven't been able to find that implication since. It wouldn't hurt to add 3DES SHA, though, and with a higher priority, as it is more secure. Similarly you should consider AES-128 SHA Group 5, which is faster and more secure than 3DES.

Incidentally, your nat and static lines are fine; it's the ACL that is misconfigured.

Reply to
Walter Roberson
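The three ACL problems Walter points out (a source port pinned on the left-hand side, an access-list nothing references, and an outside-interface entry whose source is the PIX's own static-mapped address) are mechanical enough to check with a script. The following is an example added here, not code from either post or from any Cisco tool. It parses the subset of the PIX 6.x `access-list` grammar that Sam's config actually uses, embeds the relevant lines of that config as a constructed sample, and emits a corrected line with the source port dropped (which for the 8082 entry is exactly the line Walter suggests). The `static` handling assumes the host form used in the post, not the port-redirect form, and any ACE shape outside the documented grammar is an assumption the script does not cover.

```python
"""Lint PIX 6.x access-list entries for the three problems raised in this thread.

Example code added to the thread, not from the posts or from any Cisco tool.
ACE grammar handled (the subset the posted config uses):
  access-list NAME permit|deny PROTO SRC [PORT] DST [PORT]
  SRC/DST = any | host X | NET MASK;  PORT = eq|neq|gt|lt N | range A B | object-group G
"""
import re

PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
REF_PATTERNS = (re.compile(r"\baccess-list (\S+)"),    # nat (inside) 0 access-list NAME
                re.compile(r"\bmatch address (\S+)"),  # crypto ... match address NAME
                re.compile(r"^aaa \S+ match (\S+)"))   # aaa authentication match NAME

# Constructed sample: the lines of the posted config that the checks need.
SAMPLE_CONFIG = """\
name 10.10.40.10 server2
name 63.139.41.28 server
object-group service rdp tcp
access-list inside_outbound_nat0_acl permit ip any 10.10.40.0 255.255.255.0
access-list acl permit tcp any host 63.139.41.26 eq 3389
access-list outside_access_in permit tcp any object-group rdp host server object-group rdp
access-list outside_access_in permit ip host server 63.139.41.0 255.255.255.0
access-list outside_access_in permit tcp any eq www host server eq www
access-list outside_access_in permit tcp any eq 8082 host server eq 8082
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) server server2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""


def _take_addr(tok, i):
    # One address spec: 'any' is one token, 'host X' or 'NET MASK' are two.
    if tok[i] == "any":
        return "any", i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2


def _take_port(tok, i, service_groups):
    # Optional port spec; a service object-group after an address is a port spec.
    if i < len(tok) and tok[i] in PORT_OPS:
        n = 3 if tok[i] == "range" else 2
        return " ".join(tok[i:i + n]), i + n
    if i + 1 < len(tok) and tok[i] == "object-group" and tok[i + 1] in service_groups:
        return f"object-group {tok[i + 1]}", i + 2
    return None, i


def parse_ace(line, service_groups):
    """Split one access-list line into its fields, or None if it is not an ACE."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        return None
    src, i = _take_addr(tok, 4)
    src_port, i = _take_port(tok, i, service_groups)
    dst, i = _take_addr(tok, i)
    dst_port, _ = _take_port(tok, i, service_groups)
    return {"name": tok[1], "action": tok[2], "proto": tok[3], "src": src,
            "src_port": src_port, "dst": dst, "dst_port": dst_port, "line": line}


def lint_config(config_text):
    """Return (kind, acl_name, offending_line, suggested_line_or_None) tuples."""
    names, service_groups, statics, applied, refs, aces = {}, set(), set(), {}, set(), []
    for raw in filter(str.strip, config_text.splitlines()):
        tok = raw.split()
        if tok[0] == "name":                      # name IP NAME
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "service"]:
            service_groups.add(tok[2])
        elif tok[0] == "static":                  # static (in,out) MAPPED REAL ... (host form only)
            statics.add(names.get(tok[2], tok[2]))
        elif tok[0] == "access-group":            # access-group NAME in interface IF
            applied[tok[1]] = tok[4]
        elif tok[0] == "access-list":
            if ace := parse_ace(raw.strip(), service_groups):
                aces.append(ace)
        else:
            for pat in REF_PATTERNS:
                if m := pat.search(raw):
                    refs.add(m.group(1))
    findings = []
    for a in aces:
        name, line = a["name"], a["line"]
        if name not in applied and name not in refs:
            findings.append(("unused-acl", name, line, None))
        if a["proto"] in ("tcp", "udp") and a["src_port"] is not None:
            # The left-hand port is the client's ephemeral source port: drop it.
            fixed = " ".join(p for p in ("access-list", name, a["action"], a["proto"],
                                          a["src"], a["dst"], a["dst_port"] or "") if p)
            findings.append(("source-port", name, line, fixed))
        host = a["src"][5:] if a["src"].startswith("host ") else None
        if applied.get(name) == "outside" and names.get(host, host) in statics:
            findings.append(("static-as-source", name, line, None))  # mapped inside host as source
    return findings


if __name__ == "__main__":
    for kind, acl, line, fixed in lint_config(SAMPLE_CONFIG):
        print(kind, acl, line, "->" if fixed else "", fixed or "")
```

Run against the sample it reports the unused `acl`, the three source-port entries with their corrected forms, and the `permit ip host server ...` line whose source is the PIX's own static. Feeding it a full `show run` works the same way, with the caveat that the ACE grammar it understands is the one in this thread.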

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.