Opening Ports

Hi All,

I have a PIX 515 and I copied my config here in the post. I need to have two way TCP traffic between an outside IP and going to all internal computers. One of the ports I need is 443. I'm thinking I need an "access-list acl_out..." that lists the IP that I want incoming 443 traffic from. I don't want it allowed for the whole Internet...just a specific IP.

Thanks.

Paul

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security50
enable password encrypted
passwd encrypted
hostname pix
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 1.141.1.11 IPO
name 1.141.1.29 email
name external.ip.address exchange
name 1.0.0.0 vpn_mobile
access-list acl_out permit tcp any host external.ip.address eq www
access-list acl_out permit tcp any host external.ip.address eq https
access-list acl_out permit tcp any host external.ip.address eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any interface outside
access-list acl_out permit tcp any eq pop3 host external.ip.address eq pop3
access-list acl_out permit tcp any eq smtp host external.ip.address eq smtp
access-list acl_out permit tcp any eq ftp host external.ip.address eq ftp
access-list dmz_out permit icmp any any
access-list dmz_out permit tcp host 10.0.0.3 host 1.1.1.1 range 12100 12109
access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
access-list outside_cryptomap_dyn_20 permit ip any vpn_mobile 255.0.0.0
pager lines 24
logging on
logging timestamp
logging monitor informational
logging trap errors
logging history errors
logging host inside 1.141.2.223
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
ip address outside external.ip.address 255.255.255.224
ip address inside 1.141.1.254 255.0.0.0
ip address DMZ1 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mobile 1.141.4.1-1.141.4.15
pdm location 1.141.2.217 255.255.255.255 inside
pdm location 10.0.0.3 255.255.255.255 DMZ1
pdm location 1.141.2.141 255.255.255.255 inside
pdm location 1.1.1.1 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 DMZ1
pdm location external.ip.address 255.255.255.255 outside
pdm location 10.0.0.2 255.255.255.255 DMZ1
pdm location 10.0.0.1 255.255.255.255 inside
pdm location vpn_mobile 255.255.255.0 inside
pdm location 10.0.0.3 255.255.255.255 inside
pdm location external.ip.address 255.255.255.255 outside
pdm location external.ip.address 255.255.255.255 outside
pdm location 1.141.1.50 255.255.255.255 inside
pdm location 1.141.2.225 255.255.255.255 inside
pdm location 1.141.2.53 255.255.255.255 inside
pdm location IPO 255.255.255.255 inside
pdm location email 255.255.255.255 inside
pdm location exchange 255.255.255.255 outside
pdm location vpn_mobile 255.0.0.0 outside
pdm location 1.141.2.7 255.255.255.255 inside
pdm location 1.141.2.165 255.255.255.255 inside
pdm location 1.141.2.223 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 vpn_mobile 255.0.0.0 0 0
static (DMZ1,outside) tcp external.ip.address www 10.0.0.3 www netmask 255.255.255.255 0 0
static (DMZ1,outside) tcp external.ip.address https 10.0.0.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp external.ip.address smtp 1.1.1.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 IPO 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 email 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 email 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https email https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp email pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface nntp email nntp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 email pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp email ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www email www netmask 255.255.255.255 0 0
static (inside,DMZ1) vpn_mobile vpn_mobile netmask 255.0.0.0 0 0
access-group acl_out in interface outside
access-group dmz_out in interface DMZ1
route outside 0.0.0.0 0.0.0.0 external.ip.address 1
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 1.141.2.225 255.255.255.255 inside
http 1.141.2.53 255.255.255.255 inside
http 1.141.1.50 255.255.255.255 inside
http 1.141.2.223 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 1.141.2.223 /tftp-root/
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mobile address-pool mobile
vpngroup mobile dns-server email IPO
vpngroup mobile default-domain kfdom01
vpngroup mobile split-tunnel outside_cryptomap_dyn_20
vpngroup mobile split-dns domain-name ipo1
vpngroup mobile idle-time 1800
vpngroup mobile password
telnet xxx.xxx.xxx.xxx 255.255.255.255 inside
telnet xxx.xxx.xxx.xxx 255.255.255.255 inside
telnet xxx.xxx.xxx.xxx 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxx
Reply to
dexteroc

You haven't explained what you mean by "two way TCP traffic". I asked you for clarification of this in your "Access-lists" thread but you did not reply. We can't tell you how to change your configuration until we have a clear understanding of what you are trying to accomplish.

Reply to
Walter Roberson

Thanks Walter...Let me try again. My understanding is that outgoing is always open, so I guess I should have said I need to allow 443 traffic from a specific IP in through the firewall. We have a couple of programs that talk on certain ports, one being 443 and another being 22339, and when I telnet to the Internet IPs at those ports, nothing happens, so I assumed that the firewall is not allowing the traffic in. I need to be able to talk to 68.45.121.23 on 443 and 68.45.121.24 on 22339. Did I explain it right this time?

Thanks.

Paul.

Reply to
dexteroc
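As an added illustration (not part of this thread and not the PIX's own code), here is a small Python evaluator for the subset of PIX 6.3 access-list syntax that appears in the posted acl_out: "any", "host X", "interface IF", "X MASK", and optional "eq PORT" / "range LO HI" qualifiers. The sample entries are copied from the posted config; 203.0.113.10 is a constructed stand-in for the external.ip.address placeholder, and 198.51.100.99 is a constructed untrusted source. Running it shows two things the config itself states but which are easy to miss when the list is read in one piece: the posted acl_out admits port 443 from any source, and its "permit tcp any interface outside" entry admits any source to every port that the "static (inside,outside) tcp interface ..." lines map onto the outside interface address (3389, 444, 4125, pptp, and the rest). An entry written with "host 68.45.121.23" as the source, which is the shape the first post asked for, limits 443 to that one peer and lets everything else fall through to the implicit deny. An inbound ACE on the outside interface only governs connections that arrive from the Internet; sessions that inside hosts open towards outside addresses are allowed by the PIX's default higher-to-lower security policy, and their return packets are admitted by the connection table, not by acl_out.

```python
"""Constructed example: evaluate PIX 6.3-style access-list entries against a flow.

Covers only the subset of syntax used in the posted acl_out; it is a model of
the first-match / implicit-deny semantics, not the PIX itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: 203.0.113.10 (TEST-NET-3) stands in for the thread's
# 'external.ip.address' placeholder; vpn_mobile is the thread's own 'name' entry.
NAMES = {"external.ip.address": "203.0.113.10", "vpn_mobile": "1.0.0.0"}
# 'ip address outside external.ip.address' in the posted config.
IFACE_ADDR = {"outside": NAMES["external.ip.address"]}
PORTS = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "ftp": 21}


@dataclass
class ACE:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[Tuple[int, int]]
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]


def _addr(tokens):
    """Consume one address spec and return (network, remaining tokens)."""
    kw = tokens[0]
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if kw == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    if kw == "interface":
        return ipaddress.ip_network(IFACE_ADDR[tokens[1]] + "/32"), tokens[2:]
    net = NAMES.get(kw, kw)  # 'X MASK' form, e.g. 'vpn_mobile 255.0.0.0'
    return ipaddress.ip_network(f"{net}/{tokens[1]}", strict=False), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq P' or 'range LO HI' qualifier; P may be a service name."""
    if tokens and tokens[0] == "eq":
        p = PORTS[tokens[1]] if tokens[1] in PORTS else int(tokens[1])
        return (p, p), tokens[2:]
    if tokens and tokens[0] == "range":
        return (int(tokens[1]), int(tokens[2])), tokens[3:]
    return None, tokens


def parse_acls(config_text):
    """Group 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines by NAME."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        acls.setdefault(name, []).append(ACE(action, proto, src, sport, dst, dport))
    return acls


def evaluate(aces, proto, src_ip, dst_ip, dst_port=None, src_port=None):
    """First matching entry wins; every PIX access-list ends in an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport and (src_port is None or not ace.sport[0] <= src_port <= ace.sport[1]):
            continue
        if ace.dport and (dst_port is None or not ace.dport[0] <= dst_port <= ace.dport[1]):
            continue
        return ace.action
    return "deny"


# Entries copied from the posted config (acl_out plus the NAT-exempt list).
POSTED = """\
access-list acl_out permit tcp any host external.ip.address eq www
access-list acl_out permit tcp any host external.ip.address eq https
access-list acl_out permit tcp any host external.ip.address eq smtp
access-list acl_out permit icmp any any
access-list acl_out permit tcp any interface outside
access-list acl_out permit tcp any eq pop3 host external.ip.address eq pop3
access-list inside_outbound_nat0_acl permit ip any vpn_mobile 255.0.0.0
"""

# Constructed alternative: only the peer named in the thread may reach 443 on the
# outside address; everything else falls through to the implicit deny.
TIGHTENED = """\
access-list acl_out permit tcp host 68.45.121.23 host external.ip.address eq https
"""


def inbound_verdict(config_text, src_ip, dst_port):
    """Verdict of acl_out for a TCP flow from src_ip to the outside address on dst_port."""
    aces = parse_acls(config_text)["acl_out"]
    return evaluate(aces, "tcp", src_ip, NAMES["external.ip.address"], dst_port)


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("tightened", TIGHTENED)):
        for src, port in (("198.51.100.99", 443), ("68.45.121.23", 443), ("198.51.100.99", 3389)):
            print(f"{label:9} {src:>15} -> :{port:<5} {inbound_verdict(cfg, src, port)}")
```

Run it as a script to see the verdict table; the "posted" rows come back "permit" for the constructed untrusted source on both 443 and 3389, while the "tightened" rows permit only the named peer on 443.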

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.