Tivo access through PIX

Unanswered Question
Dec 27th, 2007

I got a Tivo for Christmas and I'm trying to open the appropriate ports on my PIX 501 to allow it to communicate with the Tivo service. The Tivo knowledge base says I need to open these ports for inbound and outbound access:

- TCP 37,2190,4430, 7287-7288, 8000, 8080-8090

- UDP 123, 2190

I'm trying to set up an access list that only allows access over these ports to my Tivo box (internal IP 192.168.1.11) and prohibits access to other hosts on my inside interface over those same ports.

I tried to set up an access-list using the following config commands, but it's not working.

names

name 192.168.1.2 Neptune

name 192.168.1.11 Tivo01

access-list acl-in permit tcp any host Tivo01 eq 37

access-list acl-in permit tcp any host Tivo01 eq 2190

access-list acl-in permit tcp any host Tivo01 eq 4430

access-list acl-in permit tcp any host Tivo01 range 7287 7288

access-list acl-in permit tcp any host Tivo01 eq 8000

access-list acl-in permit tcp any host Tivo01 range 8080 8089

access-list acl-in permit udp any host Tivo01 eq ntp

access-list acl-in permit udp any host Tivo01 eq 2190

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl-in in interface outside

route outside 0.0.0.0 0.0.0.0 69.73.72.1 1

A debug trace when I attempt to connect from the tivo box to the tivo service includes the following suspicious entry:

710005: UDP request discarded from 192.168.1.11/2190 to inside:192.168.1.255/2190

Any thoughts on what's going on? A missing routing entry perhaps?? It almost looks like the Tivo's UDP request is getting broadcast to hosts on my internal LAN, but not getting routed outside??

BTW: Normal web traffic (inside clients hitting external web servers) works with no problems.

husycisco Thu, 12/27/2007 - 13:40

Hi Christopher

I am assuming Tivo01 is not on the outside interface, so you cannot write ACLs as above. Also, no translations (static, etc.) exist.

Is a public IP going to be connected to for reaching Tivo01? Is Tivo01 on the inside interface? Do you have another public IP than the interface IP?

Regards

christopherfrancis Thu, 12/27/2007 - 14:06

The Tivo is on the Inside interface (192.168.1.x subnet). The Tivo's IP is 192.168.1.11. The PIX has a public external IP of 69.73.xx.xx. It's internal (gateway) address is 192.168.1.1.

I was expecting that the PIX would route outgoing requests from the Tivo to its outside interface, but it appears to be dropping them. Not sure why. Similarly, I had expected the PIX to translate/route responses from the Tivo server on the outside network to the correct internal (NAT'd) IP.

I suspect I've got a routing issue, but I'm not sure what I need to do to solve it.

cisco24x7 Thu, 12/27/2007 - 19:04

Chris,

do this and it will work for you:

1- nat (inside) 1 0 0

2- global (outside) 1 interface

3- access-list test permit ip any any log

4- access-group test in interface inside

Steps 3 & 4 are optional, but I put them in there for testing.

cisco24x7 Thu, 12/27/2007 - 19:05

Forgot to add another step:

5- access-group test in interface outside.

This will make sure your firewall is wide open. Once you get it working, start locking down the firewall.

christopherfrancis Sun, 12/30/2007 - 15:08

I'm sure it will work if I open everything up. What I'm trying to do is figure out how to make it work without doing that.

I think I've narrowed it down to an issue with ICMP. Apparently the Tivo box tries to Ping the Tivo server to verify connectivity before launching into the rest of its "conversation".

So I'm now trying to set up the PIX to allow the Tivo to Ping through the firewall, but am still running into problems.

Here's what my access list looks like now:

access-list acl-in permit tcp any host Tivo01 eq 37

access-list acl-in permit tcp any host Tivo01 eq 2190

access-list acl-in permit tcp any host Tivo01 eq 4430

access-list acl-in permit tcp any host Tivo01 range 7287 7288

access-list acl-in permit tcp any host Tivo01 eq 8000

access-list acl-in permit tcp any host Tivo01 range 8080 8089

access-list acl-in permit udp any host Tivo01 eq ntp

access-list acl-in permit udp any host Tivo01 eq 2190

access-list acl-in permit icmp any host Tivo01 echo

access-list acl-in permit icmp any host Tivo01 echo-reply

access-group acl-in in interface outside

cisco24x7 Sun, 12/30/2007 - 17:35

Do this:

logging enable

logging timestamp

logging buffer-size 1048576

logging buffered informational

logging trap informational

logging mail informational

access-list acl-in permit tcp any host Tivo01 eq 37 log

access-list acl-in permit tcp any host Tivo01 eq 2190 log

access-list acl-in permit tcp any host Tivo01 eq 4430 log

access-list acl-in permit tcp any host Tivo01 range 7287 7288 log

access-list acl-in permit tcp any host Tivo01 eq 8000 log

access-list acl-in permit tcp any host Tivo01 range 8080 8089 log

access-list acl-in permit udp any host Tivo01 eq ntp log

access-list acl-in permit udp any host Tivo01 eq 2190 log

access-list acl-in permit icmp any host Tivo01 echo log

access-list acl-in permit icmp any host Tivo01 echo-reply log

access-list acl-in deny ip any any log

access-group acl-in in interface outside

After that, on the Pix, do the following:

CiscoPix# sh log | i Deny

This will tell you what is being denied on the outside interface. You will then have to open additional port(s) for it to work.

I would start from there.

CCIE Security

husycisco Mon, 12/31/2007 - 00:44

David,

The above ACLs have no use for allowing inbound connections. Tivo01 is a host on the inside interface, not on the outside.

Christopher,

For allowing outbound connection from Tivo, you need the following ACE in ACL which is grouped to your inside interface (if exists)

First, check if you have an ACL grouped to the inside interface:

sh run access-group

If you see an xxxx (considering xxxx as your acl name if exists) as following

access-group xxxx in interface inside

then you need to add following

access-list xxxx permit tcp host Tivo01 any eq 37

access-list xxxx permit tcp host Tivo01 any eq 2190

Same for your other ports

And for inbound connection, which should be established to your outside interface in this case, you should first create statics as following

static (inside,outside) tcp interface 37 Tivo01 37 netmask 255.255.255.255

static (inside,outside) tcp interface 2190 Tivo01 2190 netmask 255.255.255.255

Same for other ports. (I suggest a dedicated public IP instead of the interface IP.)

Then, allow the port traffic to interface as

access-list acl-in permit tcp any interface outside eq 37

access-list acl-in permit tcp any interface outside eq 2190

Same for other ports.

Keep in mind that you don't have to allow an inbound connection from a host on the public side if the session is started from a host on your inside network.

If you still have problems, please post me your config.

Regards
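The direction point made in the reply above (an outside-interface ACE with Tivo01 as destination never sees the Tivo's own outbound connections; an inside-interface ACE needs Tivo01 as source and the service port as destination) can be checked mechanically. The following is an added example, not code from this thread or from Cisco: a small Python evaluator for the subset of PIX access-list syntax used here (names, host/any/interface, eq/range, tcp/udp/icmp/ip, trailing log). The Tivo service address 198.51.100.7, the outside interface address 203.0.113.10 and the inbound packets fed to it are constructed for the example; only the 192.168.1.x names come from the thread.

```python
"""Miniature PIX-style access-list evaluator (added example, not code from the thread).
Addresses outside 192.168.1.0/24 are assumptions; NAT and the connection table
are deliberately not modelled (see the note after the code)."""
from dataclasses import dataclass
import ipaddress

NAMES = {"Tivo01": "192.168.1.11", "Neptune": "192.168.1.2"}  # from the 'name' commands
INTERFACE_IP = {"outside": "203.0.113.10"}                   # assumed public address
PORT_NAMES = {"ntp": 123, "www": 80}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    sport: int = 0   # TCP/UDP source port; ICMP type for icmp flows
    dport: int = 0   # TCP/UDP destination port

@dataclass
class ACE:
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    src_ok: object   # callable(port) -> bool
    dst_net: ipaddress.IPv4Network
    dst_ok: object   # callable(port or icmp type) -> bool
    log: bool
    text: str

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(t, i):
    """Parse one address spec at t[i]; return (network, index after it)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(NAMES.get(t[i + 1], t[i + 1])), i + 2
    if t[i] == "interface":
        return ipaddress.ip_network(INTERFACE_IP[t[i + 1]]), i + 2
    return ipaddress.ip_network(f"{NAMES.get(t[i], t[i])}/{t[i + 1]}"), i + 2  # addr mask

def _parse_ports(t, i):
    """Parse an optional eq/range operator at t[i]; return (matcher, next index)."""
    if i < len(t) and t[i] == "eq":
        p = _port(t[i + 1])
        return (lambda x: x == p), i + 2
    if i < len(t) and t[i] == "range":
        lo, hi = _port(t[i + 1]), _port(t[i + 2])
        return (lambda x: lo <= x <= hi), i + 3
    return (lambda x: True), i

def parse_ace(line):
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    action, proto = t[2], t[3]
    src_net, i = _parse_addr(t, 4)
    src_ok, i = _parse_ports(t, i)
    dst_net, i = _parse_addr(t, i)
    if proto == "icmp" and i < len(t) and t[i] in ICMP_TYPES:
        code = ICMP_TYPES[t[i]]
        dst_ok = lambda x: x == code
        i += 1
    else:
        dst_ok, i = _parse_ports(t, i)
    return ACE(action, proto, src_net, src_ok, dst_net, dst_ok, "log" in t[i:], line)

def matches(ace, flow):
    if ace.proto not in ("ip", flow.proto):
        return False
    if ipaddress.ip_address(flow.src) not in ace.src_net:
        return False
    if ipaddress.ip_address(flow.dst) not in ace.dst_net:
        return False
    if flow.proto == "icmp":
        return ace.dst_ok(flow.sport)  # ICMP type is carried in sport
    return ace.src_ok(flow.sport) and ace.dst_ok(flow.dport)

def evaluate(acl, flow):
    """First matching ACE wins; the PIX ends every ACL with an implicit deny."""
    for ace in acl:
        if matches(ace, flow):
            return ace.action, ace.text, ace.log
    return "deny", "<implicit deny>", False

def check_tivo_time_request():
    """The Tivo opening TCP/37 outbound: only the inside-interface form matches."""
    outbound = Flow("tcp", NAMES["Tivo01"], "198.51.100.7", sport=40000, dport=37)
    as_posted = [parse_ace("access-list acl-in permit tcp any host Tivo01 eq 37")]
    inside_form = [parse_ace("access-list acl-out permit tcp host Tivo01 any eq 37")]
    return evaluate(as_posted, outbound)[0], evaluate(inside_form, outbound)[0]

OUTSIDE_ACL = [  # the logged variant from the thread, trimmed to four entries
    "access-list acl-in permit tcp any host Tivo01 eq 37 log",
    "access-list acl-in permit udp any host Tivo01 eq ntp log",
    "access-list acl-in permit icmp any host Tivo01 echo-reply log",
    "access-list acl-in deny ip any any log",
]

def logged_denies(acl_lines, flows):
    """Roughly what 'sh log | i Deny' surfaces: one line per logged deny.
    The line format is illustrative, not the PIX's real syslog text."""
    acl = [parse_ace(l) for l in acl_lines]
    out = []
    for f in flows:
        action, _, log = evaluate(acl, f)
        if action == "deny" and log:
            out.append(f"Deny {f.proto} src outside:{f.src}/{f.sport} dst inside:{f.dst}/{f.dport}")
    return out

def check_inbound_probes():
    flows = [  # constructed inbound packets
        Flow("tcp", "198.51.100.7", NAMES["Tivo01"], sport=5555, dport=37),             # permitted
        Flow("icmp", "198.51.100.7", NAMES["Tivo01"], sport=ICMP_TYPES["echo-reply"]),  # permitted
        Flow("tcp", "198.51.100.7", NAMES["Neptune"], sport=5555, dport=37),            # denied, logged
    ]
    return logged_denies(OUTSIDE_ACL, flows)

if __name__ == "__main__":
    print(check_tivo_time_request())  # ('deny', 'permit')
    print(*check_inbound_probes(), sep="\n")
```

Two things the evaluator leaves out on purpose. It has no translation step, whereas on a PIX the outside-interface ACL is matched against the global (translated) address, which is why the statics above pair with ACEs that name `interface outside` rather than the 192.168.1.11 address. It also has no connection table, so the return packets of a session the Tivo opened itself, which the PIX admits through its state table without any outside ACE, are not represented; that is the practical content of the last sentence in the reply above.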
