Unsecured firewall?

Unanswered Question
Jan 24th, 2008
This has to be an easy one...

I have it connected to DSL on a subnet

The main IP (113) needs to be stealthed with ssh open, 114 need asterisk on tcp 5060 open, everything else stealthed, 118 has a web server.

After 10 very difficult days with a new 877, I still cannot get the firewall to stealth mode only all ports closed. Also I cannot seem to be able to allow any 80 or 5060 traffic in.

The bits of my config are:

interface Dialer0
 description Internet
 ip address
 ip access-group 150 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 mypassword
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 5060 5060 extendable
ip nat inside source static tcp 80 80 extendable
!
logging trap debugging
!
access-list 1 remark NAT ACCESS
access-list 1 permit
access-list 23 remark MANAGEMENT LIST
access-list 23 permit
access-list 150 remark INBOUND CONNECTIONS
access-list 150 permit tcp any host eq www
access-list 150 permit ip any host
access-list 150 deny ip any
access-list 150 deny ip any
access-list 150 deny ip any
access-list 150 deny ip any
access-list 150 deny ip host any
access-list 150 deny ip host any
access-list 150 permit ip any any
!
dialer-list 1 protocol ip permit
no cdp run

(I still cannot find any docs on cisco.com that are in any way comprehensible)

BTW, SDM doesn't seem to work so I am forced into the rather cryptic CLI
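An added example of what the inbound policy described in the post could look like; it is not from the original post or from any reply. It assumes the routed DSL block is 203.0.113.112/29 (placeholder, so that .113, .114 and .118 are the router, the Asterisk box and the web server), that .114 and .118 are static NATs for inside hosts 192.168.1.14 and 192.168.1.18 (placeholders), and that the router's IOS supports the classic `ip inspect` firewall. The security-relevant point is the last line of the posted ACL 150: `permit ip any any` overrides every deny above it, and since IOS ACLs end in an implicit deny it is simply left out here.

```text
! Added example, not the poster's config. Placeholder addresses:
!   203.0.113.112/29 = DSL subnet, .113 router, .114 Asterisk, .118 web
!   192.168.1.14 / 192.168.1.18 = inside hosts behind the static NATs
!
! Static NATs for the two published services (addresses were elided in the post)
ip nat inside source static tcp 192.168.1.14 5060 203.0.113.114 5060 extendable
ip nat inside source static tcp 192.168.1.18 80 203.0.113.118 80 extendable
!
! Stateful return path for sessions started from the inside. Without this,
! an inbound ACL that no longer ends in "permit ip any any" also drops the
! replies to outbound connections, which is why people add that line.
ip inspect name FW tcp
ip inspect name FW udp
!
! Inbound policy on the Internet side: only the three advertised services
access-list 150 remark INBOUND CONNECTIONS
access-list 150 permit tcp any host 203.0.113.113 eq 22
access-list 150 permit tcp any host 203.0.113.114 eq 5060
access-list 150 permit tcp any host 203.0.113.118 eq www
! Anti-spoofing: our own block and RFC 1918 space never arrive from outside
access-list 150 deny ip 203.0.113.112 0.0.0.7 any log
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
! The implicit deny would follow anyway; an explicit logged one shows what is
! being dropped ("show access-list 150" / syslog) while troubleshooting.
access-list 150 deny ip any any log
!
interface Dialer0
 ip access-group 150 in
 ip inspect FW out
!
! Management over SSH only (needs "crypto key generate rsa" and a local user);
! plain-HTTP management is switched off, HTTPS stays limited by ACL 23.
ip ssh version 2
no ip http server
ip http secure-server
ip http access-class 23
line vty 0 4
 access-class 23 in
 transport input ssh
```

Only TCP 5060 is opened because that is what the post asks for; Asterisk SIP signalling is usually UDP 5060 and media needs the RTP port range as well, so expect to extend the .114 lines for a working phone system.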
jsivulka Wed, 01/30/2008 - 07:35
Basically what you will need to do varies a little depending on your setup, but you will need to set up an access-list to allow ports 5060, 80, 137, 138, and 139 through the PIX. Here is a design guide on it

On your config, I take it it is probably your WINS. I'm not sure who is the PDC and who is the WINS. Your ACLs are a little confusing because you have the same network in both parts of the ACL.

Since I cannot open the VSDs that you sent, I am not sure what you are referencing with the addresses.