Opening TCP Port 2001 on Cisco Pix 501

Unanswered Question
May 11th, 2010

Hi Everyone,

I have a Cisco PIX 501 sitting on our network, everything is working as it should and to be honest it's a great little firewall.

Following a recent upgrade to some in-house software we now require TCP port 2001 to be open, and I'm not 100% sure how to do this on the PIX.

A bit of setup information: we have a broadband connection, with a Netgear modem providing the connection. This has a firewall on which port 2001 is open and pointed to the Cisco PIX outside IP address. The PIX is connected to the Netgear modem, which provides the PIX with its outside address via DHCP; the Netgear is locked to only provide the PIX and can't allocate any other DHCP addresses.

The PIX is connected to our switch, which we have SBS 2008 connected to. The SBS server is the DHCP and DNS server for the internal network, and the firewall on the SBS server has port 2001 open. I have tested that the Netgear and server ports are open with a scanning tool and everything seems OK.

Now I have the hard bit, the PIX! I have an external address 80.176.xxx.xxx (the Netgear modem IP is 192.168.254.254). The PIX connects to the Netgear and is given the IP 192.168.254.2, so a forward rule is set up on the Netgear to forward TCP port 2001 from 80.176.xxx.xxx to 192.168.254.2 (PIX). The PIX displays on boot that the outside address is set to 192.168.254.2, so that bit's OK. How can I now let any comms on port 2001 through the PIX to my server at 192.168.3.10? Plus it needs to have access in both directions, i.e. from and to on port 2001.

Port 2001 needs to be open for remote access to wireless PDAs; we have an application that speaks to and from PDAs that are out on the road.

I'm sure someone can help, but as this is a live system I can't shut things down to play and learn.

Thanks in advance

stuart

Jennifer Halim Tue, 05/11/2010 - 06:08

Assuming that your server 192.168.3.10 is connected to the PIX inside interface, here is what you should configure:

static (inside,outside) tcp interface 2001 192.168.3.10 2001 netmask 255.255.255.255

On your outside interface ACL, you would need to add the following config:

access-list permit tcp any host 192.168.254.2 eq 2001

Also remember to "clear xlate" for the new static statement to work.

Hope that helps.

stuartcook180 Tue, 05/11/2010 - 06:59

Hi halijenn,

Thanks for your quick reply. I'm a bit lost on the ACL side of things, you say -

On your outside interface ACL, you would need to add the following config:

access-list permit tcp any host 192.168.254.2 eq 2001

I'm stuck at this. I'm not sure what this is, or if I need to create it?

The only similar command I can see from the console is:

access-list inside_outbound_nat0_acl permit ip any 192.168.3.128 255.255.255.192

So do I take it that the line you are saying to add should read

access-list inside_outbound permit tcp any host 192.168.254.2 eq 2001 ?

regards

stuart

Jennifer Halim Tue, 05/11/2010 - 14:56

For traffic from outside to inside, you would need to permit it via access-list. To check if you already have any access-list applied on the outside interface, please run: sh run access-group

If you have an access-list applied to the outside interface from the "sh run access-group" command, then use the same access-list name to add the traffic. Otherwise, please configure the following new access-list:

access-list outside-acl permit tcp any host 192.168.254.2 eq 2001

access-group outside-acl in interface outside

Further to that, I am suspicious of where ACL inside_outbound_nat0_acl is applied. If you can share the output of "sh run nat" that would be great, as there might be changes that need to be made to the static translation if the ACL inside_outbound_nat0_acl is applied as NAT exemption in the PIX.

stuartcook180 Wed, 05/12/2010 - 07:53

Hi Halijenn,

Hmm, I think I'm trying to read too much into it. Anyway, here is the current config. Hopefully you can make more sense of it.

stuart

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.3.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 192.168.3.128 255.255.255.192

access-list outside permit icmp any any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.3.128 255.255.255.192

access-list pda permit tcp any host 192.168.254.2 eq 2001     ********* I added this line *********
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp retry 4
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ssgvpn 192.168.3.150-192.168.3.160
pdm location 192.168.3.10 255.255.255.255 inside
pdm location 192.168.3.144 255.255.255.240 outside
pdm location 192.168.3.96 255.255.255.240 outside
pdm location 192.168.3.5 255.255.255.255 inside
pdm location 192.168.3.19 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.3.128 255.255.255.192 outside
pdm location 192.168.3.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 2001 192.168.3.10 2001 netmask 255.255.255.255 0 0     ********* line also added *********
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.254.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.10 255.255.255.255 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ssgremote dns-server 192.168.3.10 158.152.1.58
vpngroup ssgremote wins-server 192.168.3.10
vpngroup ssgremote default-domain securitygroup.local
vpngroup ssgremote idle-time 1800
vpngroup ssgremote password ********
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.3.0 255.255.255.255 inside
ssh timeout 15
management-access inside
console timeout 0
vpdn enable outside
dhcpd address 192.168.3.11-192.168.3.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username spare password 0eP33BzIfohZaQ4T encrypted privilege 15
username barry password lRoHa1IDh/.QEotQ encrypted privilege 15
username mick password pR5o9PdERRNwi74B encrypted privilege 15
username dave password hI2TZdKJ891kT9In encrypted privilege 15
username stuart password zg3TY7BAWEY8PNZ7 encrypted privilege 15
username gordon password qMRZ/tl0agJA9jn2 encrypted privilege 15
terminal width 80
Cryptochecksum:f869ce160b05f3574bc4c68a89cce67d
: end
[OK]
pixfirewall(config)#

Jennifer Halim Wed, 05/12/2010 - 21:16

You have created a new ACL called pda, however, your outside ACL is called outside.

Please kindly add the following instead:

access-list outside permit tcp any host 192.168.254.2 eq 2001

stuartcook180 Tue, 05/11/2010 - 07:23

Hi Halijen,

To try and understand what you kindly posted as a resolution I thought I would have a read of the manual. In the manual they also seem to list a command "access-group in interface outside"? Is this also required?

regards

stuart

hobbe Thu, 05/13/2010 - 01:54

Hi

The PIX only supports one access-list residing on incoming traffic on an interface.

Which access-list is used is controlled by the access-group command.

If you check your configuration it states:

-------

access-group outside in interface outside

-------

This means that the access-list applied to the incoming traffic of the outside interface is named outside.

It is what comes standard with the PIX, if I am not mistaken.

As an example, you could have named your access-list incoming; then the access-group command would have been

------

access-group incoming in interface outside

------

and since no one knows what your access-list name is, they state it like this.

They could just as easily have put

ACL is short for access-list.

An access-list is read from the top down, and the first rule that hits will apply; no other rule gets the chance.

If the matching goes through all of the rows in an access-list and none applies, the packet is dropped, i.e. not allowed through.

Remember the access-list is only applied to incoming traffic on the outside interface; it does not affect outgoing traffic, i.e. traffic that is leaving the PIX.

HTH
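The first-match, implicit-deny evaluation and the access-group binding that hobbe describes, modelled in Python as an added example (not from the thread or from Cisco). The config excerpt is constructed from the lines posted above; 203.0.113.5 is an assumed PDA source address, and the model only handles the `any` / `host` address forms used in those lines.

```python
"""Minimal model of PIX 6.3 inbound ACL evaluation: only the ACL named by
'access-group <name> in interface outside' is consulted, lines are read top
down, the first match decides, and no match means the packet is dropped."""
import re

# Constructed excerpt of the config posted in the thread: the 'pda' ACL exists
# but the access-group on the outside interface still points at 'outside'.
CONFIG = """
access-list outside permit icmp any any
access-list pda permit tcp any host 192.168.254.2 eq 2001
access-group outside in interface outside
"""
# Same excerpt with the fix suggested in the thread: add the rule to 'outside'.
FIXED = CONFIG + "access-list outside permit tcp any host 192.168.254.2 eq 2001\n"

ACL_RE = re.compile(
    r"^access-list (\S+) (permit|deny) (\S+) (any|host \S+) (any|host \S+)(?: eq (\d+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def parse(config):
    """Return ({acl_name: [rules]}, {interface: acl_name}) from config text."""
    acls, bindings = {}, {}
    for line in config.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, action, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append((action, proto, src, dst, port))
            continue
        g = GROUP_RE.match(line.strip())
        if g:
            bindings[g.group(2)] = g.group(1)   # interface -> ACL name
    return acls, bindings

def _addr_match(spec, addr):
    return spec == "any" or spec.split()[1] == addr

def evaluate(acls, bindings, iface, proto, src, dst, dport=None):
    """Walk the ACL bound to iface top down; first hit decides, else implicit deny."""
    name = bindings.get(iface)
    if name is None:
        return "deny (no access-group on interface)"
    for action, r_proto, r_src, r_dst, r_port in acls.get(name, []):
        if r_proto not in ("ip", proto):
            continue
        if not (_addr_match(r_src, src) and _addr_match(r_dst, dst)):
            continue
        if r_port is not None and str(dport) != r_port:
            continue
        return action           # first matching line wins
    return "deny (implicit)"    # fell off the end of the list

def pda_allowed(config=CONFIG):
    """Would an inbound TCP/2001 connection from a PDA reach the PIX outside address?"""
    acls, bindings = parse(config)
    return evaluate(acls, bindings, "outside", "tcp", "203.0.113.5", "192.168.254.2", 2001)
```

With CONFIG the 'pda' ACL is never consulted and the connection hits the implicit deny; with FIXED the new 'outside' line permits it while port 2002 is still dropped.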
