PIX 515: Help adding a line to the access list

Unanswered Question
Sep 16th, 2010

Hi, I need to open a port on a PIX 515.


Please can someone explain what I should be entering including the commands.


For the purposes of the explanation (so I can understand it) I've given the different elements the following IPs:

Port = PPPPP

Destination IP that the machines on my network will be contacting: XXX.XXX.XXX.XXX

The workstation on my network: YYY.YYY.YYY.YYY

PIX IP: ZZZ.ZZZ.ZZZ.ZZZ


I have logged onto the PIX via HyperTerminal.


Thanks for your help.

Marcin Latosiewicz Thu, 09/16/2010 - 02:50

Hmmmmmm, wouldn't it be better to use ASDM or PDM if you don't know how to do it from the CLI?

What's the software version?


7.0+ versions support the "line" argument when defining access-list entries.


Marcin

salixcapital Thu, 09/16/2010 - 03:03

I'm on 6.3


I can access the list and add the entry (I think), but how do I then save it? Does the firewall need a power cycle for it to work, or will 'reload' work?

salixcapital Thu, 09/16/2010 - 03:24

write term brings up a long access list for in and out, but show access-lists in only has two lines in it. How can this be?

salixcapital Thu, 09/16/2010 - 03:42

The entries come up in the in and out access lists, but the port is still closed.

salixcapital Thu, 09/16/2010 - 03:44

This firewall has been inherited from an umbrella company that we no longer work with, so I'm guessing a lot of the entries are redundant.


access-list acl_in permit tcp any any eq www

access-list acl_in permit tcp any any eq ftp

access-list acl_in permit tcp any any eq ftp-data

access-list acl_in permit tcp any any eq https

access-list acl_in remark Cearbhall: CITADEL

access-list acl_in permit tcp any any eq 504

access-list acl_in permit tcp any any eq 3389

access-list acl_in permit udp any any eq domain log

access-list acl_in permit tcp host Sloop any eq smtp

access-list acl_in permit udp any any range 8194 8294

access-list acl_in remark Cearbhall, 14-Jan. SIP UDP Range

access-list acl_in permit udp any any range 10000 32766

access-list acl_in permit tcp any any eq 15443

access-list acl_in permit tcp any any eq 16443

access-list acl_in permit tcp any any eq 17443

access-list acl_in permit tcp any any eq 18443

access-list acl_in permit udp any any eq 4901

access-list acl_in permit tcp any any eq 5060

access-list acl_in permit udp any any eq 5060

access-list acl_in permit udp any any eq 5061

access-list acl_in permit udp any any eq 5004

access-list acl_in permit udp any any range 16348 32766

access-list acl_in permit udp any any eq 5961

access-list acl_in permit udp any any eq 7311

access-list acl_in permit udp any any eq 7312

access-list acl_in permit udp any any eq 7315

access-list acl_in permit udp any any range 7200 7205

access-list acl_in permit udp any any range 5800 5900

access-list acl_in permit tcp any any eq pop3

access-list acl_in remark Cearbhall. 17-Jan

access-list acl_in permit tcp any any eq imap4

access-list acl_in permit tcp any any eq pcanywhere-data

access-list acl_in permit tcp any any eq 5632

access-list acl_in permit tcp any any eq 32761

access-list acl_in permit tcp any any range 7070 7071

access-list acl_in permit tcp any any eq 554

access-list acl_in remark SAMBA at TCP/139

access-list acl_in permit tcp any any range 135 netbios-ssn

access-list acl_in permit tcp any any range 1225 1226

access-list acl_in permit tcp any any eq pptp

access-list acl_in permit tcp any any range 2189 2196

access-list acl_in permit tcp any any eq 13678

access-list acl_in permit tcp any any eq 7443

access-list acl_in permit udp any any eq 7443

access-list acl_in permit tcp any any eq 27524

access-list acl_in permit tcp any any range 8194 8294

access-list acl_in permit tcp any any eq smtp

access-list acl_in permit tcp any any eq telnet

access-list acl_in permit tcp any any eq 4899

access-list acl_in permit tcp any any eq citrix-ica

access-list acl_in permit tcp any any range 5800 5900

access-list acl_in permit tcp any any range 3230 3235

access-list acl_in permit udp any any eq 1720

access-list acl_in permit tcp any any eq h323

access-list acl_in permit tcp any any eq 11000

access-list acl_in permit tcp any any eq 4600

access-list acl_in permit udp any any eq 4600

access-list acl_in permit tcp any any range 4001 4002

access-list acl_in permit tcp any any eq 2147

access-list acl_in permit udp any any range 3230 3253

access-list acl_in permit tcp any any eq 8080

access-list acl_in permit tcp any any eq 1503

access-list acl_in permit tcp any any range 3230 3253

access-list acl_in permit tcp any any eq nntp

access-list acl_in permit tcp any any eq 1863

access-list acl_in permit tcp any any range 27030 27039

access-list acl_in permit udp any any range 27000 27015

access-list acl_in permit udp any any eq 1200

access-list acl_in permit tcp any any eq 81

access-list acl_in permit tcp any any eq 465

access-list acl_in permit tcp any any eq 995

access-list acl_in permit udp any any eq 62515

access-list acl_in permit tcp any any eq 10000

access-list acl_in permit udp any any eq 4500

access-list acl_in permit tcp any any range 5101 5102

access-list acl_in permit udp any any range 5101 5102

access-list acl_in permit tcp any any eq 37777

access-list acl_in permit udp any any eq 37777

access-list acl_in permit tcp any any eq aol

access-list acl_in permit udp any any eq isakmp

access-list acl_in permit esp any any

access-list acl_in permit tcp any any eq 38000

access-list acl_in remark Allow ICMP TO DMZ

access-list acl_in permit icmp 10.10.0.0 255.255.255.0 host 10.10.1.95

access-list acl_in permit tcp 10.10.0.0 255.255.255.0 host 10.10.1.95 eq telnet


access-list acl_in permit tcp 10.10.0.0 255.255.255.0 host 10.10.1.95 eq ssh

access-list acl_in permit udp any any eq tftp

access-list acl_in remark MONDAY

access-list acl_in permit udp any any range 5060 5064

access-list acl_in permit tcp any any eq domain log

access-list acl_in permit udp any any eq ntp

access-list acl_in permit tcp any any eq ssh

access-list acl_in permit tcp any any eq 2443

access-list acl_in permit tcp any any eq 2000

access-list acl_in permit tcp any any eq 585

access-list acl_in permit tcp any any eq 998

access-list acl_in permit icmp any any

access-list acl_in permit udp any any eq 5036

access-list acl_in permit udp any any eq 4569

access-list acl_in permit udp any any range 48129 65534

access-list acl_in permit tcp any any eq 12328


access-list acl_out permit tcp any host 83.71.190.91 eq www

access-list acl_out permit tcp any host 83.71.190.91 range 3230 3235

access-list acl_out permit udp any host 83.71.190.91 range 3230 3247

access-list acl_out permit tcp any host 83.71.190.91 eq h323

access-list acl_out permit tcp any host 83.71.190.91 range 3230 3253

access-list acl_out remark AWFUL SECURITY. TIDY UP. 22-JAN

access-list acl_out permit ip any host Barge

access-list acl_out remark AWFUL SECURITY - Tidy up. 22-JAN

access-list acl_out permit icmp any host Barge

access-list acl_out remark TFTP Server (for SIP downloads, etc)

access-list acl_out permit udp any eq tftp any

access-list acl_out remark TFTP Server (for SIP downloads, etc) - Ceatbhall 14-Jan

access-list acl_out permit udp any any eq tftp

access-list acl_out remark Cisco 7960 Phone settings.

access-list acl_out permit udp any any range 16384 32766

access-list acl_out permit tcp any eq ssh any

access-list acl_out remark Cearbhall, MONDAY

access-list acl_out remark Cearbhall, JAN 16 - WEBMIN

access-list acl_out permit tcp any eq 10000 any

access-list acl_out remark Cearbhall, JAN 16 - WUsage

access-list acl_out permit tcp any eq 2396 any

access-list acl_out remark Cearbhall, JAN 14

access-list acl_out permit tcp any eq https any

access-list acl_out remark Cearbhall, JAN 14

access-list acl_out permit tcp any eq www any

access-list acl_out remark Cearbhall, JAN-17

access-list acl_out permit tcp any eq imap4 any

access-list acl_out remark MONDAY

access-list acl_out remark MONDAY

access-list acl_out remark MONDAY - ssh

access-list acl_out permit tcp any eq ssh any eq ssh

access-list acl_out permit tcp any any eq 504

access-list acl_out permit tcp any any eq 2000

access-list acl_out permit tcp any any eq 2443

access-list acl_out permit tcp any any eq imap4

access-list acl_out permit tcp any any eq 465

access-list acl_out permit tcp any any eq 585

access-list acl_out permit tcp any any eq 998

access-list acl_out permit tcp any any eq https

access-list acl_out permit icmp any any

access-list acl_out permit udp any any eq domain

access-list acl_out permit udp any any range 10000 32766

access-list acl_out permit udp any any eq 5004

access-list acl_out permit udp any any eq 5036

access-list acl_out permit udp any any eq 4569

access-list acl_out permit icmp any host 87.198.182.67

access-list acl_out permit tcp any host 87.198.182.67 eq telnet

access-list acl_out permit tcp any host 87.198.182.67 eq www

access-list acl_out permit tcp any host 87.198.182.67 eq domain

access-list acl_out permit tcp any host 87.198.182.67 eq ssh

access-list acl_out permit tcp any host 87.198.182.67 eq smtp

access-list acl_out permit tcp any host 87.198.182.67 eq https

access-list acl_out remark Allow IMAP4 IN TO DMZ SERVER SLOOP

access-list acl_out permit tcp any host 87.198.182.67 eq imap4

access-list acl_out remark Allow POP3 IN TO DMZ SERVER SLOOP

access-list acl_out permit tcp any host 87.198.182.67 eq pop3

access-list acl_out remark Allow CITADEL IN TO DMZ SERVER SLOOP

access-list acl_out permit tcp any host 87.198.182.67 eq 504

access-list acl_out remark Allow FTP IN TO DMZ SERVER SLOOP

access-list acl_out permit tcp any host 87.198.182.67 eq ftp

access-list acl_out remark Allow TFTP IN TO DMZ SERVER SLOOP - Cearbhall 14-Jan

access-list acl_out permit udp any host 87.198.182.67 eq tftp

access-list acl_out remark Allow FTP-DATA IN TO DMZ SERVER SLOOP

access-list acl_out permit tcp any host 87.198.182.67 eq ftp-data

access-list acl_out remark MONDAY

access-list acl_out permit tcp any host 87.198.182.67 range 5060 5064

access-list acl_out remark MONDAY

access-list acl_out permit udp any host 87.198.182.67 range 16348 32766

access-list acl_out permit udp any host 87.198.182.67 range 5060 5064

access-list acl_out permit udp any any range 48129 65534

access-list acl_out permit tcp any any eq 12328


access-list DMZ_access_in permit tcp host 10.10.1.95 any eq telnet

access-list DMZ_access_in permit tcp host 10.10.1.95 eq www any

access-list DMZ_access_in remark Cearbhall. 18-Jan (FUNAMBOL)

access-list DMZ_access_in permit tcp host 10.10.1.95 eq 8080 any

access-list DMZ_access_in remark Cearbhall. 18-Jan (SAMBA)

access-list DMZ_access_in permit tcp host 10.10.1.95 eq 8080 any range 137 netbios-ssn

access-list DMZ_access_in remark Cearbhall. 18-Jan (SAMBA)

access-list DMZ_access_in permit udp host 10.10.1.95 any range netbios-ns 139

access-list DMZ_access_in remark Cearbhall. 18-Jan (SAMBA)

access-list DMZ_access_in permit udp host 10.10.1.95 any eq 445

access-list DMZ_access_in remark Cearbhall. 18-Jan (SAMBA)

access-list DMZ_access_in permit tcp host 10.10.1.95 object-group Sloop any eq 445

access-list DMZ_access_in remark Cearbhall. 24-Jan (LDAP)

access-list DMZ_access_in permit tcp host 10.10.1.95 any eq ldap

access-list DMZ_access_in permit tcp host 10.10.1.95 eq https any

access-list DMZ_access_in remark Cearbhall. 14-Jan

access-list DMZ_access_in permit tcp host 10.10.1.95 any eq imap4

access-list DMZ_access_in remark Cearbhall. 14-Jan Part II

access-list DMZ_access_in permit tcp host 10.10.1.95 eq imap4 any

access-list DMZ_access_in permit tcp host 10.10.1.95 eq domain any

access-list DMZ_access_in permit tcp host 10.10.1.95 10.10.0.0 255.255.255.0 eq telnet

access-list DMZ_access_in permit tcp host 10.10.1.95 10.10.0.0 255.255.255.0 eq ssh log

access-list DMZ_access_in permit tcp host 10.10.1.95 eq ssh any

access-list DMZ_access_in permit icmp host 10.10.1.95 any

access-list DMZ_access_in remark Allow ALL OUT from  DMZ to SERVER SLOOP

access-list DMZ_access_in permit ip host 10.10.1.95 any

access-list DMZ_access_in permit ip host 10.10.1.95 10.10.0.0 255.255.255.0

access-list DMZ_access_in remark COD 22_JAN (Allow ICMP from DMZ - Inside)

access-list DMZ_access_in permit tcp any any eq imap4

access-list DMZ_access_in permit tcp any any eq 465

access-list DMZ_access_in permit tcp any any eq 585

access-list DMZ_access_in permit tcp any any eq 998

access-list DMZ_access_in permit tcp any any eq smtp

access-list DMZ_access_in permit icmp any any

access-list DMZ_access_in permit udp any any eq domain

access-list DMZ_access_in permit udp any any range 10000 32766

access-list DMZ_access_in permit tcp any any range 5059 5064

access-list DMZ_access_in permit udp any any eq tftp

access-list DMZ_access_in permit udp any any range 16384 32766

access-list DMZ_access_in permit udp any any eq 5004

access-list DMZ_access_in permit udp any any eq 4569

access-list DMZ_access_in permit udp any any eq 5036

access-list acl-in remark Cearbhall SSH 26-JAN

access-list acl-in permit tcp any any eq ssh
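
The lists above are long enough that "the entry is there but the port is still closed" is hard to reason about by eye. As an added example (not code from the thread, the PIX or the poster), the Python below applies the PIX first-match rule to an excerpt of the posted entries (wrapped lines rejoined): it reports which entry in acl_in decides a given outbound flow, for instance TCP from a 10.10.0.0/24 workstation to port 12328, or the implicit deny at the end of the list if nothing matches, and it lints the excerpt for permit-any-any entries, for names the PIX resolves through `name` or `object-group` definitions that the script cannot (Sloop, Barge), and for list names that differ only by hyphen versus underscore (the `acl-in` entries at the end of the paste are a separate list from the `acl_in` that `show access-group` shows bound to the inside interface). The port-name table and the sample addresses 10.10.0.50 and 203.0.113.10 are assumptions.

```python
# PIX 6.3-style access-list evaluation: first match wins, unmatched traffic hits the
# implicit deny. Added example for this thread, not code from the PIX or the poster.
import ipaddress
from collections import namedtuple
from typing import Optional, Union

# Service keywords used in the posted lists -> IANA ports (assumed table, extend as needed).
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20, "smtp": 25, "domain": 53,
              "ssh": 22, "telnet": 23, "pop3": 110, "imap4": 143, "tftp": 69, "ntp": 123,
              "netbios-ns": 137, "netbios-ssn": 139, "isakmp": 500, "h323": 1720, "ldap": 389}
Addr = Union[None, ipaddress.IPv4Network, str]  # None = any; str = name/group we cannot resolve
Ports = Union[None, tuple, str]                 # None = any port; (lo, hi); str = service group
Ace = namedtuple("Ace", "acl action proto src sport dst dport raw")

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(t: list, i: int) -> tuple:
    if t[i] == "any":
        return None, i + 1
    if t[i] in ("host", "object-group"):
        try:
            return ipaddress.ip_network(t[i + 1]), i + 2  # host 10.10.1.95 -> /32
        except ValueError:
            return t[i + 1], i + 2                        # 'host Sloop' or a network group
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2  # addr mask

def _ports(t: list, i: int, last: bool) -> tuple:
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]), _port(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    # 'object-group X' in the source-port slot is a service group only when an address
    # follows it (otherwise X is the destination network); after the destination it must be.
    if i < len(t) and t[i] == "object-group" and (last or (
            i + 2 < len(t) and (t[i + 2] in ("any", "host") or t[i + 2][0].isdigit()))):
        return t[i + 1], i + 2
    return None, i

def parse_config(text: str) -> list:
    """Parse 'access-list NAME permit|deny PROTO SRC [ports] DST [ports] [log]'; skip remarks."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _ports(t, i, last=False)
        dst, i = _addr(t, i)
        dport, _ = _ports(t, i, last=True)  # a trailing 'log' keyword is ignored
        aces.append(Ace(t[1], t[2], t[3], src, sport, dst, dport, line.strip()))
    return aces

def _addr_hit(spec: Addr, ip: str) -> bool:  # unresolved names (str) never match; lint() reports them
    return spec is None or (not isinstance(spec, str) and ipaddress.ip_address(ip) in spec)

def _port_hit(spec: Ports, port: Optional[int]) -> bool:
    return spec is None or (isinstance(spec, tuple) and port is not None and spec[0] <= port <= spec[1])

def first_match(aces: list, acl: str, proto: str, src: str, sport: Optional[int],
                dst: str, dport: Optional[int]) -> Optional[Ace]:
    """Return the ACE that decides this flow in list `acl`, or None for the implicit deny."""
    for a in aces:
        if (a.acl == acl and a.proto in ("ip", proto) and _addr_hit(a.src, src)
                and _port_hit(a.sport, sport) and _addr_hit(a.dst, dst)
                and _port_hit(a.dport, dport)):
            return a
    return None

def lint(aces: list) -> list:
    """Flag permit-any-any entries, unresolved names and list names differing only by '-'/'_'."""
    findings, by_norm = [], {}
    for a in aces:
        by_norm.setdefault(a.acl.replace("-", "_"), set()).add(a.acl)
        if a.action == "permit" and a.src is None and a.dst is None:
            findings.append(f"{a.acl}: permit from any to any: {a.raw}")
        for part in (a.src, a.sport, a.dst, a.dport):
            if isinstance(part, str):
                findings.append(f"{a.acl}: unresolved name/object-group '{part}' in: {a.raw}")
    for names in by_norm.values():
        if len(names) > 1:
            findings.append("list names differ only by '-' vs '_' (only the one bound with "
                            "access-group is enforced): " + ", ".join(sorted(names)))
    return findings

# Excerpt of the lists posted above (wrapped lines rejoined); the remark is skipped by the parser.
SAMPLE = """\
access-list acl_in permit tcp any any eq www
access-list acl_in remark Cearbhall: CITADEL
access-list acl_in permit tcp host Sloop any eq smtp
access-list acl_in permit udp any any range 10000 32766
access-list acl_in permit tcp 10.10.0.0 255.255.255.0 host 10.10.1.95 eq ssh
access-list acl_in permit tcp any any eq domain log
access-list acl_in permit icmp any any
access-list acl_in permit tcp any any eq 12328
access-list acl_out permit ip any host Barge
access-list DMZ_access_in permit tcp host 10.10.1.95 object-group Sloop any eq 445
access-list acl-in permit tcp any any eq ssh
"""

if __name__ == "__main__":  # 10.10.0.50 and 203.0.113.10 are made-up sample addresses
    aces = parse_config(SAMPLE)
    hit = first_match(aces, "acl_in", "tcp", "10.10.0.50", 40000, "203.0.113.10", 12328)
    print("inside -> tcp/12328:", hit.raw if hit else "implicit deny")
    print(*lint(aces), sep="\n")
```

On the firewall itself the equivalent check is `show access-list acl_in`: the `hitcnt=` counter on the `eq 12328` entry should increment when a client attempts the connection. If it does, the access list is not what blocks the flow and the `nat`/`global` pair is the next thing to look at.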

salixcapital Thu, 09/16/2010 - 05:09

PIX(config)# show interface

interface ethernet0 "outside" is up, line protocol is up

  Hardware is i82559 ethernet, address is 0003.6bf7.2e54

  IP address 87.198.182.66, subnet mask 255.255.255.240

  MTU 1500 bytes, BW 100000 Kbit full duplex

        760661 packets input, 189581999 bytes, 0 no buffer

        Received 119 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        447171 packets output, 44433633 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 0 deferred

        0 lost carrier, 0 no carrier

        input queue (curr/max blocks): hardware (128/128) software (0/18)

        output queue (curr/max blocks): hardware (0/34) software (0/1)

interface ethernet1 "inside" is up, line protocol is up

  Hardware is i82559 ethernet, address is 0003.6bf7.2e55

  IP address 10.10.0.7, subnet mask 255.255.255.0

  MTU 1500 bytes, BW 100000 Kbit full duplex

        581199 packets input, 53428322 bytes, 0 no buffer

        Received 1004 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        871046 packets output, 211157320 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 0 deferred

        0 lost carrier, 0 no carrier

        input queue (curr/max blocks): hardware (128/128) software (0/69)

        output queue (curr/max blocks): hardware (1/70) software (0/1)

interface ethernet2 "DMZ" is up, line protocol is down

  Hardware is i82559 ethernet, address is 0002.b3cd.97df

  IP address 10.10.1.1, subnet mask 255.255.255.0

  MTU 1500 bytes, BW 10000 Kbit half duplex

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        1323 packets output, 79380 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

<--- More --->


acl_in and acl_out are the 2 access lists that I need to implement.


Which interface should they be added to, and which commands should I enter to do so?


Thanks, I'm new to all this.

salixcapital Thu, 09/16/2010 - 05:16

PIX1# show access-group

access-group acl_out in interface outside

access-group acl_in in interface inside

access-group DMZ_access_in in interface DMZ


They seem to be implemented but the port is still closed (port 12328)

Nagaraja Thanthry Thu, 09/16/2010 - 05:34

Hello,


What is the direction of the traffic? Are you trying to open the port from inside clients to the internet (the server is on the internet), or are you trying to open the port for internet clients (the server is in your network)? If you are trying to do the latter, then you need to have a NAT statement mapping the server to a publicly routable IP.


static (inside,dmz) tcp interface 12368 12368 netmask 255.255.255.255


If you would like to use a different IP than the interface IP, then


static (inside,dmz) tcp xxx.yyy.zzz.kkk 12368 12368 netmask 255.255.255.255


Your access-list is already allowing the traffic. So, once you have the NAT statement, it should work fine.


Regards,


NT

salixcapital Thu, 09/16/2010 - 05:39

I'm trying to open the port so users on my network can use a demo of some trading software which needs to access a remote server across the internet.

Jon Marshall Thu, 09/16/2010 - 07:51

Can your users access the Internet normally via this PIX?


Are you sure the port is TCP and not UDP?


Jon

salixcapital Thu, 09/16/2010 - 07:54

I've added both to see if it would make a difference, and it didn't.

Jon Marshall Thu, 09/16/2010 - 07:57

Are you seeing hits on the rule in your ACL applied to the inside interface?


How does the software work? i.e. is it a normal client/server app, or does it do something funny like try to initiate a connection back to your clients?


Have you spoken to the company hosting the software to see if they can see requests coming from your public IP ?


My previous question about general internet access was to make sure NAT is setup correctly. Perhaps you could post the NAT config ?


Jon

salixcapital Thu, 09/16/2010 - 08:17

PIX# show NAT

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (DMZ) 1 10.10.0.0 255.255.255.0 0 0




PIX(config)# show access-list inside_outbound_nat0_acl

access-list inside_outbound_nat0_acl turbo-configured; 1 elements

access-list inside_outbound_nat0_acl line 1 permit ip 10.10.0.0 255.255.255.0 10.10.0.0 255.255.255.0 (hitcnt=110)



Is show NAT the right command?

Jon Marshall Thu, 09/16/2010 - 08:23

salixcapital wrote:



PIX# show NAT

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (DMZ) 1 10.10.0.0 255.255.255.0 0 0




PIX(config)# show access-list inside_outbound_nat0_acl

access-list inside_outbound_nat0_acl turbo-configured; 1 elements

access-list inside_outbound_nat0_acl line 1 permit ip 10.10.0.0 255.255.255.0 10.10.0.0 255.255.255.0 (hitcnt=110)



Is show NAT the right command?


Yes, as long as you have something like -


global (outside) 1 interface or


global (outside) 1


Jon

salixcapital Thu, 09/16/2010 - 08:25

So does that look correct in my case?


Will I just post the entire 'write term'?

Jon Marshall Thu, 09/16/2010 - 08:48

It looks fine. Can your internal users access internet web sites?


Other than that, you can run debug on the PIX to see if the packet is leaving your PIX and if you are receiving anything in return, e.g.


debug packet outside dst     <-- this should show you packets leaving your pix when an internal client tries to connect to the remote server


debug packet outside src   <--- this should show you packets arriving at the outside interface of your pix from the remote server


However, be careful with debug. You don't want to run it during peak hours; best to test out of core hours.


Jon
