PIX 515: Help adding a line to the access list

salixcapital
Level 1

Hi, I need to open a port on a PIX 515.

Please can someone explain what I should be entering including the commands.


For the purposes of the explanation (so I can understand it) I've given the different elements the following IPs:

Port = PPPPP

Destination IP that the machines on my network will be contacting: XXX.XXX.XXX.XXX

The workstation on my network: YYY.YYY.YYY.YYY

PIX IP: ZZZ.ZZZ.ZZZ.ZZZ

I have logged onto the PIX via Hyperterminal.

Thanks for your help.

19 Replies

Marcin Latosiewicz
Cisco Employee

Hmmmmmm wouldn't it be better to use ASDM or PDM if you don't know how to do it from CLI?

What's the software version?

7.0+ versions support "line" argument when defining access-list entries.

Marcin

I'm on 6.3

I can access the list and add the entry (I think) but how do I then save it? Does the firewall need a power cycle for it to work or will 'reload' work?

I don't see why a reload would be needed.

I've checked the command reference for 6.3

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1067755

It does support the "line" argument.

access-list NAME line X permit/deny etc etc....

write term brings up a long access list for in and out but show access-lists only has two lines in it. How can this be?

Show us the running config :-)

The entries appear in the in and out access lists but the port is still closed.

This firewall has been inherited from an umbrella company that we no longer work with, so I'm guessing a lot of the entries are redundant.


access-list acl_in permit tcp any any eq www
access-list acl_in permit tcp any any eq ftp
access-list acl_in permit tcp any any eq ftp-data
access-list acl_in permit tcp any any eq https
access-list acl_in remark Cearbhall: CITADEL
access-list acl_in permit tcp any any eq 504
access-list acl_in permit tcp any any eq 3389
access-list acl_in permit udp any any eq domain log
access-list acl_in permit tcp host Sloop any eq smtp
access-list acl_in permit udp any any range 8194 8294
access-list acl_in remark Cearbhall, 14-Jan. SIP UDP Range
access-list acl_in permit udp any any range 10000 32766
access-list acl_in permit tcp any any eq 15443
access-list acl_in permit tcp any any eq 16443
access-list acl_in permit tcp any any eq 17443
access-list acl_in permit tcp any any eq 18443
access-list acl_in permit udp any any eq 4901
access-list acl_in permit tcp any any eq 5060
access-list acl_in permit udp any any eq 5060
access-list acl_in permit udp any any eq 5061
access-list acl_in permit udp any any eq 5004
access-list acl_in permit udp any any range 16348 32766
access-list acl_in permit udp any any eq 5961
access-list acl_in permit udp any any eq 7311
access-list acl_in permit udp any any eq 7312
access-list acl_in permit udp any any eq 7315
access-list acl_in permit udp any any range 7200 7205
access-list acl_in permit udp any any range 5800 5900
access-list acl_in permit tcp any any eq pop3
access-list acl_in remark Cearbhall. 17-Jan
access-list acl_in permit tcp any any eq imap4
access-list acl_in permit tcp any any eq pcanywhere-data
access-list acl_in permit tcp any any eq 5632
access-list acl_in permit tcp any any eq 32761
access-list acl_in permit tcp any any range 7070 7071
access-list acl_in permit tcp any any eq 554
access-list acl_in remark SAMBA at TCP/139
access-list acl_in permit tcp any any range 135 netbios-ssn
access-list acl_in permit tcp any any range 1225 1226
access-list acl_in permit tcp any any eq pptp
access-list acl_in permit tcp any any range 2189 2196
access-list acl_in permit tcp any any eq 13678
access-list acl_in permit tcp any any eq 7443
access-list acl_in permit udp any any eq 7443
access-list acl_in permit tcp any any eq 27524
access-list acl_in permit tcp any any range 8194 8294
access-list acl_in permit tcp any any eq smtp
access-list acl_in permit tcp any any eq telnet
access-list acl_in permit tcp any any eq 4899
access-list acl_in permit tcp any any eq citrix-ica
access-list acl_in permit tcp any any range 5800 5900
access-list acl_in permit tcp any any range 3230 3235
access-list acl_in permit udp any any eq 1720
access-list acl_in permit tcp any any eq h323
access-list acl_in permit tcp any any eq 11000
access-list acl_in permit tcp any any eq 4600
access-list acl_in permit udp any any eq 4600
access-list acl_in permit tcp any any range 4001 4002
access-list acl_in permit tcp any any eq 2147
access-list acl_in permit udp any any range 3230 3253
access-list acl_in permit tcp any any eq 8080
access-list acl_in permit tcp any any eq 1503
access-list acl_in permit tcp any any range 3230 3253
access-list acl_in permit tcp any any eq nntp
access-list acl_in permit tcp any any eq 1863
access-list acl_in permit tcp any any range 27030 27039
access-list acl_in permit udp any any range 27000 27015
access-list acl_in permit udp any any eq 1200
access-list acl_in permit tcp any any eq 81
access-list acl_in permit tcp any any eq 465
access-list acl_in permit tcp any any eq 995
access-list acl_in permit udp any any eq 62515
access-list acl_in permit tcp any any eq 10000
access-list acl_in permit udp any any eq 4500
access-list acl_in permit tcp any any range 5101 5102
access-list acl_in permit udp any any range 5101 5102
access-list acl_in permit tcp any any eq 37777
access-list acl_in permit udp any any eq 37777
access-list acl_in permit tcp any any eq aol
access-list acl_in permit udp any any eq isakmp
access-list acl_in permit esp any any
access-list acl_in permit tcp any any eq 38000
access-list acl_in remark Allow ICMP TO DMZ
access-list acl_in permit icmp 10.10.0.0 255.255.255.0 host 10.10.1.95
access-list acl_in permit tcp 10.10.0.0 255.255.255.0 host 10.10.1.95 eq telnet
access-list acl_in permit tcp 10.10.0.0 255.255.255.0 host 10.10.1.95 eq ssh
access-list acl_in permit udp any any eq tftp
access-list acl_in remark MONDAY
access-list acl_in permit udp any any range 5060 5064
access-list acl_in permit tcp any any eq domain log
access-list acl_in permit udp any any eq ntp
access-list acl_in permit tcp any any eq ssh
access-list acl_in permit tcp any any eq 2443
access-list acl_in permit tcp any any eq 2000
access-list acl_in permit tcp any any eq 585
access-list acl_in permit tcp any any eq 998
access-list acl_in permit icmp any any
access-list acl_in permit udp any any eq 5036
access-list acl_in permit udp any any eq 4569
access-list acl_in permit udp any any range 48129 65534
access-list acl_in permit tcp any any eq 12328
access-list acl_out permit tcp any host 83.71.190.91 eq www
access-list acl_out permit tcp any host 83.71.190.91 range 3230 3235
access-list acl_out permit udp any host 83.71.190.91 range 3230 3247
access-list acl_out permit tcp any host 83.71.190.91 eq h323
access-list acl_out permit tcp any host 83.71.190.91 range 3230 3253
access-list acl_out remark AWFUL SECURITY. TIDY UP. 22-JAN
access-list acl_out permit ip any host Barge
access-list acl_out remark AWFUL SECURITY - Tidy up. 22-JAN
access-list acl_out permit icmp any host Barge
access-list acl_out remark TFTP Server (for SIP downloads, etc)
access-list acl_out permit udp any eq tftp any
access-list acl_out remark TFTP Server (for SIP downloads, etc) - Ceatbhall 14-Jan
access-list acl_out permit udp any any eq tftp
access-list acl_out remark Cisco 7960 Phone settings.
access-list acl_out permit udp any any range 16384 32766
access-list acl_out permit tcp any eq ssh any
access-list acl_out remark Cearbhall, MONDAY
access-list acl_out remark Cearbhall, JAN 16 - WEBMIN
access-list acl_out permit tcp any eq 10000 any
access-list acl_out remark Cearbhall, JAN 16 - WUsage
access-list acl_out permit tcp any eq 2396 any
access-list acl_out remark Cearbhall, JAN 14
access-list acl_out permit tcp any eq https any
access-list acl_out remark Cearbhall, JAN 14
access-list acl_out permit tcp any eq www any
access-list acl_out remark Cearbhall, JAN-17
access-list acl_out permit tcp any eq imap4 any
access-list acl_out remark MONDAY
access-list acl_out remark MONDAY
access-list acl_out remark MONDAY - ssh
access-list acl_out permit tcp any eq ssh any eq ssh
access-list acl_out permit tcp any any eq 504
access-list acl_out permit tcp any any eq 2000
access-list acl_out permit tcp any any eq 2443
access-list acl_out permit tcp any any eq imap4
access-list acl_out permit tcp any any eq 465
access-list acl_out permit tcp any any eq 585
access-list acl_out permit tcp any any eq 998
access-list acl_out permit tcp any any eq https
access-list acl_out permit icmp any any
access-list acl_out permit udp any any eq domain
access-list acl_out permit udp any any range 10000 32766
access-list acl_out permit udp any any eq 5004
access-list acl_out permit udp any any eq 5036
access-list acl_out permit udp any any eq 4569
access-list acl_out permit icmp any host 87.198.182.67
access-list acl_out permit tcp any host 87.198.182.67 eq telnet
access-list acl_out permit tcp any host 87.198.182.67 eq www
access-list acl_out permit tcp any host 87.198.182.67 eq domain
access-list acl_out permit tcp any host 87.198.182.67 eq ssh
access-list acl_out permit tcp any host 87.198.182.67 eq smtp
access-list acl_out permit tcp any host 87.198.182.67 eq https
access-list acl_out remark Allow IMAP4 IN TO DMZ SERVER SLOOP
access-list acl_out permit tcp any host 87.198.182.67 eq imap4
access-list acl_out remark Allow POP3 IN TO DMZ SERVER SLOOP
access-list acl_out permit tcp any host 87.198.182.67 eq pop3
access-list acl_out remark Allow CITADEL IN TO DMZ SERVER SLOOP
access-list acl_out permit tcp any host 87.198.182.67 eq 504
access-list acl_out remark Allow FTP IN TO DMZ SERVER SLOOP
access-list acl_out permit tcp any host 87.198.182.67 eq ftp
access-list acl_out remark Allow TFTP IN TO DMZ SERVER SLOOP - Cearbhall 14-Jan
access-list acl_out permit udp any host 87.198.182.67 eq tftp
access-list acl_out remark Allow FTP-DATA IN TO DMZ SERVER SLOOP
access-list acl_out permit tcp any host 87.198.182.67 eq ftp-data
access-list acl_out remark MONDAY
access-list acl_out permit tcp any host 87.198.182.67 range 5060 5064
access-list acl_out remark MONDAY
access-list acl_out permit udp any host 87.198.182.67 range 16348 32766
access-list acl_out permit udp any host 87.198.182.67 range 5060 5064
access-list acl_out permit udp any any range 48129 65534
access-list acl_out permit tcp any any eq 12328
access-list DMZ_access_in permit tcp host 10.10.1.95 any eq telnet
access-list DMZ_access_in permit tcp host 10.10.1.95 eq www any
access-list DMZ_access_in remark Cearbhall. 18-Jan (FUNAMBOL)
access-list DMZ_access_in permit tcp host 10.10.1.95 eq 8080 any
access-list DMZ_access_in remark Cearbhall. 18-Jan (SAMBA)
access-list DMZ_access_in permit tcp host 10.10.1.95 eq 8080 any range 137 netbios-ssn
access-list DMZ_access_in remark Cearbhall. 18-Jan (SAMBA)
access-list DMZ_access_in permit udp host 10.10.1.95 any range netbios-ns 139
access-list DMZ_access_in remark Cearbhall. 18-Jan (SAMBA)
access-list DMZ_access_in permit udp host 10.10.1.95 any eq 445
access-list DMZ_access_in remark Cearbhall. 18-Jan (SAMBA)
access-list DMZ_access_in permit tcp host 10.10.1.95 object-group Sloop any eq 445
access-list DMZ_access_in remark Cearbhall. 24-Jan (LDAP)
access-list DMZ_access_in permit tcp host 10.10.1.95 any eq ldap
access-list DMZ_access_in permit tcp host 10.10.1.95 eq https any
access-list DMZ_access_in remark Cearbhall. 14-Jan
access-list DMZ_access_in permit tcp host 10.10.1.95 any eq imap4
access-list DMZ_access_in remark Cearbhall. 14-Jan Part II
access-list DMZ_access_in permit tcp host 10.10.1.95 eq imap4 any
access-list DMZ_access_in permit tcp host 10.10.1.95 eq domain any
access-list DMZ_access_in permit tcp host 10.10.1.95 10.10.0.0 255.255.255.0 eq telnet
access-list DMZ_access_in permit tcp host 10.10.1.95 10.10.0.0 255.255.255.0 eq ssh log
access-list DMZ_access_in permit tcp host 10.10.1.95 eq ssh any
access-list DMZ_access_in permit icmp host 10.10.1.95 any
access-list DMZ_access_in remark Allow ALL OUT from  DMZ to SERVER SLOOP
access-list DMZ_access_in permit ip host 10.10.1.95 any
access-list DMZ_access_in permit ip host 10.10.1.95 10.10.0.0 255.255.255.0
access-list DMZ_access_in remark COD 22_JAN (Allow ICMP from DMZ - Inside)
access-list DMZ_access_in permit tcp any any eq imap4
access-list DMZ_access_in permit tcp any any eq 465
access-list DMZ_access_in permit tcp any any eq 585
access-list DMZ_access_in permit tcp any any eq 998
access-list DMZ_access_in permit tcp any any eq smtp
access-list DMZ_access_in permit icmp any any
access-list DMZ_access_in permit udp any any eq domain
access-list DMZ_access_in permit udp any any range 10000 32766
access-list DMZ_access_in permit tcp any any range 5059 5064
access-list DMZ_access_in permit udp any any eq tftp
access-list DMZ_access_in permit udp any any range 16384 32766
access-list DMZ_access_in permit udp any any eq 5004
access-list DMZ_access_in permit udp any any eq 4569
access-list DMZ_access_in permit udp any any eq 5036
access-list acl-in remark Cearbhall SSH 26-JAN
access-list acl-in permit tcp any any eq ssh

The only access-lists you should be worried about are the ones applied anywhere.

If you're looking at interface ACLs, check the access-groups:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1025611

Marcin

PIX(config)# show interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.6bf7.2e54
  IP address 87.198.182.66, subnet mask 255.255.255.240
  MTU 1500 bytes, BW 100000 Kbit full duplex
        760661 packets input, 189581999 bytes, 0 no buffer
        Received 119 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        447171 packets output, 44433633 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/18)
        output queue (curr/max blocks): hardware (0/34) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.6bf7.2e55
  IP address 10.10.0.7, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        581199 packets input, 53428322 bytes, 0 no buffer
        Received 1004 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        871046 packets output, 211157320 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/69)
        output queue (curr/max blocks): hardware (1/70) software (0/1)
interface ethernet2 "DMZ" is up, line protocol is down
  Hardware is i82559 ethernet, address is 0002.b3cd.97df
  IP address 10.10.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1323 packets output, 79380 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
<--- More --->

acl_in and acl_out are the 2 access lists that I need to implement.

What interface should they be added to and which commands should I enter to do so?

Thanks, I'm new to all this.

PIX1# show access-group
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group DMZ_access_in in interface DMZ

They seem to be implemented but the port is still closed (port 12328)
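Marcin's point above, that only an ACL bound by an access-group filters anything, is easy to check mechanically. The following is an added example, not code from the thread or from Cisco: it parses access-list and access-group lines in the 6.3 syntax shown here (including the 7.0+ "line N" form), evaluates a flow against only the ACL bound to the ingress interface with first-match and implicit-deny semantics, and lets you spot lists that are never applied. The config string is a constructed excerpt that reuses this thread's names and addresses; PORT_NAMES covers only the service keywords the excerpt uses.

```python
from ipaddress import ip_address, ip_network

# Constructed excerpt in the style of the PIX 6.3 config posted in this thread (not the full config).
CONFIG = """
access-list acl_in permit udp any any eq domain log
access-list acl_in permit tcp 10.10.0.0 255.255.255.0 host 10.10.1.95 eq ssh
access-list acl_in permit tcp any any eq 12328
access-list acl-in permit tcp any any eq ssh
access-group acl_in in interface inside
"""
PORT_NAMES = {"www": 80, "ssh": 22, "domain": 53, "telnet": 23, "smtp": 25}

def port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def parse_addr(toks):
    """Consume one PIX address spec: 'any', 'host A' or 'A MASK'."""
    if toks[0] == "any":
        return ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ip_network(toks[1] + "/32"), toks[2:]
    return ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def parse_ports(toks):
    """Consume an optional 'eq P' or 'range A B'; default is every port."""
    if toks and toks[0] == "eq":
        return (port(toks[1]), port(toks[1])), toks[2:]
    if toks and toks[0] == "range":
        return (port(toks[1]), port(toks[2])), toks[3:]
    return (0, 65535), toks

def parse(config):
    """Return ({acl name: entries}, {interface: bound acl name})."""
    acls, groups = {}, {}
    for raw in config.strip().splitlines():
        t = raw.split()
        if t[0] == "access-group":            # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
        elif t[0] == "access-list" and t[2] in ("permit", "deny", "line"):
            entries = acls.setdefault(t[1], [])
            pos = len(entries)                # append unless 'line N' positions it
            if t[2] == "line":                # 7.0+ syntax: access-list NAME line N permit ...
                pos, t = int(t[3]) - 1, t[:2] + t[4:]
            src, rest = parse_addr(t[4:])
            sport, rest = parse_ports(rest)
            dst, rest = parse_addr(rest)
            dport, _ = parse_ports(rest)      # a trailing 'log' keyword is ignored
            entries.insert(pos, (t[2], t[3], src, sport, dst, dport))
    return acls, groups

def evaluate(acls, groups, iface, proto, src, dst, dport):
    """First match on the ACL bound to iface; anything unmatched hits the implicit deny."""
    if iface not in groups:
        return "no-acl"                       # nothing bound: security levels decide instead
    for action, p, s, _, d, dp in acls.get(groups[iface], []):
        if p in (proto, "ip") and ip_address(src) in s and ip_address(dst) in d and dp[0] <= dport <= dp[1]:
            return action
    return "deny"
```

Unapplied lists are simply `set(acls) - set(groups.values())`; for the constructed excerpt that is the hyphenated acl-in, which exists but never filters anything.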

Nagaraja Thanthry
Cisco Employee

Hello,

What is the direction of the traffic? Are you trying to open the port from inside clients to the internet (server is on the internet) or are you trying to open the port for internet clients (server is in your network)? If you are trying to do the latter, then you need to have a NAT statement mapping the server to a publicly routable IP.

static (inside,dmz) tcp interface 12368 12368 netmask 255.255.255.255

If you would like to use a different IP than the interface IP, then

static (inside,dmz) tcp xxx.yyy.zzz.kkk 12368 12368 netmask 255.255.255.255

Your access-list is already allowing the traffic. So, once you have the NAT statement, it should work fine.

Regards,

NT

I'm trying to open the port so users on my network can use a demo of some trading software which needs to access a remote server across the internet.

Can your users access the Internet normally via this PIX?

Are you sure the port is TCP and not UDP?

Jon

I've added both to see if it would make a difference and it didn't.
