Can't get UDP port opened!

Alf Martinsen
Level 1

Hi

I have a cable modem. When I connect my PC directly, I can of course get a specific UDP port opened. But when I connect my 501, all my ports are shielded, and that of course is good. How do I open UDP XXXXX from outside into my network and to a specific host?

I can't get the access rule to work.


a.kiprawih
Level 7

Hi,

By default, the PIX denies any inbound access unless it is permitted via an ACL.

The rule for allowing the outside to reach an inside host/server is to use an ACL that permits the allowed services for inbound connections, a static address mapping of the internal server to an external/public IP (assigned by the ISP), and proper routing to the external/internet side.

In your case, you need to map your internal server, e.g. 10.1.1.10, to a public IP, x.x.x.10, using the static command, as follows:

static (inside,outside) x.x.x.10 10.1.1.10 netmask 255.255.255.255 a b

a - maximum connections allowed (optional, default 0)

b - embryonic (half-open) connection limit (optional, default 0)

#Then, open the access-list to allow only specific TCP/UDP services, e.g. DNS (UDP 53), and deny the others.

access-list outside permit udp any host x.x.x.10 eq 53

access-list outside deny ip any any

#Bind the ACL to the outside interface:

access-group outside in interface outside

#Define/verify routing:

route outside 0.0.0.0 0.0.0.0 x.x.x.1

*x.x.x.1 is the IP of the internet gateway

Static Map and Config guide:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

*Look under "Using ACLs on PIX Versions 5.0.1 and Later"

PIX Config guide:

a. http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html

b. http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

Rgds,

AK
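The static + access-list + access-group sequence in the reply can be sanity-checked offline before touching the PIX. The following is an added example, not code from the thread or from Cisco: it models first-match ACL evaluation on the outside interface followed by static translation, so you can see which inbound UDP/TCP packets reach the inside host. The config lines are constructed to mirror the reply, with the documentation addresses 192.0.2.10 and 198.51.100.5 standing in for x.x.x.10 and an outside client (an assumption).

```python
import ipaddress
import re

# Constructed config in the shape of the reply; 192.0.2.10 stands in for x.x.x.10 (an assumption).
PIX_CONFIG = """
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
access-list outside permit udp any host 192.0.2.10 eq 53
access-list outside deny ip any any
access-group outside in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (host \S+|any) (host \S+|any)(?: eq (\d+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def parse_config(text):
    """Split the config into static mappings, named ACLs and interface-to-ACL bindings."""
    statics, acls, bindings = [], {}, {}
    for line in text.strip().splitlines():
        if m := STATIC_RE.match(line):
            _, _, global_ip, local_ip, mask = m.groups()
            statics.append((ipaddress.ip_network(f"{global_ip}/{mask}"), local_ip))
        elif m := ACE_RE.match(line):
            name, action, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append((action, proto, src, dst, port and int(port)))
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)
    return statics, acls, bindings

def _addr_match(spec, ip):
    # spec is either "any" or "host a.b.c.d"
    return spec == "any" or ipaddress.ip_address(spec.split()[1]) == ip

def evaluate_inbound(config_text, proto, src_ip, dst_ip, dst_port, iface="outside"):
    """First-match ACL check on the inbound interface, then static lookup. ACEs are written
    against the public address (as in the reply), so the ACL is checked before translation.
    Returns ("permit", inside_ip) or ("deny", None); no match or no bound ACL means deny."""
    statics, acls, bindings = parse_config(config_text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, aproto, asrc, adst, port in acls.get(bindings.get(iface), []):
        if aproto not in ("ip", proto) or not _addr_match(asrc, src) or not _addr_match(adst, dst):
            continue
        if port is not None and port != dst_port:
            continue
        if action == "deny":
            return "deny", None
        inside = next((local for net, local in statics if dst in net), None)
        return ("permit", inside) if inside else ("deny", None)  # permitted but no static: unreachable
    return "deny", None
```

Swap the port in the permit line for the UDP port you actually need and re-run the check; anything not explicitly permitted should come back as deny.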