Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
4791
Views
0
Helpful
0
Comments

How to permit PCAnywhere connections through a PIX/ASA Firewall

TCC_2
Level 10
Level 10

‎06-18-2009 03:52 PM - edited ‎03-08-2019 06:04 PM

Core issue

In some situations, it may be necessary to permit access to a device through a PIX/ASA Firewall using PCAnywhere. By default, such connections are denied, so you must configure the PIX/ASA to allow PCAnywhere traffic to be permitted from the outside interface to the inside interface.

Resolution

In most PIX/ASA scenarios, the inside interface and network uses private addressing, while the outside interface and network uses public addressing. Therefore, a static mapping must be created to establish the relationship between the outside and inside addresses. Moreover, an Access Control List (ACL) must define the traffic that is permitted through the PIX/ASA.

PCAnywhere uses ports 5631 (Data port or Transmission Control Protocol [TCP]) and 5632 (Status port or User Datagram Protocol [UDP]) to communicate. Therefore, these ports must be explicitly permitted on the PIX.

Consider the example of a device on the inside interface of the firewall with an IP address of 10.1.1.10, which is mapped to an external (global) IP address of 151.1.1.8. In this case, traffic destined for 151.1.1.8 arrives at the firewall, is translated to 10.1.1.10, and is passed to the inside interface.

Based on the above factors, the configuration necessary for this scenario follows:

static(inside,outside) 151.1.1.8 10.1.1.10 netmask 255.255.255.255
! --- The static mapping between 151.1.1.8 (outside address) and 10.1.1.10 (inside address).
access-list 101 permit tcp any host 151.1.1.8 eq 5631
! --- Permits TCP traffic to 151.1.1.8, port 5631.
access-list 101 permit udp any host 151.1.1.8 eq 5632
! --- Permits UDP traffic to 151.1.1.8, port 5632.
access-group 101 in interface outside
! --- Apply ACL 101 to the outside interface.

To configure the same in PDM refer to Cisco PIX Device Manager 3.0.

Problem Type

Connectivity through the device

How to (General Information)

Product Family

ASA Hardware & Software

Firewall - PIX 500 series

PIX Software Version

PIX version 7.x

PIX version 4.x

PIX version 5.x

PIX version 6.x

PIX Device Manager Software Version

3.0

ASA Software Version

7.0

7.1

7.2

PIX Model

PIX 500 Series Firewall

ASA Models

ASA 5500

ASA 5510

ASA 5520

ASA 5540

Features & Tasks

Remote PC access

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents