Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
690
Views
0
Helpful
2
Replies

Basic TCP commands

mistercooley
Level 1
Level 1

‎12-20-2006 11:02 AM - edited ‎03-11-2019 02:11 AM

I'm using a PIX 501 and need to turn on some tcp ports. I need to open ports 80, 443, 25, 110 and 3389. I also need to do one to one ip address translation and then be able to verify it. Any help would be greatly appreciated.

Labels:
0 Helpful
2 Replies 2

Patrick Iseli
Level 7
Level 7

‎12-20-2006 01:04 PM

Here is a setup with a dynmaic IP for the outside interface.

Replace the 192.168.1.x by the internal servers or workstations real IP address.

access-list acl_out permit tcp any interface outside eq http

access-list acl_out permit tcp any interface outside eq 443

access-list acl_out permit tcp any interface outside eq 25

access-list acl_out permit tcp any interface outside eq 110

access-list acl_out permit tcp any interface outside eq 3389

access-group acl_out in interface outside

static (inside,outside) tcp interface http 192.168.1.x http netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 3389 192.168.1.x 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 110 192.168.1.x 110 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 443 192.168.1.x 443 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 25 192.168.1.x 25 netmask 255.255.255.255 0 0

clear xlate

Let me know if your are looking for an example with a static public IP (NAT) my example is with Port Adress Translation (PAT).

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1112434

sincerely

Patrick

0 Helpful

jmia
Level 7
Level 7

‎12-20-2006 01:34 PM

I presume you need to allow access to the TCP ports mentioned in your post, if so, here is the configuration.

Access list applied to the outside interface of the PIX for the relevant TCP ports:

access-list outside_in permit tcp any host eq 25

access-list outside_in permit tcp any host eq 80

access-list outside_in permit tcp any host eq 110

access-list outside_in permit tcp any host eq 443

access-list outside_in permit tcp any host eq 3389

access-group outside_in in interface outside

Now we need to translate those TCP services to your internal server by using port static translation.

static (inside,outside) tcp 25 25 netmask 255.255.255.255 0 0

static (inside,outside) tcp 80 80 netmask 255.255.255.255 0 0

static (inside,outside) tcp 110 110 netmask 255.255.255.255 0 0

static (inside,outside) tcp 443 443 netmask

255.255.255.255 0 0

Static (inside,outside) tcp 3389 3389 netmask 255.255.255.255 0 0

If you only have one public IP address available to you then you can use the keyword ?interface? within your static translation i.e.

static (inside,outside) tcp interface 25 25 netmask 255.255.255.255 0 0

Also, make sure that your mail MX record corresponds to the correct public IP address that you have on your outside access-list for mail.

Of course, all of the above is configured in configuration mode and make sure that you save with: write mem and also issue: clear xlate

Please rate posts if it helps,

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card