Cisco Support Community

New Member

Basic TCP commands

I'm using a PIX 501 and need to turn on some TCP ports. I need to open ports 80, 443, 25, 110 and 3389. I also need to do one-to-one IP address translation and then be able to verify it. Any help would be greatly appreciated.

2 REPLIES

Re: Basic TCP commands

Here is a setup with a dynamic IP for the outside interface.

Replace the 192.168.1.x by the internal servers or workstations real IP address.

access-list acl_out permit tcp any interface outside eq http
access-list acl_out permit tcp any interface outside eq 443
access-list acl_out permit tcp any interface outside eq 25
access-list acl_out permit tcp any interface outside eq 110
access-list acl_out permit tcp any interface outside eq 3389
access-group acl_out in interface outside

static (inside,outside) tcp interface http 192.168.1.x http netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.1.x 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 110 192.168.1.x 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.1.x 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 25 192.168.1.x 25 netmask 255.255.255.255 0 0

clear xlate

Let me know if you are looking for an example with a static public IP (NAT); my example is with Port Address Translation (PAT).

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1112434

sincerely

Patrick

Gold

Re: Basic TCP commands

I presume you need to allow access to the TCP ports mentioned in your post, if so, here is the configuration.

Access list applied to the outside interface of the PIX for the relevant TCP ports:

access-list outside_in permit tcp any host <public-ip> eq 25
access-list outside_in permit tcp any host <public-ip> eq 80
access-list outside_in permit tcp any host <public-ip> eq 110
access-list outside_in permit tcp any host <public-ip> eq 443
access-list outside_in permit tcp any host <public-ip> eq 3389
access-group outside_in in interface outside

Now we need to translate those TCP services to your internal server by using port static translation.

static (inside,outside) tcp <public-ip> 25 <internal-ip> 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp <public-ip> 80 <internal-ip> 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp <public-ip> 110 <internal-ip> 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp <public-ip> 443 <internal-ip> 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp <public-ip> 3389 <internal-ip> 3389 netmask 255.255.255.255 0 0

If you only have one public IP address available to you then you can use the keyword "interface" within your static translation, i.e.

static (inside,outside) tcp interface 25 <internal-ip> 25 netmask 255.255.255.255 0 0

Also, make sure that your mail MX record corresponds to the correct public IP address that you have on your outside access-list for mail.

Of course, all of the above is configured in configuration mode; make sure that you save with "write mem" and also issue "clear xlate".

Please rate posts if it helps,
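Both replies pair an inbound access-list entry with a static port translation for every opened port, and the original question asks how to verify the result. The following is an added example (not from either reply or from Cisco) that parses PIX-style access-list and static lines and reports ports that are permitted inbound but have no translation, and translations that no access-list entry permits. The sample config is constructed; 203.0.113.10 and 192.168.1.10 are documentation addresses standing in for the real public and internal hosts.

```python
import re

# Service names PIX accepts in place of port numbers (the ones used in the replies).
SERVICE_PORTS = {"http": 80, "www": 80, "https": 443, "smtp": 25, "pop3": 110}

# Constructed sample in the style of the replies; 3389 is permitted but never
# translated, and 21 is translated but never permitted, so both get flagged.
SAMPLE_CONFIG = """
access-list outside_in permit tcp any host 203.0.113.10 eq 25
access-list outside_in permit tcp any host 203.0.113.10 eq http
access-list outside_in permit tcp any host 203.0.113.10 eq 110
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in permit tcp any host 203.0.113.10 eq 3389
access-group outside_in in interface outside
static (inside,outside) tcp 203.0.113.10 25 192.168.1.10 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface http 192.168.1.10 http netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 110 192.168.1.10 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 443 192.168.1.10 443 netmask 255.255.255.255 0 0
Static (inside,outside) tcp 203.0.113.10 21 192.168.1.10 21 netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+tcp\s+(?P<src>any|host \S+)\s+"
    r"(?P<dst>any|host \S+|interface \S+)\s+eq\s+(?P<port>\S+)\s*$", re.IGNORECASE)
STATIC_RE = re.compile(
    r"^static\s+\(inside,outside\)\s+tcp\s+(?P<gip>\S+)\s+(?P<gport>\S+)\s+"
    r"(?P<lip>\S+)\s+(?P<lport>\S+)\s+netmask\s+255\.255\.255\.255", re.IGNORECASE)


def to_port(token):
    """Resolve a PIX port token (number or service name) to an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token.lower()]


def audit(config):
    """Return (permitted_without_static, static_without_permit), each a sorted port list.
    A permitted port with no static reaches nothing; a static with no permit is a dead
    mapping that silently becomes live if the access-list is later loosened."""
    permitted, translated = set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            permitted.add(to_port(m.group("port")))
        elif m := STATIC_RE.match(line):
            translated.add(to_port(m.group("gport")))
    return sorted(permitted - translated), sorted(translated - permitted)
```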
