Permit Inbound Access on ports 8889 and 12124

jessyl
Level 1

Hello,

We want to allow inbound access on ports 8889 and 12124. We have a Cisco PIX 515E.

We succeed in allow inbound access on port 22 by creating a static route, an access group and a access-list.

We create the same things for the ports 8889 and 12124 but it doesn't run.

Could you help us ?

Thanks in advance.

Accepted Solution

Jon Marshall
Hall of Fame

Hi Jessy

Are the ports on the same server as the SSH access?

When you say a static route, what exactly do you mean? If you were going from outside to in you would need to create static NAT entries for the servers on the inside of the PIX as well as allowing it through on an access-list.

Could you send a copy of the config with any sensitive bits removed?

Jon


9 Replies


Hi Jon,

The ports are on the same server as the SSH access.

I am sending you a copy of our config.

Thanks.

Hi Jessy

Can't see a lot wrong with this. Whenever I have done port forwarding I have usually had the access-list reference the actual host address rather than the "interface outside" statement you have used, but that's about it.

i.e.

access-list outside_access_in permit tcp any host x.x.x.x eq 8889 (etc.), where x.x.x.x is your PIX outside interface address.

Have you done a debug on the inside interface to see if packets are being sent to and received back from 192.168.10.18, i.e.

debug packet inside dst 192.168.10.18

debug packet inside src 192.168.10.18

HTH
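The configuration Jon describes in the accepted answer (static NAT entries for the inside server plus an access-list) and the host-based ACL and debug commands from the reply above, written out as one PIX 6.3 configuration. This is an added example and not the config posted in the thread: the interface names inside/outside, the ACL name outside_access_in, the use of the outside interface's own address for the port redirection (matching the "interface outside" statement the thread mentions) and the partner source network 203.0.113.0/24 are all assumptions for illustration; the inside host 192.168.10.18 and ports 22, 8889 and 12124 are the ones named in the thread.

```cisco
! Added example, not from the thread. PIX 6.3 port redirection (static PAT):
! publish TCP 22, 8889 and 12124 on the outside interface address and forward
! each to the same inside server, 192.168.10.18.
!
! 1. Static NAT entries. The "interface" keyword means the outside
!    interface's own address, so the ACL below must match against
!    "interface outside" too (the PIX rewrites a literal address to this form,
!    as the thread observed). The full host netmask is required.
static (inside,outside) tcp interface 22    192.168.10.18 22    netmask 255.255.255.255
static (inside,outside) tcp interface 8889  192.168.10.18 8889  netmask 255.255.255.255
static (inside,outside) tcp interface 12124 192.168.10.18 12124 netmask 255.255.255.255
!
! 2. Inbound access-list. The port 22 line mirrors what the thread already has
!    working; for the two application ports the source is narrowed to the
!    partner's network (203.0.113.0/24 is a placeholder, assumed for this
!    example) rather than "any", so only the external company can reach them.
access-list outside_access_in permit tcp any interface outside eq 22
access-list outside_access_in permit tcp 203.0.113.0 255.255.255.0 interface outside eq 8889
access-list outside_access_in permit tcp 203.0.113.0 255.255.255.0 interface outside eq 12124
!
! 3. Apply the access-list inbound on the outside interface.
access-group outside_access_in in interface outside
!
! 4. Checks to run while the partner attempts a connection.
!    The xlate table should list the three static entries for 192.168.10.18.
show xlate
!    A TCP connection to 192.168.10.18 on port 8889 or 12124 should appear;
!    if it does, NAT and the ACL have both passed the SYN.
show conn
!    hitcnt on the 8889 and 12124 lines should increase with each attempt.
show access-list outside_access_in
!    Packet-level view on the inside interface, limited to one port so the
!    output stays readable (Jon's debug commands, narrowed with proto/dport).
debug packet inside dst 192.168.10.18 proto tcp dport 12124
debug packet inside src 192.168.10.18 proto tcp sport 12124
```

How to read the debug: if the inside-interface debug shows the SYN leaving towards 192.168.10.18 and the server answering with an ACK/RST, the PIX has already done its job (translation and ACL both passed), and the reset is the server saying nothing is listening on that port. That is the situation the later replies in this thread describe, and it is diagnosed on the server, not on the firewall. Return traffic for a connection the outside host opened is handled by the PIX's connection table without any outbound rule; an outbound permit for 192.168.10.18 is only needed if the application on that server itself opens new connections back to the partner.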

Hi Jon,

When we reference our outside interface address rather than "interface outside", the PIX automatically changes the statement to "interface outside".

We have done a debug packet for ports 12124 and 22.

We must permit inbound access on these ports for an external company, which tells us that the request used on these ports is an HTTP request. Does this change anything?

I hope you understand me well, because I'm French and it isn't easy for me to explain my problem exactly ;).

Thanks.

Jessy

Hi Jessy

Had a quick look at the debugs. In the 12124 debug, 192.168.10.18 is sending back an ACK/RST to the external host.

Can you connect to this port internally? How do you do that: is it with a specific piece of software, or do you use a web browser with a URL and port number, e.g.

http://servername:12124

Jon

Hi Jon,

It must be specific software. We didn't get a precise answer from the company.

But I think that we must permit outbound traffic on ports 12124 and 8889 for the host 192.168.10.18. Isn't that right?

Thanks.

Jessy

Jessy

In the vast majority of cases you shouldn't have to open up the ports both ways, as the PIX is a stateful firewall, so if you allow access in then the return traffic should be allowed.

I think it's important to check whether you can access the server on those ports internally, to make sure that it is not an application problem.

Jon

Hi Jon,

I just want to tell you that it's OK now.

We couldn't access the server on those ports internally. The external company had to open those ports. We had several contacts there who didn't agree.

We had to permit return traffic on those ports too.

Thanks for your help.

Jessy

Hi Jessy

Glad you got it sorted in the end

Jon
