PIX 6.3 Dynamic UDP port application support

We have a PIX525 running 6.3(4). We are trying to get applications that run on dynamic UDP ports to work without success. We have added all statements to our outside ACL but they don't seem to have any effect.

1 REPLY

Re: PIX 6.3 Dynamic UDP port application support

Hi there,

I've just had a squiz at the config.

The outside access-list COD_4 is allowing udp traffic on ports 1500, 3005, 3101, 28960 and 50101 to the interface on the outside of the pix.

You're natting all traffic from the inside to the outside networks so that the source of a packet that is leaving the pix is the outside ip address of the pix (63.198.92.162).  This is normal.

Can you tell me a few things first:

1.  Is the device that you're trying to access located on the outside of the pix?

2.  Is the device you're initiating access from on the inside of the pix?

If yes to the above 2 questions, the COD_4 access list should be amended to have the source port as the udp ports, i.e. something like:

access-list COD_4 permit udp host UDP_HOST eq 1500 interface outside
access-list COD_4 permit udp host UDP_HOST eq 3005 interface outside
access-list COD_4 permit udp host UDP_HOST eq 3101 interface outside
access-list COD_4 permit udp host UDP_HOST eq 28960 interface outside
access-list COD_4 permit udp host UDP_HOST eq 50101 interface outside

This is because the traffic being initiated from the inside will have the destination port as the udp ports above which means traffic returning from the destination host, through the pix to the source host will have the source ports of the udp port numbers above.

Having said that, if the traffic is being initiated from a host on the outside of the pix, and the traffic is trying to traverse the pix from outside to inside, then your access-list is correct (although it might be a good idea to put an explicit deny ip any any log on the end, just to see drops).  What you're missing in that regard would be static port forwards which tell the pix where to send the traffic on the inside interface once it has entered the outside interface.

For example, let's assume that an outside host wants to get to udp port 1500 on a server hidden behind the pix (in this example 172.16.0.10).  The outside host would need to connect to the pix's outside address with destination port 1500.  The pix needs to be told where to then send the request on the inside network.

static (inside,outside) udp interface 1500 172.16.0.10 1500 netmask 255.255.255.255 0 0

That command tells the pix, for any udp queries hitting the outside interface on port 1500, to translate the destination address to the device 172.16.0.10 and send it on its way to the inside interface.

Hope that helps, if it does can you please rate the post?

Brad
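The outside-to-inside case described in the reply above, pulled together as one added PIX 6.3 configuration example (not the original poster's config or Brad's own): the static port forward, an ACL that permits only the forwarded port, the explicit logged deny the reply suggests, and the access-group line that binds the ACL to the outside interface, which a list that "has no effect" is often missing. The ACL name COD_4, the inside server 172.16.0.10 and the `interface outside` destination keyword are taken from the thread; the `show` commands at the end are standard PIX verification commands and are assumed to be what you would run afterwards.

```cisco
! Added example (not the thread's own config), PIX 6.3 syntax.
! Assumed: ACL COD_4, inside server 172.16.0.10 listening on UDP/1500.

! Port forward: UDP/1500 arriving at the outside interface address is
! translated to 172.16.0.10 UDP/1500 and delivered out the inside interface.
static (inside,outside) udp interface 1500 172.16.0.10 1500 netmask 255.255.255.255 0 0

! Permit only the forwarded port, and only to the outside interface address.
access-list COD_4 permit udp any interface outside eq 1500

! Explicit final deny with logging so that dropped packets appear in syslog.
access-list COD_4 deny ip any any log

! Bind the ACL inbound on the outside interface; without this line the
! access-list entries are never evaluated.
access-group COD_4 in interface outside

! Verification: the static should appear in the translation table, and the
! permit/deny hit counters show whether traffic is matching the ACL.
show xlate
show access-list COD_4
show conn
```

If the hit counter on the `permit` line stays at zero while the `deny ... log` counter climbs, the packets are reaching the outside interface but on a different port or destination address than the static and ACL expect; that is the first thing to compare against the application's actual port usage.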
