Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Client wants to open all ports on all global IPs, for his home IP address.

I have a client who wants to allow access to his office network for all the devices on the LAN at his house, which connects to the Internet via DSL. He doesn't want to purchase any new hardware that can create a VPN tunnel to the PIX. Instead he suggested this:

" Since I have a static IP address here, couldn't we just open all ports on

all the global IPs at the PIX to any packets with my static address? I assume the only security hole this would create is someone figuring out my static IP address and spoofing it ? Correct ? Are there any other security risk this creates? Other than unencrypted traffic? "

Does anyone have suggestions on how to respond to this ?

New Member

Re: Client wants to open all ports on all global IPs, for his ho

there are 2 major problems with that , 1- if his IP address is assigned via dhcp for his home internet access then the address will change from time to time and 2 what security is he running at home. if his machine is compromised at home they have full rights to the network

New Member

Re: Client wants to open all ports on all global IPs, for his ho

I'm definitely testing my networking knowledge here, so correct me if I'm wrong:

If your client has a static IP on his home LAN, he probably IS using DHCP so all the devices on his network can access the internet, unless he has actually purchased multiple statics. However, I believe this is a mute point because either way, when he leaves his local LAN, he will assume the static IP.

As far as what security he is running at home, does it really matter in this case? Since we are talking about opening up his office network, not his home network. But totally off topic, he needs to be running some kind of firewall at home.

To answer the original question, *I think* your client is pretty much correct in that spoofing his IP would practically be the only hole into his office network, however this is a pretty big hole and I would feel rather unsecure in doing it. I would AT LEAST just open up the ports he needs to his static IP address(es) on his LAN.

One more thing: If he has a PIX at the office, why can't VPN tunneling be used without investing any more money? I am currently using the *free* Cisco VPN client v3.5.1 with my PIX for tunneling in from home. Just a thought ;-)

Anyone else know of any issues with doing this?


CreatePlease to create content