I have two new 515 boxes that I upgraded from an old 520. I have kept some of the config, including this established command below.
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
This was put in the pix config before I joined the company and no-one seems to know its purpose! I am worried about taking it out incase i break something! Digging around the cisco site I have found that it may be something to do with our exchange server. Anyway, I am running version 6 Pix and cannot get the PDM working because it doesnt like this command! Anyone help?
This probably was used for the communication from the Exchange Server. There is a certain amount of risk when you allow any host that is connected on port 135 to make a new connection on some unknown high port. Check out this link from Microsoft that explains the communication for Exchange. It will help you to nail down and isolate the ports required for this communication, depending on your implementation of Exchange Server.
that is a very interesting article but I think the point of my problem was missed! The Pix is configured for use with the Exchange Server, and has the established command statement to allow back connections. However, my problem is with the PDM. When I try to load the PDM (v1.0.2), I get errors that point to the PDM not supporting this established command. The message I get when starting up PDM is below:
PDM does not support the established command in your configuration. Use the CLI to fix the unsupported command and then refresh PDM with the modified PIX Configuration.
Has anyone else seen this error message when running PDM?
I wouldn't have thought the PDM software, would understand "established" command since it is pretty advanced feature, just like the PDM doesn't currently understand / support VPN configuration information.
if the established command only used to support your
exchange server, you can reconfigure the exchange server to use static ports (ms kb id Q270836 and Q148732), after this change your access-lists to permit these connections. at this point you can remove the established command.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...