opening range of ports in Pix

Dear all,

I am setting up an Exchange front-end server in the DMZ and a back-end server in the inside area of the PIX. I need to open a range of ports (say 1024-1600) for RPC using access lists from the DMZ to inside. Please help me.

thanks

savad

2 Replies

erictaylor
Level 1

Try this:

1) Define the access-list:

access-list dmz2in extended permit tcp host frontend-server-ip host backend-server-ip range 1024 1600

2) Apply the access-list:

access-group dmz2in in interface dmz

Note: dmz would be the name of your DMZ interface.

Example (under version 7.0):

interface Ethernet2
 speed 100
 duplex full
 nameif dmz

You might miss some ports; here is an example for that kind of setup. Note this was configured for a WOA with SMTP and POP relay!

Mail Exchange with AD rights from DMZ

---------------------------------------

object-group service WOA-DC-TCP tcp
 port-object eq ldap
 port-object eq 3268
 port-object eq 88
 port-object eq domain
 port-object eq 135
 port-object range 1024 65535
 port-object eq 445

object-group service WOA-DC-UDP udp
 port-object eq 88
 port-object eq domain
 port-object eq netbios-ns
 port-object eq 389

access-list outside permit tcp any host WOARelayPublicIP eq www
access-list outside permit tcp any host WOARelayPublicIP eq smtp
access-list outside permit tcp any host WOARelayPublicIP eq pop3
access-group outside in interface outside

access-list dmz permit tcp host WOA-Relay-DMZ-IP any eq smtp
access-list dmz permit tcp host WOA-Relay-DMZ-IP any eq pop3
access-list dmz permit udp host WOA-Relay-DMZ-IP host DC1-Inside-IP eq ntp
access-list dmz permit udp host WOA-Relay-DMZ-IP host NTP-Server-Pub eq ntp
access-list dmz permit tcp host WOA-Relay-DMZ-IP host DC1-Inside-IP object-group WOA-DC-TCP
access-list dmz permit udp host WOA-Relay-DMZ-IP host DC1-Inside-IP object-group WOA-DC-UDP
access-list dmz permit tcp host WOA-Relay-DMZ-IP host DC2-Inside-IP object-group WOA-DC-TCP
access-list dmz permit udp host WOA-Relay-DMZ-IP host DC2-Inside-IP object-group WOA-DC-UDP
access-list dmz permit tcp host WOA-Relay-DMZ-IP host Exchange-Inside-IP eq www
access-list dmz permit tcp host WOA-Relay-DMZ-IP host Exchange-Inside-IP eq 445
access-list dmz permit tcp host WOA-Relay-DMZ-IP host Exchange-Inside-IP eq 691
access-list dmz permit icmp any any
access-list dmz permit ip host WOA-Relay-DMZ-IP any
access-list dmz deny ip any any log
access-group dmz in interface dmz

static (dmz,outside) WOARelayPublicIP WOA-Relay-DMZ-IP netmask 255.255.255.255 0 0
static (inside,dmz) InsideNetwork InsideNetwork netmask 255.255.255.0 0 0

Sincerely,

Patrick
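As an added example (not part of this thread and not Cisco code), here is a small Python checker that covers both replies above: it parses access-list lines in the form they use, resolves `object-group service` port lists, evaluates a flow the way the PIX does (first match wins, implicit deny at the end), and reports entries that are redundant because a broader permit in the same list already covers them, or that are broad (protocol `ip`, destination `any`, or a wide port range). Run over the constructed sample, it shows two things worth checking before pasting either reply into a firewall: the RPC range for the first reply is written `range 1024 1600` (two numbers, not `1024-1600`), and `access-list dmz permit ip host WOA-Relay-DMZ-IP any` in the second reply makes every port-specific entry for the relay before it redundant, which is the opposite of the least-privilege intent of a DMZ-to-inside list. The addresses 192.0.2.10 and 10.0.0.20 are placeholders I made up; the host names are the labels from the second reply, not real systems.

```python
"""PIX-style access-list checker: first-match lookup plus broad/redundant-entry reporting.
Added example for this thread, not Cisco code; addresses in SAMPLE_CONFIG are constructed."""
from dataclasses import dataclass

# Service keywords the PIX accepts in place of port numbers (the subset used in this thread).
SERVICE_PORTS = {"www": 80, "smtp": 25, "pop3": 110, "ldap": 389, "domain": 53,
                 "ntp": 123, "netbios-ns": 137}

# Constructed sample: the RPC range from the first reply plus a trimmed copy of the second.
SAMPLE_CONFIG = """
! hypothetical addresses and host names
access-list dmz2in extended permit tcp host 192.0.2.10 host 10.0.0.20 range 1024 1600
object-group service WOA-DC-TCP tcp
 port-object eq ldap
 port-object eq 135
 port-object range 1024 65535
 port-object eq 445
access-list dmz permit tcp host WOA-Relay-DMZ-IP host DC1-Inside-IP object-group WOA-DC-TCP
access-list dmz permit tcp host WOA-Relay-DMZ-IP host Exchange-Inside-IP eq 445
access-list dmz permit icmp any any
access-list dmz permit ip host WOA-Relay-DMZ-IP any
access-list dmz deny ip any any log
"""

@dataclass(frozen=True)
class Entry:
    action: str   # permit | deny
    proto: str    # ip | tcp | udp | icmp
    src: str      # "any" or a single host
    dst: str
    ports: tuple  # (low, high) destination ports; (0, 65535) when unrestricted
    text: str     # original config line, kept for reports

port_num = lambda tok: SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)

def parse_port_spec(tokens, groups):
    """'eq X', 'range L H', 'object-group NAME' or nothing -> list of (low, high) ranges."""
    if not tokens:
        return [(0, 65535)]
    if tokens[0] == "eq":
        return [(port_num(tokens[1]), port_num(tokens[1]))]
    if tokens[0] == "range":                       # two numbers, not 'L-H'
        return [(port_num(tokens[1]), port_num(tokens[2]))]
    if tokens[0] == "object-group":
        return list(groups[tokens[1]])
    raise ValueError("unsupported port spec: " + " ".join(tokens))

def parse_addr(tok, i):
    """'any' or 'host X' at position i -> (address, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("unsupported address spec: " + " ".join(tok[i:]))

def parse_config(text):
    """Return (service groups, {acl name: [Entry, ...]}), one Entry per expanded port range."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "object-group" and tok[1] == "service":
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "port-object":
            current.extend(parse_port_spec(tok[1:], groups))
        elif tok[0] == "access-list":              # access-group/static lines are skipped
            name = tok[1]
            i = 3 if tok[2] == "extended" else 2   # 'extended' is the 7.x keyword
            action, proto, i = tok[i], tok[i + 1], i + 2
            src, i = parse_addr(tok, i)
            dst, i = parse_addr(tok, i)
            tail = [t for t in tok[i:] if t != "log"]
            for rng in parse_port_spec(tail, groups):
                acls.setdefault(name, []).append(Entry(action, proto, src, dst, rng, line))
    return groups, acls

def lookup(acl, proto, src, dst, dport):
    """First matching entry wins, as on the PIX; ('deny', None) is the implicit deny."""
    for idx, e in enumerate(acl):
        if (e.proto in ("ip", proto) and e.src in ("any", src) and e.dst in ("any", dst)
                and e.ports[0] <= dport <= e.ports[1]):
            return e.action, idx
    return "deny", None

def covers(a, b):
    """True when every flow matched by entry b is also matched by entry a."""
    return (a.proto in ("ip", b.proto) and a.src in ("any", b.src) and a.dst in ("any", b.dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def redundant_entries(acl):
    """Indices of entries fully covered by another entry with the same action."""
    return {j for j, b in enumerate(acl)
            for i, a in enumerate(acl) if i != j and a.action == b.action and covers(a, b)}

def broad_permits(acl, min_width=1000):
    """Indices of permits that are protocol ip, destination any, or a wide port range."""
    return [i for i, e in enumerate(acl) if e.action == "permit" and
            (e.proto == "ip" or e.dst == "any" or e.ports[1] - e.ports[0] + 1 >= min_width)]
```

Call `parse_config(SAMPLE_CONFIG)` and then `lookup`, `redundant_entries` and `broad_permits` on `acls["dmz2in"]` or `acls["dmz"]`; `acl[idx].text` gives the offending line back for a report. The parser deliberately handles only the address forms that appear in the thread (`host X` and `any`) and the `eq`, `range` and `object-group` port operators, so subnet/mask sources, `neq`/`gt`/`lt` and nested object groups raise rather than being silently misread.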
