Cisco Support Community

opening range of ports in Pix

Dear all,

I am setting up an Exchange front-end server in the DMZ and a back-end server in the inside area of the PIX. I need to open a range of ports (say 1024-1600) for RPC using access lists from the DMZ to inside. Please help me.

thanks

savad


Re: opening range of ports in Pix

Try this:

1) define access-list:

access-list dmz2in extended permit tcp host frontend-server-ip host backend-server-ip range 1024 1600

2) apply access-list

access-group dmz2in in interface dmz

Note: dmz would be the name of your DMZ interface.

Example (under version 7.0):

interface Ethernet2
 speed 100
 duplex full
 nameif dmz

Re: opening range of ports in Pix

You might miss some ports; here is an example for that kind of setup. Note this was configured for a WOA with SMTP and POP relay!

Mail Exchange with AD rights from DMZ

---------------------------------------

! Ports the relay needs on the domain controllers (LDAP, GC, Kerberos, DNS, RPC endpoint mapper, RPC high ports, SMB)
object-group service WOA-DC-TCP tcp
 port-object eq ldap
 port-object eq 3268
 port-object eq 88
 port-object eq domain
 port-object eq 135
 port-object range 1024 65535
 port-object eq 445
object-group service WOA-DC-UDP udp
 port-object eq 88
 port-object eq domain
 port-object eq netbios-ns
 port-object eq 389
!
! Outside: only the relay's published services are reachable from the Internet
access-list outside permit tcp any host WOARelayPublicIP eq www
access-list outside permit tcp any host WOARelayPublicIP eq smtp
access-list outside permit tcp any host WOARelayPublicIP eq pop3
access-group outside in interface outside
!
! DMZ: relay to the Internet (mail), to NTP, to the DCs and to the inside Exchange server
access-list dmz permit tcp host WOA-Relay-DMZ-IP any eq smtp
access-list dmz permit tcp host WOA-Relay-DMZ-IP any eq pop3
access-list dmz permit udp host WOA-Relay-DMZ-IP host DC1-Inside-IP eq ntp
access-list dmz permit udp host WOA-Relay-DMZ-IP host NTP-Server-Pub eq ntp
access-list dmz permit tcp host WOA-Relay-DMZ-IP host DC1-Inside-IP object-group WOA-DC-TCP
access-list dmz permit udp host WOA-Relay-DMZ-IP host DC1-Inside-IP object-group WOA-DC-UDP
access-list dmz permit tcp host WOA-Relay-DMZ-IP host DC2-Inside-IP object-group WOA-DC-TCP
access-list dmz permit udp host WOA-Relay-DMZ-IP host DC2-Inside-IP object-group WOA-DC-UDP
access-list dmz permit tcp host WOA-Relay-DMZ-IP host Exchange-Inside-IP eq www
access-list dmz permit tcp host WOA-Relay-DMZ-IP host Exchange-Inside-IP eq 445
access-list dmz permit tcp host WOA-Relay-DMZ-IP host Exchange-Inside-IP eq 691
access-list dmz permit icmp any any
! Catch-all: anything else from the relay is permitted here, so the logged deny below
! only ever matches traffic from other DMZ hosts
access-list dmz permit ip host WOA-Relay-DMZ-IP any
access-list dmz deny ip any any log
access-group dmz in interface dmz
!
! Publish the relay on the outside; identity-translate the inside network towards the DMZ
static (dmz,outside) WOARelayPublicIP WOA-Relay-DMZ-IP netmask 255.255.255.255 0 0
static (inside,dmz) InsideNetwork InsideNetwork netmask 255.255.255.0 0 0

sincerely

Patrick
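As an added example that is not from the thread, here is a small Python audit helper that parses a constructed subset of the configuration above (same placeholder hostnames as the reply) and reports which entry the PIX would apply to a given flow, evaluating top-down. It shows that an RPC high port such as 1500 from the relay to DC1 is permitted by the object-group range, and that the `permit ip host WOA-Relay-DMZ-IP any` entry catches everything else from the relay, so the logged deny at the end never sees that host.

```python
# Constructed sample (not the poster's full config), same placeholder hostnames as the reply.
CONFIG = """\
object-group service WOA-DC-TCP tcp
 port-object eq ldap
 port-object eq 135
 port-object range 1024 65535
 port-object eq 445
access-list dmz permit tcp host WOA-Relay-DMZ-IP host DC1-Inside-IP object-group WOA-DC-TCP
access-list dmz permit tcp host WOA-Relay-DMZ-IP host Exchange-Inside-IP eq 691
access-list dmz permit ip host WOA-Relay-DMZ-IP any
access-list dmz deny ip any any log
"""
# Service keywords used in the thread, resolved to port numbers (partial PIX name table).
NAMES = {"ldap": 389, "www": 80, "smtp": 25, "pop3": 110, "domain": 53, "ntp": 123}

def port(tok):
    """Numeric port or PIX service keyword -> int."""
    return int(tok) if tok.isdigit() else NAMES[tok]

def parse(config):
    """Return (object-groups as port-range lists, ACLs as ordered entry lists)."""
    groups, acls, cur = {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if t[0] == "object-group":              # object-group service NAME tcp|udp
            cur = groups.setdefault(t[2], [])
        elif t[0] == "port-object":             # port-object eq P | range LO HI
            cur.append((port(t[2]), port(t[3] if t[1] == "range" else t[2])))
        elif t[0] == "access-list":             # access-list NAME ACTION PROTO SRC DST [PORTS]
            i, addrs = 4, []
            for _ in range(2):                  # "host X" takes two tokens, "any" takes one
                addrs.append(t[i + 1] if t[i] == "host" else "any")
                i += 2 if t[i] == "host" else 1
            # Optional port clause: eq P | range LO HI | object-group G; none means every port
            tail = t[i:] if i < len(t) and t[i] in ("eq", "range", "object-group") else []
            ports = ([(0, 65535)] if not tail else groups[tail[1]] if tail[0] == "object-group"
                     else [(port(tail[1]), port(tail[2] if tail[0] == "range" else tail[1]))])
            acls.setdefault(t[1], []).append(dict(
                line=line, action=t[2], proto=t[3], src=addrs[0], dst=addrs[1], ports=ports))
    return groups, acls

def first_match(acls, name, proto, src, dst, dport):
    """First entry the PIX applies to the flow (top-down); None means the implicit deny."""
    for e in acls[name]:
        if (e["proto"] in ("ip", proto) and e["src"] in ("any", src) and e["dst"] in ("any", dst)
                and any(lo <= dport <= hi for lo, hi in e["ports"])):
            return e
    return None

def broad_permits(acls, name):
    """Permit entries for protocol ip to any destination: later lines for that source never match."""
    return [e["line"] for e in acls[name]
            if e["action"] == "permit" and e["proto"] == "ip" and e["dst"] == "any"]
```

Run `first_match(acls, "dmz", "tcp", "WOA-Relay-DMZ-IP", "DC1-Inside-IP", 22)` after `parse(CONFIG)` to see the catch-all entry, not the object-group line, being what actually admits an unexpected port.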
