10-31-2002 08:56 AM - edited 03-09-2019 12:54 AM
Hell-o,
My question is regarding the PIX515e. We have a Windows ISA firewall server we want to retire. I need to move the ports that have been opened from this ISA box to the PIX. On the ISA it simply says 'send/receive tcp port 5510', for example. Is there a way on the PIX to apply this port very simply, without having to create a static entry? A way to just simply say open a specific port number?
Any suggestions, thoughts or advice greatly welcome,
TIA,
Gary
10-31-2002 12:11 PM
Who is starting the connection, the high security interface to low or low security interface to high? If it's high to low, don't do anything, it will allow it by default. If it is low to high you need 1) a static and 2) an access-list. The acl doesn't have to reference IPs, but it should (security reasons - the whole point of the PIX). For example:
1) static (inside,outside) x.x.x.x 10.10.10.10 netmask 255.255.255.255 (or use a range of IPs)
or
static (inside,outside) 10.10.10.10 10.10.10.10 (if nat disabled)
and
2) access-list 102 permit tcp any any eq 5510
or
access-list 102 permit tcp any host x.x.x.x eq 5510 (better)
or
access-list 102 permit tcp host y.y.y.y host x.x.x.x eq 5510 (best)
access-group 102 in interface outside
Hope it helps.
Steve
10-31-2002 09:16 AM
Gary,
I'm new at the Pix myself, but I believe you can do this through the access-list, nat and static commands. Assuming you're going from the inside to outside interface (and vice-versa), if you're not wanting to convert the IP addresses, use the
nat (inside) 0 0 0
command to tell the Pix not to NAT traffic coming from the inside interface. To allow lower security level interfaces to talk to higher-level security interfaces, use the static command, ie
static (inside,outside) <ip> <ip> netmask <mask>
where ip = your ip address (or addresses) and mask = the appropriate netmask (255.255.255.255 for a single host).
Next use the access-list command to open up the port for the particular IP (or network) for the outside interface. For instance,
For a host:
access-list outside_ACL permit tcp any host <ip> eq <port>
For a network:
access-list outside_ACL permit tcp any <network> <mask> eq <port>
Then bind the access-list to an interface:
access-group outside_ACL in interface outside
Hope this helps (and is correct -- we've had our 515E for a little over a week and a half -- just finished my config).
Have a good day,
Tim
10-31-2002 11:19 AM
Hell-o Tim,
Thanks for the feedback. It is difficult for me to explain exactly what I am asking.
I do understand the static and acl commands. What I am trying to ask is how can I simply say, pass a specific port number without referencing a specific ip address or, if possible, no ip address at all. Just pass port xxxx.
With the Microsoft ISA firewall server, if a user tells me they need tcp/udp to pass thru its firewall via port xxxx, I just tell it to pass port xxxx with udp/tcp without any mention of an ip address.
TIA,
Gary
10-31-2002 09:18 AM
Gary,
I forgot -- the access-list I gave you was for incoming connections. For outbound:
For network:
access-list outside_ACL permit tcp <network> <mask> any eq <port>
For host:
access-list outside_ACL permit tcp host <ip> any eq <port>
Put all the access-list statements together, then bind them to the interface using access-group.
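As an added example (not code from Steve's or Tim's posts, and not a Cisco tool): the small Python script below turns ISA-style "open tcp port N to this server" requests into the PIX 6.x static, access-list and access-group lines both answers describe. It always names the translated server address in the ACL (Steve's "better" form) and, when the caller knows who will connect, the source as well (his "best" form); a rule left open to any source is still emitted but reported, since the PIX's value is in naming who may connect. The addresses and rule names are constructed sample data.

```python
"""Added example: turn ISA-style "open port N to server" requests into the
PIX 6.x static + access-list + access-group lines described in the thread.
Not code from the thread or from Cisco; addresses below are constructed
sample data (RFC 5737 documentation ranges)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundRule:
    """One 'low to high' (outside to inside) request, ISA style: a port plus
    the server it is really meant for."""
    proto: str            # "tcp" or "udp"
    port: int             # destination port on the inside server
    inside_ip: str        # server's real address behind the PIX
    outside_ip: str       # address the PIX presents for it on the outside
    source: str = "any"   # "any", a host, or a CIDR network allowed to connect


def source_clause(source: str) -> str:
    """Render the ACL source field: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if source == "any":
        return "any"
    net = ipaddress.ip_network(source, strict=False)
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def pix_config(rules, acl_name: str = "outside_ACL"):
    """Return (config_lines, warnings).

    One static per outside/inside address pair (a static is per address, not
    per port), one access-list entry per rule, and a single access-group
    binding the list inbound on the outside interface.  Rules open to 'any'
    source work, as Steve notes, but are reported so they can be narrowed.
    """
    statics, acl_lines, warnings = [], [], []
    for r in rules:
        proto = r.proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {r.proto}")
        if not 1 <= r.port <= 65535:
            raise ValueError(f"bad port: {r.port}")
        # ip_address() rejects junk input before it reaches the config.
        inside = ipaddress.ip_address(r.inside_ip)
        outside = ipaddress.ip_address(r.outside_ip)
        static = f"static (inside,outside) {outside} {inside} netmask 255.255.255.255"
        if static not in statics:
            statics.append(static)
        src = source_clause(r.source)
        if src == "any":
            warnings.append(f"{proto}/{r.port} to {outside} is reachable from any outside address")
        # On PIX 6.x the ACL on the outside interface matches the translated
        # (outside) address, as in Steve's "host x.x.x.x" example.
        acl_lines.append(f"access-list {acl_name} permit {proto} {src} host {outside} eq {r.port}")
    lines = statics + acl_lines + [f"access-group {acl_name} in interface outside"]
    return lines, warnings


# Constructed sample: Gary's "tcp port 5510" request, once wide open and once
# narrowed to a known client network, plus the same port over udp from one host.
SAMPLE_RULES = [
    InboundRule("tcp", 5510, "10.10.10.10", "192.0.2.10"),
    InboundRule("tcp", 5510, "10.10.10.10", "192.0.2.10", "198.51.100.0/24"),
    InboundRule("udp", 5510, "10.10.10.10", "192.0.2.10", "203.0.113.7"),
]


def sample_config():
    """Generate the PIX lines for the constructed sample rules."""
    return pix_config(SAMPLE_RULES)


if __name__ == "__main__":
    config, warns = sample_config()
    print("\n".join(config))
    for w in warns:
        print("WARNING:", w)
```

Paste the printed lines into the PIX in the order given (statics first, then the list, then the access-group) and review every warning before committing; the wide-open variant is exactly the port-only rule Gary asked for, and the script makes its cost visible rather than hiding it.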