Passing a specific port number

admin_2
Level 3

Hell-o,

My question is regarding the PIX515e. We have a Windows ISA firewall server we want to retire. I need to move the ports that have been opened from this ISA box to the PIX. On the ISA it simply says 'send/receive tcp port 5510', for example. Is there a way on the PIX to apply this port very simply, without having to create a static entry? A way to just simply say open a specific port number?

Any suggestions, thoughts or advice greatly welcome,

TIA,

Gary

Accepted Solution

Who is starting the connection, the high security interface to low or low security interface to high? If it's high to low, don't do anything, it will allow it by default. If it is low to high you need 1) a static and 2) an access-list. The acl doesn't have to reference IPs, but it should (security reasons - the whole point of the PIX). For example:

1) static (inside, outside) x.x.x.x 10.10.10.10 netmask 255.255.255.255 (or use a range of IPs)

or

static (inside, outside) 10.10.10.10 10.10.10.10 (if nat disabled)

and

2) access-list 102 permit tcp any any eq 5510

or

access-list 102 permit tcp any host x.x.x.x eq 5510 (better)

or

access-list 102 permit tcp host y.y.y.y host x.x.x.x eq 5510 (best)

access-group 102 in interface outside

Hope it helps.

Steve
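A small audit script added here as an illustration (not code from any post in this thread) that applies the ranking in Steve's reply to a constructed config: it parses static and access-list lines, rates each permit as weak (any any), better (any host) or best (host host), and flags an inbound permit whose destination host has no matching static. The sample config and its addresses are constructed.

```python
import re

# Added audit helper (not code from any post here): parse PIX-style "static"
# and "access-list" lines, rate each permit as Steve's reply does (any->any
# weak, any->host better, host->host best) and check that an inbound permit
# to a host has a matching static, since low-to-high needs both.
STATIC_RE = re.compile(
    r"^static \(\s*(?P<high>\w+)\s*,\s*(?P<low>\w+)\s*\) (?P<global_ip>\S+) (?P<local_ip>\S+)"
)
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?$"
)

# Constructed sample config; addresses are RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
access-list 102 permit tcp any any eq 5510
access-list 102 permit tcp any host 203.0.113.10 eq 5510
access-list 102 permit tcp host 198.51.100.7 host 203.0.113.10 eq 5510
access-list 102 permit tcp any host 203.0.113.20 eq 5510
access-group 102 in interface outside
"""

def specificity(spec):
    # 0 = any, 1 = network/mask pair, 2 = single host
    return 0 if spec == "any" else 2 if spec.startswith("host ") else 1

def rate(src, dst):
    s, d = specificity(src), specificity(dst)
    if s == 0 and d == 0:
        return "weak"      # any any eq <port>: only the port is pinned
    if d == 2:
        return "best" if s == 2 else "better"  # host->host beats any->host
    return "scoped"        # a network/mask pair on at least one side

def audit_acl(config_text):
    lines = [" ".join(raw.split()) for raw in config_text.splitlines()]  # squash spaces
    statics = {m["global_ip"] for m in map(STATIC_RE.match, lines) if m}
    findings = []
    for line in lines:
        m = ACE_RE.match(line)
        if not m or m["action"] != "permit":
            continue
        dst = m["dst"]
        static_ok = dst.split()[1] in statics if dst.startswith("host ") else None
        findings.append({"line": line, "port": m["port"],
                         "rating": rate(m["src"], dst), "static_for_dst": static_ok})
    return findings
```

A permit rated "weak" still needs a static to reach anything inside; the script only shows how broad the ACL is and which host entries have no static behind them.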


4 Replies

Steve M.
Level 1

Gary,

I'm new at the Pix myself, but I believe you can do this through the access-list, nat and static commands. Assuming you're going from the inside to outside interface (and vice-versa), if you're not wanting to convert the IP addresses, use the

nat (inside) 0 0 0

command to tell the Pix not to NAT traffic coming from the inside interface. To allow lower security level interfaces to talk to higher-level security interfaces, use the static command, i.e.

static (inside,outside) <ip> <ip> netmask <mask>

where ip = your ip address (or addresses) and mask = the appropriate netmask (255.255.255.255 for a single host).

Next use the access-list command to open up the port for the particular IP (or network) for the outside interface. For instance,

For a host:

access-list outside_ACL permit tcp any host <ip> eq 5510

For a network:

access-list outside_ACL permit tcp any <network> <mask> eq 5510

Then bind the access-list to an interface:

access-group outside_ACL in interface outside

Hope this helps (and is correct -- we've had our 515E for a little over a week and a half -- just finished my config).

Have a good day,

Tim


Hell-o Tim,

Thanks for the feedback. It is difficult for me to explain exactly what I am asking.

I do understand the static and acl commands. What I am trying to ask is how can I simply say, pass a specific port number without referencing a specific ip address or, if possible, no ip address at all. Just pass port xxxx.

With the Microsoft ISA firewall server, if a user tells me they need tcp/udp to pass through its firewall via port xxxx, I just tell it to pass port xxxx with udp/tcp without any mention of an ip address.

TIA,

Gary

Steve M.
Level 1

Gary,

I forgot -- the access-list I gave you was for incoming connections. For outbound:

For network:

access-list outside_ACL permit tcp <network> <mask> any eq 5510

For host:

access-list outside_ACL permit tcp host <ip> any eq 5510

Put all the access-list statements together, then bind them to the interface using access-group.