Velocity Reviews - Computer Hardware Reviews

PIX: How-to: restricting ports used for PAT

 
 
guru@progon.net
07-20-2004
Hello...

I need to restrict the port range used for NAT/PAT to 8192..65535.
PIX 525 with 6.3(.3) is used.

Any suggestions?

Details:

pixfirewall# sh xlat
10 in use, 47 most used
PAT Global x.y.z.194(1025) Local 10.32.32.141(1036)
PAT Global x.y.z.194(165) Local 10.32.16.181(123)
PAT Global x.y.z.194(5) Local 10.32.3.5(123)
PAT Global x.y.z.194(121) Local 10.32.32.131(123)
PAT Global x.y.z.194(4) Local 10.32.3.1(123)

Low ports such as 4, 5, ... are causing problems, as some services won't talk
to these ports...

Best regards...
 

Walter Roberson
07-20-2004
guru@progon.net wrote:
:I need to restrict the port range used for NAT/PAT to 8192..65535.
:PIX 525 with 6.3(.3) is used.

:Any suggestions?

There is no provided way to do that.

:Details:

:pixfirewall# sh xlat
:10 in use, 47 most used
:PAT Global x.y.z.194(1025) Local 10.32.32.141(1036)
:PAT Global x.y.z.194(165) Local 10.32.16.181(123)
:PAT Global x.y.z.194(5) Local 10.32.3.5(123)
:PAT Global x.y.z.194(121) Local 10.32.32.131(123)
:PAT Global x.y.z.194(4) Local 10.32.3.1(123)

:Low ports such as 4, 5, ... are causing problems, as some services won't talk
:to these ports...

Notice that the low ports are only used to talk to low ports (< 1024).
The PIX uses three different PAT port pools, reserving low ports
for talking to low ports, reserving the middle range for talking to
the middle range, and reserving the high range for talking to the
high range. I do not recall exactly where the boundary between the middle
and high range is -- it is a much less important boundary than the
1023 boundary, and is often overlooked. The high range is, as I recall,
completely reserved for user-defined and dynamic allocations,
whereas the midrange is allowed to have a mix of dynamic allocations and
registered services. (In other words, if you use a high enough port
number then the standards say that you are guaranteed not to clash with
any officially registered service, whereas ports in the mid-range are
still subject to reservation through the official IANA process and
if you use one of them, you risk clashing with an official service.)

If the remote machines won't listen to low-numbered ports when talking
to low-numbered ports then they are, as best I recall, operating
out of spec. But of course there's always the problem that if you
don't yourself happen to be using (say) 137, that you might
get dynamically allocated 137 and someone might filter on that in
order to block apparent NETBIOS. The work-around to that is to
add in specific PAT translations for the ports you don't want
dynamically allocated, and then block the access to those ports via
ACLs so you don't accidentally leak anything in either direction on
those ports.
--
Studies show that the average reader ignores 106% of all statistics
they see in .signatures.

guru@progon.net
07-20-2004
On 20 Jul 2004 15:25:32 GMT, Walter Roberson wrote:

>There is no provided way to do that.


Ok, thank you anyway...

>If the remote machines won't listen to low-numbered ports when talking
>to low-numbered ports then they are, as best i recall, operating
>out of spec.


My problem is NTP. NTP only accepts port 123 from the reserved
range:

    if (!(SRCPORT(&rbufp->recv_srcadr) == NTP_PORT ||
          SRCPORT(&rbufp->recv_srcadr) >= IPPORT_RESERVED)) {
        sys_badlength++;
        return;
    }

Best regards...


Walter Roberson
07-20-2004
guru@progon.net wrote:
:My problem is NTP. NTP only accepts port 123 from the reserved
:range:

:    if (!(SRCPORT(&rbufp->recv_srcadr) == NTP_PORT ||
:          SRCPORT(&rbufp->recv_srcadr) >= IPPORT_RESERVED)) {
:        sys_badlength++;
:        return;
:    }

I have never seen an instance in which our PIX allocated a non-
reserved port when connecting to NTP. I believe it could happen in
theory if all the reserved ports were full, but we've never had
all the reserved ports fill up simultaneously.

rsh/rexec is another one that only accepts reserved ports. Makes it
difficult to tunnel my software updates through ssh [the update
script uses rsh to "dd" out of the middle of package files.]
--
I predict that you will not trust this prediction.

Rod Dorman
07-20-2004
Walter Roberson wrote:
> ...
>Notice that the low ports are only used to talk to low ports (< 1024).
>The PIX uses three different PAT port pools, reserving low ports
>for talking to low ports, reserving the middle range for talking to
>the middle range, and reserving the high range for talking to the
>high range. I do not recall exactly where the boundary between the middle
>and high range is -- it is a much less important boundary than the
>1023 boundary, and is often overlooked. The high range is, as I recall,
>completely reserved for user-defined and dynamic allocations,


Good memory.

For those that like links see
http://www.iana.org/assignments/port-numbers

The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151
The Dynamic and/or Private Ports are those from 49152 through 65535

--
-- Rod --
rodd(at)polylogics(dot)com
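To tie the thread's three pieces together, here is an added example (not code from the thread, from Cisco, or from the ntp project): a small model of the per-range PAT port pools Walter Roberson describes, a parser for the `sh xlate` lines guru@progon.net posted, and the ntpd source-port rule quoted from ntp_proto.c, with the IANA boundaries from Rod Dorman's post. Two things are assumptions rather than facts from the page: the model picks the lowest free port inside the matching pool (the PIX's real selection order within a pool is not documented here), and an inside host whose local port is 123 is taken to be an NTP client or peer talking to a remote ntpd on 123 (which is how ntpd always sources its packets). Names such as `allocate_pat_port`, `ntp_rejected` and `SAMPLE_XLATE` are the example's own.

```python
"""Model of PIX PAT port pools, a 'show xlate' parser, and the ntpd source-port
check quoted in the thread. Added example, not from the thread or any vendor.

Assumptions (not stated on the page): lowest-free-port ordering inside a pool,
and local port 123 meaning "inside ntpd talking to a remote ntpd on 123".
"""
import re
from dataclasses import dataclass

NTP_PORT = 123
IPPORT_RESERVED = 1024  # BSD convention used by ntpd: ports below this are "reserved"

# IANA port ranges as listed in Rod Dorman's post (port 0 is never handed out).
POOLS = {
    "well-known": (1, 1023),
    "registered": (1024, 49151),
    "dynamic":    (49152, 65535),
}


def pool_of(port: int) -> str:
    """Name of the IANA range a port falls in."""
    for name, (lo, hi) in POOLS.items():
        if lo <= port <= hi:
            return name
    raise ValueError(f"port out of range: {port}")


def allocate_pat_port(dst_port: int, in_use: set[int]) -> int:
    """Three-pool PAT allocator model: the mapped source port comes from the
    same IANA range as the destination port. Lowest-free ordering is an
    assumption made for determinism, not documented PIX behaviour."""
    lo, hi = POOLS[pool_of(dst_port)]
    for candidate in range(lo, hi + 1):
        if candidate not in in_use:
            in_use.add(candidate)
            return candidate
    raise RuntimeError(f"PAT pool {pool_of(dst_port)} exhausted")


def ntpd_accepts_source_port(src_port: int) -> bool:
    """The receive() check quoted from ntp_proto.c: drop the packet unless the
    source port is 123 or lies outside the reserved (privileged) range."""
    return src_port == NTP_PORT or src_port >= IPPORT_RESERVED


@dataclass(frozen=True)
class PatXlate:
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


XLATE_RE = re.compile(
    r"^PAT Global (?P<gip>\S+)\((?P<gport>\d+)\) Local (?P<lip>\S+)\((?P<lport>\d+)\)$"
)


def parse_xlate(output: str) -> list[PatXlate]:
    """Parse the PAT lines of PIX 6.x 'show xlate' output; other lines are ignored."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            entries.append(PatXlate(m["gip"], int(m["gport"]), m["lip"], int(m["lport"])))
    return entries


def ntp_rejected(entries: list[PatXlate]) -> list[PatXlate]:
    """PAT entries for inside NTP senders (local port 123) whose mapped source
    port a remote ntpd would silently drop (it only bumps sys_badlength)."""
    return [e for e in entries
            if e.local_port == NTP_PORT and not ntpd_accepts_source_port(e.global_port)]


# The 'sh xlat' output posted in the thread, reused here as sample input.
SAMPLE_XLATE = """\
10 in use, 47 most used
PAT Global x.y.z.194(1025) Local 10.32.32.141(1036)
PAT Global x.y.z.194(165) Local 10.32.16.181(123)
PAT Global x.y.z.194(5) Local 10.32.3.5(123)
PAT Global x.y.z.194(121) Local 10.32.32.131(123)
PAT Global x.y.z.194(4) Local 10.32.3.1(123)
"""

if __name__ == "__main__":
    for e in ntp_rejected(parse_xlate(SAMPLE_XLATE)):
        print(f"{e.local_ip}:{e.local_port} -> mapped source port {e.global_port} "
              f"({pool_of(e.global_port)} range): a remote ntpd drops it")
    # Why the low ports appear at all: destination 123 is in the well-known
    # range, so the model hands out a well-known-range source port, which only
    # passes the ntpd check if it happens to be 123 itself.
    print("PAT source port for dst 123:", allocate_pat_port(123, set()))
```

Run against the posted table, the four entries mapped to 165, 5, 121 and 4 are the ones a remote ntpd would discard; the 1025/1036 entry is not NTP traffic and is left alone. The allocator shows the mechanism behind the symptom: a destination in the well-known range draws the mapped source port from the well-known pool, and every port in that pool except 123 itself fails the ntpd test, so with one global address and several inside NTP hosts the translation is almost always rejected.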