opening a port on my PIX-506E

Discussion in 'Cisco' started by Kremlar, Dec 6, 2006.

  1. Kremlar

    Kremlar Guest

    Sorry in advance for my ignorance, as I'm not very familiar with programming
    a Cisco router - but I'm hoping someone here can point me in the right
    direction!

    We have a Cisco PIX-506E that already forwards some traffic to our server
    (HTTP port 80, SMTP port 25, etc..).

    We now need to forward SSL (port 443) traffic to our server, however, and
    I'm not quite sure the commands to do it.

    Can anyone clue me in?

    Thanks in advance!!!
    Kremlar, Dec 6, 2006
    #1

  2. Jax

    Jax Guest

    On Tue, 05 Dec 2006 19:00:28 -0500, Kremlar wrote:

    > Sorry in advance for my ignorance, as I'm not very familiar with programming
    > a Cisco router - but I'm hoping someone here can point me in the right
    > direction!
    >
    > We have a Cisco PIX-506E that already forwards some traffic to our server
    > (HTTP port 80, SMTP port 25, etc..).
    >
    > We now need to forward SSL (port 443) traffic to our server, however, and
    > I'm not quite sure the commands to do it.
    >
    > Can anyone clue me in?
    >
    > Thanks in advance!!!



    it depends on whether or not your pix is using conduits or access-lists.
    post any part of your config that begins with either:
    conduit....
    access-list...
    access-group...
    static...
    Jax, Dec 6, 2006
    #2

  3. Kremlar

    Kremlar Guest

    Looks like it's access lists....

    Here's part:

    access-list acl_inbound permit tcp any eq 2910 any
    access-list acl_inbound permit tcp any eq 135 any eq 135
    access-list acl_inbound permit tcp any eq 6 any eq 6
    access-list acl_inbound permit tcp any eq 1625 any eq 1625
    access-list acl_inbound permit tcp any eq 1635 any eq 1635

    Here's another part:

    static (inside,outside) tcp interface 1635 10.0.0.2 1635 netmask
    255.255.255.255 0 0
    static (inside,outside) tcp interface www 10.0.0.2 www netmask
    255.255.255.255 0 0
    static (inside,outside) tcp interface 500 10.0.0.2 500 netmask
    255.255.255.255 0 0
    static (inside,outside) tcp interface 123 10.0.0.2 123 netmask
    255.255.255.255 0 0

    Thanks!!!!



    "Jax" <> wrote in message
    news:p...
    > On Tue, 05 Dec 2006 19:00:28 -0500, Kremlar wrote:
    >
    >> Sorry in advance for my ignorance, as I'm not very familiar with
    >> programming
    >> a Cisco router - but I'm hoping someone here can point me in the right
    >> direction!
    >>
    >> We have a Cisco PIX-506E that already forwards some traffic to our server
    >> (HTTP port 80, SMTP port 25, etc..).
    >>
    >> We now need to forward SSL (port 443) traffic to our server, however, and
    >> I'm not quite sure the commands to do it.
    >>
    >> Can anyone clue me in?
    >>
    >> Thanks in advance!!!

    >
    >
    > it depends on whether or not your pix is using conduits or access-lists.
    > post any part of your config that begins with either:
    > conduit....
    > access-list...
    > access-group...
    > static...
    Kremlar, Dec 6, 2006
    #3
  4. Brian V

    Brian V Guest

    "Kremlar" <> wrote in message
    news:OGqdh.25052$...
    > Looks like it's access lists....
    >
    > Here's part:
    >
    > access-list acl_inbound permit tcp any eq 2910 any
    > access-list acl_inbound permit tcp any eq 135 any eq 135
    > access-list acl_inbound permit tcp any eq 6 any eq 6
    > access-list acl_inbound permit tcp any eq 1625 any eq 1625
    > access-list acl_inbound permit tcp any eq 1635 any eq 1635
    >
    > Here's another part:
    >
    > static (inside,outside) tcp interface 1635 10.0.0.2 1635 netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface www 10.0.0.2 www netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface 500 10.0.0.2 500 netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface 123 10.0.0.2 123 netmask
    > 255.255.255.255 0 0
    >
    > Thanks!!!!
    >
    >
    >
    > "Jax" <> wrote in message
    > news:p...
    >> On Tue, 05 Dec 2006 19:00:28 -0500, Kremlar wrote:
    >>
    >>> Sorry in advance for my ignorance, as I'm not very familiar with
    >>> programming
    >>> a Cisco router - but I'm hoping someone here can point me in the right
    >>> direction!
    >>>
    >>> We have a Cisco PIX-506E that already forwards some traffic to our
    >>> server
    >>> (HTTP port 80, SMTP port 25, etc..).
    >>>
    >>> We now need to forward SSL (port 443) traffic to our server, however,
    >>> and
    >>> I'm not quite sure the commands to do it.
    >>>
    >>> Can anyone clue me in?
    >>>
    >>> Thanks in advance!!!

    >>
    >>
    >> it depends on whether or not your pix is using conduits or access-lists.
    >> post any part of your config that begins with either:
    >> conduit....
    >> access-list...
    >> access-group...
    >> static...

    >
    >
    >


    Did you edit the ACL and statics for posting to the group? Are those the
    full lists? If those are the full list and are unedited you are not
    currently getting emails or WWW through this firewall, that traffic is
    simply not in the permit list nor is there a static for it.

    Assuming you edited the list and that 10.0.0.2 is the device you want to
    allow https to.
    Telnet, SSH whatever to the Pix and paste in the following from enable mode.
    conf t
    static (inside,outside) tcp interface 443 10.0.0.2 443 netmask 255.255.255.255 0 0
    access-list acl_inbound permit tcp any any eq 443
    wr mem
    logout
    Brian V, Dec 6, 2006
    #4
  5. Kremlar

    Kremlar Guest

    Awesome - thanks!

    "Brian V" <> wrote in message
    news:...
    >
    > "Kremlar" <> wrote in message
    > news:OGqdh.25052$...
    >> Looks like it's access lists....
    >>
    >> Here's part:
    >>
    >> access-list acl_inbound permit tcp any eq 2910 any
    >> access-list acl_inbound permit tcp any eq 135 any eq 135
    >> access-list acl_inbound permit tcp any eq 6 any eq 6
    >> access-list acl_inbound permit tcp any eq 1625 any eq 1625
    >> access-list acl_inbound permit tcp any eq 1635 any eq 1635
    >>
    >> Here's another part:
    >>
    >> static (inside,outside) tcp interface 1635 10.0.0.2 1635 netmask
    >> 255.255.255.255 0 0
    >> static (inside,outside) tcp interface www 10.0.0.2 www netmask
    >> 255.255.255.255 0 0
    >> static (inside,outside) tcp interface 500 10.0.0.2 500 netmask
    >> 255.255.255.255 0 0
    >> static (inside,outside) tcp interface 123 10.0.0.2 123 netmask
    >> 255.255.255.255 0 0
    >>
    >> Thanks!!!!
    >>
    >>
    >>
    >> "Jax" <> wrote in message
    >> news:p...
    >>> On Tue, 05 Dec 2006 19:00:28 -0500, Kremlar wrote:
    >>>
    >>>> Sorry in advance for my ignorance, as I'm not very familiar with
    >>>> programming
    >>>> a Cisco router - but I'm hoping someone here can point me in the right
    >>>> direction!
    >>>>
    >>>> We have a Cisco PIX-506E that already forwards some traffic to our
    >>>> server
    >>>> (HTTP port 80, SMTP port 25, etc..).
    >>>>
    >>>> We now need to forward SSL (port 443) traffic to our server, however,
    >>>> and
    >>>> I'm not quite sure the commands to do it.
    >>>>
    >>>> Can anyone clue me in?
    >>>>
    >>>> Thanks in advance!!!
    >>>
    >>>
    >>> it depends on whether or not your pix is using conduits or
    >>> access-lists.
    >>> post any part of your config that begins with either:
    >>> conduit....
    >>> access-list...
    >>> access-group...
    >>> static...

    >>
    >>
    >>

    >
    > Did you edit the ACL and statics for posting to the group? Are those the
    > full lists? If those are the full list and are unedited you are not
    > currently getting emails or WWW through this firewall, that traffic is
    > simply not in the permit list nor is there a static for it.
    >
    > Assuming you edited the list and that 10.0.0.2 is the device you want to
    > allow https to.
    > Telnet, SSH whatever to the Pix and paste in the following from enable
    > mode.
    > conf t
    > static (inside,outside) tcp interface 443 10.0.0.2 443 netmask
    > access-list acl_inbound permit tcp any any eq 443
    > wr mem
    > logout
    >
    >
    Kremlar, Dec 6, 2006
    #5
  6. Chad Mahoney

    Chad Mahoney Guest

    Kremlar wrote:
    > Looks like it's access lists....
    >
    > Here's part:
    >
    > access-list acl_inbound permit tcp any eq 2910 any
    > access-list acl_inbound permit tcp any eq 135 any eq 135
    > access-list acl_inbound permit tcp any eq 6 any eq 6
    > access-list acl_inbound permit tcp any eq 1625 any eq 1625
    > access-list acl_inbound permit tcp any eq 1635 any eq 1635
    >
    > Here's another part:
    >
    > static (inside,outside) tcp interface 1635 10.0.0.2 1635 netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface www 10.0.0.2 www netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface 500 10.0.0.2 500 netmask
    > 255.255.255.255 0 0
    > static (inside,outside) tcp interface 123 10.0.0.2 123 netmask
    > 255.255.255.255 0 0
    >
    > Thanks!!!!
    >


    static (inside,outside) tcp interface 443 internal_ip_of_server 443 netmask 255.255.255.255 0 0

    access-list acl_inbound permit tcp any any eq 443


    Although your ACL's look badly written, I would write them as:

    access-list acl_inbound permit tcp any host External_Interface_of_firewall eq 443

    External_Interface_of_firewall = IP of outside interface.

    Also by implementing this rule you will no longer be able to manage the
    firewall externally via the PDM.
    Chad Mahoney, Dec 7, 2006
    #6
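As an added example (not code posted in the thread), a small Python audit that runs over a constructed sample built from the config fragments and the port 443 fix above: it flags the source-port `eq` pattern Chad calls badly written, statics with no matching permit (Brian's point about www and smtp), ACLs never bound with access-group, and the port 443 static that takes over the outside interface's HTTPS used by PDM. The sample config, the access-group line and the service-name table are assumptions made for the example.

```python
import re

# Constructed sample: the PIX 6.x fragments posted in the thread plus Brian V's
# port 443 fix and an access-group line; not the poster's full configuration.
SAMPLE_CONFIG = """
access-list acl_inbound permit tcp any eq 2910 any
access-list acl_inbound permit tcp any eq 135 any eq 135
access-list acl_inbound permit tcp any any eq 443
access-group acl_inbound in interface outside
static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 10.0.0.2 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1635 10.0.0.2 1635 netmask 255.255.255.255 0 0
"""

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}  # assumed subset of PIX service keywords

ACL_RE = re.compile(r"access-list (\S+) permit tcp any(?: eq (\S+))? (?:any|host \S+)(?: eq (\S+))?$")
STATIC_RE = re.compile(r"static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"access-group (\S+) in interface outside")

def port_num(token):
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    return int(token) if token.isdigit() else None

def audit_pix_config(text):
    """Return findings about inbound ACL / static pairing for a PIX config fragment."""
    findings, allowed_dst, statics, acls, bound = [], set(), {}, set(), set()
    for line in text.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, sport, dport = m.groups()
            acls.add(name)
            if sport is not None:  # clients connect from ephemeral ports, not the service port
                findings.append(f"ACL {name}: 'eq {sport}' on the source drops normal clients")
            if dport is not None:
                allowed_dst.add(port_num(dport))
        elif m := STATIC_RE.match(line):
            statics[port_num(m.group(1))] = (m.group(2), port_num(m.group(3)))
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))
    for name in sorted(acls - bound):
        findings.append(f"ACL {name} is never applied with access-group")
    for port, (host, iport) in sorted(statics.items()):
        if port not in allowed_dst:  # static without a permit: translated, then denied by the ACL
            findings.append(f"static for port {port} -> {host}:{iport} has no matching ACL permit")
    if 443 in statics:  # Chad Mahoney's caveat: the outside interface's own HTTPS (PDM) is forwarded too
        findings.append("static on interface port 443 also captures PDM management HTTPS on the outside")
    return findings

if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_CONFIG):
        print(finding)
```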