PIX: How-to: restricting ports used for PAT

Discussion in 'Cisco' started by guru@progon.net, Jul 20, 2004.

  1. Guest

    Hello...

    I need to restrict the port range used for NAT/PAT to 8192..65535.
    PIX 525 with 6.3(.3) is used.

    Any suggestions?

    Details:

    pixfirewall# sh xlat
    10 in use, 47 most used
    PAT Global x.y.z.194(1025) Local 10.32.32.141(1036)
    PAT Global x.y.z.194(165) Local 10.32.16.181(123)
    PAT Global x.y.z.194(5) Local 10.32.3.5(123)
    PAT Global x.y.z.194(121) Local 10.32.32.131(123)
    PAT Global x.y.z.194(4) Local 10.32.3.1(123)

    Low ports such as 4, 5, ... are causing problems, as some services won't
    talk to these ports...

    Best regards...
     
    , Jul 20, 2004
    #1

  2. In article <>,
    <> wrote:
    :I need to restrict the port range used for NAT/PAT to 8192..65535.
    :PIX 525 with 6.3(.3) is used.

    :Any suggestions?

    There is no provided way to do that.

    :Details:

    :pixfirewall# sh xlat
    :10 in use, 47 most used
    :PAT Global x.y.z.194(1025) Local 10.32.32.141(1036)
    :PAT Global x.y.z.194(165) Local 10.32.16.181(123)
    :PAT Global x.y.z.194(5) Local 10.32.3.5(123)
    :PAT Global x.y.z.194(121) Local 10.32.32.131(123)
    :PAT Global x.y.z.194(4) Local 10.32.3.1(123)

    :Low ports such as 4, 5, ... are causing problems, as some services won't
    :talk to these ports...

    Notice that the low ports are only used to talk to low ports (< 1024).
    The PIX uses three different PAT port pools, reserving low ports
    for talking to low ports, reserving the middle range for talking to
    the middle range, and reserving the high range for talking to the
    high range. I do not recall exactly where the boundary between the middle
    and high range is -- it is a much less important boundary than the
    1023 boundary, and is often overlooked. The high range is, as I recall,
    completely reserved for user-defined and dynamic allocations,
    whereas the midrange is allowed to have a mix of dynamic allocations and
    registered services. (In other words, if you use a high enough port
    number, then the standards say that you are guaranteed not to clash with
    any officially registered service, whereas ports in the mid-range are
    still subject to reservation through the official IANA process and
    if you use one of them, you risk clashing with an official service.)


    If the remote machines won't listen to low-numbered ports when talking
    to low-numbered ports then they are, as best I recall, operating
    out of spec. But of course there's always the problem that if you
    don't yourself happen to be using (say) 137, that you might
    get dynamically allocated 137 and someone might filter on that in
    order to block apparent NETBIOS. The work-around to that is to
    add in specific PAT translations for the ports you don't want
    dynamically allocated, and then block the access to those ports via
    ACLs so you don't accidentally leak anything in either direction on
    those ports.
    --
    Studies show that the average reader ignores 106% of all statistics
    they see in .signatures.
     
    Walter Roberson, Jul 20, 2004
    #2

  3. Guest

    On 20 Jul 2004 15:25:32 GMT, -cnrc.gc.ca (Walter
    Roberson) wrote:

    >There is no provided way to do that.


    Ok, thank you anyway...

    >If the remote machines won't listen to low-numbered ports when talking
    >to low-numbered ports then they are, as best i recall, operating
    >out of spec.


    My problem is NTP. NTP only accepts port 123 from the reserved
    range:

    /* ntpd receive(): drop the packet unless its source port is 123 or
       an unprivileged port (>= IPPORT_RESERVED, i.e. 1024) */
    if (!(SRCPORT(&rbufp->recv_srcadr) == NTP_PORT ||
          SRCPORT(&rbufp->recv_srcadr) >= IPPORT_RESERVED)) {
            sys_badlength++;
            return;
    }

    Best regards...
     
    , Jul 20, 2004
    #3
  4. In article <>,
    <> wrote:
    :My problem is NTP. NTP only accepts port 123 from the reserved
    :range:

    : if (!(SRCPORT(&rbufp->recv_srcadr) == NTP_PORT ||
    : SRCPORT(&rbufp->recv_srcadr) >= IPPORT_RESERVED)) {
    : sys_badlength++;
    : return;

    I have never seen an instance in which our PIX allocated a non-
    reserved port when connecting to NTP. I believe it could happen in
    theory if all the reserved ports were full, but we've never had
    all the reserved ports fill up simultaneously.

    rsh/rexec is another one that only accepts reserved ports. Makes it
    difficult to tunnel my software updates through ssh [the update
    script uses rsh to "dd" out of the middle of package files.]
    --
    I predict that you will not trust this prediction.
     
    Walter Roberson, Jul 20, 2004
    #4
  5. Rod Dorman Guest

    In article <cdjdhc$j0g$>,
    Walter Roberson <-cnrc.gc.ca> wrote:
    > ...
    >Notice that the low ports are only used to talk to low ports (< 1024).
    >The PIX uses three different PAT port pools, reserving low ports
    >for talking to low ports, reserving the middle range for talking to
    >the middle range, and reserving the high range for talking to the
    >high range. I do not recall exactly where the boundry between the middle
    >and high range is -- it is a much less important boundary than the
    >1023 boundary, and is often overlooked. The high range is, as I recall,
    >completely reserved for user-defined and dynamic allocations,


    Good memory.

    For those that like links see
    http://www.iana.org/assignments/port-numbers

    The Well Known Ports are those from 0 through 1023.
    The Registered Ports are those from 1024 through 49151.
    The Dynamic and/or Private Ports are those from 49152 through 65535.

    --
    -- Rod --
    rodd(at)polylogics(dot)com
     
    Rod Dorman, Jul 20, 2004
    #5
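The following is an added example, not code from this thread, from Cisco or from the ntpd project. It models in Python what the replies above describe: the PIX drawing a global PAT port from the pool matching the flow's port range (Walter's three-pool description in post #2, with the IANA boundaries Rod quotes in post #5 used as the split and treated as a parameter), the ntpd source-port check quoted in post #3, and the static-PAT workaround from post #2 that keeps a chosen port out of the dynamic pool. Assumptions, also marked in the code: the pool is chosen by the local source port (consistent with the sample `show xlate` output, local 123 -> global 5 and local 1036 -> global 1025), the allocator hands out the lowest free port in the pool, and a full pool is reported as an error rather than guessed at. `PatTable`, `pool_for`, `ntp_outcome`, `demo` and `pinned_port_is_never_dynamic` are names invented for this example.

```python
"""PAT port-pool model versus ntpd's source-port check.

Added example for this thread; it is not PIX or ntpd code.  Everything
marked "assumption" is a modelling choice, not documented PIX behaviour.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

NTP_PORT = 123
IPPORT_RESERVED = 1024  # ntpd: source ports below this are "reserved"

# Pool boundaries: the IANA ranges quoted in the thread.  The thread says
# the real mid/high boundary on the PIX is unclear, so treat this as a
# parameter and substitute the values your platform documents.
PAT_RANGES = ((1, 1023), (1024, 49151), (49152, 65535))


def pool_for(local_port: int) -> Tuple[int, int]:
    """Assumption: the global port is drawn from the pool that contains the
    local *source* port, which matches the sample xlate output in the thread
    (local 123 -> global 5, local 1036 -> global 1025)."""
    for lo, hi in PAT_RANGES:
        if lo <= local_port <= hi:
            return lo, hi
    raise ValueError(f"port {local_port} outside 1-65535")


def ntpd_accepts(src_port: int) -> bool:
    """The receive() check quoted from ntpd: accept only if the source port
    is 123 or a non-reserved (>= 1024) port; anything else is dropped."""
    return src_port == NTP_PORT or src_port >= IPPORT_RESERVED


@dataclass
class PatTable:
    """One global address; static (pinned) entries plus dynamic xlates."""
    global_ip: str
    in_use: Set[int] = field(default_factory=set)
    static: Dict[Tuple[str, int], int] = field(default_factory=dict)
    dynamic: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def add_static(self, global_port: int, local_ip: str, local_port: int) -> None:
        """Static PAT: pin global_port to one inside host:port.  The dynamic
        allocator then never hands that port out, which is the workaround in
        the thread for ports such as 137 that you do not want leaking."""
        if global_port in self.in_use:
            raise ValueError(f"global port {global_port} already in use")
        self.in_use.add(global_port)
        self.static[(local_ip, local_port)] = global_port

    def translate(self, local_ip: str, local_port: int) -> int:
        """Global source port the outside host will see for this flow."""
        key = (local_ip, local_port)
        if key in self.static:
            return self.static[key]
        if key in self.dynamic:
            return self.dynamic[key]
        lo, hi = pool_for(local_port)
        # Assumption: lowest free port in the pool.  The page gives no real
        # selection order, only that very low numbers (4, 5) do occur.
        for port in range(lo, hi + 1):
            if port not in self.in_use:
                self.in_use.add(port)
                self.dynamic[key] = port
                return port
        # The thread only speculates about a full pool; refuse, don't guess.
        raise RuntimeError(f"PAT pool {lo}-{hi} exhausted")


def ntp_outcome(table: PatTable, local_ip: str,
                local_port: int = NTP_PORT) -> Tuple[int, bool]:
    """Translate one NTP client's packet; report the global source port and
    whether the remote ntpd's check lets it through."""
    gport = table.translate(local_ip, local_port)
    return gport, ntpd_accepts(gport)


def demo() -> Dict[str, Tuple[int, bool]]:
    """Constructed scenario: the failure from the thread and two ways out."""
    out: Dict[str, Tuple[int, bool]] = {}
    pix = PatTable("x.y.z.194")
    # ntpd on 10.32.3.1 sends from source port 123 -> low pool -> port 1,
    # which the remote ntpd rejects (neither 123 nor >= 1024).
    out["dynamic_pat"] = ntp_outcome(pix, "10.32.3.1")
    # Fix on the PIX: a static PAT pins global 123 to one inside host, so its
    # packets leave with source port 123.  Only one host can own that port.
    pix.add_static(NTP_PORT, "10.32.3.5", NTP_PORT)
    out["static_pat"] = ntp_outcome(pix, "10.32.3.5")
    # Fix on the client: send from an unprivileged source port (ntpdate -u
    # does this); the translation then lands in a pool ntpd already accepts.
    out["unprivileged_client"] = ntp_outcome(pix, "10.32.3.1", 49200)
    return out


def pinned_port_is_never_dynamic(port: int = 137, flows: int = 200) -> bool:
    """Pin `port` with a static PAT, open `flows` low-port flows from
    distinct hosts, and confirm the dynamic allocator skipped it."""
    pix = PatTable("x.y.z.194")
    pix.add_static(port, "10.32.1.1", port)
    for i in range(flows):
        pix.translate(f"10.32.0.{i + 1}", NTP_PORT)
    return port not in pix.dynamic.values()
```

Running `demo()` gives the three outcomes side by side: the dynamically translated NTP packet leaves with source port 1 and fails ntpd's check, the host behind a static PAT for port 123 passes, and a client sending from an unprivileged source port (what `ntpdate -u` does) passes as well because its translation lands above 1024. `pinned_port_is_never_dynamic()` is the thread's port-137 workaround in the model: once a port is pinned by a static entry the dynamic allocator walks past it, and an ACL on that port then cannot be defeated by a dynamic translation landing on it.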