Adding open ports

Dec 5, 2001
I was just given the job of configuring our evaluation unit (515) and I have never used anything from Cisco before. I downloaded the docs and the CLI seems easy enough to understand once I look at an example in the book. But I can't find how to open a range of ports. For example, we have a custom program that a guy in our Finance dept uses, and it uses ports 8194-8294. How do I open this up so he can get out on these ports, but not allow anyone to get in on them?

Thanks all!
 
Try:
access-list finance-acl permit tcp any host "users.ip.addr.ess" range 8194 8294

But remember, if these protocols are initiated on the inside interface of the PIX then they will be allowed back in due to stateful inspection. Meaning, if your user starts the connection from the internal LAN then it will be allowed back in on the same TCP session. However, if these ports are initiated from the outside into the finance guy's PC then you will have to do some translations.
 
I've also heard a rumor from some guys at work that any port above 1024 is automatically opened whenever an inside user accesses it. Is that true? If this Finance guy is only going In > Out then do I even need to open up a port?
 
HI.

The PIX uses something called ASA, one of whose features is security levels.

By default, any traffic from inside to outside is permitted (after you configure translation: NAT & GLOBAL commands).
So you don't need to open specific ports.

Any connection initiated from outside is blocked by default.

You can override the defaults using access-lists in both directions.

Bye
Yizhar Hurwitz
 
No, not if all the traffic originates from the inside interface going out. Basically, it is piggybacking on the TCP session when it comes back in the outside interface of the PIX. A good way to look at it is "consider the source": wherever it is sourced from, it will be allowed back in. There is an exception: if you have access-lists on both the inside and outside interfaces with a "deny ip any any" at the end of the ACL, then you might have some problems. To answer the question about the ports above 1023, the same rule applies: if it is initiated from the inside it will be let back in. Out of the box the PIX by default allows everything out and nothing in that is not originated from the inside interface.
 
Ok, sounds good. You say by default it is setup this way. How can I tell? Which setting controls this?
 
caryfields,

The default way it passes traffic is in the IOS but you can alter that of course. To start passing traffic through the PIX you need two commands:
nat (inside) 1 0 0
global (outside) 1 interface
and, as long as your interfaces are up, you should be able to pass traffic. From there you can restrict (with ACL) as much as you need. To reiterate what I said earlier: anything initiated on the inside interface can come back in via stateful inspection.
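A worked configuration that ties the answers above together, added here as an illustration and not taken from any post in this thread. It assumes PIX 6.x syntax, a two-interface 515 with the default security levels (outside 0, inside 100), and made-up addresses (192.168.10.0/24 on the inside, 192.168.10.50 for the finance PC, 203.0.113.2 on the outside interface). It shows the minimum nat/global pair, an optional inside ACL that names the finance PC as the source of the 8194-8294 range (in the access-list syntax the port operator after the last address applies to the destination, so an outbound rule puts the user's host in the source position and the range after the destination), an outside ACL with no hole for those ports, and the static/ACL pair that would be needed only if the program had to accept connections from outside.

```cisco
! Interface names and default security levels (PIX 515, PIX 6.x syntax).
! Traffic from a higher security level to a lower one passes once a
! translation exists; the reverse direction needs a static plus an ACL.
! Addresses below are assumed for the example.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0

! Step 1: translation for everything on the inside, PAT behind the
! outside interface address. With only this in place, all outbound
! TCP/UDP traffic (any port, above or below 1024) is allowed and no
! unsolicited inbound connection is.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Step 2 (optional): restrict outbound traffic with an ACL on the inside
! interface. The finance PC (assumed 192.168.10.50) is the source;
! "range 8194 8294" after "any" constrains the destination port.
! Once an ACL is applied to an interface, anything it does not permit is
! dropped, so the services everyone else needs have to be listed too.
access-list inside_out permit tcp host 192.168.10.50 any range 8194 8294
access-list inside_out permit tcp any any eq www
access-list inside_out permit tcp any any eq 443
access-list inside_out permit udp any any eq domain
access-group inside_out in interface inside

! Step 3: make the default explicit on the outside. There is no entry for
! 8194-8294, so connections from the Internet to those ports are dropped.
! Return packets of a TCP session the finance PC opened are matched
! against the connection table (stateful inspection), not this ACL.
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Step 4: only if the program had to accept connections from outside
! would a static translation plus an explicit permit be required.
! Left commented out; not needed for the outbound-only case in the thread.
! static (inside,outside) 203.0.113.50 192.168.10.50 netmask 255.255.255.255
! access-list outside_in permit tcp any host 203.0.113.50 range 8194 8294

! Checks: after the finance PC opens a connection, the session appears in
! the connection table and its PAT entry in the translation table.
! show conn
! show xlate
```

Step 2 is the part to leave out if the goal is only what the thread asks for (outbound allowed, inbound blocked): Steps 1 and 3 already give that, and an inside ACL only adds value once you want to stop other inside hosts from leaving on arbitrary ports. Verify the behaviour with `show conn` while the finance application is active; an entry listing 192.168.10.50 with a foreign port in 8194-8294 confirms the state that lets the replies back in.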
 