anthony4513
MIS
Hello all,
Carbon Copy 5.60
PIX 515
Ports that were open: TCP 1680 / UDP 1680
Here's the problem: I have been trying to get Carbon Copy to
go through the PIX 515 firewall for two weeks now. The
only way that it'll work is to open all ports from the
inside interface (laptop that will be remoting the server)
going to the lower security interface (DMZ_WEB725).
I have configured the security level on DMZ_WEB725 to allow destination port 1680 to enter. The problem is the laptop that is remoting the server is using random ports.
Below is the ACL and syslog error message. If anyone out there has ever configured Carbon Copy 5.60 to successfully go through the firewall, please give desperately needed advice.
********* ACL on "INSIDE" Interface Security Level 100*****
access-list inside_in permit icmp 10.1.35.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list inside_in permit icmp 10.1.35.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_in permit tcp 10.1.35.0 255.255.255.0 172.17.2.0 255.255.255.0 eq ssh
access-list inside_in permit tcp 10.1.35.0 255.255.255.0 172.16.3.0 255.255.255.0 eq 3389
access-list inside_in permit tcp 10.1.35.0 255.255.255.0 172.17.2.0 255.255.255.0 eq 3389
access-list inside_in permit tcp 10.1.35.0 255.255.255.0 172.16.3.0 255.255.255.0 eq ssh
access-list inside_in permit tcp 10.1.35.0 255.255.255.0 172.16.3.0 255.255.255.0 eq 1680
access-list inside_in permit udp 10.1.35.0 255.255.255.0 172.16.3.0 255.255.255.0 eq 1680
access-list inside_in permit tcp 10.1.35.0 255.255.255.0 172.17.2.0 255.255.255.0 eq 1680
access-list inside_in permit udp 10.1.35.0 255.255.255.0 172.17.2.0 255.255.255.0 eq 1680
****** ACL on interface DMZ_WEB725 Security Level 40 *****
access-list dmz_web725_in permit tcp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq 137
access-list dmz_web725_in permit udp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq netbios-ns
access-list dmz_web725_in permit tcp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq 138
access-list dmz_web725_in permit udp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq netbios-dgm
access-list dmz_web725_in permit tcp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq netbios-ssn
access-list dmz_web725_in permit udp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq 139
access-list dmz_web725_in permit tcp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq 445
access-list dmz_web725_in permit tcp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq sqlnet
access-list dmz_web725_in permit udp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq 1521
access-list dmz_web725_in permit tcp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq 1526
access-list dmz_web725_in permit udp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq 1526
access-list dmz_web725_in permit tcp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq sunrpc
access-list dmz_web725_in permit udp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0 eq sunrpc
access-list dmz_web725_in permit icmp 172.16.3.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list dmz_web725_in permit icmp 172.16.3.0 255.255.255.0 10.1.35.0 255.255.255.0
access-list dmz_web725_in permit tcp 172.16.3.0 255.255.255.0 eq 1680 10.1.35.0 255.255.255.0
access-list dmz_web725_in permit udp 172.16.3.0 255.255.255.0 eq 1680 10.1.35.0 255.255.255.0
access-list dmz_web725_in permit tcp 172.16.3.0 255.255.255.0 10.1.35.0 255.255.255.0 eq 3389
access-list dmz_web725_in permit tcp 172.16.3.0 255.255.255.0 10.1.35.0 255.255.255.0 eq ssh
************SYS LOG ERROR MESSAGE **************
609001: Built local-host inside:10.1.35.94
305009: Built static translation from inside:10.1.35.94 to DMZ_WEB725:10.1.35.94
302013: Built outbound TCP connection 1436 for DMZ_WEB725:172.16.3.10/1680 (172.16.3.10/1680) to inside:10.1.35.94/4211 (10.1.35.94/4211)
302014: Teardown TCP connection 1436 for DMZ_WEB725:172.16.3.10/1680 to inside:10.1.35.94/4211 duration 0:00:00 bytes 0 TCP Reset-O
302013: Built outbound TCP connection 1437 for DMZ_WEB725:172.16.3.10/1680 (172.16.3.10/1680) to inside:10.1.35.94/4211 (10.1.35.94/4211)
302014: Teardown TCP connection 1437 for DMZ_WEB725:172.16.3.10/1680 to inside:10.1.35.94/4211 duration 0:00:00 bytes 0 TCP Reset-O
302013: Built outbound TCP connection 1438 for DMZ_WEB725:172.16.3.10/1680 (172.16.3.10/1680) to inside:10.1.35.94/4211 (10.1.35.94/4211)
302014: Teardown TCP connection 1438 for DMZ_WEB725:172.16.3.10/1680 to inside:10.1.35.94/4211 duration 0:00:00 bytes 0 TCP Reset-O
302015: Built outbound UDP connection 1439 for DMZ_WEB725:172.16.3.10/1680 (172.16.3.10/1680) to inside:10.1.35.94/1680 (10.1.35.94/1680)
106023: Deny udp src inside:10.1.35.94/4212 dst DMZ_WEB725:172.16.3.10/1066 by access-group "inside_in"
111009: User 'enable_15' executed cmd: show logging
106023: Deny udp src inside:10.1.35.94/4212 dst DMZ_WEB725:172.16.3.10/1066 by access-group "inside_in"
106023: Deny tcp src DMZ_DATA800:172.17.2.24/8193 dst outside:10.28.78.230/6101 by access-group "dmz_data800_in"
106023: Deny udp src inside:10.1.35.94/4212 dst DMZ_WEB725:172.16.3.10/1066 by access-group "inside_in"
106023: Deny udp src inside:10.1.35.94/4212 dst DMZ_WEB725:172.16.3.10/1066 by access-group "inside_in"
111009: User 'enable_15' executed cmd: show logging
106023: Deny udp src inside:10.1.35.94/4212 dst DMZ_WEB725:172.16.3.10/1066 by access-group "inside_in"
106023: Deny udp src inside:10.1.35.94/4212 dst DMZ_WEB725:172.16.3.10/1066 by access-group "inside_in"
111009: User 'enable_15' executed cmd: show logging
106023: Deny udp src inside:10.1.35.94/4212 dst DMZ_WEB725:172.16.3.10/1066 by access-group "inside_in"
106023: Deny udp src inside:10.1.35.94/4212 dst DMZ_WEB725:172.16.3.10/1066 by access-group "inside_in"
106023: Deny udp src inside:10.1.35.94/4212 dst DMZ_WEB725:172.16.3.10/1066 by access-group "inside_in"
106023: Deny tcp src DMZ_DATA800:172.17.2.24/8193 dst outside:10.28.78.230/6101 by access-group "dmz_data800_in"
111009: User 'enable_15' executed cmd: show logging
106023: Deny udp src inside:10.1.35.94/4212 dst DMZ_WEB725:172.16.3.10/1066 by access-group "inside_in"
106023: Deny udp src inside:10.1.35.94/4212 dst DMZ_WEB725:172.16.3.10/1066 by access-group "inside_in"
106023: Deny udp src inside:10.1.35.94/4212 dst DMZ_WEB725:172.16.3.10/1066 by access-group "inside_in"
Thank you,
Anthony