Enabling Ports for Specific IP Help needed.

rwieting (Technical User), Nov 5, 2003
I am new to the firewall config. Please be kind.
We have a PIX 515 running 6.3(3)
Here is what we need to do. We connect to a website and login to it. This connects to a server so we can retrieve records. We need to have ports 5099 and 8421 open for the connection to work. I would like to only have those ports open to the specific IP of the outside server. I would prefer not to have these two ports open to anyone. This server is outside of our network and does not belong to us.

I tried this, but it held up inbound email.
#object-group service ports_allowed tcp-udp
#description Allowed ports ingress to all internal hosts
#port-object eq 5099
#port-object eq 8421

#access-list 101 permit tcp host 66.X.X.X any object-group ports_allowed
#access-list 101 permit udp host 66.X.X.X any object-group ports_allowed
#access-group 101 in interface outside

Please let me know if you need additional information. I would appreciate any help you could provide.
Thanks.
 
If that's all you put in, you will be blocking everything *except* the designated traffic. Like with Cisco routers, there is always an implicit "deny ip any any" at the end of every ACL.

I'm not sure how inbound email made it before, if there was no outside ACL permitting it. What you need is something like:

#access-list 101 permit tcp host 66.X.X.X any object-group ports_allowed
#access-list 101 permit udp host 66.X.X.X any object-group ports_allowed
#access-list 101 deny tcp any any object-group ports_allowed
#access-list 101 deny udp any any object-group ports_allowed
#access-list 101 permit tcp any <mail server> eq smtp
... other permitted traffic ...
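To make the implicit-deny point concrete, here is a small first-match evaluator for PIX-style access-list entries (added example, not from the thread or from Cisco). It runs the poster's two-line ACL and the ordering suggested above against the same packets; the addresses, the mail server and the source hosts are constructed placeholders for the masked values in the thread.

```python
# Toy first-match evaluator for PIX-style access-list entries. It shows why an
# ACL that permits only 66.X.X.X on the two ports also blocks inbound SMTP:
# every applied ACL ends in an implicit "deny ip any any". Constructed data.
from dataclasses import dataclass

# Constructed placeholder addresses (the thread masks the real ones).
REMOTE_SERVER = "66.0.0.1"      # stands in for 66.X.X.X
MAIL_SERVER = "203.0.113.25"    # stands in for <mail server>
PORTS_ALLOWED = frozenset({5099, 8421})   # object-group ports_allowed (tcp-udp)


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip"
    src: str             # "any" or a single host address
    dst: str             # "any" or a single host address
    ports: frozenset     # destination ports; empty set means any port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and self.src in ("any", src)
                and self.dst in ("any", dst)
                and (not self.ports or dport in self.ports))


def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching entry, else the implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"   # implicit "deny ip any any" at the end of every PIX ACL


# The poster's ACL 101: two permits and nothing else.
ORIGINAL = [
    Ace("permit", "tcp", REMOTE_SERVER, "any", PORTS_ALLOWED),
    Ace("permit", "udp", REMOTE_SERVER, "any", PORTS_ALLOWED),
]

# The reply's ordering: explicit denies for the two ports from anyone else,
# then the rest of the permitted inbound traffic (here just SMTP to the mail
# server, standing in for "... other permitted traffic ...").
SUGGESTED = ORIGINAL + [
    Ace("deny", "tcp", "any", "any", PORTS_ALLOWED),
    Ace("deny", "udp", "any", "any", PORTS_ALLOWED),
    Ace("permit", "tcp", "any", MAIL_SERVER, frozenset({25})),
]
```

Evaluating an SMTP connection from an arbitrary Internet host to the mail server returns "deny" under ORIGINAL and "permit" under SUGGESTED, while port 5099 traffic is only permitted from REMOTE_SERVER in both lists.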

 
I've included my config from the firewall. I thought this might help more with how things are currently. Thanks again for your help.

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
enable password encrypted
passwd encrypted
hostname Pix
domain-name mysite.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 2048
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.9 web
name 192.168.1.16 otherweb
name 192.168.1.7 email
access-list Inbound permit icmp any any echo-reply
access-list Inbound permit icmp any any time-exceeded
access-list Inbound permit icmp any any unreachable
access-list Inbound permit tcp any host My.Public.Mail.IP eq smtp
access-list Inbound permit tcp any host My.Public.Mail.IP eq www
access-list Inbound permit tcp any host My.Public.Mail.IP eq https
access-list Inbound permit tcp any host My.Public.Web1.IP eq www
access-list Inbound permit tcp any host My.Public.Web1.IP eq https
access-list Inbound permit tcp any host My.Public.Web2.IP eq www
access-list Inbound permit tcp any host My.Public.Web2.IP eq https
access-list Inbound permit tcp any host My.Public.Web3.IP eq www
access-list Inbound permit tcp any host My.Public.VPN.IP eq pptp
access-list Inbound permit gre any host My.Public.VPN.IP
access-list DMZ-Inbound permit tcp 192.168.2.20 255.255.255.252 host 192.168.1.12 eq 3306
access-list DMZ-Inbound permit tcp 192.168.2.20 255.255.255.252 host 192.168.1.13 eq 3306
access-list DMZ-Inbound permit tcp 192.168.2.20 255.255.255.252 host 192.168.1.45 eq 3306
access-list DMZ-Inbound permit udp 192.168.2.20 255.255.255.252 host 192.168.1.12 eq 3306
access-list DMZ-Inbound permit udp 192.168.2.20 255.255.255.252 host 192.168.1.13 eq 3306
access-list DMZ-Inbound permit udp 192.168.2.20 255.255.255.252 host 192.168.1.45 eq 3306
access-list DMZ-Inbound permit tcp 192.168.2.20 255.255.255.252 host 192.168.1.2 range 9105 9107
access-list DMZ-Inbound permit udp 192.168.2.20 255.255.255.252 host 192.168.1.2 eq domain
access-list DMZ-Inbound permit tcp 192.168.2.20 255.255.255.252 host 192.168.1.2 eq domain
access-list DMZ-Inbound permit tcp 192.168.2.20 255.255.255.252 host 192.168.1.20 range 135 netbios-ssn
access-list DMZ-Inbound permit udp 192.168.2.20 255.255.255.252 host 192.168.1.20 range 135 139
access-list DMZ-Inbound permit tcp 192.168.2.20 255.255.255.252 host 192.168.1.20 eq 445
access-list DMZ-Inbound permit udp 192.168.2.20 255.255.255.252 host 192.168.1.20 eq 445
access-list DMZ-Inbound permit tcp 192.168.2.20 255.255.255.252 host email range 135 netbios-ssn
access-list DMZ-Inbound permit udp 192.168.2.20 255.255.255.252 host email range 135 139
access-list DMZ-Inbound permit tcp 192.168.2.20 255.255.255.252 host email eq 445
access-list DMZ-Inbound permit udp 192.168.2.20 255.255.255.252 host email eq 445
access-list DMZ-Inbound permit tcp 192.168.2.20 255.255.255.252 host email eq smtp
access-list DMZ-Inbound permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
access-list DMZ-Inbound permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 time-exceeded
access-list DMZ-Inbound permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 unreachable
access-list DMZ-Inbound deny ip any 10.0.0.0 255.0.0.0
access-list DMZ-Inbound deny ip any 172.16.0.0 255.240.0.0
access-list DMZ-Inbound deny ip any 192.168.0.0 255.255.0.0
access-list DMZ-Inbound permit ip any any
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 remark Outbound Exchange traffic
access-list 101 permit ip host email any
pager lines 23
logging on
logging timestamp
logging buffered warnings
logging trap warnings
logging history warnings
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside My.Public.Pix.IP 255.255.255.240
ip address inside 192.168.1.3 255.255.255.0
ip address DMZ 192.168.2.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
pdm location 192.168.1.2 255.255.255.255 inside
pdm location email 255.255.255.255 inside
pdm location 192.168.1.8 255.255.255.255 inside
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 192.168.1.15 255.255.255.255 inside
pdm location 192.168.1.19 255.255.255.255 inside
pdm location 192.168.1.20 255.255.255.255 inside
pdm location 192.168.1.21 255.255.255.255 inside
pdm location 192.168.1.24 255.255.255.255 inside
pdm location 192.168.1.40 255.255.255.255 inside
pdm location 192.168.1.41 255.255.255.255 inside
pdm location 192.168.1.45 255.255.255.255 inside
pdm location 192.168.1.53 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 192.168.1.187 255.255.255.255 inside
pdm location 192.168.1.204 255.255.255.255 inside
pdm location 172.16.1.250 255.255.255.255 inside
pdm location 192.168.1.4 255.255.255.255 inside
pdm location 192.168.1.43 255.255.255.255 inside
pdm location 192.168.1.12 255.255.255.255 inside
pdm location 192.168.1.13 255.255.255.255 inside
pdm location 192.168.1.22 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.2.20 255.255.255.255 DMZ
pdm location 192.168.2.21 255.255.255.255 DMZ
pdm location 192.168.2.22 255.255.255.255 DMZ
pdm location 192.168.2.20 255.255.255.252 DMZ
pdm history enable
arp timeout 14400
global (outside) 1 My.Public.Mail.IP
global (outside) 2 interface
nat (inside) 0 access-list 100
nat (inside) 1 access-list 101 0 0
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 2 192.168.2.0 255.255.255.0 0 0
static (inside,outside) tcp My.Public.Mail.IP smtp email smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp My.Public.Mail.IP https 192.168.1.20 https netmask 255.255.255.255 0 0
static (inside,outside) tcp My.Public.Mail.IP 9081 netmask 255.255.255.255 0 0
static (inside,outside) My.Public.other.IP 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,outside) My.Public.VPN.IP 192.168.1.11 netmask 255.255.255.255 0 0

static (DMZ,outside) My.Public.Web1.IP 192.168.2.21 netmask 255.255.255.255 0 0
static (DMZ,outside) My.Public.Web3.IP 192.168.2.22 netmask 255.255.255.255 0 0
static (DMZ,outside) My.Public.Web2.IP 192.168.2.20 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.1.12 192.168.1.12 netmask 255.255.255.255 0 0
access-group Inbound in interface outside
access-group DMZ-Inbound in interface DMZ
route outside 0.0.0.0 0.0.0.0 My.ISP.Router.IP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.5.41.209 source outside
http server enable
http 192.168.1.41 255.255.255.255 inside
http 192.168.1.3 255.255.255.255 inside
http 192.168.1.40 255.255.255.255 inside
http 192.168.1.43 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community PIX:
no snmp-server enable traps
tftp-server inside 192.168.1.41 config.txt
floodguard enable
service resetinbound
telnet 192.168.1.11 255.255.255.255 inside
telnet 192.168.1.53 255.255.255.255 inside
telnet 192.168.1.100 255.255.255.255 inside
telnet 192.168.1.2 255.255.255.255 inside
telnet 192.168.1.45 255.255.255.255 inside
telnet 172.16.1.250 255.255.255.255 inside
telnet 192.168.1.4 255.255.255.255 inside
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:
: end
 
I can't quickly see where it wouldn't work. You should add your new statements to access-list Inbound, not 101, and add one or more static statements to direct the inbound traffic to the right server.
 
Thanks for your help. I will add the new statements to the inbound access-list. I'm not sure I understand about the static part though. What server would I have it going to if users are opening up a web page to connect to this outside server?
 
Perhaps I misunderstand the goal. I think I need more detail.

"We connect to a website and login to it."
--- nothing required, this is allowed by default.

"This connects to a server so we can retrieve records."
--- What connects? The user workstations to another server, or the server to an inside resource? I think this is what's confusing me.

"We need to have ports 5099 and 8421 open for the connection to work."
-- Is the connection inbound to an inside server which is listening on these ports? Or is the server outside, and you want to restrict outbound traffic?

 
Users are sitting at their own workstations. They connect to a public website that has nothing to do with my company. On this public website, we have restricted access that requires a login to use. We are able to log in, but nothing happens. I believe it is a browser-based terminal emulation.
I've called their tech support and they just say to "open up ports 5099 and 8421 on your firewall, this is required in order to pass traffic."

This is what they put on their instructions.
[If you are behind a network Firewall, you may get an error contacting the Bluezone License manager. Please talk to whomever setup your firewall and let them know that ports 5099 & 8421 on ip 66.X.X.X need to be opened for Information System to work.]

Sorry about before, hope this is more clear.
Thanks again.
 