Established for RPC doesn't work


minxca

Technical User
Apr 25, 2003
Hi,

I'm using a PIX 506, 6.0. I created a fixup protocol for RPC (135) and use established tcp 0 135 permitto tcp 135 permitfrom tcp 1024-65535.
On the Exchange server (NT4, Exchange 5.5), I added the registry entries to use ports 5000 and 5001.
When I tested, the client couldn't contact the Exchange server.
After adding an access list for ports 5000-5001, it works. Is my configuration right? Why does the established command not work?

Thanks,
Winoto
 
HI.

Please provide more info about your scenario.

You should not use "established".
The pix does stateful inspection, which eliminates the use of established in most cases.

Allowing all the ports you specified is not so secure. You should look for alternate options.

Bye


Yizhar Hurwitz
 
Hi Yizhar,

Thanks for your reply, here is my config, I have to use RPC, because they don't want POP3.


PIX Version 6.0(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password VjAYAuXOneghqltw encrypted
passwd VjAYAuXOneghqltw encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 102 permit tcp any host 192.168.1.10 eq smtp
access-list 102 permit tcp any host 192.168.1.10 eq pop3
access-list 102 permit tcp any host 192.168.1.10 eq 135
access-list 102 permit tcp any host 192.168.1.10 range 5000 5002
access-list 102 permit udp any host 192.168.1.10 eq domain
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.10 255.255.255.0
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 600
global (outside) 1 interface
static (inside,outside) interface 192.168.5.2 netmask 255.255.255.255 0 0
access-group 102 in interface outside
established tcp 0 135 permitto tcp 135 permitfrom tcp 1024-65535
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
service resetinbound
isakmp identity address
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:40e2ea8f21dc820322e9c6c9f2481ade

Thanks,
Winoto
 
HI.

> Thanks for your reply, here is my config, I have to use RPC, because they don't want POP3.
So you can use MAPI/RPC over VPN.
Then, block all other ports, except 25 for incoming mail.

> ip address outside 192.168.1.10 255.255.255.0
So you have NAT on the router also. This can make the task more complicated.
You should plan to use public ip addresses on the pix - ask your ISP what your options are.

> static (inside,outside) interface 192.168.5.2
You should not use static with the interface ip address, unless you are using port forwarding (static ... tcp ...)

Bye


Yizhar Hurwitz
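The tightening Yizhar describes, as an added example that is not part of the thread and not a config either poster ran: it drops the established rule and the interface-wide static, forwards only TCP/25 from the outside interface address to the Exchange server, and removes the other inbound ACEs. It assumes PIX 6.0(4) syntax as shown in the posted config, that SMTP is the only service that must be reachable from outside, and that MAPI/RPC clients will come in over a VPN rather than through open ports.

```cisco
: Added example (not from the thread). Remove the established rule; stateful
: inspection already tracks the return traffic it was meant to allow.
no established tcp 0 135 permitto tcp 135 permitfrom tcp 1024-65535
: Replace the static that maps the whole outside interface address to the
: Exchange server with a single-port forward for SMTP only.
no static (inside,outside) interface 192.168.5.2 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.5.2 smtp netmask 255.255.255.255 0 0
: Keep only the SMTP entry in access-list 102; everything else was exposing
: the server to any source on the outside.
no access-list 102 permit tcp any host 192.168.1.10 eq pop3
no access-list 102 permit tcp any host 192.168.1.10 eq 135
no access-list 102 permit tcp any host 192.168.1.10 range 5000 5002
no access-list 102 permit udp any host 192.168.1.10 eq domain
: access-list 102 permit tcp any host 192.168.1.10 eq smtp (unchanged)
access-group 102 in interface outside
: Existing translations built under the old static must be cleared so the
: new port-forward static takes effect.
clear xlate
```

Verify with `show static`, `show access-list 102` and `show xlate` that only the SMTP forward and the SMTP ACE remain before testing mail delivery from outside.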
 