Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Newbie help Cisco 501 pix 1

Status
Not open for further replies.
Domini86

Domini86

Technical User
Dec 14, 2009
8
0
0
SI
Hi all,

Im Domini and i need some help whit Cisco 501 pix.
What i want to know is, why when i, for example open utorrent and leave it downloading and uploading for cca. 30 minutes, and then i close it.
i see in my loggs some connections get passed Cisco to my pc, on port used by utorrent, while he is closed.
In pix i have rules for utorrent

access-list name permit tcp any interface outside eq 51096
access-list name deny tcp any interface outside eq 51096 ( maybe wrong syntax, i dont remember all )

why then connections get passed firewall to my pc when they should be blocked or rejecked or droped?
 
Sort by date Sort by votes
Your first statement permits the connection. With torrents, perhaps people are downloading from you?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Upvote 0 Downvote
Hi

We missunderstood each other a little, what i want to know is
why when application like utorrent is closed, connections get passed cisco ( ruleset ).
Example Utorrent is listening on port 30000,
I download short movie and i close utorrent.
"Utorrent" is closed but in my logging app i still see connections passed on port 30000 !


How come?
-----------------------
access-list name permit tcp any interface outside eq 30000
access-list name deny tcp any interface outside eq 30000

In first rule we allowed connections for utorrent on port 30000,
in second rule we denied connections on port 30000 for utorrent,

so when utorrent is closed, connections to port 30000 should be denied right?

Like on Linux Iptables, or Win Comodo, Outpost .....


Tnx for your time


Cya

Domini
 
Upvote 0 Downvote
It doesn't work that way. The first acl element it matches gets processed. The other elements after don't count. You have the allow first so it will always allow. Which is what you want or no torrent. To disallow just close the program at the pc. You willl still get traffic passed but the pc won't respond. Or you could change the acl everytime you want to open and close torrent. A bit tedious.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Tnx for your respond Supergrrover,

Could somebody point me to some good strict ruleset for 501pix?
Current acl i have i buld my self whit help from howtos and stuff

I denyed some private prefixes for interfaces like 172.x.x.x, 0.0.0.0,169.x.x.x,255.255.255.255 ..., and ports from 1 - 1030 , not all, just one s i dont need, example i didnt denyed port 80 ;)
And i allowed ports i need, example for CallofDuty MW 2 port 28960, ...
Yea i add all deny rules to be last in my acl ruleset is this ok?
Added only rules for "in interface outside" no rules for "in interface inside".

I dont know if this is enough, ...

Like rule for syncookie protect if its possible to have in pix, ... ( it is in iptables on debian i use )
I would really like to secure my network as much is possible whit pix 501, i disabled telnet, allowed ssh only from one PC on my network, enabled reverse on both interfaces outside and inside, ...

Im total newbie on pix

Tnx in advanced,

Domini

P.S.Happy New Year 2010, a lot of luck, happynes, love and friendship to all yall on tek-tips, auch... yea and a lot of money ;)
 
Upvote 0 Downvote
Hey

I need to configure my pix501 to allow connections from the net (port 25) to my exchange server.

so from what i understand i need an access rule on the outside interface to somehow NAT to inside interface & exhcnage host.

how i have my network configured, is as below:
ADSL modem with static IP - & internal IP is 192.168.1.254
which connects to outside interface of my pix (192.168.1.64)

my inside network is on the 192.168.10.0/24 subnet

i need to allow traffic from my adsl through the outside interface of pix and forwared to my exhcange server 192.168.10.23.

My dns is setup and running corectly as i have checked using the is it says dns is fine however port 25 is closed.

from my internal network i can email out to any domain fine.

on my internal network i can telnet fine to exchange sever.

Any assistance would be appreciated. thanks
 
Upvote 0 Downvote
You're almost there...what you need to do is allow tcp port 25 through your ACL, and then use a static NAT statement that will point back to your exchange server.

Example: Exchange user----ISP----ADSL---Router----internal net


When traffic hits the PIX on tcp port 25, it will be forwarded to your Exchnage server.

CCNA, CCNP, Sec+
 
Upvote 0 Downvote
However, wanttolearn2010, please open your own post rather than piggybacking off of someone else's.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
140
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
156
intel233
intel233
MottoK
  • Locked
  • Question
Cisco ISE blank GUI
Replies
0
Views
105
MottoK
MottoK
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
55
PauS0n
PauS0n
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
145
intel233
intel233

Part and Inventory Search

Sponsor

Back
Top