
Opening a port on a Pix 515e


ebouza70

MIS
Jul 9, 2007
36
US
Good afternoon to all,

I am new to this, so please be patient. I have remote users that connect to our network using VPN on our Cisco 515e Pix. They are complaining that they are not able to work with Archicad. How do I go about opening the port that Archicad uses to verify that there are available network keys? I have tried running show run to see if the pix is blocking that port, and I do not see that port in the show run information. Can someone please help me with opening that port in the pix? Thanks in advance.

Thanks,

Erick
 
Via the VPN, unless you have restriction ACLs everything IP is open. What ports and protocols does the App use?
Post a scrubbed config - mask the 2nd and 3rd octets of the public IP and mask all passwords.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Supergrrover,

Thank you for responding so quickly. I don't believe I have that port 22347 closed, but, like I stated in my first posting, the remote users are complaining. So here is my config; hope you can help me with this issue. Thanks in advance for all your help.

Result of the command: "show run"

: Saved
:
PIX Version 7.2(2)
!
hostname example
domain-name example.net
enable password encrypted
no names
name 64.xxx.xxx.xxx example
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a
name 10.xxx.xxx.xxx n/a description LM
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 66.xxx.xxx.xxx 255.xxx.xxx.xxx
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.xxx.xxx.xxx 255.xxx.xxx.xxx
!
passwd xxx.xxx.xxx n/a
banner motd
boot system flash:/pix722.bin
ftp mode example
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name example.net
object-group network examplevpn
network-object 10.xxx.xxx.xxx 255.255.xxx.xxx
access-list alert-interval 3600
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any host 216.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list outside_access_in extended permit tcp any host 66.xxx.xxx.xxx n/a
access-list inside_outbound_nat0_acl extended permit ip any 10.xxx.xxx.xxx 255.255.xxx.xxx
access-list inside_outbound_nat0_acl extended permit ip any 10.xxx.xxx.xxx 255.255.xxx.xxx
access-list outside_cryptomap_dyn_40 extended permit ip any 10.xxx.xxx.xxx 255.255.xxx.xxx
access-list outside_cryptomap_dyn_10_1 extended permit ip any 10.xxx.xxx.xxx 255.255.xxx.xxx
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered warnings
logging trap debugging
logging asdm notifications
logging recipient-address example@example.com level errors
mtu outside 1500
mtu inside 1500
ip local pool examplepool 10.xxx.xxx.xxx-10.xxx.xxx.xxx
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
static (inside,outside) 66.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
static (inside,outside) 66.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
static (inside,outside) 66.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
static (inside,outside) 216.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
static (inside,outside) 66.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
static (inside,outside) 66.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
static (inside,outside) 216.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
static (inside,outside) 66.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
static (inside,outside) 66.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
static (inside,outside) 66.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
static (inside,outside) 66.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
static (inside,outside) 66.xxx.xxx.xxx 10.xxx.xxx.xxx netmask 255.xxx.xxx.xxx
access-group outside_access_in in interface outside
route outside xxx.xxx.xxx.xxx xxx.xxx.xxx.x 66.xxx.xxx.xxx 1
route inside 10.xxx.xxx.xxx 255.255.xxx.xxx 10.xxx.xxx.xxx 1
route inside 10.xxx.xxx.xxx 255.255.xxx.xxx 10.xxx.xxx.xxx 1
route inside 10.xxx.xxx.xxx 255.255.xxx.xxx 10.xxx.xxx.xxx 1
route inside 10.xxx.xxx.xxx 255.255.xxx.xxx 10.xxx.xxx.xxx 1
route inside 10.xxx.xxx.xxx 255.255.xxx.xxx 10.xxx.xxx.xxx 1
route inside 10.xxx.xxx.xxx 255.255.xxx.xxx 10.xxx.xxx.xxx 1
route inside 10.xxx.xxx.xxx 255.255.255.xxx 10.xxx.xxx.xxx 1
route inside 10.xxx.xxx.xxx 255.255.255.xxx 10.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy example internal
group-policy example attributes
dns-server value 10.xxx.xxx.xxx
vpn-idle-timeout 30
pfs enable
default-domain value example.net

aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.xxx.xxx.xxx 255.xxx.xxx.xxx inside
http 10.xxx.xxx.xxx 255.xxx.xxx.xxx inside
http 10.xxx.xxx.xxx 255.xxx.xxx.xxx inside
http 10.xxx.xxx.xxx 255.xxx.xxx.xxx inside
http 10.xxx.xxx.xxx 255.xxx.xxx.xxx inside
http 10.xxx.xxx.xxx 255.xxx.xxx.xxx inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10_1
crypto dynamic-map outside_dyn_map 10 set pfs
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) LOCAL
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group bavpn type ipsec-ra
tunnel-group bavpn general-attributes
address-pool bapool
authentication-server-group (outside) LOCAL
default-group-policy bavpn
tunnel-group bavpn ipsec-attributes
pre-shared-key *
telnet 10.xxx.xxx.xxx 255.xxx.xxx.xxx inside
telnet 10.xxx.xxx.xxx 255.xxx.xxx.xxx inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx outside
ssh xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
ssh timeout 30
ssh version 1
console timeout 0
dhcpd dns 10.xxx.xxx.xxx
dhcpd lease 7200
dhcpd ping_timeout 1500
dhcpd domain example.net
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
 
It is hard to tell because you masked the internal IPs, but it looks ok. Is the server on one of the internally routed networks? If so you will need to add them to your NAT exemption and interesting traffic ACLs.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Supergrrover,

Yes, the server is in the internal routed network. How do I add it to the NAT exemption? What are interesting traffic ACLs? Thanks again for all your help.

Thanks,
Erick
 
These are they -
access-list inside_outbound_nat0_acl extended permit ip any 10.xxx.xxx.xxx 255.255.xxx.xxx
access-list inside_outbound_nat0_acl extended permit ip any 10.xxx.xxx.xxx 255.255.xxx.xxx
access-list outside_cryptomap_dyn_40 extended permit ip any 10.xxx.xxx.xxx 255.255.xxx.xxx
access-list outside_cryptomap_dyn_10_1 extended permit ip any 10.xxx.xxx.xxx 255.255.xxx.xxx

You want the ACLs to have a source of your internal network (all of them, one per line) and a destination of the IP pool of the VPN.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Supergrrover,

So I imagine that it will look something like this?
access-list inside_outbound_nat0_acl extended permit ip any 10.201.150.1 255.255.255.252 10.201.21.50? And the same thing for all the others.

Where the source to the internal network would be 10.201.150.1 and the destination to the VPN pool is 10.201.21.50?

I thank you for the help you are giving me; this Cisco lingo is a little confusing to me right now.

Thanks,
Erick
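As an added example (not from any poster in this thread), here is the form of the entries Brent describes for the NAT exemption and interesting-traffic ACLs, using constructed placeholder addresses: two internal networks 10.0.1.0/24 and 10.0.2.0/24, and a VPN client pool 10.255.0.0/24 assumed to match the range in the `ip local pool` line. Each extended entry carries a source network and mask followed by a destination network and mask, one line per internal network in each ACL:

```cisco
! Constructed example values: internal networks 10.0.1.0/24 and 10.0.2.0/24,
! VPN client pool 10.255.0.0/24 (assumed to match the 'ip local pool' range).
!
! NAT exemption: traffic from each internal network to the VPN pool bypasses NAT
access-list inside_outbound_nat0_acl extended permit ip 10.0.1.0 255.255.255.0 10.255.0.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.0.2.0 255.255.255.0 10.255.0.0 255.255.255.0
!
! Interesting traffic: the ACLs referenced by the dynamic crypto map entries
access-list outside_cryptomap_dyn_10_1 extended permit ip 10.0.1.0 255.255.255.0 10.255.0.0 255.255.255.0
access-list outside_cryptomap_dyn_10_1 extended permit ip 10.0.2.0 255.255.255.0 10.255.0.0 255.255.255.0
access-list outside_cryptomap_dyn_40 extended permit ip 10.0.1.0 255.255.255.0 10.255.0.0 255.255.255.0
access-list outside_cryptomap_dyn_40 extended permit ip 10.0.2.0 255.255.255.0 10.255.0.0 255.255.255.0
!
! Verify: hit counters on these entries should increase while a client is connected
show access-list inside_outbound_nat0_acl
show access-list outside_cryptomap_dyn_10_1
```

The pool range must not overlap any of the internal networks, and the existing `route inside` lines for each network are what let return traffic reach the PIX. Rising hit counts in `show access-list` while a remote user works in Archicad confirm the entries are matching.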
 