PcAnywhere Ports open but still cannot use

UTTech

MIS
Oct 11, 2000
245
US
Please bear with me as I am a newbie at firewalls!!!!!

I have Cisco PIX 501E
I went into the Cisco PIX Device Manager 3.0 (GUI), under Configuration and added the following:

Source Host/Network
Interface: outside
IP Address: 0.0.0.0
Subnet Mask: 0.0.0.0

Destination Host/Network
Interface: inside
IP Address: 0.0.0.0
Subnet Mask: 0.0.0.0

Protocol and Service
TCP Service = 5631
UDP Service = 5632

Destination Port
Service range 5631-5632

I cannot access another site running PCAnywhere Host from my workstation. Thank you for your help.
 
You are only allowing ANYONE on the outside to connect to ANY host on the inside of your network on those ports.

By default the PIX allows all outbound traffic from the LAN to the internet, so it shouldn't stop you from connecting out, unless an ACL has been applied inbound to the LAN port. Can you post the config (minus your real address)?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Under Access Rules, I have the following:

Permit:
Source = any
Destination = any
Interface = inside
Service = ip

Deny:
Source = any
Destination = any
Interface = outside
Service = icmp

Under System Properties:
Interface Name = inside
Security Level = 100
IP Address = xx.xxx.xx.x (internal)
Subnet Mask = xxx.xxx.xxx.xxx

Interface Name = outside
Security Level = 0
IP Address = xxx.xx.xxx.xx (public)
Subnet mask = xxx.xxx.xxx.xxx

I hope this is what you are asking for.
 
Don't use PDM, just login through the console and add two lines to your access-list.
access-list inbound permit tcp any host 172.xxx.xxx.xxx eq pcanywhere-data
access-list inbound permit udp any host 172.xxx.xxx.xxx eq pcanywhere-status
 
So if I add the 2 lines, this will enable connection to any pcanywhere host outside of our network? Do I have to specify the host's ip address?
 
Ok, I added the two lines but still cannot access any hosts outside of our network using PCAnywhere. I added:

access-list inbound permit tcp any host 172.xx.xx.xxx eq pcanywhere-data
access-list inbound permit udp any host 172.xx.xx.xxx eq pcanywhere-status

I used our public ip address....

Thanks for your help!
 
Can you post your config so that we can see what you are trying to achieve?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname hostname
domain-name domainname.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list outside_access_in deny icmp any any
access-list inbound permit tcp any host 207.xx.xx.xxx eq pcanywhere-data
access-list inbound permit udp any host 207.xx.xx.xxx eq pcanywhere-status
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 207.xx.xx.xxx 255.255.xxx.xxx
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 0.0.0.0 0.0.0.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.xx.xx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd dns xx.xxx.xx.x xx.xxx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
: end
[OK]
 
First of all, the naming convention for the access list is discretionary but consistent. I gave you only an example, calling the access-list "inbound". Your first access-list statement, however, calls it "outside_access_in". If this is the name you wish to use for the access-list, then change all the "inbound" values to "outside_access_in".
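
The mismatch pointed out in the post above (entries added under the name "inbound" while only "outside_access_in" is applied with access-group) can be checked mechanically. This is an added example, not part of the original thread; the function name `audit_acl_bindings` is hypothetical and the sample input is constructed from the ACL-related lines of the posted config.

```python
import re
from collections import defaultdict

# Constructed sample: the ACL-related lines from the configuration posted above.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside_access_in deny icmp any any
access-list inbound permit tcp any host 207.xx.xx.xxx eq pcanywhere-data
access-list inbound permit udp any host 207.xx.xx.xxx eq pcanywhere-status
access-group outside_access_in in interface outside
"""

# Only plain permit/deny entries are parsed; other access-list forms are skipped.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def audit_acl_bindings(config_text):
    """Report which access-lists are actually applied to an interface."""
    acls = defaultdict(list)   # ACL name -> [(action, rest of entry), ...]
    bindings = {}              # interface name -> ACL name applied inbound
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append((m.group(2), m.group(3)))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)
    bound = set(bindings.values())
    return {
        "bindings": bindings,
        # Defined but never referenced by access-group: these entries do nothing.
        "unbound": {n: e for n, e in acls.items() if n not in bound},
        # Referenced by access-group but with no entries defined.
        "undefined": sorted(n for n in bound if n not in acls),
        # Entries that are really evaluated on each interface.
        "effective": {i: acls.get(n, []) for i, n in bindings.items()},
    }


if __name__ == "__main__":
    report = audit_acl_bindings(SAMPLE_CONFIG)
    for name, entries in report["unbound"].items():
        print(f"access-list {name}: {len(entries)} entries, not applied to any interface")
    for iface, entries in report["effective"].items():
        print(f"interface {iface}: {entries}")
```
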
 
As you are trying to connect from INSIDE your network to a host on the OUTSIDE and you have no ACL that is applied from the inside to the outside, your config will let ALL outbound traffic out. Therefore I would say that your problem lies elsewhere.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Yes I am trying to connect to a PCAnywhere host outside from inside. I noticed that if I delete the "deny ICMP", it works. However I do not want to disable that.
 
If I do disable "deny any ICMP", what will that do? How do I check to see what ports are open and closed?
 