
PIX firewall and Ichat


StuartA03

Technical User
Jan 21, 2004
8
AU
I am running a PIX firewall. I am trying to get iChat working and I
have followed the specification from the Apple website about unlocking
certain UDP and TCP ports. I have also statically assigned one of my
internal IP addresses to an Internal IP address. The problem I have is that
iChat is looking at my internal IP address, not the external one.

Has anyone else had this problem?
 
I am amazed that programmers doing inet sw still don't get it. M$ have been doing this stuff for years the wrong way, and still make stupid mistakes like taking IP addresses and putting them in the data portion of packets.

Oh, you had a problem... sorry, I don't know iChat... suggestion: change chat software.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
Syslogs at debugging level will tell you if the PIX is blocking any ports. I don't know iChat either, but it seems like it needs a UPnP-compliant NAT device, and the PIX is not UPnP compliant. Here's a link that explains how to set up a syslog server, in case you need it:


The commands below are all the commands needed on the PIX to configure a syslog server:

logging trap debugging
logging host inside <syslog-server-ip>
logging on

You can search the web for a syslog server; use the keywords "syslog daemon". Kiwi is a pretty good free syslog server.
 
Do you think it may be because I am running version 5.2 of the software? Do you think that upgrading to 6.2 would help?
 
You should definitely upgrade to 6.2(3) or higher. Previous versions have quite a few bugs for multimedia applications.
 
STUARTA03:
Have you had any success with getting iChat to work through the PIX?
I don't think that upgrading to 6.2 would help you. I am having the same problems and am on 6.2.

NAT applied on the client with all the ports opened, accessible from ANY machine outside.

Am considering creating an outside VLAN extended to the port that the client is on and configuring it with an outside IP to bypass the firewall altogether.
 
Yeah, I am still having the problems. I am new to PIX so I'm not sure of what I'm doing, but I don't really want to create any address which is going to bypass the firewall. My problem is still that the UDP SIP address I thought I made available isn't.
 
Hmm, how about sharing the config that you have now where it doesn't work. The info on iChat states that it can run behind NAT and then some ports need to be open: UDP 5060, 16384, 16403. Have you done this?

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
What I have done is statically assign one of my internal addresses to one of my external addresses, and then tried to unlock the ports for that external address using the access-list acl-out udp and/or tcp command.
 
Still, to avoid any confusion post your acl and your statics here.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
Here it is:

static (inside,outside) 'Outside Address' 'Inside Address' netmask xxx.xxx.xxx.xxx x x
access-list acl-out permit tcp any host 'Outside Address' eq 5190
access-list acl-out permit tcp any host 'Outside Address' eq 5060
access-list acl-out permit udp any host 'Outside Address' eq 5060
access-list acl-out permit udp any host 'Outside Address' eq 5190
access-list acl-out permit udp any host 'Outside Address' range 16384 16403

Note that the ' marks are just for readability.
 
And acl-out is applied with an access-group on the outside interface like this: access-group acl-out in interface outside ? Do you see any hits on the ACLs with the "show access-list" command?

Jan

Network Systems Engineer
CCNA/CQS/CCSP
 
This is what my show access-list tells me.

access-list acl-out permit tcp any host 'outside address' eq 5190 (hitcnt=0)
access-list acl-out permit tcp any host 'outside address' eq 5298 (hitcnt=0)
access-list acl-out permit udp any host 'outside address' eq 5060 (hitcnt=0)
access-list acl-out permit udp any host 'outside address' eq 5190 (hitcnt=0)
access-list acl-out permit udp any host 'outside address' eq 5297 (hitcnt=0)
access-list acl-out permit udp any host 'outside address' eq 5298 (hitcnt=0)
access-list acl-out permit udp any host 'outside address' eq 5353 (hitcnt=0)
access-list acl-out permit udp any host 'outside address' eq 5678 (hitcnt=0)
access-list acl-out permit udp any host 'outside address' range 16384 16403 (hitcnt=0)
 
Hmm, no hits on any of those ports. Are you sure the 'outside address' in the ACL matches the 'outside address' that you are NATing it to?

Network Systems Engineer
CCNA/CQS/CCSP
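The check Jan is asking for above, as an added illustration that is not part of the thread: a small parser that reads the PIX static and "show access-list" lines and reports ACL entries whose host address has no matching static, or which have a static but still show hitcnt=0. The config lines and 203.0.113.x / 192.168.1.x addresses below are constructed placeholders, not the poster's real config.

```python
import re

# Constructed sample lines, modelled on the static and "show access-list"
# output posted in this thread. Addresses are documentation placeholders.
STATIC_LINES = """
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
"""

SHOW_ACL = """
access-list acl-out permit tcp any host 203.0.113.10 eq 5190 (hitcnt=0)
access-list acl-out permit udp any host 203.0.113.10 eq 5060 (hitcnt=0)
access-list acl-out permit udp any host 203.0.113.11 range 16384 16403 (hitcnt=0)
access-list acl-out permit tcp any host 203.0.113.10 eq 5298 (hitcnt=12)
"""

STATIC_RE = re.compile(
    r"static \((?P<inside>\w+),(?P<outside>\w+)\) (?P<global>\S+) (?P<local>\S+)")
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) permit (?P<proto>tcp|udp) any host (?P<host>\S+) "
    r"(?P<ports>eq \d+|range \d+ \d+) \(hitcnt=(?P<hits>\d+)\)")


def parse_statics(text):
    """Map each global (outside) address in a static to its local (inside) address."""
    return {m["global"]: m["local"] for m in STATIC_RE.finditer(text)}


def parse_acl(text):
    """Return one dict per 'show access-list' entry (proto, host, ports, hits)."""
    return [m.groupdict() for m in ACL_RE.finditer(text)]


def check(statics, entries):
    """Return (entry summary, problem) pairs for ACL lines worth a second look.

    A host with no static means the ACL permits traffic to an address nothing
    translates. A static with zero hits means either no traffic has arrived for
    that address or the ACL is not bound to the interface with access-group.
    """
    problems = []
    for e in entries:
        summary = f"{e['proto']} {e['host']} {e['ports']}"
        if e["host"] not in statics:
            problems.append((summary, "no static NAT for this outside address"))
        elif int(e["hits"]) == 0:
            problems.append((summary, "static exists but ACL has zero hits"))
    return problems
```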
 
What do you mean NATing to? The outside address in the static command matched the outside address in the acl-out command...
 