How to open ports?

Is this even possible?  My client said that a web application provider needs ports opened.  They have a PIX 506e.  I don't think you can open a port - in general - don't you have to forward it?

Here's what they asked me:

The ports that are requested by the application to be open are as follows:

        80 HTTP http web access
        1209 tcp/ip (outbound only)
        443 tcp/ip (both ways)
        1494 tcp/ip (both ways)
        1604 udp (both ways)

Thanks in advance!

RE: How to open ports?

All they're asking for is that the PIX be configured to allow access on those ports.

RE: How to open ports?

What commands would you use for that?  When I see that I think of access-list permit and static commands.  What would be the right commands to allow access on those ports?

RE: How to open ports?

I'm not the right person to ask for PIX stuff. I know the old static and conduit commands, but I haven't played much with them since they moved to access lists. It sounds like you already know the answer, though. Look up the appropriate command references for the software you're running. It should be fairly simple, either conduit statements or access lists, depending on the release.

RE: How to open ports?

For outside access to the inside, you'll need to static NAT the inside hosts.

In addition you will also need to set up access lists and apply an access group to the outside and inside interface (if required).

Out of the box, PIX allows all inside traffic out without restriction. So if this is the case here, you don't need to do anything to permit the protocols you've listed outbound. You can verify which access-groups are applied by using the 'show access-group' command. It will tell you the name of the group and which interface it is applied to. I'll assume the following:

1. you have one access group applied to both the inside and outside.
2. your internal web server is on and that the outside host is on
3. You have a pool of public addresses available to allow people to see your internal device(s). This pool will be in this example.

Your PIX config will be as follows:

ip address outside

ip address inside

name webserver

access-list outside_access_in permit tcp host host eq www
access-list outside_access_in permit tcp host host eq 443
access-list outside_access_in permit tcp host host eq 1494
access-list outside_access_in permit udp host host eq 1604
access-list inside_access_out permit tcp host host eq www
access-list inside_access_out permit tcp host host eq 1209
access-list inside_access_out permit tcp host host eq 443
access-list inside_access_out permit tcp host host eq 1494
access-list inside_access_out permit udp host host eq 1604

access-group outside_access_in in interface outside
access-group inside_access_out in interface inside

static (inside,outside) webserver netmask

RE: How to open ports?

Assumption number 2 is a little off.  The client is trying to reach an external site.  That's why I thought that the request was not correct.  This is from a 3rd party telling my client that they need to do that on their firewall in order to access a web service known as "Plato Web Learning Network".

RE: How to open ports?

Didn't finish that last post...

They have implied that those ports need to be opened to any/all computers that would access the web site.  I'm familiar with the access-list commands you have shown, and that's a one-to-one relationship.  I don't know (and don't think) you can have an open port with a one-to-many relationship.  I disagree that this would even be necessary, but first I need to see if it's even possible.

I do understand that NAT basically does that for all traffic.  Client goes to a site on 80, and the site returns the info to a different port on the firewall.  That's why we don't all have to look at the same site!

So, is it possible to make a one-to-many open port or a dynamic open port?

RE: How to open ports?

You can open a port to many by adjusting the rules above to something like

access-list inside_access_out permit tcp any host eq www

This allows anyone on the inside to access host on port 80

RE: How to open ports?

OK, that makes sense.  The original post talked about opening ports both ways.  How would I make those statements true for a foreign web site?

Like this?
access-list outside_access_in permit tcp any any eq 443

That looks like a giant hole!

RE: How to open ports?

You're right.. that's a huge hole. It lets anyone on the outside talk to anything on the inside on port 443.

Only way I know to open a port both ways is to have two access list statements.. as such

access-list inside_access_out permit tcp any host eq 443

access-list outside_access_in permit tcp host any eq 443

This allows anyone on inside to talk to the external host only on port 443. Similarly the host on the outside can talk to anyone on the inside on port 443.

RE: How to open ports?

That sounds better.  Find the web server's foreign IP, and define it explicitly.  

I would only have to define the inbound traffic, right?  Since you said "Out of the box, PIX allows all inside traffic out without restriction."

RE: How to open ports?

Yeah, most people allow their inside network out without any restriction, so yes, technically you need only define the access list that controls access from the outside to the inside (outside_access_in in my examples).

RE: How to open ports?

I really appreciate your help.  I now know how to make those 'holes' in the PIX.

I highly doubt that a web application will need those ports open, but nevertheless, I now can set it up for the client.  More than likely those ports are the ones that the 3rd party (who is hosting the app) had to open on his firewall for the web server. I noticed that you are an ISP.  In your experience have you seen many web sites that require the end user to open ports as I was asked?

RE: How to open ports?

It is unusual for a web app to need access to the clients that want to access it. I can only assume it must download/require a program to be installed on the host client hence the inbound traffic requirement.

RE: How to open ports?

After further investigating....
access-list outside_access_in permit tcp host any eq 443

From our ISP...
All that rule would do is allow traffic from that host IP to that port. It wouldn't actually forward anything to the internal machines. Without an internal destination IP, all that statement would do here is add a rule to allow traffic that didn't really do anything or go anywhere.

I appreciate your help, but I think it isn't possible to open a single inbound port to all computers on your network.  It would be no problem if I had a specific destination on the inside.

RE: How to open ports?

Let me just clarify what that rule is doing:

It is allowing the external host on to access any internal host but it is limited to TCP port 443.

The PIX does need a route for the inside and outside networks to actually allow the traffic to pass - which I presume is what your ISP is talking about.

If your PIX has an inside address of, say, and the inside hosts you want to be accessible via port 443 are also on 192.168.1.x, then the PIX already knows how to get to the hosts, i.e. the routing is in place. However if the hosts are on a different subnet to the PIX, say, the PIX will need a route for and will have to point it to an internal router to route that traffic for it.

Similarly you need a route on the outside too. As the outside is usually facing the Internet and thus there are millions of different subnets out there, people usually add a default route ( to point to their external ISP router.

I hope this makes sense. Let me know if you need further clarification.

RE: How to open ports?

Keeping in mind the original post...

Our 3rd party claimed that those ports needed to be open for a Web based application to work - - on any/all computer(s) on the network.

Any traffic coming through the pix would be initiated by one of our internal clients.  (That's why I thought the 3rd party was wrong.)  From my limited knowledge the client may go out on 80 or 443, but the traffic from the web server comes back on a different port - specific to that computer.  That allows different people to look at different web sites.

If we opened 443 as our earlier examples, how would two computers running the web app be able to have two different data streams going through the same port?

RE: How to open ports?

The PIX will automatically allow TCP traffic back in that has been initiated from the outside. However this kind of reply TCP traffic does not use well known or even predictable TCP ports - it is always random.

The fact the 3rd party have requested that specific ports be available from the outside tells me they need more than to simply allow standard TCP response traffic, they need their web server to initiate connections to the inside.
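The three points argued over in this thread (the static-plus-access-list recipe, the ISP's remark that a permit line with no inside destination "doesn't go anywhere", and the question of how two clients share port 443) can be seen in a small model. The following Python is an added illustration written for this page, not code from the thread or from Cisco. It models a PIX-style outside interface as a PAT table for inside-initiated flows, an outside access list, and a dictionary of static translations. All addresses are constructed documentation addresses, the port allocator is a simplification, and the rule syntax only covers the 'permit PROTO SRC DST eq PORT' form used in the replies above.

```python
"""Added example: toy model of PIX-style stateful filtering with PAT and static NAT."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One 'access-list NAME permit PROTO SRC DST [eq PORT]' line; 'any' matches everything."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # None: no 'eq' clause, so any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


def acl_permits(acl: List[Rule], p: Packet) -> bool:
    """Permit if any line matches; an ACL ends with an implicit deny."""
    return any(r.matches(p) for r in acl)


class Pix:
    """Outside interface: PAT for inside-initiated flows, static NAT for published servers."""

    def __init__(self, outside_ip: str, outside_acl: List[Rule],
                 inside_acl: Optional[List[Rule]] = None,
                 statics: Optional[Dict[str, str]] = None) -> None:
        self.outside_ip = outside_ip
        self.outside_acl = outside_acl        # applied 'in interface outside'
        self.inside_acl = inside_acl          # None: inside-out unrestricted (the default)
        self.statics = statics or {}          # public ip -> inside ip, i.e. static (inside,outside)
        self.next_pat_port = 1024             # simplification: sequential mapped ports
        # (proto, mapped port) -> (inside ip, inside port, remote ip, remote port)
        self.xlate: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Inside host opens a flow; returns the packet as seen outside, or None if denied."""
        if self.inside_acl is not None and not acl_permits(self.inside_acl, p):
            return None
        mapped = self.next_pat_port
        self.next_pat_port += 1
        self.xlate[(p.proto, mapped)] = (p.src, p.sport, p.dst, p.dport)
        return Packet(p.proto, self.outside_ip, mapped, p.dst, p.dport)

    def inbound(self, p: Packet) -> Tuple[str, Optional[Packet]]:
        """Packet arriving on the outside; returns (decision, packet delivered inside or None)."""
        # 1. Reply to a flow an inside host opened: matched on the PAT entry, no ACL consulted.
        entry = self.xlate.get((p.proto, p.dport))
        if p.dst == self.outside_ip and entry and entry[2:] == (p.src, p.sport):
            inside_ip, inside_port = entry[:2]
            return "reply", Packet(p.proto, p.src, p.sport, inside_ip, inside_port)
        # 2. Unsolicited flow: needs an outside ACL permit AND a static translation to land on.
        if not acl_permits(self.outside_acl, p):
            return "denied-by-acl", None
        inside_ip = self.statics.get(p.dst)
        if inside_ip is None:
            return "no-translation", None     # the ISP's "doesn't go anywhere" case
        return "static", Packet(p.proto, p.src, p.sport, inside_ip, p.dport)


# Constructed addresses from the documentation ranges, not real hosts.
APP = "203.0.113.10"          # the third party's server
PIX_OUTSIDE = "198.51.100.1"
WEB_PUBLIC = "198.51.100.5"   # public address statically mapped to the inside web server
WEB_INSIDE = "192.168.1.20"
NARROW = [Rule("tcp", APP, "any", 443)]    # permit tcp host 203.0.113.10 any eq 443
WIDE = [Rule("tcp", "any", "any", 443)]     # permit tcp any any eq 443 (the "giant hole")


def run_scenario(outside_acl: List[Rule]) -> Dict[str, object]:
    pix = Pix(PIX_OUTSIDE, outside_acl, statics={WEB_PUBLIC: WEB_INSIDE})
    # Two inside clients, same source port, same destination: distinct PAT ports keep them apart.
    a = pix.outbound(Packet("tcp", "192.168.1.50", 50000, APP, 443))
    b = pix.outbound(Packet("tcp", "192.168.1.51", 50000, APP, 443))
    reply_a = pix.inbound(Packet("tcp", APP, 443, PIX_OUTSIDE, a.sport))
    reply_b = pix.inbound(Packet("tcp", APP, 443, PIX_OUTSIDE, b.sport))
    return {
        "pat_ports": (a.sport, b.sport),
        "reply_a_to": (reply_a[1].dst, reply_a[1].dport),
        "reply_b_to": (reply_b[1].dst, reply_b[1].dport),
        # Unsolicited inbound from the app server to the published web server on 443.
        "app_to_web": pix.inbound(Packet("tcp", APP, 40000, WEB_PUBLIC, 443))[0],
        # Same source, port 1494: not in the ACL.
        "app_to_web_1494": pix.inbound(Packet("tcp", APP, 40001, WEB_PUBLIC, 1494))[0],
        # An unrelated Internet host trying port 443 on the published server.
        "stranger_to_web": pix.inbound(Packet("tcp", "192.0.2.77", 40002, WEB_PUBLIC, 443))[0],
        # Permitted by the ACL but aimed at an address with no static: goes nowhere.
        "app_to_unmapped": pix.inbound(Packet("tcp", APP, 40003, "198.51.100.9", 443))[0],
    }
```

Running run_scenario(NARROW) shows both clients' replies arriving at the right inside host because the PAT entry, not the destination port, identifies the flow; the stranger's connection attempt is denied while the app server's is delivered to the static. Swapping in WIDE is the "giant hole" from the thread: the stranger's attempt is now delivered too. In both cases a permit aimed at an address with no static produces nothing, which is the ISP's point.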

RE: How to open ports?

As an aside, as I am trying to let outside traffic access a machine on port 8088, I am interested in your responses here. The web traffic you are referring to is Citrix ICA traffic, I recognise the port numbers. I would be getting clarification on this from them as I think only 443 is required if they are using https. If not then 1494 is the only one needed. 1604 is now redundant for Citrix, or rather not needed. 1209 is an unknown one to me.

A perspective from the other side!!

