How to open ports? 1

[tylan]

Is this even possible? My client said that a web application provider needs ports opened. They have a PIX 506e. I don't think you can open a port - in general - don't you have to forward it?

Here's what they asked me:

The ports that are requested by the application to be open are as follows:

80 HTTP http web access
1209 tcp/ip (outbound only)
443 tcp/ip (both ways)
1494 tcp/ip (both ways)
1604 udp (both ways)

Thanks in advance!

 

[jneiberger]

All they're asking for is that the PIX be configured to allow access on those ports.

 

[tylan]

What commands would you use for that? When I see that I think of access-lit permit and static commands. What would be the right commands to allow access on those ports?

 

[jneiberger]

I'm not the right person to ask for PIX stuff. I know the old static and conduit commands, but I haven't played much with them since they moved to access lists. It sounds like you already know the answer, though. Look up the appropriate command references for the software you're running. It should be fairly simple, either conduit statements or access lists, depending on the release.

 

[KiscoKid]

For outside access to the inside, you'll need to static NAT the inside hosts.

In addition you will also need to cet up access lists and apply an access group to the outside and inside interface (if required).

Out of the box, PIX allows all inside traffic out without restriction.So if this is the case here, you don't need to do anything to permit the protocols you've listed outbound. You can verify if you have what access-groups are applied by using the 'show access-group' command. It will tell you the name of the group and which interface it is applied to. I'll assume the following:

1. you have one access group applied to both the inside and outside.
2.your internal web server is on 192.168.1.1 and that the outside host is on 212.45.65.1.
3. You have a pool of public addresses available to allow people to see your internal device(s). This pool will be 100.100.100.0/29 in this example.

Your PIX config will be as follows:



ip address outside 100.100.100.1 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0


name 192.168.1.2 webserver

access-list outside_access_in permit tcp host 212.44.65.1 host 192.168.1.2 eq www
access-list outside_access_in permit tcp host 212.44.65.1 host 192.168.1.2 eq 443
access-list outside_access_in permit tcp host 212.44.65.1 host 192.168.1.2 eq 1494
access-list outside_access_in permit udp host 212.44.65.1 host 192.168.1.2 eq 1604
access-list inside_access_out permit tcp host 192.168.1.2 host 212.44.65.1 eq www
access-list inside_access_out permit tcp host 192.168.1.2 host 212.44.65.1 eq 1209
access-list inside_access_out permit tcp host 192.168.1.2 host 212.44.65.1 eq 443
access-list inside_access_out permit tcp host 192.168.1.2 host 212.44.65.1 eq 1494
access-list inside_access_out permit udp host 192.168.1.2 host 212.44.65.1 eq 1604

access-group outside_access_in in interface outside
access-group inside_access_out in interface inside

static (inside,outside) 100.100.100.2 webserver netmask 255.255.255.255

 

[tylan]

Assumption number 2 is a little off. The client is trying to reach an external site. That's why I thought that the request was not correct. This is from a 3rd party telling my client that they need to do that their firewall in order to access a web service known as "Plato Web Learning Network".

 

[tylan]

Didn't finish that last post...

They have implied that those ports need opened to any/all computers that would access the web site. I'm familiar with the access-list commands you have shown, and that's a one-to-one relationship. I don't know (and don't think) you can have an open port with a one to many relationship. I disagree that this would even be necessary, but first I need to see if it's even possible.

I do understand that NAT basically does that for all traffic. Client goes to a site on 80, and the site returns the info to a different port on the firewall. That's we don't all have to look at the same site!

So, is it possible to make a one-to-many open port or a dynamic open port?

 

[KiscoKid]

You can open a port to many by adjusting the rules above to something like

access-list inside_access_out permit tcp any host 212.44.65.1 eq www

This allows anyone on the inside to access host 212.44.65.1 on port 80

 

[tylan]

OK, that makes sense. The original post said about opening ports both ways. How would I make those statements true for a foreign web site?

Like this?
access-list outside_access_in permit tcp any any eq 443

That looks like a giant hole!

 

[KiscoKid]

You're right.. that's a huge hold. It lets anyone on the outside talk to anything on the inside on port 443.

Only way I know to open a port both ways is to have two access list statements.. as such

access-list inside_access_out permit tcp any host 212.44.65.1 eq 443

access-list outside_access_in permit tcp host 212.44.65.1 any eq 443

This allows anyone on inside to talk to the external host only on port 443. Similarly the host on the outside can talk to anyone on the inside on port 443.

 

[tylan]

That sounds better. Find the web server's foreign IP, and define it explicitly.

I would only have to define the inbound traffic, right? Since you said "Out of the box, PIX allows all inside traffic out without restriction.

 

[KiscoKid]

Yeh most people allow their inside network out without any restriction so yes technically you need only define the access list that controls access from the outside to the inside (outside_access_in in my examples)

 

[tylan]

I really appreciate your help. I now know how to make those 'holes' in the PIX.

I highly doubt that a web application will need those ports open, but nevertheless, I now can set it up for the client. More than likely those ports are the ones that the 3rd party (who is hosting the app) had to open on his firewall for the web server. I noticed that you are an ISP. In your experience have you seen many web sites that require the end user to open ports as I was asked?

 

[KiscoKid]

It is unusual for a web app to need access to the clients that want to access it. I can only assume it must download/require a program to be installed on the host client hence the inbound traffic requirement.

 

[tylan]

After further investigating....
access-list outside_access_in permit tcp host 212.44.65.1 any eq 443

From our ISP...
All that rule would do is allow traffic from that host IP to that port. It wouldn't actually forward anything to the internal machines. Without an internal destination IP, all that statement would do here is add a rule to allow traffic that didn't really do anything or go anywhere.

KiscoKid,
I appreciate your help, but I think it isn't possible to open a single inbound port to all computers on your network. It would be no problem if I had a specific destination on the inside.

 

[KiscoKid]

Let me just clarify what that rule is doing:

It is allowing the external host on 212.44.65.1 to access any internal host but it is limited to TCP port 443.

The PIX does need a route for the inside and outside networks to actually allow the traffic to pass - which I presume is what your ISP is talking about.

If your PIX has an inside address of, say, 192.168.1.1 and the inside hosts you want to be accessible via port 443 are also on 192.168.1.x, then the PIX already knows how to get to the hosts, i.e. the routing is in place. However if the hosts are on a different subnet to the PIX, say 10.1.1.0, the PIX will need a route for 10.1.1.0 and will have to point it to an internal router to route tha
traffic for it.

Similarly you need a route on the outside too. As the outside is usually facing the Internet and thus there are millions of different subnets out there, people usually add a default route (0.0.0.0 0.0.0.0) to point to their external ISP router.

I hope this makes sense. Let me know if you need further clarification.

 

[tylan]

Keeping in mind the original post...

Our 3rd party claimed that those ports needed to be open for a Web based application to work - - on any/all computer(s) on the network.

Any traffic coming through the pix would be initiated by one of our internal clients. (That's why I thought the 3rd party was wrong.) From my limited knowledge the client may go out on 80 or 443, but the traffic from the web server comes back on a different port - specific to that computer. That allows different people to look at different web sites.

If we opened 443 as our earlier examples, how would two computers running the web app be able to have two different data streams going through the same port?

 

[KiscoKid]

The PIX will automatically allow YCP traffic back in that has been initiated from the outside. However this kind of reply TCP traffic does not use well known or even prediactable TCP ports - it is always random.

The fact the 3rd party have requested that specific ports be available from the outside tells me they need more than to simply allow standard TCP reponse traffic, they need their web server to initiate connections to the inside.

 

[ascotta]

As an aside, as I am trying to let outside traffic access a machine on port 8088, I am interested in your responses here. The web traffic you are referring to is Citrix ICA traffic, I recognise the port numbers. I would be getting clarification on this from them as I think only 443 is required if they are using https. If not then 1494 is the only one needed. 1604 is now redundant for Citrix, or rather not needed. 1209 is an unknown one to me.

[blue] A perspective from the other side!![/blue]

Cheers
Scott