Opening ports 5631 and 80


mbarrow (MIS), GB, Oct 9, 2001
Hello,

Can anyone please help me, as I have been trying (unsuccessfully) for the last week to get access to a pcAnywhere host and intranet. I've looked up past posts and I'm not getting anywhere.

Current Config

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ******** encrypted
passwd ******** encrypted
hostname ******
domain-name *******
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.5.170 mailserver1
name 192.168.5.113 mailserver2
object-group network mailservers
network-object host mailserver1
network-object host mailserver2
object-group service allowed_ports tcp
port-object eq smtp
access-list 100 permit tcp any object-group mailservers object-group allowed_ports
access-list 100 deny icmp any any
access-list 100 permit tcp any eq pcanywhere-data host 80.4.185.--- eq pcanywhere-data
access-list 100 permit udp any eq pcanywhere-status host 80.4.185.--- eq pcanywhere-status
access-list 100 permit tcp any eq 80.4.185.--- eq www
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 80.4.185.--- 255.255.255.224
ip address inside 192.168.5.102 255.255.255.0
ip address dmz 192.168.8.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.5.6 255.255.255.255 inside
pdm location 192.168.5.104 255.255.255.255 inside
pdm location mailserver2 255.255.255.255 inside
pdm location mailserver1 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.2.22 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.9.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 80.4.185.---
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) 80.4.185.--- mailserver1 netmask 255.255.255.255 0 0
static (inside,outside) 80.4.185.--- mailserver2 netmask 255.255.255.255 0 0
static (inside,outside) 80.4.185.--- 192.168.5.104 netmask 255.255.255.255 0 0
static (inside,outside) 80.4.185.--- 192.168.5.6 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 80.4.185.--- 1
route inside 192.168.1.0 255.255.255.0 192.168.5.3 1
route inside 192.168.2.0 255.255.255.0 192.168.5.1 1
route inside 192.168.9.0 255.255.255.0 192.168.5.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.5.6 255.255.255.255 inside
http 192.168.2.22 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
no sysopt route dnat
telnet 192.168.5.6 255.255.255.255 inside
telnet 192.168.2.22 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:********
: end
trghco-pix515#
 
Remove the following ACL entries:

access-list 100 permit tcp any eq pcanywhere-data host 80.4.185.--- eq pcanywhere-data
access-list 100 permit udp any eq pcanywhere-status host 80.4.185.--- eq pcanywhere-status
access-list 100 permit tcp any eq 80.4.185.--- eq www

Configure the lines below instead:

access-list 100 permit tcp any host 80.4.185.--- eq www
access-list 100 permit tcp any host 80.4.185.--- eq 5631
access-list 100 permit udp any host 80.4.185.--- eq 5632

Next, you need to clear the xlate table (clear xlate); be aware that this command will drop all your current connections. Hope this helps!
 
Thanks for the reply. The pcAnywhere host and the intranet that I am trying to connect to are on the same internal IP address. What effect will this have on the access-list? Can it be done?

 
Does traffic from the host pass through the pix to get to the intranet? If so, the access could permit pc-anywhere traffic from any outside host to 80.4.185.X.
If traffic does not pass through the pix, then the access list will do nothing for you.
 
Thanks again for the reply. Forget about the host; I want to get access to my intranet via the internet. I've tried:

access-list 100 permit tcp any host 80.4.185.--- eq www

And I've cleared the xlate table but I'm still not getting access. I can't ping the static IP address, but when I type show access-list the hitcnt goes up by one every time I try to access the intranet via the web (Page cannot be displayed). Does this mean it's getting as far as the pix and then stopping?

Again, thanks for the help.
 
You need a static or conduit that maps a public IP address to the host you're trying to PC Anywhere to. Then, you need to keep the access list entry to specifically allow PC Anywhere traffic to that host. As an example:

static (inside,outside) 80.4.185.104 192.168.5.104 netmask 255.255.255.255 0 0
access-list outside permit tcp any host 80.4.185.104 eq 5631
access-list outside permit udp any host 80.4.185.104 eq 5632
access-list inside permit tcp any host 192.168.5.104 eq 5631
access-list inside permit udp any host 192.168.5.104 eq 5632

Also, I think PCAnywhere uses a range of ports in the 5600 to 5700 range. You may need to use a range of tcp/udp ports instead of just one.
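The two replies above make the same point from different angles: an inbound entry must not carry a source-port operator (clients connect from ephemeral ports, so "any eq pcanywhere-data" never matches), the destination must be a public address that a static actually translates, and the list has to be bound with access-group. The linter below checks a pasted config for exactly those conditions. It is an added example written for this thread, not code from the posters or from Cisco; the configs it runs on are constructed, the "public" addresses are from the 192.0.2.0/24 documentation range rather than the masked 80.4.185.--- ones, and the parser only understands the PIX 6.x access-list forms that appear in this thread (any, host, object-group, address/mask, eq/gt/lt/neq/range).

```python
"""Lint PIX 6.x-style access-list entries for the problems raised in this thread.

Added example, not from the thread. Configs below are constructed; the "public"
addresses come from the 192.0.2.0/24 documentation range.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_OPS = ("eq", "gt", "lt", "neq", "range")
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) \S+")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface \S+")


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]


def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: any | host A | object-group G | A MASK."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] in PORT_OPS:  # e.g. "any eq 192.0.2.11 eq www": the "host" keyword is missing
        raise ValueError(f"expected an address, found port operator {tok[i]!r}")
    return f"{tok[i]} {tok[i + 1]}", i + 2


def _port(tok: List[str], i: int, allow_group: bool) -> Tuple[Optional[str], int]:
    """Consume an optional port spec. An object-group straight after the source
    address is read as the destination network group (the usual PIX form), so
    service groups are only accepted in destination position."""
    if i >= len(tok):
        return None, i
    if tok[i] == "range":
        return " ".join(tok[i:i + 3]), i + 3
    if tok[i] in PORT_OPS or (allow_group and tok[i] == "object-group"):
        return f"{tok[i]} {tok[i + 1]}", i + 2
    return None, i


def parse_acl(line: str) -> AclEntry:
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError("not an access-list entry")
    try:
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i, allow_group=False)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i, allow_group=True)
    except IndexError:
        raise ValueError("truncated entry") from None
    return AclEntry(tok[1], tok[2], tok[3], src, sport, dst, dport)


def strip_source_port(line: str) -> str:
    """Rebuild an entry without its source port operator, as the first reply did."""
    e = parse_acl(line)
    parts = ["access-list", e.name, e.action, e.proto, e.src, e.dst]
    return " ".join(parts + [e.dport] if e.dport else parts)


def lint_config(config: str) -> List[str]:
    """One string per finding; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    statics = {m.group(1) for m in map(STATIC_RE.match, lines) if m}
    applied = {m.group(1) for m in map(ACCESS_GROUP_RE.match, lines) if m}
    findings, names = [], []
    for line in lines:
        if not line.startswith("access-list "):
            continue
        try:
            e = parse_acl(line)
        except ValueError as err:
            findings.append(f"{line}: malformed ({err})")
            continue
        names.append(e.name)
        if e.sport is not None:
            findings.append(f"{line}: source port restricted ({e.sport}); clients use "
                            "ephemeral source ports, so this entry never matches")
        if e.action == "permit" and e.dst.startswith("host "):
            pub = e.dst.split()[1]
            if pub not in statics:  # nothing translates this public address inbound
                findings.append(f"{line}: no static maps {pub} to an inside host")
    for name in dict.fromkeys(names):  # each ACL name once, in order of appearance
        if name not in applied:
            findings.append(f"access-list {name} is never applied with access-group")
    return findings


# Constructed config mirroring the thread's mistakes (not the poster's real addresses).
BROKEN = """\
access-list 100 permit tcp any object-group mailservers object-group allowed_ports
access-list 100 deny icmp any any
access-list 100 permit tcp any eq pcanywhere-data host 192.0.2.11 eq pcanywhere-data
access-list 100 permit udp any eq pcanywhere-status host 192.0.2.11 eq pcanywhere-status
access-list 100 permit tcp any eq 192.0.2.11 eq www
access-list 100 permit tcp any host 192.0.2.12 eq www
access-list 101 permit tcp any host 192.0.2.11 eq 5631
static (inside,outside) 192.0.2.10 mailserver1 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.11 192.168.5.104 netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""

# The same host opened the way the first reply suggests; lint_config(FIXED) is empty.
FIXED = """\
static (inside,outside) 192.0.2.11 192.168.5.104 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host 192.0.2.11 eq www
access-list 100 permit tcp any host 192.0.2.11 eq 5631
access-list 100 permit udp any host 192.0.2.11 eq 5632
access-group 100 in interface outside
"""
```

Running lint_config(BROKEN) reports the two source-port entries, the malformed "eq 192.0.2.11" line, the permit to 192.0.2.12 that no static translates, and access-list 101 never being bound; strip_source_port rewrites an offending entry into the form the first reply gave. A hitcnt that increments on the entry, as the original poster saw, is consistent with all of this: the ACL is being hit, and the failure is further along (no matching static, or the inside host not answering).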
 