
PIX 515 Port Question

Status
Not open for further replies.

aree

IS-IT--Management
May 6, 2003
10
US
hi,
I've been told to open the following ports on the PIX 515 firewall; does anyone have any clue how to do this?

In: TCP on port 80, 554, 1755. The Windows Media server uses the TCP In ports to accept an incoming HTTP connection (port 80), RTSP connection (port 554), or MMS connection (port 1755) from Windows Media Player and other clients.

In: UDP on port 1755, 5005. The Windows Media server uses UDP In port 1755 to receive resend requests from clients streaming by using MMSU and UDP In port 5005 to receive resend requests from clients streaming by using RTSPU.

Out: UDP between ports 1024-5000. The Windows Media server uses UDP Out ports 1024-5000 to send data to Windows Media Player and other clients.

Thanks in advance!
 
The config you have at the moment on the platform, does it use access-lists or conduit statements?

You don't say if you are looking for specific IP addresses to be allowed as either source or destination. Personally I will not open incoming ports unless they are VERY specifically defined.
 
hi Iainh,
Yes, we use access-lists and it is for a specific IP address. I'm not sure how the "in" and "out" work in the access-list and access-group.

Thanks
 
At present the PIX only supports inbound access-lists; going by the command, they are looking to change this. Therefore you simply apply access from outside hosts to inside hosts to the outside interface, and to control access from your internal network apply these to the internal interfaces. Hope this makes sense.

The ACLs work on source IP address, then destination and then destination port. When they are applied to the outside interface they are looking at the destination address of the packet as it is sent from the remote host, and therefore this is the NAT'd IP address (i.e. the real-world IP address your inside host maps to).

OK, try this:

access-list outside_inside permit tcp host (outside host IP address) host (your outside NAT'd address) eq 80
access-list outside_inside permit tcp host (outside host IP address) host (your outside NAT'd address) eq 554
access-list outside_inside permit tcp host (outside host IP address) host (your outside NAT'd address) eq 1755
access-list outside_inside permit udp host (outside host IP address) host (your outside NAT'd address) eq 1755
access-list outside_inside permit udp host (outside host IP address) host (your outside NAT'd address) eq 5005
access-list inside_outside permit udp host (inside host IP address) range 1024 5000 host (outside host IP address)

access-group outside_inside in interface outside

access-group inside_outside in interface inside
 
Just a cautionary message (I may be telling my granny how to suck eggs), but don't forget there is an implicit deny at the end of both ACLs, and therefore anything you do not PERMIT specifically will be DENIED.
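The two posts above (the access-list/access-group rules and the implicit-deny warning) pulled together into one complete PIX 6.x configuration fragment. This is an added example, not a config from the thread; the addresses are assumptions chosen for illustration: the Windows Media server is 10.1.1.10 on the inside, its static outside (NAT'd) address is 203.0.113.10, the single permitted client is 198.51.100.25, and the interfaces are named inside and outside. Lines beginning with ! are explanatory comments, not commands to paste.

```text
! Static one-to-one translation: gives the server a fixed outside address, which is
! the address the outside ACL must reference on PIX 6.x (the post-translation address).
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! Inbound from the one permitted client to the server's outside address only.
! TCP 80 (HTTP), 554 (RTSP), 1755 (MMS); UDP 1755 (MMSU resend) and 5005 (RTSPU resend).
access-list outside_inside permit tcp host 198.51.100.25 host 203.0.113.10 eq 80
access-list outside_inside permit tcp host 198.51.100.25 host 203.0.113.10 eq 554
access-list outside_inside permit tcp host 198.51.100.25 host 203.0.113.10 eq 1755
access-list outside_inside permit udp host 198.51.100.25 host 203.0.113.10 eq 1755
access-list outside_inside permit udp host 198.51.100.25 host 203.0.113.10 eq 5005
! Everything else arriving on the outside interface hits the implicit deny.
access-group outside_inside in interface outside

! Inside interface: the ACL sees the real (untranslated) address of the server.
! The server SENDS from UDP 1024-5000 to whatever port the client chose, so the
! range sits on the source side; as a destination range it would block the stream.
access-list inside_outside permit udp host 10.1.1.10 range 1024 5000 host 198.51.100.25
! Stop the streaming server from initiating anything else to the outside world...
access-list inside_outside deny ip host 10.1.1.10 any
! ...while the rest of the inside network keeps its previous (permit) behaviour.
! Without this line the implicit deny would cut every other inside host off.
access-list inside_outside permit ip 10.1.1.0 255.255.255.0 any
access-group inside_outside in interface inside
```

Two practical notes. First, on a PIX with no access-group on the inside interface, traffic from the higher-security inside to the lower-security outside is already permitted, so the inside_outside list is only needed if you want to restrict the server; the moment you bind it, the implicit deny applies to every inside host, hence the final permit line. Second, after applying the lists, `show access-list outside_inside` and `show access-list inside_outside` display a hit count per entry, which is the quickest way to confirm that a client connection is matching the line you expect rather than falling through to the implicit deny.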
 