Message Boards » Tech Talk » Cisco Pix help. Forwarding and opening a port
Raige
All American
4386 Posts

I have a vendor who needs to communicate with a piece of our equipment on a port that's not open. What's the CLI to open a port and to forward a port?

Thanks.

12/16/2005 2:04:23 PM

ultra
Suspended
5191 Posts

Do you really get paid at your job?

12/16/2005 2:06:52 PM

Raige
All American
4386 Posts

Yes, but I wasn't hired as a sysadmin; I was hired as a ColdFusion programmer. I got dropped in the seat and I'm dealing with things. I don't have any Cisco training and typically had RMSource do the work, but since I'm learning more about the Cisco firewall and I'm able to look at the settings, I'd like to know what the CLI command is to open/close and forward a port.

12/16/2005 2:09:51 PM

qntmfred
retired
40450 Posts

Did you mean: forward

12/16/2005 2:12:36 PM

ultra
Suspended
5191 Posts

Listing the Cisco router model would help... or at least the IOS version.

12/16/2005 2:12:42 PM

ultra
Suspended
5191 Posts

http://www.chinalinuxpub.com/doc/www.siliconvalleyccie.com/cisco-hn/dsl-pix.htm

12/16/2005 2:15:15 PM

Raige
All American
4386 Posts

Ah, whoops, forward.

It's a Cisco PIX 506E and the user manual doesn't list any CLI command examples; Cisco's site is no help either. Don't get me started on their tech support.

Basically I have PDM and CLI access. All I'm looking for is the command string that opens a port and one that forwards the port. I'm not sure if it's the same. If you know the command, using port 80 as an example would be great.

12/16/2005 2:15:39 PM

ultra
Suspended
5191 Posts

Yeah their tech support sucks shit. Good that there are good online resources.

12/16/2005 2:18:04 PM

Raige
All American
4386 Posts

Found it on a site. Thanks for the above link but that didn't tell me stuff I didn't already know.

12/16/2005 2:18:13 PM

gephelps
All American
2369 Posts

You know, your original request is about as vague as you can get. If you are going to ask a very simple question, yet not understand what you are doing, then you are going to get non-stellar support, mostly because the person has no idea what you are asking.

A PIX can be a real nightmare if all you have ever seen is a Linksys GUI. NAT and port forwarding on a home router are very simplified. Simplified to the point that even the terminology is not very descriptive. The real answer is there are many ways to do this, and you can still run into other issues that would make your correct NAT config still fail. I'm glad you found the answer to your question.

It makes me very curious however how your config looks in general. For "port forwarding" though this has all the info you ever wanted:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/nat.htm
That link gives a lot of examples, but it really depends on what you have already and what you really want.


Anyhow, how did you achieve your desired result? Static? Dynamic? NAT? PAT? Policy? Was it an ACL that was tripping you up? The CLI for the PIX is not the best for sure. I think 7.0 probably helped a lot, but I haven't used it. 3.1 for the FWSM isn't out yet and 2.x is based on 6.x PIX code.

*I've never used PDM so I can't comment on that*

12/16/2005 10:06:11 PM

csdozier
All American
510 Posts

Save yourself some money and just get yourself an Adtran NetVanta router/firewall </company plug>

12/16/2005 11:08:30 PM

Raige
All American
4386 Posts

Sorry I didn't respond sooner.

I used the command line. The PDM lets me look at site statistics, that's about it. It has a GUI interface for the command line that I use. It lets me cut and paste things easier. Either way is fine. I've been told by those who use PIX firewalls to not use the PDM except for simple things. I WILL NOT upgrade to 7.0, as every single person I know that runs a PIX firewall says it's got hella bugs. We upped to PIX Version 6.3(5) to get rid of the Java engine bug. Of course now there are errors in the PDM when it's started, but I'm told those will be there because of our configuration. I honestly don't know enough to go poking around too much.

(XXX is the port).
I opened the port using this...
access-list inbound permit tcp any host 65.23.115.45 eq XXX

Then forwarded it using a static (since the IP never changes):
static (inside,outside) tcp 65.23.115.45 XXX 192.168.0.98 XXX netmask 255.255.255.255 0 0

I WOULD really like a nice book that's basically a beginner's guide to Cisco firewalls. Generally documentation from Cisco is like reading a McDonald's menu in Swahili.

12/17/2005 1:44:49 AM

BobbyDigital
Thots and Prayers
41777 Posts

I don't know the pix platform, so I'll refrain from commenting, but if you want real help, go here:

http://forums.cisco.com/eforum/servlet/NetProf?page=main

Assuming you have a CCO account.

12/17/2005 8:27:11 AM

gephelps
All American
2369 Posts

^^ Don't know of a good book. I would hit up Barnes & Noble or something and look at a couple of chapters and see if it is what you are looking for. I never looked through the PIX documents. I will say though starting out a lot of it was kinda confusing, but the more you use it and see things, when you go back it will make much more sense.

That is a good way to do it (for the static). It wasn't clear in the first post (to me) if you already had NAT in place (if you did for that translation), etc. It is also a bit different if you are used to Check Point or the like (only messed with Check Point briefly, and then consumer stuff).

For the ACL though, have you done a sh access-l inbound counters? I'd be curious if it was actually hitting that ACE. There might be a more general rule it is already hitting (though this statement doesn't hurt anything if a wider permit statement appears before it).

I'm glad that worked for you, but you still could have run into issues depending on what previous config was already there. Such as if you were using AAA, or if you already had a static defined that covered that translation (statics are first match, not best match, unlike ACLs or other NAT statements).

12/19/2005 10:03:17 PM
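An added example (not from any poster in this thread) that checks the two things discussed above against a PIX 6.x config: for the access-list plus static pair Raige posted, and for the caveats in the reply just above (a wider permit earlier in the ACL taking the hits, and statics being first match rather than best match). It parses a constructed config fragment and reports, for one external IP/port, which ACE and which static would actually be used; the addresses, the config lines and the function names are all assumptions for the sample.

```python
# Constructed PIX 6.x config fragment (sample data, not the thread's device; 203.0.113.0/24 is a documentation range)
SAMPLE_CONFIG = """\
access-list inbound permit tcp any host 203.0.113.45 eq 80
access-list inbound permit ip any any
access-list inbound permit tcp any host 203.0.113.45 eq 3389
static (inside,outside) tcp 203.0.113.45 80 192.168.0.98 www netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.45 192.168.0.50 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.45 3389 192.168.0.99 3389 netmask 255.255.255.255 0 0
"""
PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80, "http": 80, "https": 443}

def port_num(tok):  # PIX accepts service names or numbers in both ACEs and statics
    return PORT_NAMES.get(tok) or int(tok)
def _addr(t, i):  # "any" or "host A"; returns (address, index of the next token)
    return ("any", i + 1) if t[i] == "any" else (t[i + 1], i + 2)
def parse_ace(line, acl):
    t = line.split()
    if t[:3] != ["access-list", acl, "permit"]:
        return None
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = port_num(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"proto": t[3], "src": src, "dst": dst, "port": port}
def parse_static(line):
    t = line.split()
    if t[:1] != ["static"]:
        return None
    if t[2] in ("tcp", "udp"):  # port-level static: global_ip global_port local_ip local_port
        return {"proto": t[2], "gip": t[3], "gport": port_num(t[4]), "lip": t[5]}
    return {"proto": "ip", "gip": t[2], "gport": None, "lip": t[3]}  # one-to-one static

def audit(config, acl, gip, proto, port):
    aces = [a for a in (parse_ace(ln, acl) for ln in config.splitlines()) if a]
    statics = [s for s in (parse_static(ln) for ln in config.splitlines()) if s]
    ace_hits = [i for i, a in enumerate(aces) if a["proto"] in ("ip", proto) and a["src"] == "any"
                and a["dst"] in ("any", gip) and a["port"] in (None, port)]
    st_hits = [i for i, s in enumerate(statics) if s["gip"] == gip
               and (s["proto"] == "ip" or (s["proto"], s["gport"]) == (proto, port))]
    first_ace = aces[ace_hits[0]] if ace_hits else None
    first_st = statics[st_hits[0]] if st_hits else None
    return {
        "permitted": bool(ace_hits),
        # a wider permit listed earlier takes the hit, so the specific ACE's counter stays at 0
        "first_ace_broad": bool(first_ace) and first_ace["dst"] == "any" and first_ace["port"] is None,
        "translated_to": first_st["lip"] if first_st else None,
        # statics are first match: an earlier one-to-one static wins over a later port static
        "static_shadowed": len(st_hits) > 1 and first_st["proto"] == "ip",
    }
```

In the sample, port 80 resolves cleanly to 192.168.0.98, while port 3389 is reported as permitted only by the broad "permit ip any any" ACE and translated by the earlier one-to-one static to 192.168.0.50 rather than the intended 192.168.0.99.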

Raige
All American
4386 Posts

^ Hmm, I'm not sure what you mean in most of your statements.

The Cisco firewall is also our gateway. We have 4 IPs, 1 public and in use; the others are not in use.

I believe everything is static, in the loose sense of what I understand "static" to mean when talking about the Cisco PIX. The items I'm opening ports for and forwarding to are statically assigned items outside the leasing range of the DHCP server.

That clear that up?

12/19/2005 11:37:10 PM

robster
All American
3545 Posts

Configure a one-to-one address translation rule by mapping a local IP address to a global IP address, or a local port to a global port.

[no] static [(local_ifc,global_ifc)] {global_ip | interface} {local_ip [netmask mask] | access-list acl_name} [dns] [norandomseq] [max_conns [emb_limit]]

[no] static [(local_ifc,global_ifc)] {tcp | udp} {global_ip | interface} global_port {local_ip local_port [netmask mask] | access-list acl_name} [dns] [norandomseq] [max_conns [emb_limit]]

From the PIX Firewall command reference.

[Edited on December 20, 2005 at 6:09 PM. Reason : .]

12/20/2005 6:08:55 PM

robster
All American
3545 Posts

To redirect Telnet traffic from the PIX Firewall outside interface to the inside host at 10.1.1.15, enter:

static (inside,outside) tcp interface telnet 10.1.1.15 telnet netmask 255.255.255.255


To redirect FTP traffic from the PIX Firewall outside interface to the inside host at 10.1.1.30, enter:

static (inside,outside) tcp interface ftp 10.1.1.30 ftp netmask 255.255.255.255

OR

You can also do it with a port number: (HTTP)
static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255 0 0

[Edited on December 20, 2005 at 6:16 PM. Reason : .]

12/20/2005 6:12:20 PM

Raige
All American
4386 Posts

^ and ^^. Yup, that's what I didn't know at the time. A friend of mine got me in touch with someone who manages a bunch of Cisco PIXes. He set me straight. I appreciate the above though, and it does help additionally.

12/21/2005 8:43:19 AM

© 2024 by The Wolf Web - All Rights Reserved.