#1
Master Chump
opening ports on 515e
I am using a Cisco firewall 515e and need to unblock some ports. I have a listing of the ports (TCP, UDP and an ESP) that need either inbound access, outbound access, or both. I'm using software version 7.2(1)24. When I try and configure the access list to allow these ports it messes up the internet connection.
I'm also trying to do this same thing for an 871 with IOS config, advanced IP services version 12.4(11)T2. I looked on the Cisco site and thought I found the document to do this, but I may have missed something. For example, on the 515, I'm entering the line access-list acl_out permit tcp any any eq port# What possibly am I doing wrong? Thanks
__________________
"Four freedoms: The first is freedom of speech and expression - everywhere in the world. The second is freedom of everyone to worship God in his own way, everywhere in the world. The third is freedom from want . . . everywhere in the world. The fourth is freedom from fear . . . anywhere in the world." --Franklin D. Roosevelt U.S. President |
#3
Master Chump
Re: opening ports on 515e
Here's the nitty-gritty of it, with changes to the IPs...
PIX Version 7.2(1)24
!
hostname myFW
domain-name mydomain.com
enable password XXXXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.255
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.19.3 255.255.255.0
!
interface Ethernet2
 shutdown
 nameif intf2
 security-level 10
 no ip address
!
passwd xxxxxxxxx encrypted
boot system flash:/pix721-24.bin
ftp mode passive
clock timezone est -5
dns server-group DefaultDNS
 domain-name mydomain.com
same-security-traffic permit intra-interface
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host xxx.xxx.xxx.xxx eq https
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq 443
access-list acl_out extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.xxx eq imap4
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq 143
access-list acl_out extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq 25
access-list acl_out extended permit tcp any any eq 7800
access-list 100 remark access-list for nonat
access-list 100 extended permit ip 192.168.19.0 255.255.255.0 192.168.24.0 255.255.255.0
access-list 100 remark access-list entries for VPN client to not be NATED
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 192.168.19.0 255.255.255.0
access-list 100 extended permit ip 192.168.19.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list 120 extended permit ip 192.168.24.0 255.255.255.0 192.168.19.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 1000000
logging monitor debugging
logging buffered debugging
logging trap debugging
logging host inside 192.168.19.40
no logging message 713906
no logging message 305012
no logging message 305011
no logging message 710005
no logging message 710003
no logging message 715075
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 715036
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip local pool dealer 172.16.100.1-172.16.100.254
icmp permit any outside
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx 192.168.19.33 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.19.39 netmask 255.255.255.255
access-group acl_out in interface outside
access-group test in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 172.16.100.0 255.255.255.0 192.168.19.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy password internal
group-policy password attributes
 vpn-idle-timeout 30
group-policy default-domain internal
group-policy default-domain attributes
 vpn-idle-timeout 30
group-policy 1company internal
group-policy 1company attributes
 wins-server value 192.168.19.31
 vpn-idle-timeout 30
group-policy remote internal
group-policy remote attributes
 wins-server value 192.168.19.31
 vpn-idle-timeout 30
group-policy company internal
group-policy company attributes
 wins-server value 192.168.19.31
 vpn-idle-timeout 30
username myusername password xxxxxxxxxxxxxxxx encrypted
url-server (inside) vendor smartfilter host 192.168.19.40 port 4005 timeout 30 protocol TCP connections 5
filter url except 192.168.19.73 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 192.168.0.0 255.255.0.0 0.0.0.0 0.0.0.0 longurl-truncate
http server enable
snmp-server host inside 192.168.19.49 poll community WOMROSTRING
snmp-server host inside 192.168.19.217 poll community umtyfrat78
snmp-server host inside 192.168.19.38 poll community umtyfrat78
no snmp-server location
no snmp-server contact
snmp-server community umtyfrat78
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto dynamic-map cisco 4 match address outside_cryptomap_dyn_30
crypto dynamic-map cisco 4 set transform-set 3des
crypto map partner-map 20 match address 120
crypto map partner-map 20 set peer xxx.xxx.xxx.xxx
crypto map partner-map 20 set transform-set 3des
crypto map partner-map 65535 ipsec-isakmp dynamic cisco
crypto map partner-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) dealer
 authentication-server-group (outside) LOCAL
tunnel-group default-domain type ipsec-ra
tunnel-group default-domain general-attributes
 authentication-server-group (outside) LOCAL
 default-group-policy default-domain
tunnel-group password type ipsec-ra
tunnel-group password general-attributes
 authentication-server-group (outside) LOCAL
 default-group-policy password
tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
 address-pool dealer
 authentication-server-group (outside) LOCAL
 default-group-policy remote
tunnel-group remote ipsec-attributes
 pre-shared-key X
tunnel-group company type ipsec-ra
tunnel-group company general-attributes
 address-pool dealer
 authentication-server-group (outside) LOCAL
 default-group-policy company
tunnel-group company ipsec-attributes
 pre-shared-key X
tunnel-group 1company type ipsec-ra
tunnel-group 1company general-attributes
 address-pool dealer
 authentication-server-group (outside) LOCAL
 default-group-policy 1company
tunnel-group 1company ipsec-attributes
 pre-shared-key X
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key X
telnet 192.168.19.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
url-block block 40
ntp server 192.5.41.40 source outside prefer
ntp server 18.26.4.105 source outside
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#5
Moderator Networking Team
Join Date: Aug 2006
Location: Canada
Posts: 2,509
OS: Windows Vista Business SP1, Windows XP Professional SP3
Re: opening ports on 515e
Hmm intriguing. I'm no PIX guru by a long shot, but did you try putting the extended portion in the entry (eg. access-list acl_out extended permit tcp any any eq port#)? Remember that Extended IP Access List may only "assume" it is extended if assigned among the list number range of 100-199. Since you are "defining" a custom access group, you probably need to set the extended parameter or else it may just be assuming it is a Standard IP Access List entry. I'm a little rusty with my Cisco, but that could be it if you are forgetting to explicitly set the extended parameter.
Addendum: Since you are trying to make an access list entry using ports, it needs to be an extended IP access list entry. A standard access list entry only permits/denies based on IP only - to be able to be more granular and use ports, you must use an extended IP access list. Since you are not using number ranges but a custom access group, I bet you dollars to donuts that is what you are missing.

Were you the one who originally put in those access list entries and only just now had problems, or did you "inherit" it?

By the way, it would be a very good idea to completely back up everything on both firewall and router before you fiddle with the config.

Tip: set logging synchronous on your vtty so that when you are typing things in the console terminal, output does not cause visual corruption and garble up what you are typing. This is especially useful if you have debugging going. It'll drive you insane trying to see what the heck you are typing and what is being outputted otherwise.

Last edited by Cellus: 12-13-2007 at 09:54 PM.
#6
Master Chump
Re: opening ports on 515e
I'm sorry, I left that out; I do put extended in there.
I did "inherit" this, so to speak. I'm not a Cisco guy, but I need to figure this out; the company doesn't want to bring in someone right now for $125/hr. And I never wr mem until I know it works, and I document any changes I make to the config in the first place, so if it does screw up, I know exactly what I changed.
#7
Registered User
Join Date: Dec 2007
Location: NorCal
Posts: 117
OS: XP SP2
Re: opening ports on 515e
1st, remove all the udp entries from your access list since they are "connectionless" (packets are not answered).
Also, remember that outbound traffic never needs to be "allowed" once you have a global statement. The firewall is "stateful" and it knows not to block source traffic since it is predicated by its rules.

Lastly, turn off "nat-control" (pix<config>#no nat-control) temporarily.

Make those changes as well as the "extended" acl-out change and then post back the results. Cheers
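The replies in this thread boil down to three checks on the access-list part of the config: every port-based entry carries the extended keyword, an access-group only binds ACLs that actually have entries, and UDP permits to TCP-only mail and web services are dropped. The following Python script is an added example, not code from the thread or from Cisco; it runs those checks over an excerpt of the config posted in #3 (the poster's xxx.xxx.xxx.xxx masking is kept as is). The TCP_ONLY map and the finding category names are this example's own choices, and the script only reads the text, so it is safe to run against a copy of any running-config before a change is made.

```python
import re
from collections import defaultdict

# Excerpt of the PIX 7.2 config posted in #3 of this thread. Public addresses
# were masked as xxx.xxx.xxx.xxx by the poster; the audit does not depend on them.
SAMPLE_CONFIG = """\
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host xxx.xxx.xxx.xxx eq https
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq 443
access-list acl_out extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.xxx eq imap4
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq 143
access-list acl_out extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq 25
access-list acl_out extended permit tcp any any eq 7800
access-list 100 remark access-list for nonat
access-list 100 extended permit ip 192.168.19.0 255.255.255.0 192.168.24.0 255.255.255.0
access-list 120 extended permit ip 192.168.24.0 255.255.255.0 192.168.19.0 255.255.255.0
access-group acl_out in interface outside
access-group test in interface inside
"""

# Services the replies single out as TCP-only (name -> number as PIX prints them).
# A UDP permit to one of these enables nothing and only widens what the outside
# interface accepts. This map is the example's own, not a Cisco table.
TCP_ONLY = {"https": "443", "www": "80", "http": "80", "imap4": "143", "smtp": "25"}

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def parse(config):
    """Return ({acl_name: [ace_body, ...]}, [(acl_name, direction, iface), ...])."""
    acls, bindings = defaultdict(list), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls[m.group(1)].append(m.group(2))
        elif m := GROUP_RE.match(line):
            bindings.append(m.groups())
    return acls, bindings


def audit(config):
    """Return a list of (category, message) findings for the ACL portion of a config."""
    acls, bindings = parse(config)
    findings = []
    # An access-group that names an ACL no access-list line defines is worth
    # confirming on the box (show access-list <name>): nothing in the text
    # filters that interface, so the behaviour is not what the config reads as.
    for name, direction, iface in bindings:
        if name not in acls:
            findings.append(("undefined-acl",
                             f"access-group {name} ({direction}, {iface}) has no access-list entries"))
    for name, bodies in acls.items():
        for body in bodies:
            toks = body.split()
            if not toks or toks[0] == "remark":
                continue
            if toks[0] == "extended":
                toks = toks[1:]
            else:
                # Port matching needs an extended entry (the point made in #5).
                findings.append(("missing-extended", f"{name}: {body}"))
            if len(toks) < 4 or toks[0] not in ("permit", "deny"):
                continue
            proto = toks[1]
            # "any any" with a port permits that port to every address behind
            # the interface; inbound entries normally name the served host.
            if toks[2] == "any" and toks[3] == "any":
                findings.append(("any-destination", f"{name}: {body}"))
            if proto == "udp" and "eq" in toks:
                port = toks[toks.index("eq") + 1]
                if port in TCP_ONLY or port in TCP_ONLY.values():
                    findings.append(("udp-tcp-only", f"{name}: {body}"))
    return findings


if __name__ == "__main__":
    for category, message in audit(SAMPLE_CONFIG):
        print(f"[{category}] {message}")
```

On the posted excerpt the script reports the access-group test binding on the inside interface, the four UDP entries that mirror the HTTPS, WWW, IMAP4 and SMTP permits, and the two entries whose source and destination are both any. Pasting the full running-config into SAMPLE_CONFIG gives the same three checks over everything the firewall currently holds.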
#8
Master Chump
Re: opening ports on 515e
Those UDP ports are all connected to the Exchange server here in house... how will that affect users getting their mail from the outside?
#9
Registered User
Join Date: Dec 2007
Location: NorCal
Posts: 117
OS: XP SP2
Re: opening ports on 515e
The udp entries aren't going away, we will add them back in later. Let's simplify this convo a bit though. Exactly what services are you trying to enable (eg, mail, ftp, web etc)?
#10
Master Chump
Re: opening ports on 515e
These are the protocols that this software needs in order to function:
Protocol    Direction                              Port
esp         in/out
icmp echo   out (to a specific IP)
icmp reply  in (to a specific IP)
TCP         out (to a specific IP)                 21
http        out                                    80
udp         in/out (to a specific range of IP's)   500
TCP         in/out (to a specific IP)              709
TCP         out (to a specific IP)                 1800
UDP         in (to a specific range of IP's)       4500
TCP         out (to a specific range of IP's)      5080

Obviously, some are known working ones already, like 21 and 80.