Question

can't open port 53 tcp and 443 tcp on pix even with acls

By mtamjidi
Hello all,
I faced a situation and that is: even though I open ports TCP 53 and TCP 443 on my PIX using access-lists, after I scan ports on the server from inside or outside, the ports are closed and only certain ports are open. My server is on the DMZ and I want to open the ports for outside and inside.
I already opened other ports such as SMTP and WWW for my server, but only 443 and 53 are not opening in the usual way. I guess this is somehow related to inspection rules; does anybody know a way to do this?


3 total posts (Page 1 of 1)  

All Answers

What are you scanning with?

by robo_dev In reply to can't open port 53 tcp an ...

Do you have a rule to forward these ports?

It might be helpful to post the relevant parts of your configuration (don't post your internal IP or passwords :) )

The config is as follows

by mtamjidi In reply to what are you scanning wit ...

Hello, the PIX config is as follows. I scan ports with Advanced IP Scan and I also tried to bypass the firewall. I put the server online next to the router and the ports were open, but when I activated the PIX in the path, the ports were closed and only certain ports were open. I faced this problem with an ASA 5540 too. I opened the whole traffic (permit ip any any) but only certain ports were open and not all ports.


: Saved
:
PIX Version 8.0(4)
!
hostname gheidar-pix
domain-name www.khiau.ac.ir
names
name 10.10.10.2 cache
name 172.16.16.4 sabtenam
name 217.218.226.69 sabtenam-public
name 172.16.16.2 web
name 217.218.226.68 webpublic
name 172.16.16.3 dmzclient
name 217.218.226.67 dmzclientpublic
name 172.16.16.5 accounting
name 217.218.226.71 accounting-public
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 217.218.226.70 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 172.16.16.254 255.255.255.0
!
interface Ethernet3
nameif management
security-level 75
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet4
nameif intf4
security-level 8
no ip address
!
interface Ethernet5
nameif intf5
security-level 10
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name www.khiau.ac.ir
object-group icmp-type icmp-group1
icmp-object echo
icmp-object information-reply
icmp-object information-request
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq domain
service-object tcp eq https
object-group service DM_INLINE_TCP_1 tcp
port-object eq domain
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq domain
port-object eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group TCPUDP any host webpublic eq domain
access-list outside_access_in extended permit object-group TCPUDP any host webpublic eq www
access-list outside_access_in extended permit object-group TCPUDP any host sabtenam-public eq domain
access-list outside_access_in extended permit object-group TCPUDP any host sabtenam-public eq www
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp any host sabtenam-public eq https
access-list dmz_access_in extended permit object-group TCPUDP any host sabtenam-public eq domain
access-list dmz_access_in extended permit object-group TCPUDP any host sabtenam-public eq www
access-list dmz_access_in extended permit object-group TCPUDP any host webpublic eq www
access-list dmz_access_in extended permit object-group TCPUDP any any eq domain
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit object-group TCPUDP any any eq www
access-list global_mpc extended permit object-group DM_INLINE_SERVICE_1 any any
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list global_mpc_1 extended permit tcp any any object-group DM_INLINE_TCP_2
!
tcp-map https
reserved-bits clear
synack-data allow
invalid-ack allow
seq-past-window allow
no ttl-evasion-protection
urgent-flag allow
!
pager lines 23
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu intf4 1500
mtu intf5 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip verify reverse-path interface management
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 217.218.226.80-217.218.226.90 netmask 255.255.255.192
global (outside) 10 217.218.226.91 netmask 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (dmz,outside) sabtenam-public sabtenam netmask 255.255.255.255
static (dmz,outside) webpublic web netmask 255.255.255.255 dns
static (dmz,outside) dmzclientpublic dmzclient netmask 255.255.255.255
static (dmz,inside) sabtenam-public sabtenam netmask 255.255.255.255 dns
static (dmz,outside) accounting-public accounting netmask 255.255.255.255
static (dmz,inside) accounting-public accounting netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 217.218.226.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 217.218.230.89 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 dmz
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 217.218.230.89 255.255.255.255 outside
ssh timeout 5
ssh version 1
console timeout 0
management-access management
no threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map global-class
match access-list global_mpc_1
class-map inspection_default
match access-list global_mpc
match default-inspection-traffic
!
!
policy-map type inspect dns MY_DNS_INSPECT_MAP
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ctiqbe
inspect dcerpc
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
inspect mgcp
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect waas
inspect xdmcp
inspect dns MY_DNS_INSPECT_MAP
class global-class
set connection advanced-options https
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fb26ed695bdc22fec644263c201a270e
: end
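As an added example (not code from this thread), here is a small Python evaluator for the access-list part of the posted config: it resolves the `name` aliases and the TCPUDP protocol object-group, then walks the ACL bound to an interface with first-match semantics and the PIX implicit deny, so you can check which of the scanned ports an interface ACL actually permits before looking at NAT or inspection. The config excerpt is constructed from the post above; the helper names are my own.

```python
# Constructed excerpt of the posted PIX 8.0(4) config: public-IP names, the
# TCPUDP object-group, the outside and dmz access-lists and their bindings.
CONFIG = """
name 217.218.226.69 sabtenam-public
name 217.218.226.68 webpublic
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object-group TCPUDP any host webpublic eq domain
access-list outside_access_in extended permit object-group TCPUDP any host webpublic eq www
access-list dmz_access_in extended permit tcp any host sabtenam-public eq https
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
"""
PORT_NAMES = {"domain": 53, "www": 80, "https": 443}  # PIX port keywords

def parse(config):
    # Collect name aliases, protocol object-groups, ACEs and interface bindings.
    names, groups, acls, bindings, group = {}, {}, {}, {}, None
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "name":                        # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[:2] == ["object-group", "protocol"]:
            group = groups.setdefault(t[2], [])
        elif t[0] == "protocol-object":
            group.append(t[1])
        elif t[0] == "access-list":               # access-list <acl> extended <ace>
            acls.setdefault(t[1], []).append(t[3:])
        elif t[0] == "access-group":              # access-group <acl> in interface <if>
            bindings[t[4]] = t[1]
    return names, groups, acls, bindings

def ace_matches(ace, names, groups, proto, dst, port):
    # ace = [action, proto | object-group <g>, src, dst, (eq <port>)]
    protos = groups[ace[2]] if ace[1] == "object-group" else [ace[1]]
    i = 3 if ace[1] == "object-group" else 2
    i += 1 if ace[i] == "any" else 2              # source: any | host <x>
    dst_ok = ace[i] == "any" or names.get(ace[i + 1], ace[i + 1]) == dst
    i += 1 if ace[i] == "any" else 2              # destination: any | host <x>
    port_ok = i >= len(ace) or int(PORT_NAMES.get(ace[i + 1], ace[i + 1])) == port
    return proto in protos and dst_ok and port_ok

def permitted(config, interface, proto, dst, port=None):
    # First match wins; an unbound interface or no match is the implicit deny.
    names, groups, acls, bindings = parse(config)
    for ace in acls.get(bindings.get(interface, ""), []):
        if ace_matches(ace, names, groups, proto, dst, port):
            return ace[0] == "permit"
    return False
```

Run against the excerpt, it reports TCP/UDP 53 and TCP 80 to webpublic as permitted on outside but TCP 443 as denied, because outside_access_in has no https entry (only dmz_access_in does). It checks the interface ACL only; the static translations and the inspection policy in the posted config are separate stages that this evaluator does not model.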
