
How do I open a port on a Pix firewall?

Discussion in 'Networking (Hardware & Software)' started by Grunty, 2003/05/06.

Thread Status:
Not open for further replies.
  1. 2003/05/06
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    I have been giving a little help to a local non-profit organisation, and have arranged with an ISP to give them an ADSL line with a fixed IP address. The ISP people installed a Cisco PIX firewall which has 4 machines plugged into it.

    I am installing some software on one of the machines, which gives access to a library catalogue from their website.

    To enable access, port 3030 needs to be opened on the firewall, but when I phoned the ISP, I got the answer "Sorry, you haven't paid for a maintenance contract". I have the passwords to telnet into the firewall but have absolutely no idea where to go from there. Telnet and firewall config is a closed book to me.

    Could anyone give me an idea on how to open this port? The firewall is a PIX 510 with version 6.2 software on it. I have looked at info on the Cisco site, but it might as well be written in Ancient Greek.

    Thanks
     
  2. 2003/05/06
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Do you have the Cisco PIX Firewall Manager (PFM) that uses a browser and gives you GUI controls for the firewall? If so it will certainly simplify future maint. stuff you need to do.

    If you do have it, open a browser window and connect to the PFM. http://<ip address>:8080
    where: <ip address> is the IP address of the machine on which the PFM is installed.

    Otherwise,
    1. TELNET to the device
    2. Enter your login password
    3. Put the Cisco PIX Firewall into "Enabled" mode by entering enable and your enable password. You'll know it worked if the prompt changes to end with a #
    4. Then write term to display the current config of the device and post it here. Need to make sure that a little port tweaking is all you need.

    You might also want to read thru http://www.sans.org/rr/firewall/cisco_pix.php to give yourself a little more background on basic setup of these things.

    Or better yet, ask the ISP folks if you could use a simpler router/firewall and if so, get a Linksys or DLink or one of the others made for SOHO use. The $50 they spend will be well worth it unless you want to devote a fair part of your life to free Cisco tweaking to keep them running like they want.
     
    Newt,
    #2


  4. 2003/05/07
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    Thanks for the reply. I don't have a PFM installed on the admin machine, but I have the CD that came with the firewall box. I suppose it will be on there, but I can't work out how to install it. It seems to be a bin file, but I don't know what to do with it.

    Anyway, the output of the write term command is:

    Building configuration...
    : Saved
    :
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ***********encrypted
    passwd **************encrypted
    hostname *****
    domain-name ********.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside 217.23.174.74 255.255.255.248
    ip address inside 192.168.255.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 217.23.174.75
    nat (inside) 1 192.168.255.0 255.255.255.0 0 0
    static (inside,outside) 217.23.174.76 192.168.255.2 netmask 255.255.255.255 0 0
    conduit permit tcp host 217.23.174.76 eq www any
    route outside 0.0.0.0 0.0.0.0 217.23.174.73 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet 192.168.255.2 255.255.255.255 inside
    telnet timeout 5
    ssh 217.23.163.125 255.255.255.255 outside
    ssh 217.23.163.126 255.255.255.255 outside
    ssh timeout 15
    terminal width 80
    Cryptochecksum:******************
    : end
    [OK]

    I don't think there is any money left in a very limited budget to pay the ISP. I think that opening this port is the only work that needs doing; I hope so anyway.
     
    Last edited: 2003/05/07
  5. 2003/05/07
    unixfan

    unixfan Inactive

    Joined:
    2002/01/26
    Messages:
    282
    Likes Received:
    0
    [Mask your passwd lines with ****]

    Is the local address of the server you wish to open the port: 192.168.255.2 ? If so, you already have a static set-up for that and since you are using conduit commands instead of access-list:

    enable <enter enable passwd>

    conf t <go to terminal mode>

    conduit permit tcp host 217.23.174.76 eq 3030 any

    This would let any external client access that public address on that port.
    Test before saving the config (using wr mem).
    To delete the port mapping:

    no conduit permit tcp host 217.23.174.76 eq 3030 any
     
    Last edited: 2003/05/07
  6. 2003/05/07
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    Unixfan - Thanks for the reply, I will do that tomorrow morning and post back with the results. The offices of this organisation are a few hundred yards from my place of work, so I can only get there in my lunch hour.

    Newt, I have read the stuff from sans.org - thanks for that, there is a lot to read. I hope some of it sinks in.

    As the ISP seem to have access to the firewall from their building, could I do the same and set up access from my work computer to save me the walk? (maybe I could block the ISP at the same time seeing as they don't want to do any work on it anyway)

    I am on a LAN inside another PIX firewall, but I suppose it would just be a case of setting up a conduit from our firm's external IP address in the config of the destination firewall.

    i.e.: conduit permit tcp host <own firm's external ip> eq ?www/telnet? any

    Am I right or way off?

    What does the eq mean?

    Another piece of help would be appreciated.

    Thanks
     
    Last edited: 2003/05/07
  7. 2003/05/07
    unixfan

    unixfan Inactive

    Joined:
    2002/01/26
    Messages:
    282
    Likes Received:
    0
    For external access use a ssh (secure shell) client (like PuTTY) rather than telnet as all communication is encrypted.

    Your config already has:

    ssh 217.23.163.125 255.255.255.255 outside
    ssh 217.23.163.126 255.255.255.255 outside

    So check with whoever is in charge before adding your own public IP address using:

    ssh ip_address 255.255.255.255 outside

    eq precedes a port number and just means equals.
     
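    The two replies above describe the conduit that exposes port 3030 and the ssh lines that control management access. As an added example (not from the thread or from Cisco), the script below parses the relevant lines of the config Grunty posted, lists what each conduit actually exposes behind its static mapping, shows the one extra service the 3030 conduit adds, and lists the outside addresses allowed to ssh in, so the change can be reviewed before `wr mem`.

```python
"""Review what a PIX 6.x 'write term' config exposes before and after a change.
Added example; the config excerpt is constructed from the thread's posted config."""
import re

# Constructed excerpt: only the lines that decide exposure and management access.
PIX_CONFIG = """\
static (inside,outside) 217.23.174.76 192.168.255.2 netmask 255.255.255.255 0 0
conduit permit tcp host 217.23.174.76 eq www any
telnet 192.168.255.2 255.255.255.255 inside
ssh 217.23.163.125 255.255.255.255 outside
ssh 217.23.163.126 255.255.255.255 outside
"""
# The line unixfan proposes adding for the library catalogue.
CONDUIT_3030 = "conduit permit tcp host 217.23.174.76 eq 3030 any\n"

# PIX port keywords that appear in this thread; numbers are used as-is.
NAMED_PORTS = {"www": 80, "telnet": 23, "ssh": 22}

def port_number(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def parse_config(text):
    """Return (static_map public->inside, conduits, management_access)."""
    statics, conduits, mgmt = {}, [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "static":
            # static (inside,outside) <public> <inside> netmask <mask> ...
            statics[parts[2]] = parts[3]
        elif parts[:2] == ["conduit", "permit"]:
            m = re.match(r"conduit permit (\w+) host (\S+) eq (\S+) (\S+)", line)
            if m:
                proto, pub, port, src = m.groups()
                conduits.append((proto, pub, port_number(port), src))
        elif parts[0] in ("telnet", "ssh") and len(parts) == 4:
            # <telnet|ssh> <address> <mask> <interface>: who may manage the box
            mgmt.append((parts[0], parts[1], parts[3]))
    return statics, conduits, mgmt

def exposed_services(text):
    """Sorted (inside_host, proto, port, allowed_source) for each conduit whose
    public address has a static; a conduit with no static reaches nothing."""
    statics, conduits, _ = parse_config(text)
    return sorted((statics[pub], proto, port, src)
                  for proto, pub, port, src in conduits if pub in statics)

def new_exposure(before, after):
    """Services reachable after the change that were not reachable before."""
    return sorted(set(exposed_services(after)) - set(exposed_services(before)))

def outside_ssh_sources(text):
    return [addr for kind, addr, iface in parse_config(text)[2]
            if kind == "ssh" and iface == "outside"]
```

Running `new_exposure(PIX_CONFIG, PIX_CONFIG + CONDUIT_3030)` confirms the change opens exactly TCP 3030 to 192.168.255.2 from any source and nothing else; `outside_ssh_sources` shows which addresses already have ssh access before another one is added.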
  8. 2003/05/07
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    OK, I will try that as well tomorrow. I have looked at the PuTTY website and will download that too.

    As for who is in charge - erm-- it is me I am afraid. I am network/systems admin and have so many other things to do so I have never had to learn this sort of stuff before.

    Are there security implications with putting my work IP address in the config of this remote firewall?
    If so, I probably won't bother; I can't afford to compromise security in my paying job.

    Ta
     