Cisco – Allow Network to Network traffic for specific port, Cisco PIX v6.2

ciscofirewall

simple question. I am trying to allow traffic from NetworkA to NetworkB through and old PIX firewall. The firewall has a leg into each NetworkA+B.

nameif ethernet1 inside security 100
nameif ethernet2 dmz security 20

ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.254.1 255.255.255.0

I want to allow an IP 192.168.254.50 to connect to 192.168.1.10 over port 14333. After researching, I was told that I need to make a static statement for each direction and use conduit command as well…Correct me if I am wrong..

static (dmz,inside) 192.168.1.0 192.168.254.0 netmask 255.255.255.0 0 0 
conduit permit tcp host 192.168.254.50 host 192.168.1.10 eq 1433

I have only done Cisco Firewall rules via access-lists and access-groups. However I am limited to this method due to the version of our PIX.

Best Answer

I can't say for certain with 6.2 as I'm only familiar with 6.3+ but this is how you would usually do it.

access-list dmz-in permit tcp host 192.168.254.50 host 192.168.1.10 eq 1433
access-group dmz-in in interface dmz

This will basically put an access-list on the DMZ interface and allow the traffic that you have mentioned.

Be aware that if you don't already have one applied that when you put an access-group on an interface it changes the traffic behaviours of existing traffic and you will need to add these to the same ACL.

Related Solutions

Cisco – Monitor specific traffic type on a Cisco router

You could monitor the traffic

on the router, Cisco IOS 12.4(20)T and later, there is a packet capture feature, with filtering on interface name and direction and ACL.
- set up an access list for matching the traffic
- create a capture buffer monitor capture buffer holdpackets filter access-list <number>
- define a capture point monitor capture point ... possibly with interface name, direction, and more - use the inline help to see possibilities
- let the traffic pass
- look at the capture buffer: show monitor capture buffer holdpackets dump, use export instead of dump to get a PCAP file for Wireshark analysis
- don't forget to stop capturing, remove the capture point and delete the capture buffer afterwards
For details and examples, follow the link or look at a Cisco troubleshooting manual.
on the switchport, where the router is connected to, for this you could set up a mirror port on the switch and monitor this via Wireshark
on the firewall, where the traffic passes

Cisco ASAs are capable of remotely doing packet capturing and giving you the output as a PCAP file which you can open locally with Wireshark. The ASDM provides an assistant for this. Step by step, you can specify source and destionation interface, ACLs or src/dest networks/host, and the protocol you like to watch. That's why I like having ASAs in place everywhere - with a router CLI may seem a bit complicated.

Screenshot of the packet capture wizard

Cisco PIX – How to Increase SIP Timeout for REGISTER Transaction Type

After further research, looks like this is Cisco bug CSCei29494 though I see no fixed release. An ASA 5515-X running 9.1(2) shows the same 0:03:00 timeout, also apparently not configurable, though it doesn't have the same trouble with calls (e.g. INVITEs) when the REGISTER session expired and got deleted by the ASA.

Initial REGISTER shows "expires" found and set to 300 seconds, but PIX is setting to 180 (0:03:00).

SIP::Found CSeq 21141 REGISTER
...
SIP::Found Expires, 300 seconds

ASA looks to allow INVITE and RTP without a REGISTER session as shown by these sip debug entries:

SIP::Not updating database for Contact x.17.30.16/60422, registry database total 0
SIP::Non-session level connection addr x.17.30.16, media port 4000
Created SIP session for inside:x.17.30.16/55816 to outside:y.241.2.206/5060, 1 total
SIP::Adding early RTP conn y.241.2.206/* to x.17.30.16/4000

Best Answer

Related Solutions

Cisco – Monitor specific traffic type on a Cisco router

Cisco PIX – How to Increase SIP Timeout for REGISTER Transaction Type

Related Topic