Posted by guru@progon.net on July 20, 2004, 11:28 am
Hello...
I need to restrict the port range used for NAT/PAT to 8192..65535.
PIX 525 with 6.3(.3) is used.
Any suggestions?
Details:
pixfirewall# sh xlat
10 in use, 47 most used
PAT Global x.y.z.194(1025) Local 10.32.32.141(1036)
PAT Global x.y.z.194(165) Local 10.32.16.181(123)
PAT Global x.y.z.194(5) Local 10.32.3.5(123)
PAT Global x.y.z.194(121) Local 10.32.32.131(123)
PAT Global x.y.z.194(4) Local 10.32.3.1(123)
Low ports such as 4, 5, ... are causing problems as some services won't talk
to these ports...
Best regards...
Posted by Walter Roberson on July 20, 2004, 3:25 pm
:I need to restrict the port range used for NAT/PAT to 8192..65535.
:PIX 525 with 6.3(.3) is used.
:Any suggestions?
There is no provided way to do that.
:Details:
:pixfirewall# sh xlat
:10 in use, 47 most used
:PAT Global x.y.z.194(1025) Local 10.32.32.141(1036)
:PAT Global x.y.z.194(165) Local 10.32.16.181(123)
:PAT Global x.y.z.194(5) Local 10.32.3.5(123)
:PAT Global x.y.z.194(121) Local 10.32.32.131(123)
:PAT Global x.y.z.194(4) Local 10.32.3.1(123)
:Low ports such as 4, 5, ... are causing problems as some services won't talk
:to these ports...
Notice that the low ports are only used to talk to low ports (< 1024).
The PIX uses three different PAT port pools, reserving low ports
for talking to low ports, reserving the middle range for talking to
the middle range, and reserving the high range for talking to the
high range. I do not recall exactly where the boundary between the middle
and high range is -- it is a much less important boundary than the
1023 boundary, and is often overlooked. The high range is, as I recall,
completely reserved for user-defined and dynamic allocations,
whereas the midrange is allowed to have a mix of dynamic allocations and
registered services. (In other words, if you use a high enough port
number then the standards say that you are guaranteed not to clash with
any officially registered service, whereas ports in the mid-range are
still subject to reservation through the official IANA process and
if you use one of them, you risk clashing with an official service.)
If the remote machines won't listen to low-numbered ports when talking
to low-numbered ports then they are, as best I recall, operating
out of spec. But of course there's always the problem that if you
don't yourself happen to be using (say) 137, that you might
get dynamically allocated 137 and someone might filter on that in
order to block apparent NETBIOS. The work-around to that is to
add in specific PAT translations for the ports you don't want
dynamically allocated, and then block the access to those ports via
ACLs so you don't accidentally leak anything in either direction on
those ports.
--
Studies show that the average reader ignores 106% of all statistics
they see in .signatures.
Posted by Rod Dorman on July 20, 2004, 5:26 pm
> ...
>Notice that the low ports are only used to talk to low ports (< 1024).
>The PIX uses three different PAT port pools, reserving low ports
>for talking to low ports, reserving the middle range for talking to
>the middle range, and reserving the high range for talking to the
>high range. I do not recall exactly where the boundary between the middle
>and high range is -- it is a much less important boundary than the
>1023 boundary, and is often overlooked. The high range is, as I recall,
>completely reserved for user-defined and dynamic allocations,
Good memory.
For those that like links see
http://www.iana.org/assignments/port-numbers
The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151
The Dynamic and/or Private Ports are those from 49152 through 65535
--
-- Rod --
rodd(at)polylogics(dot)com
Posted by guru@progon.net on July 20, 2004, 6:58 pm
On 20 Jul 2004 15:25:32 GMT, roberson@ibd.nrc-cnrc.gc.ca (Walter
Roberson) wrote:
>There is no provided way to do that.
Ok, thank you anyway...
>If the remote machines won't listen to low-numbered ports when talking
>to low-numbered ports then they are, as best i recall, operating
>out of spec.
My problem is NTP. NTP only accepts port 123 from the reserved
range:
    if (!(SRCPORT(&rbufp->recv_srcadr) == NTP_PORT ||
          SRCPORT(&rbufp->recv_srcadr) >= IPPORT_RESERVED)) {
        sys_badlength++;
        return;
    }
Best regards...
Posted by Walter Roberson on July 20, 2004, 5:06 pm
:My problem is NTP. NTP only accepts port 123 from the reserved
:range:
: if (!(SRCPORT(&rbufp->recv_srcadr) == NTP_PORT ||
: SRCPORT(&rbufp->recv_srcadr) >= IPPORT_RESERVED)) {
: sys_badlength++;
: return;
I have never seen an instance in which our PIX allocated a non-
reserved port when connecting to NTP. I believe it could happen in
theory if all the reserved ports were full, but we've never had
all the reserved ports fill up simultaneously.
rsh/rexec is another one that only accepts reserved ports. Makes it
difficult to tunnel my software updates through ssh [the update
script uses rsh to "dd" out of the middle of package files.]
--
I predict that you will not trust this prediction.
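The following is an added example and is not code from this thread, from Cisco, or from the ntpd sources. It models the three-pool PAT behaviour Walter describes (mapped port drawn from the same pool as the local source port), next to the ntpd source-port check guru quoted, so the reader can see why a translation such as 123 -> 4 is dropped by an NTP server while 1036 -> 1025 is fine. The pool edges 1023 and 49151 are an assumption taken from the IANA ranges in Rod's post; the thread only states the 1023 edge. The sequential allocator, `pat_state`, `pat_allocate` and `ntp_clients_accepted` are illustrative stand-ins, not the PIX's real allocator.

```c
/* Added example (not from the thread, Cisco, or ntpd): a model of the PIX
 * three-pool PAT allocation described in the thread, plus ntpd's source-port
 * acceptance test rewritten from the quoted snippet. */
#include <stdio.h>
#include <stdbool.h>

#define NTP_PORT        123
#define IPPORT_RESERVED 1024   /* first non-reserved port, as in BSD <netinet/in.h> */

/* Assumed pool edges: the IANA boundaries quoted by Rod. Only the 1023 edge
 * is confirmed by the thread; the 49151 edge is an assumption. */
#define LOW_MAX   1023
#define MID_MAX   49151

enum pool { POOL_LOW = 0, POOL_MID = 1, POOL_HIGH = 2 };

/* Which pool the PIX would draw a mapped port from for a given local port. */
enum pool pool_of(unsigned port) {
    if (port <= LOW_MAX) return POOL_LOW;
    if (port <= MID_MAX) return POOL_MID;
    return POOL_HIGH;
}

/* ntpd's check, rewritten from the quoted source: a packet is accepted only
 * if it comes from port 123 or from a non-reserved port (>= 1024). Any other
 * low port is counted in sys_badlength and the packet is dropped. */
bool ntp_accepts_source_port(unsigned srcport) {
    return srcport == NTP_PORT || srcport >= IPPORT_RESERVED;
}

/* Hypothetical sequential allocator standing in for the PIX's real one:
 * one "next free port" cursor per pool. */
struct pat_state { unsigned next[3]; };

void pat_init(struct pat_state *s) {
    s->next[POOL_LOW]  = 1;            /* port 0 is never handed out */
    s->next[POOL_MID]  = LOW_MAX + 1;
    s->next[POOL_HIGH] = MID_MAX + 1;
}

/* Mapped port for a new translation of local_port; 0 when its pool is full. */
unsigned pat_allocate(struct pat_state *s, unsigned local_port) {
    enum pool p = pool_of(local_port);
    unsigned limit = (p == POOL_LOW) ? LOW_MAX : (p == POOL_MID) ? MID_MAX : 65535u;
    if (s->next[p] > limit) return 0;  /* pool exhausted */
    return s->next[p]++;
}

/* How many of n NTP clients behind the PAT (all sending from local port 123)
 * end up with a mapped port an ntpd server would accept. With low->low
 * mapping, only the client that happens to get mapped port 123 survives. */
unsigned ntp_clients_accepted(unsigned n) {
    struct pat_state s;
    unsigned ok = 0;
    pat_init(&s);
    for (unsigned i = 0; i < n; i++) {
        unsigned mapped = pat_allocate(&s, NTP_PORT);
        if (mapped != 0 && ntp_accepts_source_port(mapped)) ok++;
    }
    return ok;
}

int main(void) {
    /* Mapped ports taken from the "sh xlate" output in the first post. */
    unsigned sample[] = {1025, 165, 5, 121, 4};
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("mapped port %5u: %s\n", sample[i],
               ntp_accepts_source_port(sample[i]) ? "accepted by ntpd"
                                                  : "rejected (sys_badlength)");
    printf("%u of 10 NTP clients behind the PAT would be accepted\n",
           ntp_clients_accepted(10));
    return 0;
}
```

Run as-is it walks the five mapped ports from the original `sh xlate` output: 1025 passes (it is >= 1024 because the local port 1036 came from the middle pool), while 165, 5, 121 and 4 are all rejected, which is exactly the symptom in the first post. Walter's workaround maps onto this model directly: a static translation pins a local port to a chosen mapped port instead of letting the pool allocator pick one.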