ports and firewalls and ISA, oh my!
deicist
Manchester, UK
Just want to check my understanding of something is correct really.... some background first. I'm a systems admin for a recruitment agency, and one of our clients has recently started to use a system that allows us to send / receive invoices from a piece of client software running on one of our workstations to a secure IP address provided by them. Now, the system works on port 8080. So to NAT the port through to the correct workstation I have: opened the port on our PIX firewall, to route port 8080 inbound from that specific IP address to the address of our ISA server. Then on the ISA server I have a port 8080 inbound rule from the address the ISA talks to the PIX on to the workstation, and an outbound rule for 8080 to the IP address provided by the client. This seems fine to me, however the software doesn't work. Now, the client is saying that when they do a port probe using ShieldsUP, port 8080 should show open when the software is running, and closed when it isn't. The port shows open irrespective of whether the software is running or not. The client is saying that because the port is showing open all the time that means that we have another piece of software listening on 8080. Now I have 2 problems with this.
1) ShieldsUP doesn't use the specific IP provided by the client, so the rule in the PIX doesn't apply to traffic from that address. I think it's showing open because we have another rule allowing any traffic from the ShieldsUP address purely for testing.
2) The whole 'port shows open only when software is listening on it' really doesn't sit well with me. As I understand it, when a port is open it's open no matter if something is listening on that port or not. Is that right? For example, if I have a firewall with no client PCs attached to it and open ports on it, then scan the firewall the ports will show as open no?
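The distinction at the heart of question 2 (a firewall rule that permits traffic versus a process that actually accepts the connection) can be shown with a small connect-style probe, written in the same way a scanner such as ShieldsUP classifies a port. This is an added example, not code from the post or from any of the products named; it runs entirely on the local loopback interface, with one ephemeral port that has a listener (standing in for the invoice client) and one that does not. A permitted-but-unanswered port reports "closed" (the host sends a RST), while "open" only appears when something completes the handshake, so a port that is open all the time means some process, possibly the proxy or the firewall itself, is accepting those connections.

```python
import socket
import threading
from enum import Enum


class PortState(Enum):
    OPEN = "open"          # TCP handshake completed: a process accepted the connection
    CLOSED = "closed"      # host replied with RST: reachable, but nothing is listening
    FILTERED = "filtered"  # no reply at all: a firewall dropped the probe (or host is down)


def probe(host: str, port: int, timeout: float = 2.0) -> PortState:
    """Classify a TCP port the way a connect-style scanner does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return PortState.OPEN
        except ConnectionRefusedError:
            return PortState.CLOSED
        except (socket.timeout, TimeoutError):
            return PortState.FILTERED


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Stand-in for the client software: bind an ephemeral port and accept connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # raised once srv is closed
                break

    threading.Thread(target=loop, daemon=True).start()
    return srv


def unused_port(host: str = "127.0.0.1") -> int:
    """Reserve and release an ephemeral port so that nothing listens on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Probe a port with a listener and a port without one; constructed local scenario."""
    srv = start_listener()
    listening, idle = srv.getsockname()[1], unused_port()
    results = {"listening": probe("127.0.0.1", listening), "idle": probe("127.0.0.1", idle)}
    srv.close()
    return results  # {'listening': PortState.OPEN, 'idle': PortState.CLOSED}
```

Run `demo()` to see the two outcomes; a FILTERED result would need a target whose firewall silently drops the probe, which a loopback test cannot produce.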
Comments
Did you use
static inside outside..?
That's one easy and safe way. Creating a static route from the outside interface on the pix to the "outside" interface of the ISA.
What else do you use ISA for...? ISA quite often is set up to provide internet proxy service on 8080...!