Adding a new server behind the firewall (Pix) that needs access to specific "unusual" ports (eg. cvs, protel...)

In this example, we need to add access to TCP ports 6504 and 2401 to host aspersa for the user.

1. Put the host in the private and public DNS servers.

2. Open Pix PDM (https://172.16.0.1, username admin). Resize the window. Select the Configuration tab.

3. Add the host to the outside and inside interfaces as described in steps 3-10 above.

4. From the drop-down menu at the top of the PDM window, select Tools->Service Groups.

5. Make sure TCP is selected at the top and then click on the Add button on the RHS.

6. In the new box that appears, enter a service group name and description. I either name the group according to the services (eg MAIL_SVCS = smtp, pop, imap, pops, etc.) or according to the user who requested the service (since the user quite often wants those services on more than one computer). In this case I will name the service group agibb. In the description, I entered "http on 6504, CVS on 2401".

   To add services to the group, you can either select from one of the services shown on the LHS, or enter a new port (range) at the bottom on the LHS. In this case, the ports are not in the list, so I click on the "Range" button, enter 6504 for the starting port number and leave the "to" field blank. Next, click the Add button. Then enter 2401 for the starting port number (again leaving the "to" port number blank) and click the Add button. On the RHS you should now see the two ports listed.

   Click the OK button to save the new service group, then click the Apply button in the Manage Service Groups window. Review your CLI commands in the Preview window and click the Send button if everything looks OK.

   We now need to add an access rule so that outside hosts can access the service group we just defined on the particular host(s) that we want.

7. In the main PDM window, click on the Access Rules tab. Click on the "Add New Rule" icon. It is on the LHS just above the Access Rules tab and looks like a sheet of paper with the top RHS corner folded down and a small "sun" behind the top LHS corner. When you hover the mouse over the icon, it will show you what the icon represents.

8. Enter data as follows:

   Action:
   - make sure permit is selected.

   Syslog:
   - leave unchecked.

   Source Host/Network:
   - make sure IP address is selected
   - change the Interface to "Outside"
   - in this case we want to allow anyone access to these ports, so leave the IP address and netmask set to "0.0.0.0".

   Destination Host/Network:
   - make sure IP address is selected
   - leave the Interface set to "Inside"
   - click the browse button and select the appropriate host; in this case it is aspersa-i. After it is selected, the IP address shows 172.16.16.237 and the Netmask is set to 255.255.255.255.

   Protocol and Services:
   - on the LHS, make sure TCP is selected.
   - under Source Port, make sure the Service button is selected and that "Service = any".
   - on the RHS, under Destination Port, make sure "Service Group" is selected, and select the agibb service group from the drop-down menu.

   Don't enter anything for the optional description at the bottom. There seems to be a bug in the PDM where the descriptions get disassociated from the access rule and become meaningless (and confusing). Click the OK button when done.

9. Click the Apply button at the bottom of the Access Rules tab. Check that the CLI commands look correct and then press Send.

10. Do the save to flash again as instructed above.

11. From the File menu in the top LHS, select Save Running Configuration to TFTP server. The "Configuration file name" should be set to /YYMMDDXX where YY, MM, DD are obvious, and XX is incremented each time you do a save during the same day, starting from 00.

===================================================================
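For reference, this is roughly what the PDM Preview window should show in steps 6 and 9 for the agibb example, written out as PIX 6.x CLI. It is an added example, not text from the original procedure, and it assumes PDM's usual inbound ACL name outside_access_in and uses PUBLIC_IP_PLACEHOLDER for the public address that the static from the earlier host steps maps to aspersa-i (that address is not given in this document); on pre-8.3 PIX code an inbound ACL on the outside interface matches the translated global address, not the 172.16.16.237 that PDM displayed, so if the Preview shows the inside address something went wrong with the host setup in step 3.

```cisco
! Added example of the expected PIX 6.x CLI, not the document's own text.
! Assumed: ACL name outside_access_in (PDM default); PUBLIC_IP_PLACEHOLDER
! stands for the global address the static for aspersa-i maps to.
object-group service agibb tcp
  description http on 6504, CVS on 2401
  port-object eq 6504
  port-object eq 2401
!
! Anyone outside -> the public address of aspersa-i, only the two ports in agibb
access-list outside_access_in permit tcp any host PUBLIC_IP_PLACEHOLDER object-group agibb
access-group outside_access_in in interface outside
!
! Check before saving: the two expanded port entries should be listed and,
! after a test connection from outside, show a non-zero hit count
show access-list outside_access_in
! Save to flash (step 10)
write memory
```

Because the source is "any", every host on the Internet can reach those two ports on aspersa-i; if the request was really only for the user's own machines, enter their address and netmask as the Source Host/Network in step 8 instead of 0.0.0.0.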