Solved

Allowing Port 95 on a Cisco 1600

Posted on 2002-05-29
Last Modified: 2010-04-17
I would like to know which commands I have to use to allow communication on the TCP/IP port 95 in the Cisco 1600.

The commands I have been using are:

* enable
* config t
* access-list 100 permit tcp any host 21.13.84.5 eq 95
* exit
* disable
* wr mem

The modification then shows on the Configuration Table, but I am still not able to access IP Address 21.13.84.5 from Port 95 out of my LAN.

What more do I need to do? Also, ports 25 and 110 are already accessed through this IP address (21.13.84.5); as such, the IP is visible from outside the LAN.

Please Help...
0
Comment
Question by:billyh
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 7041559
Can you post your complete config?

Is this access-list applied inbound or outbound, and on what interface? Is this host external to you, or internal? Is port 95 the source port or destination port?
0
 
LVL 8

Expert Comment

by:scraig84
ID: 7041665
Also to add to lrmoore's suggestions, what exactly are you trying to do with port 95?  How are you testing if it works?  Also, maybe I am being picky about wording but you said "I am still not able to access IP Address 21.13.84.5 from Port 95 out of my LAN" - is port 95 the source port from your LAN or the destination out of your LAN?  Just want to clarify your intent.
0
 
LVL 1

Author Comment

by:billyh
ID: 7041748
What I want to do is to use an extension of MDaemon called World Client to be accessed from any web browser by the use of port 95.

21.13.84.5 is the static IP address given to me by our ISP. In the LAN I access World Client by using the url:

http://100.0.0.67:95

Ideally from outside the LAN, to access World client using the Static IP Address I would use the url:

http://21.13.84.5:95

Because the router only allows access on ports 25, and port 110 to IP 21.13.84.5, I cannot get World Client.

The config file is as follows:

interface Ethernet0
 description Local Network
 ip address 10.0.0.254 255.255.255.0 secondary
 ip address 21.13.84.150 255.255.255.248
 ip nat inside
 no cdp enable
!
interface Ethernet1
 ip address 21.13.80.81 255.255.255.0
 ip access-group 100 out
 shutdown
!
interface Serial0
 ip address 21.13.81.130 255.255.255.252
 ip access-group 100 in
 ip nat outside
 no fair-queue
!
ip nat pool NATPool 21.13.84.148 21.13.84.149 netmask 255.255.255.248
ip nat inside source list 1 pool NATPool overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
ip pim bidir-enable
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 10.0.0.2
access-list 2 permit 217.151.169.73
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any eq domain any
access-list 100 permit tcp any host 21.13.84.145 eq smtp
access-list 100 permit tcp any host 21.13.84.145 eq pop3
access-list 100 permit tcp host 196.30.131.82 host 21.13.84.146 eq 5631
access-list 100 permit udp host 196.30.131.82 host 21.13.84.146 eq 5632
access-list 100 permit tcp host 217.151.169.73 host 21.13.84.150 eq telnet
access-list 100 permit tcp any any established
access-list 100 permit icmp any any
access-list 100 deny   ip any any log
access-list 100 permit tcp any host 21.13.84.145 eq 95
access-list 100 permit tcp any host 21.13.84.145 eq www
!
line con 0
line vty 0 4
 access-class 2 in
!
end


0
 
LVL 8

Expert Comment

by:scraig84
ID: 7041851
You've got a multitude of issues going on here.  You have an access list that is applied in both directions, it is poorly configured in general (no offense to the creator), the lines you added were after a "deny all" statement, and you need to set up static NAT.

One of us can certainly help you, but I have two questions:

How comfortable are you with the IOS and configuring the router?

Do you know exactly what you need to allow and not allow for access?

I would recommend fully rewriting the access list and scrap the current one, which is what prompts the second question.  The first question is due to the fact that there is a decent amount of work here, so I am ensuring you have a comfort level to complete the task.
0
 
LVL 1

Author Comment

by:billyh
ID: 7041880
No offense taken, at least you will help.

I know that the IP addresses do not make sense. I did it intentionally so as not to give away my IP addresses; the general idea is to allow incoming communications for address 21.13.84.5 on port 95.

I am comfortable with configuring the router, so please give me the steps for rewriting the access list.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 100 total points
ID: 7042031
I agree with scraig84.
The fact that you have the same access-list applied out the Ethernet interface is irrelevant because that interface is shutdown anyway.
You must assign static NAT mapping for this to work.
Use a script like this to cut/paste to change your access lists:

! remove the access-group from the interfaces
!
interface Serial0
 no ip access-group 100 in
!
interface Ethernet1
 no ip access-group 100 out
!
! delete the access-list
!
no access-list 100
!
! now re-build the access-list entirely
!
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any ttl-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit tcp any host 21.13.84.145 eq 95
access-list 100 permit tcp any host 21.13.84.145 eq www
access-list 100 permit tcp any host 21.13.84.145 eq smtp
access-list 100 permit tcp any host 21.13.84.145 eq pop3
access-list 100 permit udp any eq domain any
access-list 100 permit tcp host 196.30.131.82 host 21.13.84.146 eq 5631
access-list 100 permit udp host 196.30.131.82 host 21.13.84.146 eq 5632
access-list 100 permit tcp host 217.151.169.73 host 21.13.84.150 eq telnet
access-list 100 permit tcp any any established
access-list 100 deny   ip any any log
!
interface Serial0
 ip access-group 100 in
!

Now you need static NAT mappings for 21.13.84.145, .146, and .150:

!
ip nat inside source static 10.0.0.145 21.13.84.145
ip nat inside source static 10.0.0.146 21.13.84.146
ip nat inside source static 10.0.0.150 21.13.84.150
!

0
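The ordering problem both experts point out (permits appended after `deny ip any any` are never evaluated), as an added example that is not part of the original thread: a small first-match evaluator run over entries copied from the question and from the accepted answer. The parser handles only the entry forms seen here, the packet is constructed, and the static NAT that the fix also requires is not modelled.

```python
PORTS = {"domain": 53, "smtp": 25, "pop3": 110, "www": 80, "telnet": 23}

def parse_acl(text):
    """Parse the entry forms used in this thread: any | host A.B.C.D, optional 'eq PORT'."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]                       # drop 'access-list 100'
        rule = {"action": tok[0], "proto": tok[1], "text": " ".join(tok), "src_port": None, "dst_port": None}
        i = 2
        for side in ("src", "dst"):
            rule[side], i = (None, i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)
            if i < len(tok) and tok[i] == "eq":
                rule[side + "_port"], i = PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        rule["established"] = "established" in tok[i:]   # ICMP type keywords and 'log' are ignored
        rules.append(rule)
    return rules

def first_match(rules, pkt):
    """IOS evaluates entries top-down and stops at the first one that matches."""
    for n, r in enumerate(rules, 1):
        fields_ok = all(r[k] in (None, pkt[k]) for k in ("src", "src_port", "dst", "dst_port"))
        if r["proto"] in ("ip", pkt["proto"]) and fields_ok and (pkt["established"] or not r["established"]):
            return r["action"], n
    return "deny", None                              # implicit deny at the end of every ACL

def unreachable(rules):
    """Entries listed after a catch-all 'ip any any' entry can never be reached."""
    for n, r in enumerate(rules, 1):
        if r["proto"] == "ip" and r["src"] is None and r["dst"] is None:
            return [x["text"] for x in rules[n:]]
    return []

# Excerpt of the ACL as posted in the question: the port 95 permit follows the deny.
AS_POSTED = parse_acl("""
access-list 100 permit tcp any host 21.13.84.145 eq smtp
access-list 100 permit tcp any any established
access-list 100 deny   ip any any log
access-list 100 permit tcp any host 21.13.84.145 eq 95
""")
# The same entries in the order used by the rebuilt list in the accepted answer.
REBUILT = parse_acl("""
access-list 100 permit tcp any host 21.13.84.145 eq 95
access-list 100 permit tcp any host 21.13.84.145 eq smtp
access-list 100 permit tcp any any established
access-list 100 deny   ip any any log
""")
# Constructed packet: a new inbound TCP connection to port 95 (source is a documentation address).
SYN_95 = {"proto": "tcp", "src": "198.51.100.7", "src_port": 40000,
          "dst": "21.13.84.145", "dst_port": 95, "established": False}
```

`first_match(AS_POSTED, SYN_95)` stops at the deny on entry 3, while `first_match(REBUILT, SYN_95)` permits on entry 1; `unreachable()` lists the entries that need to move above the deny.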
 
LVL 27

Expert Comment

by:Asta Cu
ID: 7044978
Hi, your question posted in duplicate, recommend you delete the following one to get your points back.
http://www.experts-exchange.com/routerswitch/Q_20305726.html
":0) Asta
0
 
LVL 1

Author Comment

by:billyh
ID: 7050538
You have both been helpful, your suggestion worked. Thanks a lot.

Billy
0

Question has a verified solution.
