Solved

Allowing Port 95 on a Cisco 1600

Posted on 2002-05-29
Last Modified: 2010-04-17
I would like to know which commands I have to use to allow communication on TCP/IP port 95 on the Cisco 1600.

The commands I have been using are:

* enable
* config t
* access-list 100 permit tcp any host 21.13.84.5 eq 95
* exit
* disable
* wr mem

The modification then shows on the Configuration Table, but I am still not able to access IP Address 21.13.84.5 from Port 95 out of my LAN.

What more do I need to do? Also, ports 25 and 110 are already accessed through this IP address (21.13.84.5), so the IP is visible from outside the LAN.

Please Help...
Question by:billyh
8 Comments
LVL 79

Expert Comment

by:lrmoore
Can you post your complete config?

Is this access-list applied inbound or outbound, and on what interface? Is this host external to you, or internal? Is port 95 the source port or destination port?
LVL 8

Expert Comment

by:scraig84
Also to add to lrmoore's suggestions, what exactly are you trying to do with port 95?  How are you testing if it works?  Also, maybe I am being picky about wording but you said "I am still not able to access IP Address 21.13.84.5 from Port 95 out of my LAN" - is port 95 the source port from your LAN or the destination out of your LAN?  Just want to clarify your intent.
LVL 1

Author Comment

by:billyh
What I want to do is to use an extension of MDaemon called World Client to be accessed from any web browser by the use of port 95.

21.13.84.5 is the static IP address given to me by our ISP. In the LAN I access World Client by using the url:

http://100.0.0.67:95

Ideally from outside the LAN, to access World client using the Static IP Address I would use the url:

http://21.13.84.5:95

Because the router only allows access on ports 25 and 110 to IP 21.13.84.5, I cannot get to World Client.

The config file is as follows:

interface Ethernet0
 description Local Network
 ip address 10.0.0.254 255.255.255.0 secondary
 ip address 21.13.84.150 255.255.255.248
 ip nat inside
 no cdp enable
!
interface Ethernet1
 ip address 21.13.80.81 255.255.255.0
 ip access-group 100 out
 shutdown
!
interface Serial0
 ip address 21.13.81.130 255.255.255.252
 ip access-group 100 in
 ip nat outside
 no fair-queue
!
ip nat pool NATPool 21.13.84.148 21.13.84.149 netmask 255.255.255.248
ip nat inside source list 1 pool NATPool overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
ip pim bidir-enable
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 10.0.0.2
access-list 2 permit 217.151.169.73
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any eq domain any
access-list 100 permit tcp any host 21.13.84.145 eq smtp
access-list 100 permit tcp any host 21.13.84.145 eq pop3
access-list 100 permit tcp host 196.30.131.82 host 21.13.84.146 eq 5631
access-list 100 permit udp host 196.30.131.82 host 21.13.84.146 eq 5632
access-list 100 permit tcp host 217.151.169.73 host 21.13.84.150 eq telnet
access-list 100 permit tcp any any established
access-list 100 permit icmp any any
access-list 100 deny   ip any any log
access-list 100 permit tcp any host 21.13.84.145 eq 95
access-list 100 permit tcp any host 21.13.84.145 eq www
!
line con 0
line vty 0 4
 access-class 2 in
!
end

LVL 8

Expert Comment

by:scraig84
You've got a multitude of issues going on here.  You have an access list that is applied in both directions, it is poorly configured in general (no offense to the creator), the lines you added were after a "deny all" statement, and you need to set up static NAT.

One of us can certainly help you, but I have two questions:

How comfortable are you with the IOS and configuring the router?

Do you know exactly what you need to allow and not allow for access?

I would recommend fully rewriting the access list and scrapping the current one, which is what prompts the second question.  The first question is due to the fact that there is a decent amount of work here, so I am ensuring you have a comfort level to complete the task.
LVL 1

Author Comment

by:billyh
No offense taken, at least you will help.

I know that the IP addresses do not make sense. I did it intentionally so as not to give away my IP addresses. The general idea is to allow incoming communications for address 21.13.84.5 on port 95.

I am comfortable with configuring the router, so please give me the steps for rewriting the access list.
LVL 79

Accepted Solution

by: lrmoore (earned 100 total points)
I agree with scraig84.
The fact that you have the same access-list applied out the Ethernet interface is irrelevant because that interface is shutdown anyway.
You must assign static NAT mapping for this to work.
Use a script like this (cut and paste) to change your access lists:

! remove the access-group from the interfaces
!
interface Serial0
 no ip access-group 100 in
!
interface Ethernet1
 ! the posted config applied list 100 outbound on this interface, so remove it with "out"
 no ip access-group 100 out
!
! delete the access-list
!
no access-list 100
!
! now re-build the access-list entirely
!
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any ttl-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit tcp any host 21.13.84.145 eq 95
access-list 100 permit tcp any host 21.13.84.145 eq www
access-list 100 permit tcp any host 21.13.84.145 eq smtp
access-list 100 permit tcp any host 21.13.84.145 eq pop3
access-list 100 permit udp any eq domain any
access-list 100 permit tcp host 196.30.131.82 host 21.13.84.146 eq 5631
access-list 100 permit udp host 196.30.131.82 host 21.13.84.146 eq 5632
access-list 100 permit tcp host 217.151.169.73 host 21.13.84.150 eq telnet
access-list 100 permit tcp any any established
access-list 100 deny   ip any any log
!
interface Serial0
 ip access-group 100 in
!

Now you need static NAT mappings for 21.13.84.145, .146, and .150:

!
ip nat inside source static 10.0.0.145 21.13.84.145
ip nat inside source static 10.0.0.146 21.13.84.146
ip nat inside source static 10.0.0.150 21.13.84.150
!

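The following script is an added example and is not part of this thread or of IOS itself. It shows, for scraig84's diagnosis ("the lines you added were after a 'deny all' statement") and lrmoore's rebuilt list, how IOS evaluates an extended access list top-down with the first matching entry winning. It parses the two versions of access-list 100 posted above with a small hand-written subset of the IOS syntax (permit/deny, ip/tcp/udp/icmp, any | host A | A wildcard, "eq <port>", an ICMP type keyword, "established", "log"); the sample packets and the outside client address 198.51.100.7 are constructed for the demonstration.

```python
"""Added example (not from the thread): first-match evaluation of the two versions of
access-list 100. Supports only a subset of IOS extended-ACL syntax (see lead-in)."""
import ipaddress

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "domain": 53, "telnet": 23}

# access-list 100 as it stood in the posted config (the port 95 and www entries appended last)
ORIGINAL_ACL_100 = """
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any eq domain any
access-list 100 permit tcp any host 21.13.84.145 eq smtp
access-list 100 permit tcp any host 21.13.84.145 eq pop3
access-list 100 permit tcp host 196.30.131.82 host 21.13.84.146 eq 5631
access-list 100 permit udp host 196.30.131.82 host 21.13.84.146 eq 5632
access-list 100 permit tcp host 217.151.169.73 host 21.13.84.150 eq telnet
access-list 100 permit tcp any any established
access-list 100 permit icmp any any
access-list 100 deny   ip any any log
access-list 100 permit tcp any host 21.13.84.145 eq 95
access-list 100 permit tcp any host 21.13.84.145 eq www
"""
# the rebuilt list from the accepted answer: specific permits first, catch-all deny last
REBUILT_ACL_100 = """
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any ttl-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit tcp any host 21.13.84.145 eq 95
access-list 100 permit tcp any host 21.13.84.145 eq www
access-list 100 permit tcp any host 21.13.84.145 eq smtp
access-list 100 permit tcp any host 21.13.84.145 eq pop3
access-list 100 permit udp any eq domain any
access-list 100 permit tcp host 196.30.131.82 host 21.13.84.146 eq 5631
access-list 100 permit udp host 196.30.131.82 host 21.13.84.146 eq 5632
access-list 100 permit tcp host 217.151.169.73 host 21.13.84.150 eq telnet
access-list 100 permit tcp any any established
access-list 100 deny   ip any any log
"""

def _addr(tok, i):
    """'any' | 'host A' | 'A wildcard' at tok[i] -> (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    bits = int(ipaddress.ip_address(tok[i + 1])).bit_length()  # contiguous wildcard assumed
    return ipaddress.ip_network(f"{tok[i]}/{32 - bits}", strict=False), i + 2

def _port(tok, i):
    """Optional 'eq <port>' at tok[i] -> (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """access-list N permit|deny PROTO SRC [eq P] DST [eq P] [icmp-type] [established] [log]"""
    tok = line.split()
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    tail = [t for t in tok[i:] if t not in ("established", "log")]
    return {"action": tok[2], "proto": tok[3], "src": src, "sport": sport, "dst": dst,
            "dport": dport, "established": "established" in tok[i:],
            "icmp_type": tail[0] if tail else None}

def ace_matches(ace, pkt):
    """pkt is a dict with proto, src, dst and optional sport, dport, ack, icmp_type."""
    return ((ace["proto"] == "ip" or ace["proto"] == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ace["src"]
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and ace["sport"] in (None, pkt.get("sport"))
            and ace["dport"] in (None, pkt.get("dport"))
            and (not ace["established"] or pkt.get("ack", False))  # only ACK/RST segments
            and ace["icmp_type"] in (None, pkt.get("icmp_type")))

def entries(acl_text):
    return [l.strip() for l in acl_text.splitlines() if l.strip() and not l.lstrip().startswith("!")]

def evaluate(acl_text, pkt):
    """IOS semantics: the first matching entry wins; no match means implicit deny."""
    for line in entries(acl_text):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "<implicit deny ip any any>"

def shadowed_entries(acl_text):
    """Entries placed after a catch-all 'deny ip any any' can never be reached."""
    lines = entries(acl_text)
    for n, line in enumerate(lines):
        a = parse_ace(line)
        if (a["action"], a["proto"], a["src"].prefixlen, a["dst"].prefixlen,
                a["sport"], a["dport"]) == ("deny", "ip", 0, 0, None, None):
            return lines[n + 1:]
    return []

# constructed traffic: an outside browser (198.51.100.7) opening World Client on port 95
WORLDCLIENT_SYN = {"proto": "tcp", "src": "198.51.100.7", "sport": 40000,
                   "dst": "21.13.84.145", "dport": 95, "ack": False}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL_100), ("rebuilt", REBUILT_ACL_100)):
        print(name, *evaluate(acl, WORLDCLIENT_SYN))
    print("unreachable in original:", shadowed_entries(ORIGINAL_ACL_100))
```

Running it prints that the original list denies the port 95 SYN on its `deny ip any any log` entry and that the two entries added after it are unreachable, while the rebuilt list permits the same packet on the `eq 95` entry. The rebuilt list also stops permitting inbound echo requests, since only the three listed ICMP types precede the final deny. The script checks the ACL against the public address 21.13.84.145, which matches how an inbound list on the outside interface is evaluated before the static NAT mapping rewrites the destination to the inside host.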
LVL 27

Expert Comment

by:Asta Cu
Hi, your question was posted in duplicate; I recommend you delete the following one to get your points back.
http://www.experts-exchange.com/routerswitch/Q_20305726.html
":0) Asta
LVL 1

Author Comment

by:billyh
You have both been helpful; your suggestion worked. Thanx a lot.

Billy