Cisco 1700 w/ firewall port forwarding

Posted on 2003-03-05
Last Modified: 2012-06-27
I want to forward ports 25,110,143 to my Exchange server: 10.0.0.5.  

I also want to use RPC to publish my Exchange server over the web, so from what I can tell, I need the following:

Primary connection:  TCP 135 Outbound
Secondary connections:  TCP 1025-65534 Outbound

I also want to forward port 3389 to my TS server: 10.0.0.6.    



Below is my configuration:

show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 1720
!
logging buffered 6048 debugging
enable secret 5 $1$anWb$nQL0ctDzeAWVdZ09IFk2z1
enable password 67128
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 5m3f1i7a3n5e0 address 0.0.0.0
crypto isakmp client configuration address-pool local vpn
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto dynamic-map dyna 1
 set transform-set strong
!
crypto map mfiane client configuration address initiate
crypto map mfiane client configuration address respond
crypto map mfiane 10 ipsec-isakmp dynamic dyna
cns event-service server
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.252
 no ip directed-broadcast
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
!
interface Serial0.1 point-to-point
 ip address 64.69.104.201 255.255.255.248
 ip access-group 199 in
 no ip directed-broadcast
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 no arp frame-relay
 frame-relay interface-dlci 40
 crypto map mfiane
!
interface FastEthernet0
 ip address 10.0.0.254 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip route-cache
 ip policy route-map nostatic
 no ip mroute-cache
 half-duplex
!
router eigrp 2000
 network 10.0.0.0
!
ip local pool vpn 192.168.1.1 192.168.1.254
ip nat inside source route-map nonat interface Serial0.1 overload
ip nat inside source static 10.0.0.251 64.69.104.206
ip nat inside source static 10.0.0.250 64.69.104.205
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip any host 24.58.250.249
access-list 150 permit ip host 24.58.250.249 any
access-list 199 permit tcp any any established
access-list 199 permit udp any eq domain any
access-list 199 permit icmp any any
access-list 199 permit tcp any any eq www
access-list 199 permit tcp any any range ftp-data 22
access-list 199 permit tcp any any eq 3144
access-list 199 permit udp any any eq 3144
access-list 199 permit tcp any any eq 10000
access-list 199 permit tcp any any eq telnet
access-list 199 permit tcp any any eq 1723
access-list 199 permit tcp any eq 1723 any
access-list 199 permit udp any any eq isakmp
access-list 199 permit esp any any
access-list 199 permit udp any any range netbios-ns netbios-ss
access-list 199 permit tcp any any
access-list 199 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 5631
access-list 199 permit udp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 5632
route-map nostatic permit 20
 match ip address 102
 set ip next-hop 172.16.1.2
!
route-map nonat permit 10
 match ip address 101
!
!
line con 0
 transport input none
line aux 0
line vty 0
 exec-timeout 0 0
 password
 login
line vty 1 4
 password
 login
!
end

Question by: subjasonthomas

11 Comments

LVL 79

Expert Comment

by:lrmoore
ID: 8075674
>I want to forward ports 25,110,143 to my Exchange server: 10.0.0.5.  

Tackling one thing at a time - assuming that you publish 64.69.104.207 as your mail server:

First, permit the traffic into the serial interface:

# add these lines to acl 199:
!
access-list 199 permit tcp any host 64.69.104.207 eq smtp
access-list 199 permit tcp any host 64.69.104.207 eq 443
access-list 199 permit tcp any host 64.69.104.207 eq www
access-list 199 permit tcp any host 64.69.104.207 eq pop3
!

# Add static NAT statement:
!
ip nat inside source static 10.0.0.5 64.69.104.207
!
Deny the statically assigned hosts from using the NAT Pool:
!
access-list 101 deny  ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip host 10.0.0.5 any
access-list 101 deny ip host 10.0.0.251 any
access-list 101 deny ip host 10.0.0.250 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
!

>I also want to forward port 3389 to my TS server: 10.0.0.6.    
If you're doing IPSEC tunnels, why not just do it over a VPN connection?
Else, use the same convention above to add a static nat map to the Term server, and permit tcp 3389 in via acl 199

>I also want to use RPC to publish my Exchange server over the web, so from what I can tell, I need the following:

Primary connection:  TCP 135 Outbound
Secondary connections:  TCP 1025-65534 Outbound

Not sure what you're trying to accomplish here. All outbound traffic is already permitted...
 

Author Comment

by:subjasonthomas
ID: 8095428
This worked great, thank you.  However, all ports are being shown as open.  How can I lock down the Cisco so that only the ports I specify are open?
 
LVL 79

Expert Comment

by:lrmoore
ID: 8095557
Only those ports explicitly permitted in acl 199 are being permitted, as long as that acl is applied inbound on the serial interface.
Where are you seeing "all ports being shown as open"?
 

 

Author Comment

by:subjasonthomas
ID: 8096379
I ran a port scan on the IP I used to do this with, and there are about 100 ports open.  All these ports were open before I even applied the ACLs.  Any ideas?  Here's what the current-config looks like (I chose 64.69.104.204 to point to the Exchange Server):

Building configuration...

Current configuration:
!
version 12.0
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 1720
!
logging buffered 6048 debugging
enable secret
enable password
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 5m3f1i7a3n5e0 address 0.0.0.0
crypto isakmp client configuration address-pool local vpn
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto dynamic-map dyna 1
 set transform-set strong
!
crypto map mfiane client configuration address initiate
crypto map mfiane client configuration address respond
crypto map mfiane 10 ipsec-isakmp dynamic dyna
cns event-service server
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.252
 no ip directed-broadcast
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
!
interface Serial0.1 point-to-point
 ip address 64.69.104.201 255.255.255.248
 ip access-group 199 in
 no ip directed-broadcast
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 no arp frame-relay
 frame-relay interface-dlci 40
 crypto map mfiane
!
interface FastEthernet0
 ip address 10.0.0.254 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip route-cache
 ip policy route-map nostatic
 no ip mroute-cache
 half-duplex
!
router eigrp 2000
 network 10.0.0.0
!
ip local pool vpn 192.168.1.1 192.168.1.254
ip nat inside source route-map nonat interface Serial0.1 overload
ip nat inside source static 10.0.0.5 64.69.104.204
ip nat inside source static 10.0.0.251 64.69.104.206
ip nat inside source static 10.0.0.250 64.69.104.205
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 deny   ip host 10.0.0.5 any
access-list 101 deny   ip host 10.0.0.251 any
access-list 101 deny   ip host 10.0.0.250 any
access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip any host 24.58.250.249
access-list 150 permit ip host 24.58.250.249 any
access-list 199 permit tcp any any established
access-list 199 permit udp any eq domain any
access-list 199 permit icmp any any
access-list 199 permit tcp any any eq www
access-list 199 permit tcp any any range ftp-data 22
access-list 199 permit tcp any any eq 3144
access-list 199 permit udp any any eq 3144
access-list 199 permit tcp any any eq 10000
access-list 199 permit tcp any any eq telnet
access-list 199 permit tcp any any eq 1723
access-list 199 permit tcp any eq 1723 any
access-list 199 permit udp any any eq isakmp
access-list 199 permit esp any any
access-list 199 permit udp any any range netbios-ns netbios-ss
access-list 199 permit tcp any any
access-list 199 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 5631
access-list 199 permit udp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 5632
access-list 199 permit tcp any host 64.69.104.204 eq smtp
access-list 199 permit tcp any host 64.69.104.204 eq 143
access-list 199 permit tcp any host 64.69.104.204 eq www
access-list 199 permit tcp any host 64.69.104.204 eq pop3
access-list 199 permit tcp any host 64.69.104.204 eq 135
route-map nostatic permit 20
 match ip address 102
 set ip next-hop 172.16.1.2
!
route-map nonat permit 10
 match ip address 101
!
!
line con 0
 transport input none
line aux 0
line vty 0
 exec-timeout 0 0
 password
 login
line vty 1 4
 password
 login
!
end


 
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 8096534
Put these at the top of the acl 199:

access-list 199 permit tcp any host 64.69.104.204 eq smtp
access-list 199 permit tcp any host 64.69.104.204 eq 143
access-list 199 permit tcp any host 64.69.104.204 eq www
access-list 199 permit tcp any host 64.69.104.204 eq pop3
access-list 199 permit tcp any host 64.69.104.204 eq 135
access-list 199 permit udp any eq 53 host 64.69.104.204
!!Then deny any other traffic to it
access-list 199 deny  ip any host 64.69.104.204
 

Author Comment

by:subjasonthomas
ID: 8152490
Quick question:  I'm going to create another access-list (call it 198) and put all those items at the top of the list, and then redo the entire list as 198.  I obviously need to apply that to an interface.  What command would I issue to apply access-list 198 to the interface (I'm assuming I apply it to s0?)  

access-class 198 in  (onto the serial interface)?
 
LVL 79

Expert Comment

by:lrmoore
ID: 8152807
the command is:
router(config)#interface serial 0
router(config-if)# no ip access-group 199 in
router(config-if)# ip access-group 198 in
router(config-if)# exit
router(config)#
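The two pieces of advice in this thread, "deny the statically assigned hosts" in ACL 101 and "put these at the top of acl 199", both rest on the same rule: IOS evaluates an access list top to bottom and the first matching entry wins, with an implicit deny after the last line. The added example below is editor-written code, not lrmoore's or the poster's, and models that rule over the ACLs copied from the page. Two things fall out of it. The posted ACL 199 ends with `access-list 199 permit tcp any any`, so an inbound SYN to any TCP port on 64.69.104.204 is permitted before the appended mail entries are ever reached, which is what the port scan of about 100 open ports was showing; moving the mail entries ahead of it and closing with `deny ip any host 64.69.104.204` is what changes the verdict. And in the second posted config the `deny ip host 10.0.0.5 any` line of ACL 101 sits after `permit ip 10.0.0.0 0.0.0.255 any`, so it never matches and route-map nonat still matches that host. The scanner address 203.0.113.9 and the destination 198.51.100.7 are constructed (documentation ranges); the ACL text is a trimmed copy of the page's. Note also that the posted config binds the list with `ip access-group 199 in` under `interface Serial0.1`, so that is the interface on which ACL 198 would replace it.

```python
# Added example (not lrmoore's or the poster's code): a first-match evaluator for IOS
# numbered extended ACLs. Scanner/destination addresses below are constructed.
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "domain": 53, "ftp-data": 20}
Ace = namedtuple("Ace", "action proto src sport dst dport established")

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD' (wildcard bits are inverted mask bits)."""
    if toks[0] == "any":
        return IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return IPv4Network(toks[1] + "/32"), toks[2:]
    mask = ".".join(str(255 - int(o)) for o in toks[1].split("."))
    return IPv4Network(f"{toks[0]}/{mask}", strict=False), toks[2:]

def _ports(toks):
    """Consume an optional 'eq P' | 'range A B' qualifier -> ((lo, hi) or None, rest)."""
    if toks and toks[0] == "eq":
        p = _port(toks[1])
        return (p, p), toks[2:]
    if toks and toks[0] == "range":
        return (_port(toks[1]), _port(toks[2])), toks[3:]
    return None, toks

def parse_acl(text, number):
    """Entries of one numbered ACL, in the order IOS evaluates them."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[:2] != ["access-list", str(number)]:
            continue
        action, proto, rest = toks[2], toks[3], toks[4:]
        src, rest = _addr(rest)
        sport, rest = _ports(rest)
        dst, rest = _addr(rest)
        dport, rest = _ports(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport, "established" in rest))
    return aces

def evaluate(aces, proto, src, dst, sport=0, dport=0, established=False):
    """First matching entry wins; no match means the implicit deny at the end."""
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if IPv4Address(src) not in a.src or IPv4Address(dst) not in a.dst:
            continue
        if a.sport and not a.sport[0] <= sport <= a.sport[1]:
            continue
        if a.dport and not a.dport[0] <= dport <= a.dport[1]:
            continue
        if a.established and not established:
            continue
        return a.action
    return "deny"

# Trimmed copy of the posted ACL 199: 'permit tcp any any' is the line that matters.
POSTED_199 = """
access-list 199 permit tcp any any established
access-list 199 permit udp any eq domain any
access-list 199 permit tcp any any range ftp-data 22
access-list 199 permit tcp any any
access-list 199 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 5631
"""
# The accepted entries for the mail host, ending with the catch-all deny.
MAIL_199 = """
access-list 199 permit tcp any host 64.69.104.204 eq smtp
access-list 199 permit tcp any host 64.69.104.204 eq 143
access-list 199 permit tcp any host 64.69.104.204 eq pop3
access-list 199 permit tcp any host 64.69.104.204 eq 135
access-list 199 permit udp any eq 53 host 64.69.104.204
access-list 199 deny ip any host 64.69.104.204
"""
# ACL 101 as in the second posted config: the deny for 10.0.0.5 comes after the permit.
POSTED_101 = """
access-list 101 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 deny   ip host 10.0.0.5 any
"""
# Same entries with the host deny moved ahead of the network permit.
FIXED_101 = """
access-list 101 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip host 10.0.0.5 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
"""

def scan_mail_host(acl_text, ports=(25, 110, 143, 135, 3389, 5631)):
    """Verdict for an inbound SYN from a constructed Internet host to each port."""
    aces = parse_acl(acl_text, 199)
    return {p: evaluate(aces, "tcp", "203.0.113.9", "64.69.104.204", 40000, p) for p in ports}

def acl101_excludes(acl_text, inside_host):
    """True when ACL 101 denies the host, so route-map nonat (match ip address 101) skips it."""
    return evaluate(parse_acl(acl_text, 101), "tcp", inside_host, "198.51.100.7", 40000, 80) == "deny"

if __name__ == "__main__":
    print("mail entries appended:", scan_mail_host(POSTED_199 + MAIL_199))  # every port permit
    print("mail entries first:   ", scan_mail_host(MAIL_199 + POSTED_199))  # only 25/110/143/135
    print("posted ACL 101 excludes 10.0.0.5:", acl101_excludes(POSTED_101, "10.0.0.5"))  # False
    print("reordered ACL 101 excludes 10.0.0.5:", acl101_excludes(FIXED_101, "10.0.0.5"))  # True
```

The evaluator ignores `icmp`/`esp` entries unless asked about those protocols and treats `established` the way IOS does for a fresh SYN (no ACK/RST bits, so the entry is skipped); that is enough to reproduce the scan result. The same reordering check is worth running against any list that ends in a broad `permit tcp any any`, since everything placed after that line is dead.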
 
LVL 79

Expert Comment

by:lrmoore
ID: 8442631
G'day, subjasonthomas
It has been 57 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm
 
LVL 79

Expert Comment

by:lrmoore
ID: 8637093
subjasonthomas,
No comment has been added lately (33 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to lrmoore

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. http://www.experts-exchange.com/Community_Support/