Opening a tcp port.

OK, here's my situation. I have my Cisco 2600 set up to do the established link filtering on my WAN port.
deny
deny
permit tcp any any established log
...
OK, there's the ACL, more or less. I am forwarding TCP port 22 to a server internally.
 ip nat inside source static tcp x.x.x.x 22 x.x.x.x 22 extendable

My problem is that with the ACL doing the established bit, forwarding this port to the server on TCP does absolutely nothing. I can forward UDP all day long and it works like a champ. My question is: how do I set port 22 in my ACL to ignore the
permit tcp any any established  that I have at the end of my deny statements?

I have tried:
permit tcp host x.x.x.x eq 22 host x.x.x.x eq 22 log
Which is the same argument that lets my UDP ports through with no problem; port and protocol are all that were changed.

Thanks in advance for any help.
roscowgoAsked:

lrmooreCommented:
Try just using the destination port without specifying the source port:
 
 permit tcp host x.x.x.x  host x.x.x.x eq 22 log


roscowgoAuthor Commented:
I'll give it a shot :) thanks.
roscowgoAuthor Commented:
Tried that... didn't seem to work...
It's damned bizarre. It's like it reads the top of the ACL where the permit 22 statement is, then instead of just accepting the packet it also checks it against all the other parameters.

lrmooreCommented:
Can you post your complete config? Be sure to mask out any passwords and public IPs

roscowgoAuthor Commented:
Sorry about the delay. Here's the entire config.


Router1# show run
Building configuration...

Current configuration : 9675 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router1
!
no logging exception
logging buffered 9012 warnings
logging console informational
logging monitor informational
enable password 7 14150A5A5851
!

clock timezone edt -4
ip subnet-zero
!
!
no ip domain-lookup
!
!
!
!
interface FastEthernet0/0
 description connected to EthernetLAN_1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 151 in
 ip access-group 151 out
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 description connected to  *******
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 no ip mroute-cache
 service-module t1 clock source internal
 service-module t1 remote-alarm-enable
!
interface FastEthernet0/1
 description connected to Internet
 ip address X.x.X.x  255.255.255.0
 ip access-group ineqts in
 ip access-group outeq out
 ip nat outside
 duplex auto
 speed auto

ip default-gateway 68.187.246.1
ip nat pool *** X.X.X.X  X.X.X.X netmask 255.255.255.0
ip nat inside source list 1 pool **** overload
ip nat inside source static udp 192.168.1.29 8767 X.X.X.X 8767 extendable
ip nat inside source static tcp 192.168.1.29 22 X.X.X.X 22 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 X.X.X.X
ip route 192.168.3.0 255.255.255.0 192.168.2.1
no ip http server
no ip pim bidir-enable
!
!
ip access-list extended ineqts
 permit tcp host X.X.X.X host 192.168.1.22 eq host 192.168.1.29 22 log
 permit udp host X.X.X.X eq 8767 host 192.168.1.29 eq 8767 log
 deny   tcp any any eq telnet log
 deny   udp any any eq tftp log
 deny   udp any any eq 135 log
 deny   tcp any any eq 135 log
 deny   udp any any eq netbios-ss log
 deny   tcp any any eq 139 log
 deny   udp any any eq 445 log
 deny   tcp any any eq 445 log
 deny   tcp any any eq 4444 log
 deny   tcp any any eq 138 log
 deny   udp any any eq netbios-dgm log
 deny   tcp any any eq echo log
 deny   udp any any eq echo log
 deny   tcp any any eq 136 log
 deny   udp any any eq 136 log
 deny   tcp any any eq 137 log
 deny   udp any any eq netbios-ns log
 deny   tcp any any eq 5000 log
 deny   tcp any any eq 1900 log
 deny   udp any any eq 25 log
 deny   tcp any any eq 9996 log
 deny   tcp any any eq 5554 log
 deny   tcp any any range 9000 9998 log
 deny   ip host 66.103.153.34 any
 deny   ip host 69.20.69.181 any log
 permit tcp any any established log
 permit udp any any log
ip access-list extended outeq
 deny   tcp any any eq telnet log
 deny   udp any any eq tftp log
 deny   udp any any eq 135 log
 deny   tcp any any eq 135 log
 deny   udp any any eq netbios-ss log
 deny   tcp any any eq 139 log
 deny   udp any any eq 445 log
 deny   tcp any any eq 445 log
 deny   tcp any any eq 4444 log
 deny   tcp any any eq 138 log
 deny   udp any any eq netbios-dgm log
 deny   tcp any any eq echo log
 deny   udp any any eq echo log
 deny   tcp any any eq 136 log
 deny   udp any any eq 136 log
 deny   tcp any any eq 137 log
 deny   udp any any eq netbios-ns log
 deny   tcp any any eq 5000 log
 deny   tcp any any eq 1900 log
 deny   udp any any eq 25 log
 deny   tcp any any eq 9996 log
 deny   tcp any any eq 5554 log
 deny   ip host 69.20.69.181 any log
 permit tcp any any log
 permit udp any any log
!


I know I should be doing permit statements and not denying each port separately, but this is a pretty small place and the router doesn't get much of a workout at all.

And if you look at the port 8767 forwarding, that works like a champ, 24/7 (TeamSpeak server). The 22 I am setting up as an FTP server and just wanted to be strange with the non-standard port, I guess. As to what actually makes it work: when I take the established command out of the end of access-list ineqts it goes right through, so that's where the problem is, I think.

I can't figure out why it is processing one rule and then processing all the rest of the rules in the ACL, and I don't want to not have the established link thing going on.
lrmooreCommented:
You've really created a complicated scenario for yourself that is difficult to troubleshoot.

>
interface FastEthernet0/0
 description connected to EthernetLAN_1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 151 in   <== where is access-list 151?
 ip access-group 151 out <== where is access-list 151? You really don't want the same acl both directions
 ip nat inside
 duplex auto
 speed auto

>ip access-list extended ineqts
>permit tcp host X.X.X.X host 192.168.1.22 eq host 192.168.1.29 22 log
This should be
   permit tcp host X.X.X.X host 68.187.246.x eq 22 log
   permit tcp any any established

>and i dont want to not have the established link thing going on.  
I'm not sure I follow you on this. You really need an acl "established" line.

Q: Where are you logging all this to? Are you running a syslog server?



roscowgoAuthor Commented:
Yeah, I know, it's a mess, but it generally works.

ACL 151 blocks port 135, TCP and UDP, and lets everything else through.

I think I misedited trying to get rid of my public IPs there, which I obviously missed, but anyway, here is a fresh copy and paste of that line.

And do you mean the permit host statement needs to go close to the permit any statement?

 
 permit tcp host 68.187.246.x host 192.168.1.29 eq 22 log
 permit tcp any any established log
 permit udp any any log

That is in and running as we speak.

A Q. for you too there...
>This should be
   permit tcp host X.X.X.X host 68.187.246.x eq 22 log
   permit tcp any any established

I think I have a hole in my head today... I was using the X.X.X.X for my public IP; wouldn't that just allow it to talk to itself?

As for the established line, what I want to do is be as invisible as possible to the outside world.

And right at the moment I'm not running one, but was then... when I'm not running a syslog server I just browse the buffered messages on the router.

Thanks for the help, sorry I'm so boneheaded with this one...
lrmooreCommented:
You are already invisible due to the NAT.

>permit tcp host 68.187.246.x host 192.168.1.29 eq 22 log
You are not permitting anything to the private IP address. NAT takes care of that.

Assuming that you have public IP 68.187.246.x natted to 192.168.1.29, and you want to permit inbound from anywhere, your acl should look like this:
  permit tcp any host 68.187.246.x eq 22 log

If you want to restrict inbound ssh from only certain hosts on the Internet (like your house) where the public IP is known, then you can restrict further:
   permit tcp host 1.2.3.4 host 68.187.246.x eq 22 log

With the syntax:
   permit [tcp|udp|ip] <source ip> <source mask> <destination ip> <destination mask> eq {port} log

source ip + mask can be replaced with "host x.x.x.x" instead of
    2.3.4.5 255.255.255.255
Same with destination. If the destination is only one IP address, use "host"


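The first-match behaviour lrmoore describes above, as an added example that is not part of the thread: a small Python evaluator for the thread's own ACL entries, run against an inbound SSH SYN and a TeamSpeak UDP packet. It assumes the inbound ACL on the NAT-outside interface is checked before translation (so the packet still carries the public address), that "established" means ACK or RST is set, and uses 68.187.246.10 as a constructed stand-in for the masked public IP.

```python
# Added example, not from the thread: a first-match evaluator for the Cisco
# extended-ACL entries discussed above. Assumptions: the inbound ACL on the
# NAT-outside interface is checked before translation, so the packet still carries
# the public address; "established" matches only TCP segments with ACK or RST set;
# 68.187.246.10 is a constructed stand-in for the thread's masked public IP.
def parse_ace(line):
    """Parse 'permit|deny proto src [eq p] dst [eq p] [established] [log]' (numeric ports)."""
    toks = line.split()
    ace = {"action": toks[0], "proto": toks[1], "established": "established" in toks}
    toks = toks[2:]
    for side in ("src", "dst"):
        if toks[0] == "any":
            ace[side], toks = None, toks[1:]
        elif toks[0] == "host":
            ace[side], toks = toks[1], toks[2:]
        else:
            raise ValueError("only 'any' and 'host' addresses are handled here")
        ace[side + "_port"] = int(toks[1]) if toks[:1] == ["eq"] else None
        if ace[side + "_port"] is not None:
            toks = toks[2:]
    return ace

def evaluate(acl_text, pkt):
    """First matching entry decides; Cisco ACLs end in an implicit deny."""
    for ace in map(parse_ace, acl_text.strip().splitlines()):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if ace["src"] not in (None, pkt["src"]) or ace["dst"] not in (None, pkt["dst"]):
            continue
        if ace["src_port"] not in (None, pkt["sport"]) or ace["dst_port"] not in (None, pkt["dport"]):
            continue
        if ace["established"] and not ({"ACK", "RST"} & pkt["flags"]):
            continue  # a fresh inbound SYN is not part of an established flow
        return ace["action"]
    return "deny"

# The entry as the asker posted it (private address as destination) versus the fix.
ACL_AS_POSTED = """permit tcp host 68.187.246.10 host 192.168.1.29 eq 22 log
permit tcp any any established log
permit udp any any log"""
ACL_CORRECTED = """permit tcp any host 68.187.246.10 eq 22 log
permit tcp any any established log
permit udp any any log"""
SSH_SYN = {"proto": "tcp", "src": "1.2.3.4", "sport": 51000,
           "dst": "68.187.246.10", "dport": 22, "flags": {"SYN"}}  # constructed packet
TS_UDP = {"proto": "udp", "src": "1.2.3.4", "sport": 8767,
          "dst": "68.187.246.10", "dport": 8767, "flags": set()}  # constructed packet

if __name__ == "__main__":
    print(evaluate(ACL_AS_POSTED, SSH_SYN), evaluate(ACL_CORRECTED, SSH_SYN), evaluate(ACL_AS_POSTED, TS_UDP))
```

The UDP forward never needed its specific entry: it is caught by the trailing `permit udp any any log`, which is why it "works like a champ" while the SSH SYN falls through to the implicit deny.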