Solved

Opening a tcp port.

Posted on 2004-11-04
Last Modified: 2013-11-29
Ok, here's my situation: I have my Cisco 2600 set up to do the established link filtering on my WAN port.
deny
deny
permit tcp any any established log
...
OK, there's the ACL, more or less. I am forwarding port TCP 22 to a server internally:
 ip nat inside source static tcp x.x.x.x 22 x.x.x.x 22 extendable

My problem is that with the ACL doing the established bit, forwarding this port to the server on TCP does absolutely nothing. I can forward UDP all day long and it works like a champ. My question is: how do I set port 22 in my ACL to ignore the
permit tcp any any established
that I have at the end of my deny statements?

I have tried:
permit tcp host x.x.x.x eq 22 host x.x.x.x eq 22 log
Which is the same argument that lets my UDP ports through with no problem; port and protocol are all that were changed.

Thanks in advance for any help.
Question by:roscowgo
8 Comments

Expert Comment

by:lrmoore
ID: 12498311
Try just using the destination port without specifying the source port:
 
 permit tcp host x.x.x.x host x.x.x.x eq 22 log



Author Comment

by:roscowgo
ID: 12498490
I'll give it a shot :) thanks.

Author Comment

by:roscowgo
ID: 12507541
Tried that... didn't seem to work...
It's damned bizarre; it's like it reads the top of the ACL where the permit 22 statement is... then instead of just accepting the packet it also checks it against all the other parameters.

Expert Comment

by:lrmoore
ID: 12507799
Can you post your complete config? Be sure to mask out any passwords and public IPs.


Author Comment

by:roscowgo
ID: 12604931
Sorry about the delay. Here's the entire config:


Router1# show run
Building configuration...

Current configuration : 9675 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router1
!
no logging exception
logging buffered 9012 warnings
logging console informational
logging monitor informational
enable password 7 14150A5A5851
!

clock timezone edt -4
ip subnet-zero
!
!
no ip domain-lookup
!
!
!
!
interface FastEthernet0/0
 description connected to EthernetLAN_1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 151 in
 ip access-group 151 out
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 description connected to  *******
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 no ip mroute-cache
 service-module t1 clock source internal
 service-module t1 remote-alarm-enable
!
interface FastEthernet0/1
 description connected to Internet
 ip address X.x.X.x  255.255.255.0
 ip access-group ineqts in
 ip access-group outeq out
 ip nat outside
 duplex auto
 speed auto

ip default-gateway 68.187.246.1
ip nat pool *** X.X.X.X  X.X.X.X netmask 255.255.255.0
ip nat inside source list 1 pool **** overload
ip nat inside source static udp 192.168.1.29 8767 X.X.X.X 8767 extendable
ip nat inside source static tcp 192.168.1.29 22 X.X.X.X 22 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 X.X.X.X
ip route 192.168.3.0 255.255.255.0 192.168.2.1
no ip http server
no ip pim bidir-enable
!
!
ip access-list extended ineqts
 permit tcp host X.X.X.X host 192.168.1.22 eq host 192.168.1.29 22 log
 permit udp host X.X.X.X eq 8767 host 192.168.1.29 eq 8767 log
 deny   tcp any any eq telnet log
 deny   udp any any eq tftp log
 deny   udp any any eq 135 log
 deny   tcp any any eq 135 log
 deny   udp any any eq netbios-ss log
 deny   tcp any any eq 139 log
 deny   udp any any eq 445 log
 deny   tcp any any eq 445 log
 deny   tcp any any eq 4444 log
 deny   tcp any any eq 138 log
 deny   udp any any eq netbios-dgm log
 deny   tcp any any eq echo log
 deny   udp any any eq echo log
 deny   tcp any any eq 136 log
 deny   udp any any eq 136 log
 deny   tcp any any eq 137 log
 deny   udp any any eq netbios-ns log
 deny   tcp any any eq 5000 log
 deny   tcp any any eq 1900 log
 deny   udp any any eq 25 log
 deny   tcp any any eq 9996 log
 deny   tcp any any eq 5554 log
 deny   tcp any any range 9000 9998 log
 deny   ip host 66.103.153.34 any
 deny   ip host 69.20.69.181 any log
 permit tcp any any established log
 permit udp any any log
ip access-list extended outeq
 deny   tcp any any eq telnet log
 deny   udp any any eq tftp log
 deny   udp any any eq 135 log
 deny   tcp any any eq 135 log
 deny   udp any any eq netbios-ss log
 deny   tcp any any eq 139 log
 deny   udp any any eq 445 log
 deny   tcp any any eq 445 log
 deny   tcp any any eq 4444 log
 deny   tcp any any eq 138 log
 deny   udp any any eq netbios-dgm log
 deny   tcp any any eq echo log
 deny   udp any any eq echo log
 deny   tcp any any eq 136 log
 deny   udp any any eq 136 log
 deny   tcp any any eq 137 log
 deny   udp any any eq netbios-ns log
 deny   tcp any any eq 5000 log
 deny   tcp any any eq 1900 log
 deny   udp any any eq 25 log
 deny   tcp any any eq 9996 log
 deny   tcp any any eq 5554 log
 deny   ip host 69.20.69.181 any log
 permit tcp any any log
 permit udp any any log
!


I know I should be doing permit statements and not denying each port separately, but this is a pretty small place and the router doesn't get much of a workout at all.

And if you look at the port 8767 forwarding, that works like a champ, 24/7 (TeamSpeak server). The 22 I am setting up as an FTP server and just wanted to be strange with the non-standard port, I guess. As to what actually makes it work: when I take the established command out of the end of access-list ineqts it goes right through. So that's where the problem is, I think.

I can't figure out why it is processing one rule, and then processing all the rest of the rules in the ACL. And I don't want to not have the established link thing going on.

Expert Comment

by:lrmoore
ID: 12622092
You've really created a complicated scenario for yourself that is difficult to troubleshoot.

>
interface FastEthernet0/0
 description connected to EthernetLAN_1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 151 in   <== where is access-list 151?
 ip access-group 151 out <== where is access-list 151? You really don't want the same acl both directions
 ip nat inside
 duplex auto
 speed auto

>ip access-list extended ineqts
>permit tcp host X.X.X.X host 192.168.1.22 eq host 192.168.1.29 22 log
This should be
   permit tcp host X.X.X.X host 68.187.246.x eq 22 log
   permit tcp any any established

>and i dont want to not have the established link thing going on.  
I'm not sure I follow you on this. You really need an acl "established" line.

Q: Where are you logging all this to? Are you running a syslog server?




Author Comment

by:roscowgo
ID: 12625626
Yeah, I know, it's a mess. But it generally works.

ACL 151 blocks port 135, TCP and UDP, and lets everything else through.

I think I mis-edited trying to get rid of my public IPs there... which I obviously missed... but anyway, here is a fresh copy and paste of that line.

And do you mean the permit host statement needs to go close to the permit any statement?

 permit tcp host 68.187.246.x host 192.168.1.29 eq 22 log
 permit tcp any any established log
 permit udp any any log

That is in and running as we speak.

A Q. for you too there:
>This should be
   permit tcp host X.X.X.X host 68.187.246.x eq 22 log
   permit tcp any any established

I think I have a hole in my head today... I was using the X.X.X.X for my public IP; wouldn't that just allow it to talk to itself?

As for the established line, what I want to do is be as invisible as possible to the outside world.

And right at the moment I'm not running one, but was then... when I'm not running a syslog server I just browse the buffered messages on the router.

Thanks for the help, sorry I'm so boneheaded with this one...

Accepted Solution

by:lrmoore earned 2000 total points
ID: 12626003
You are already invisible due to the NAT.

>permit tcp host 68.187.246.x host 192.168.1.29 eq 22 log
You are not permitting anything to the private IP address. NAT takes care of that.

Assuming that you have public IP of 68.187.246.x natted to 192.168.1.29, and you want to permit inbound from anywhere, your acl should look like this:
  permit tcp any host 68.187.246.x eq 22 log

If you want to restrict inbound ssh from only certain hosts on the Internet (like your house) where the public IP is known, then you can restrict further:
   permit tcp host 1.2.3.4 host 68.187.246.x eq 22 log

With the syntax:
   permit [tcp|udp|ip] <source ip> <source mask> <destination ip> <destination mask> eq {port} log

source ip + mask can be replaced with "host x.x.x.x" instead of
    2.3.4.5 255.255.255.255
Same with destination. If the destination is only one IP address, use "host".
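The first-match behaviour the thread circles around, as an added example that is not code from the thread or from Cisco: a small evaluator for extended ACL entries, run over constructed inbound packets. It assumes 68.187.246.10 as a stand-in for the masked public address and a constructed Internet source 203.0.113.7, and it models the Cisco order of operations in which an inbound ACL on the outside interface sees the destination before NAT translates it.

```python
# Added example, not code from the thread: a minimal first-match evaluator for
# Cisco-style extended ACL entries. It shows why the poster's entry naming the
# private address never matched, why "established" cannot admit a new SSH
# connection, and why the UDP forward worked. 68.187.246.10 is an assumed
# stand-in for the masked 68.187.246.x; all packets are constructed inline.
PUBLIC_IP = "68.187.246.10"
PRIVATE_IP = "192.168.1.29"     # the NATted server from the posted config
ANY = "any"

def entry_matches(entry, pkt):
    """entry = (proto, src, dst, dport, established); pkt is a dict."""
    proto, src, dst, dport, established = entry
    return ((proto == "ip" or proto == pkt["proto"])
            and src in (ANY, pkt["src"]) and dst in (ANY, pkt["dst"])
            and (dport is None or dport == pkt["dport"])
            # "established" matches only segments with ACK or RST set, never a SYN
            and (not established or pkt["ack"]))

def evaluate(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, *entry in acl:
        if entry_matches(entry, pkt):
            return action
    return "deny"

# The poster's ACL: the TCP permit names the private address. Inbound on the
# outside interface the ACL is checked before NAT translates the destination,
# so the packet still carries the public address and that entry never matches.
ORIGINAL = [
    ("permit", "tcp", ANY, PRIVATE_IP, 22, False),
    ("permit", "tcp", ANY, ANY, None, True),
    ("permit", "udp", ANY, ANY, None, False),
]
# lrmoore's fix: permit the public (pre-NAT) destination on port 22.
FIXED = [
    ("permit", "tcp", ANY, PUBLIC_IP, 22, False),
    ("permit", "tcp", ANY, ANY, None, True),
    ("permit", "udp", ANY, ANY, None, False),
]

def inbound_decision(acl, proto, dport, ack=False):
    # A packet from a constructed Internet host arriving on FastEthernet0/1.
    pkt = {"proto": proto, "src": "203.0.113.7", "dst": PUBLIC_IP,
           "dport": dport, "ack": ack}
    return evaluate(acl, pkt)

if __name__ == "__main__":
    print("SSH SYN, original ACL:", inbound_decision(ORIGINAL, "tcp", 22))     # deny
    print("SSH SYN, fixed ACL:", inbound_decision(FIXED, "tcp", 22))           # permit
    print("UDP 8767, original ACL:", inbound_decision(ORIGINAL, "udp", 8767))  # permit
```

The same evaluator also shows that reply segments (ACK set) are admitted by the established line under either ACL, which is why only the initial SYN of a new inbound connection was being dropped.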

