Cisco Router Allow Incoming Ports to all IPs

Hello all.

Need help with a router config.  I can setup port forwarding easily to an internal static IP.  Works fine.  I am adding 2 VISA machines that work over IP and DHCP internal.  Visa has told me the ports to open and the static routable IP address they will be communicating from.

I need to setup an access list that will allow any traffic on these ports from a specific IP to any internal machines.  Does this look correct:

access-list 100 permit tcp host <Routable IP> any eq <port number1>
access-list 100 permit tcp host <Routable IP> any eq <port number2>
access-list 100 permit tcp host <Routable IP> any eq <port number3>
access-list 100 deny tcp any any eq <port number1>
access-list 100 deny tcp any any eq <port number2>
access-list 100 deny tcp any any eq <port number3>
access-list 100 permit ip any any

interface dialer1
 ip access-group 100 in


That will work as expected, except that as long as you're creating an access list, how about limiting some of the other things that you don't want people doing from the outside? You're actually better off figuring out what you DO need and then by default not allowing anything else.

The only thing your list denies is attempted access to that specific port on any machine. What about Windows, telnet, and everything else that people try to do into your network?

If it's a dedicated link from VISA, why permit everything at the end?

things to think about...


What exactly is happening with this VISA stuff, are your computers requesting traffic from a VISA machine or what?  Is VISA from the outside making the requests in the first place?  I guess I don't see what they are trying to do and why they need to get in from the outside to any computer on the inside unless a computer from the inside requests the traffic in the first place.

My reasoning is that if the VISA from the outside is responding to an inside request, then you need to switch the eq "port" to the source not the destination, and you'd be better off changing the access list to accept "established" connections, for example

access-list 100 permit tcp host "Static IP" eq "port" any established

That would allow all established (which means a response to a SYN packet) connections back in on those ports.  
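As an added example (not from the thread or from Cisco), a small first-match evaluator in Python that runs constructed packets through the questioner's list and through a default-deny version built along the lines both experts suggest; the addresses and port numbers are placeholders:

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str                    # source address
    dst: str                    # destination (inside) address
    dport: int                  # destination port
    sport: int = 40000          # source port
    established: bool = False   # ACK/RST set: a reply to an inside-initiated SYN

@dataclass(frozen=True)
class Ace:
    action: str                         # "permit" or "deny"
    src: Optional[str] = None           # single host address; None means any
    dport: Optional[int] = None         # destination port (eq); None means any
    sport: Optional[int] = None         # source port (eq); None means any
    established: bool = False           # match only established TCP segments

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or self.src == p.src)
                and (self.dport is None or self.dport == p.dport)
                and (self.sport is None or self.sport == p.sport)
                and (not self.established or p.established))

def evaluate(acl: List[Ace], p: Packet) -> str:
    """Cisco ACLs are read top-down and the first matching entry decides;
    a packet that matches nothing hits the implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

VISA = "198.51.100.10"      # constructed placeholder for VISA's routable address
PORTS = (5001, 5002, 5003)  # constructed placeholders for the three VISA ports

# The questioner's list: per-port permits, per-port denies, then permit ip any any.
ORIGINAL = ([Ace("permit", src=VISA, dport=p) for p in PORTS]
            + [Ace("deny", dport=p) for p in PORTS]
            + [Ace("permit")])

# Default-deny variant: VISA on its ports, replies to inside-initiated
# connections, and an explicit deny so the intent is visible in the config.
HARDENED = ([Ace("permit", src=VISA, dport=p) for p in PORTS]
            + [Ace("permit", established=True), Ace("deny")])

if __name__ == "__main__":
    probe = Packet("203.0.113.5", "192.168.1.20", 23)   # stray telnet attempt
    print("original:", evaluate(ORIGINAL, probe), "hardened:", evaluate(HARDENED, probe))
```

The stray telnet packet shows the first expert's point: the original list only blocks the three VISA ports from other sources and lets everything else through, while the default-deny list drops it.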

bobbydall2000 (Author) commented:
VISA need to communicate not with a computer, but with its VISA terminals.  They installed terminals that will communicate through IP instead of phone line.
