We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


Cisco Router Allow Incoming Ports to all IPs

Medium Priority
Last Modified: 2006-11-18
Hello all.

Need help with a router config.  I can setup port forwarding easily to an internal static IP.  Works fine.  I am adding 2 VISA machine that work over ip and DHCP internal.  Visa has told me the ports to open and the static routable IP address they will be communicating from.  

I need to setup an access list that will allow any traffice on these ports from a specific IP to any internal machines.  Does this look correct:

access-list 100 permit tcp host <Routable IP> any eq <port number1>
access-list 100 permit tcp host <Routable IP> any eq <port number2>
access-list 100 permit tcp host <Routable IP> any eq <port number3>
access-list 100 deny tcp any any eq <port number1>
access-list 100 deny tcp any any eq <port number2>
access-list 100 deny tcp any any eq <port number3>
access-list 100 permit ip any any

interface dialer1
 ip acces-group 100 in

Watch Question

Top Expert 2004
That will work as expected, except that as long as you're creating an access list, how about limiting some of the other things that you don't want people doing from the outside? You're actually better off figuring out what you DO need and then by default not allowing anything else.

The only thing your list denies is attempted access to that specific port on any machine. What about Windows, telnet, and everything else that people try to do into your network?

If it's a dedicated link from VISA, why permit everything at the end?

things to think about...

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


What exactly is happening with this VISA stuff, are your computers requesting traffic from a VISA machine or what?  Is VISA from the outside making the requests in the first place.  I guess I dont see what they are trying to do and why they need to get in from the outside to any computer on the inside unless a computer from the inside requests the traffic in the first place.

My reasoning is that if the VISA from the outside is responding to an inside request, then you need to switch the eq "port" to the source not the destination, and you'd be better off changing the access list to accept an "established" connections, for example

access-list 100 permit tcp "Static IP" eq "port any established

That would allow all established (which means a response to a SYN packet) connections back in on those ports.  


VISA need to communicate not with a computer, but with it's VISA terminals.  They installed terminals that will communicate through IP instead of phone line.

Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.