Cisco 857 Router Port 1723 remains closed

Hi. I have recently installed a Cisco 857 router, but despite doing what I think is necessary to open port 1723 in the config, when I carry out a port scan using Shields Up, it shows port 1723 to remain closed. All other ports I have opened show up as open, all other ports show up as closed. Here is my config (with private info XXXXed out):
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 XXXXXXXXXXXXXXXXXXX.
!
no aaa new-model
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
!
crypto pki trustpoint TP-self-signed-3284358714
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3284358714
 revocation-check none
 rsakeypair TP-self-signed-3284358714
!
!
crypto pki certificate chain TP-self-signed-3284358714
 certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
!
!
username cisco privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
username pcs privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
!
interface ATM0
 no ip address
 ip virtual-reassembly
 no atm ilmi-keepalive
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description XXXXXXXXXXXXXXXXXXXXXXX
 ip address xxx.xxx.xxx.yyy 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username XXXXXXXXXXXXXXXXXXXXXXXXXXX password 0 XXXXXXXXXXXXX
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp xxx.xxx.xxx.zzz 3389 interface Dialer0 3389
ip nat inside source static tcp xxx.xxx.xxx.zzz  443 interface Dialer0 443
ip nat inside source static tcp xxx.xxx.xxx.zzz  80 interface Dialer0 80
ip nat inside source static tcp xxx.xxx.xxx.zzz  25 interface Dialer0 25
ip nat inside source static tcp xxx.xxx.xxx.zzz  1723 interface Dialer0 1723
!
access-list 1 permit XXXXXXXXXXXXXXXXXXXX
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password XXXXXXXXXXXXXX
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Cheers
pcsbay94

stsonline Commented:
Maybe I'm missing it, but I don't see where access-list 101 is applied to any of your interfaces... that'd probably be the issue. Functionally, the ACL is correct.
tvman_od Commented:
Are you sure that PPTP server has started? Do you have MS Firewall enabled on the host?
Everything seems correct in your config.
pcsbay94 (Author) Commented:
stsonline:

I added the following line under the interface Dialer0

 ip access-group 101 in

to bind it to the Dialer0 interface.  Then, as I could no longer surf the web or anything I added the following ports to access-list 101

access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 443
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 1723

However upon uploading the conf to the router I still couldn't get any access to the internet (web pages etc) so I blew away that conf and reuploaded the conf that I originally posted.  So I'm back to where I started.

What did I do wrong with binding the access-list 101 to the dialer0 interface?

Thanks

tvman_od Commented:
1. Direction
2. you need udp 53 for DNS
pcsbay94 (Author) Commented:
Tvman od:

Thank you for your concise answer. However, being new at all this Cisco IOS stuff, it's so concise that I need you to expand on it a little for it to be helpful to me. I don't understand what you mean by your first point, Direction.

As for the second point I put in  
access-list 101 permit udp any any eq 53
as that is what I assume you meant, but it made no difference - when I bind my access-list 101 to Dialer0 I cannot surf the web despite ATM0 and Dialer0 both being alive.

Any further help you could point out would be appreciated.

tvman_od Commented:
You can apply an ACL as inbound or outgoing. You need to make sure that source and destination IPs match as desired. In your case "Dialer in" means from the Internet. So this ACL will allow packets to port 80 and others in YOUR network. You need to apply it as

ip access-group 101 out

Besides that ACL 1 controls which IPs will be NATed

sh ip nat translation

will give you a list of all existing translations
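An added example, not from this thread or from Cisco: the inbound ACL on Dialer0 that the asker tried, written so that it admits both the services published by the static NAT entries in the posted config and the return traffic for sessions the LAN opens. "in" on Dialer0 means packets arriving from the Internet, so a list that only names the published ports drops every reply to an outbound web or DNS request, which is why browsing stopped. The `established` and source-port-53 lines are stateless matches (ACK/RST flags, UDP source port), not connection tracking; the ACL name and ICMP lines are my choices.

```cisco
! Added example, not from the original thread: ACL 101 applied INBOUND on the
! WAN side. Lines are matched top-down, first match wins, implicit deny at end.
!
! Replies to TCP sessions the LAN started (ACK or RST flag set). This is a
! stateless flag check, not a connection table.
access-list 101 permit tcp any any established
! DNS replies come back from source port 53; UDP has no flags to match on,
! so this admits any UDP packet whose source port is 53.
access-list 101 permit udp any eq 53 any
! Services published with the static NAT entries in the posted config.
! Inbound on the outside interface the ACL sees the pre-NAT packet, addressed
! to the Dialer0 public IP, so "any any" with the port is the right match.
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 3389
! Ping replies and unreachable/path-MTU messages for sessions the LAN started.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
! Make the implicit deny explicit and log it so dropped traffic shows up in
! "show logging" while the filter is being debugged.
access-list 101 deny ip any any log
!
interface Dialer0
 ip access-group 101 in
!
! Verify the binding and watch the per-line hit counters:
!   show ip interface Dialer0      (shows "Inbound access list is 101")
!   show access-lists 101          (matches per entry)
!   show ip nat translations       (active forwards, as tvman_od suggested)
```

Because `established` and the UDP line are stateless, anything sent with an ACK flag set or from source port 53 passes the filter; on a 12.4 image with the firewall feature set, CBAC (`ip inspect`) is the stateful alternative and is outside this example.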