Solved: opening port

Posted on 2008-06-10
321 Views
Last Modified: 2010-04-09
I want to open port 22 on my Cisco 800 series ADSL router.

The client has a fixed IP x.x.x.x and wants to connect to a PC on my network, 192.168.0.100, on port 22.

Can anyone post the command that I have to use?

Thanks
Question by: aucklandnz

29 Comments

Expert Comment by: ntscott (LVL 1)


Author Comment by: aucklandnz (LVL 3)

I'm not sure where to put my client's IP address that he will be connecting from.

Thx

Expert Comment by: ntscott (LVL 1)

Port forwarding just opens up the port on the router. All traffic on port 22 will be redirected to 192.169.1.100.

Author Comment by: aucklandnz (LVL 3)

Is it possible to restrict it so only people from one IP will be able to go through port 22?

Thanks

Expert Comment by: ntscott (LVL 1)

It is possible, but I'm not sure if it can be done on your router. You can, however, just configure the firewall on the computer.

If you are using Windows Firewall:
Open Windows Firewall
Go to the Exceptions tab
Find the program/port you want to use
Click Properties
Click Change Scope
Select Custom List
And add his IP/subnet

Expert Comment by: wgoodfellow (LVL 2)

The exact commands needed will depend on how the router is configured, and what model it is.

Author Comment by: aucklandnz (LVL 3)

The ADSL router acts as the firewall.
It is a Cisco 800 ADSL router.

Expert Comment by: wgoodfellow (LVL 2)

ip nat inside source static 192.168.10.100 22 x.x.x.x 22
access-list 101 permit ip y.y.y.y eq 22 x.x.x.x eq 22

Like I said, kinda hard to say exactly without seeing the config, but it should look something like that.

Author Comment by: aucklandnz (LVL 3)

I will post the config.

Author Comment by: aucklandnz (LVL 3)

Current configuration : 5273 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname TA-Lou
!
enable secret 5
!
username xxxxxx password
username xxxxxxx password
clock timezone nzst 12
clock summer-time +1300 recurring 1 Sun Oct 2:00 2 Sun Mar 3:00
aaa new-model
!
!
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
ip domain name mydomain.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
no ip bootp server
ip cef
ip inspect tcp synwait-time 300
ip inspect tcp max-incomplete host 200 block-time 3
ip inspect name CBACFilter tcp
ip inspect name CBACFilter udp
ip inspect name CBACFilter http java-list 51 timeout 3600
ip inspect name CBACFilter cuseeme
ip inspect name CBACFilter ftp
ip inspect name CBACFilter h323
ip inspect name CBACFilter realaudio
ip inspect name CBACFilter smtp
ip inspect name CBACFilter icmp alert on audit-trail on
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key 0 themightyreds address x.x.x.x
crypto isakmp identity hostname
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer x.x.x.x
 set transform-set sharks
 match address TAVPN
!
!
!
!
interface Ethernet0
 description Connection to LAN
 ip address 192.168.1.254 255.255.255.0
 ip access-group InternetOutbound in
 ip nat inside
 ip inspect CBACFilter out
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 dsl power-cutback 30
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description ADSL connection to the Internet via Xtra
 ip address negotiated previous
 ip access-group InternetInbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect CBACFilter out
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxx password xxxx
 ppp ipcp dns accept
 crypto map nolan
!
ip nat inside source route-map nonat interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
!
!
ip access-list extended InternetInbound
 permit icmp any any
 remark allowes Head office full access
 permit ip host x.x.x.x any
 remark allow VNC from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
 remark allow RDP from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
 remark allow MS SQL from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1433
 remark allow TELNET from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq telnet
 remark allow FTP from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq ftp
 permit ip host x.x.x.x any
 permit ip x.x.x.x 0.0.0.255 any
 permit ip host x.x.x.x any
ip access-list extended InternetOutbound
 permit ip any any
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit icmp any any
 remark allowes WebMarshal
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 8080
 remark allowes Outlook Web Access
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq www
 remark allowes MS SQL
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 1433
 remark allowes RDP
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 3389
 remark allowes VNC
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 5900
 remark allowes FTP
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq ftp
 remark allowes TELNET
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq telnet
ip access-list extended TAVPN
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
logging trap debugging
access-list 1 remark Local LAN
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 remark Who can Telnet In
access-list 23 permit any
access-list 150 remark NAT bypass for VPN traffic
access-list 150 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map nonat permit 10
 match ip address 150 130
!
banner motd ^CCC

------------------------------


Unauthorised access prohibited
All access is logged

^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login authentication local
 length 0
 transport input telnet
 transport output none
!
scheduler max-task-time 5000
!
end

Author Comment by: aucklandnz (LVL 3)

Any suggestions?

Thx

Expert Comment by: wgoodfellow (LVL 2)

access-list 22 remark Who can ssh In
access-list 22 permit 10.10.10.0 0.0.0.255
access-list 22 permit ip host x.x.x.x host dialer0. eq 22

ip nat inside source static 192.168.10.100 22 dialer0 22

I think that should do it.  The problem is that with only 1 external IP, all traffic for port 22 will go to 192.168.10.100.  

Author Comment by: aucklandnz (LVL 3)

What does this command do?
access-list 22 permit 10.10.10.0 0.0.0.255

Should it be 192.168.0.100 instead of 10.10.10.0?

Thanks

Expert Comment by: wgoodfellow (LVL 2)

I put that in because you had previously given that range access to everything.
Putting it in here just assures that it is still available. You can just omit it if you don't want the 10.x.x.x subnet to have SSH access (or if you just want to see if it still works without it).

Author Comment by: aucklandnz (LVL 3)

Cool.

Should there be a dot after dialer0, or is it a typo?
access-list 22 permit ip host x.x.x.x host dialer0. eq 22

Expert Comment by: wgoodfellow (LVL 2)

Typo... no dot.

Author Comment by: aucklandnz (LVL 3)

I'm getting this input error:
Translating "ip"
Invalid input detected, and the marker is pointing at ip.

Thanks

Author Comment by: aucklandnz (LVL 3)

The error is for this line:
access-list 22 permit ip host x.x.x.x host dialer0. eq 22

Expert Comment by: wgoodfellow (LVL 2)

Try leaving out the word host.

access-list 22 permit ip x.x.x.x dialer0 eq 22

Author Comment by: aucklandnz (LVL 3)

It still doesn't like ip.

Expert Comment by: wgoodfellow (LVL 2)

Are you in config mode? Where/how are you putting it in?

Author Comment by: aucklandnz (LVL 3)

I'm in config mode.

Expert Comment by: wgoodfellow (LVL 2)

OK. I found a config for one of our remote offices using an 871w and directly copy/pasted this line from the VPN portion of that config, so I don't know why it wouldn't be working for you.

access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.10.100 0.0.0.255

Oops... just thought of it, lol. You're allowing a port... the above line is allowing a range. tcp... not ip.

access-list 22 permit tcp host x.x.x.x host dialer0. eq 22

Author Comment by: aucklandnz (LVL 3)

It doesn't like tcp now.

Accepted Solution by: wgoodfellow (LVL 2), earned 500 total points

test# config t
Enter configuration commands, one per line.  End with CNTL/Z.
test(config)# access-list 22 permit tcp any eq 22 10.0.0.1 0.0.0.0 eq 22
test(config)#

I just typed that into an 871. That is a copy/paste of the session, so you can see that it worked for me. I don't know what would be different about your environment.

Author Comment by: aucklandnz (LVL 3)

So you reckon it's something with my Cisco?

Author Comment by: aucklandnz (LVL 3)

I have found the user guide, and it's a Cisco 837 router and SOHO 97.

Author Comment by: aucklandnz (LVL 3)

What about this line?
ip nat inside source static tcp 192.168.0.100 22 interface Dialer0 22

Thanks

Expert Comment by: wgoodfellow (LVL 2)

Give it a try. It will work. I'm just not sure if it will allow connecting from outside that way. I would think it will.
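Putting the thread's pieces together as one worked configuration (added here; not posted by anyone in the thread): the static port translation the author found, plus a single-host restriction placed in the InternetInbound ACL that the posted config already applies inbound on Dialer0. It assumes the PC is 192.168.0.100 as the question states (the posted config's Ethernet0 subnet is 192.168.1.0/24, so substitute the PC's real address) and uses CLIENT_IP as a placeholder for the client's fixed IP.

```cisco
! Added example, not from the thread. Goal: TCP/22 arriving on the ADSL
! (Dialer0) address reaches 192.168.0.100, and only CLIENT_IP may use it.
! CLIENT_IP is a placeholder; 192.168.0.100 is the PC from the question.
!
conf t
!
! 1. Static port translation. Dialer0's address is negotiated (dynamic),
!    so the interface is referenced instead of a fixed public IP.
ip nat inside source static tcp 192.168.0.100 22 interface Dialer0 22
!
! 2. Dialer0 already carries "ip access-group InternetInbound in", so new
!    inbound sessions are filtered by that named extended ACL before NAT
!    rewrites the destination. The entry therefore matches the public
!    (pre-NAT) destination, written as "any" because it is dynamic, and
!    admits only CLIENT_IP to port 22. Everything else not already
!    permitted is dropped by the ACL's implicit deny.
ip access-list extended InternetInbound
 remark allow SSH to the forwarded PC from CLIENT_IP only
 permit tcp host CLIENT_IP any eq 22
!
! Why the thread's "access-list 22 permit tcp ..." lines were rejected:
! numbered lists 1-99 (and 1300-1999) are standard ACLs and accept only
! a source address, so any protocol/port keywords give "Invalid input".
! Numbered extended ACLs use 100-199; a named extended ACL avoids the
! numbering question entirely.
!
end
!
! Checks after a test connection from CLIENT_IP: the translation should
! appear, and the hit counter on the new permit entry should increase.
show ip nat translations
show ip access-lists InternetInbound
```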