• Status: Solved

opening port

I want to open port 22 on my Cisco 800 series ADSL router.

The client has a fixed IP x.x.x.x and wants to connect to a PC on my network, 192.168.0.100, on port 22.

Can anyone post a command that I have to use?

Thanks
0
Asked: aucklandnz
1 Solution
 
ntscottCommented:
0
 
aucklandnzAuthor Commented:
I'm not sure where to put my client's IP address that he will be connecting from.

Thx
0
 
ntscottCommented:
Port forwarding just opens up the port on the router. All traffic on port 22 will be redirected to 192.169.1.100.
0
 
aucklandnzAuthor Commented:
Is it possible to restrict it so only people from one IP will be able to go through port 22?

thanks
0
 
ntscottCommented:
It is possible, but I'm not sure if it can be done on your router. You can, however, just configure the firewall on the computer.

If you are using Windows Firewall:
Open Windows Firewall
Go to the Exceptions tab
Find the program/port you want to use
Click Properties
Click Change Scope
Select Custom List
And add his IP/subnet
0
 
wgoodfellowCommented:
The exact commands needed will depend on how the router is configured, and what model it is.

0
 
aucklandnzAuthor Commented:
The ADSL router acts as a firewall.
It is a Cisco 800 ADSL router.
0
 
wgoodfellowCommented:
ip nat inside source static 192.168.10.100 22 x.x.x.x 22
access-list 101 permit ip y.y.y.y eq 22 x.x.x.x eq 22

Like I said, it's kinda hard to say exactly without seeing the config, but it should look something like that.
0
 
aucklandnzAuthor Commented:
I will post the config.
0
 
aucklandnzAuthor Commented:
Current configuration : 5273 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname TA-Lou
!
enable secret 5
!
username xxxxxx password
username xxxxxxx password
clock timezone nzst 12
clock summer-time +1300 recurring 1 Sun Oct 2:00 2 Sun Mar 3:00
aaa new-model
!
!
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
ip domain name mydomain.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
no ip bootp server
ip cef
ip inspect tcp synwait-time 300
ip inspect tcp max-incomplete host 200 block-time 3
ip inspect name CBACFilter tcp
ip inspect name CBACFilter udp
ip inspect name CBACFilter http java-list 51 timeout 3600
ip inspect name CBACFilter cuseeme
ip inspect name CBACFilter ftp
ip inspect name CBACFilter h323
ip inspect name CBACFilter realaudio
ip inspect name CBACFilter smtp
ip inspect name CBACFilter icmp alert on audit-trail on
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key 0 themightyreds address x.x.x.x
crypto isakmp identity hostname
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer x.x.x.x
 set transform-set sharks
 match address TAVPN
!
!
!
!
interface Ethernet0
 description Connection to LAN
 ip address 192.168.1.254 255.255.255.0
 ip access-group InternetOutbound in
 ip nat inside
 ip inspect CBACFilter out
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 dsl power-cutback 30
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description ADSL connection to the Internet via Xtra
 ip address negotiated previous
 ip access-group InternetInbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect CBACFilter out
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxx password xxxx
 ppp ipcp dns accept
 crypto map nolan
!
ip nat inside source route-map nonat interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
!
!
ip access-list extended InternetInbound
 permit icmp any any
 remark allowes Head office full access
 permit ip host x.x.x.x any
 remark allow VNC from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
 remark allow RDP from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
 remark allow MS SQL from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1433
 remark allow TELNET from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq telnet
 remark allow FTP from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq ftp
 permit ip host x.x.x.x any
 permit ip x.x.x.x 0.0.0.255 any
 permit ip host x.x.x.x any
ip access-list extended InternetOutbound
 permit ip any any
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit icmp any any
 remark allowes WebMarshal
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 8080
 remark allowes Outlook Web Access
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq www
 remark allowes MS SQL
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 1433
 remark allowes RDP
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 3389
 remark allowes VNC
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 5900
 remark allowes FTP
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq ftp
 remark allowes TELNET
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq telnet
ip access-list extended TAVPN
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
logging trap debugging
access-list 1 remark Local LAN
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 remark Who can Telnet In
access-list 23 permit any
access-list 150 remark NAT bypass for VPN traffic
access-list 150 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map nonat permit 10
 match ip address 150 130
!
banner motd ^CCC

------------------------------


Unauthorised access prohibited
All access is logged

^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login authentication local
 length 0
 transport input telnet
 transport output none
!
scheduler max-task-time 5000
!
end
0
 
aucklandnzAuthor Commented:
Any suggestions?

Thx
0
 
wgoodfellowCommented:
access-list 22 remark Who can ssh In
access-list 22 permit 10.10.10.0 0.0.0.255
access-list 22 permit ip host x.x.x.x host dialer0. eq 22

ip nat inside source static 192.168.10.100 22 dialer0 22

I think that should do it.  The problem is that with only 1 external IP, all traffic for port 22 will go to 192.168.10.100.  

0
 
aucklandnzAuthor Commented:
What does this command do?
access-list 22 permit 10.10.10.0 0.0.0.255

Should it be 192.168.0.100 instead of 10.10.10.0?

Thanks
0
 
wgoodfellowCommented:
I put that in because you had previously given that range access to everything.
Putting it in here just assures that it is still available. You can just omit it if you don't want the 10.x.x.x subnet to have SSH access (or if you just wanna see if it still works without it).
0
 
aucklandnzAuthor Commented:
Cool.

Should there be a dot after dialer0, or is it a typo?
access-list 22 permit ip host x.x.x.x host dialer0. eq 22

0
 
wgoodfellowCommented:
Typo... no dot.
0
 
aucklandnzAuthor Commented:
I'm getting this input error:
Translating "ip"
Invalid input detected, and the marker is pointing at ip.

thanks
0
 
aucklandnzAuthor Commented:
The error is for this line:
access-list 22 permit ip host x.x.x.x host dialer0. eq 22
0
 
wgoodfellowCommented:
Try leaving out the word host.

access-list 22 permit ip x.x.x.x dialer0 eq 22
0
 
aucklandnzAuthor Commented:
It still doesn't like ip.
0
 
wgoodfellowCommented:
Are you in config mode? Where/how are you putting it in?
0
 
aucklandnzAuthor Commented:
I'm in config mode.
0
 
wgoodfellowCommented:
OK. I found a config for one of our remote offices using an 871w.
I directly copy/pasted this line from the VPN portion of that config, so I don't know why it wouldn't be working for you.

access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.10.100 0.0.0.255

Oops... just thought of it. lol. You're allowing a port; the above line is allowing a range. tcp... not ip.

access-list 22 permit tcp host x.x.x.x host dialer0. eq 22
0
 
aucklandnzAuthor Commented:
It doesn't like tcp now.
0
 
wgoodfellowCommented:

test# config t
Enter configuration commands, one per line.  End with CNTL/Z.
test(config)# access-list 22 permit tcp any eq 22 10.0.0.1 0.0.0.0 eq 22
test(config)#

I just typed that into an 871. That is a copy/paste of the session, so you can see that it worked for me. I don't know what would be different about your environment.

0
 
aucklandnzAuthor Commented:
So you reckon it's something with my Cisco?
0
 
aucklandnzAuthor Commented:
I have found the user guide, and it's a Cisco 837 router and SOHO 97.
0
 
aucklandnzAuthor Commented:
What about this line?
ip nat inside source static tcp 192.168.0.100 22 interface Dialer0 22

Thanks
0
 
wgoodfellowCommented:
Give it a try. It will work. I'm just not sure if it will allow connecting from outside that way. I would think it will.
0
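An added example, not posted by anyone in the thread, of the restricted port-forward written against the config posted above. The client address 203.0.113.10 and the inside host 192.168.1.100 are placeholders I chose, assuming the PC sits on the router's 192.168.1.0/24 LAN behind Ethernet0; the ACL name, interface names and CBAC setup are taken from the posted config.

```cisco
! Added example (not from the thread): forward TCP/22 to one inside host
! and permit it only from one fixed remote address.
! Placeholders (assumptions, not values from the thread):
!   203.0.113.10  = the client's fixed public IP
!   192.168.1.100 = the inside PC, assumed to be on the Ethernet0 LAN
!                   (192.168.1.0/24), which is what ACL 150 already NATs
!
! 1. Static PAT on the negotiated Dialer0 address. This only translates;
!    it does not restrict who may connect. Port 22 is free on the router
!    itself because the vty lines are 'transport input telnet' with no SSH.
ip nat inside source static tcp 192.168.1.100 22 interface Dialer0 22
!
! 2. Add the permit to the named ACL that is already applied 'in' on
!    Dialer0. The inbound ACL is checked before NAT, so the destination is
!    the public Dialer0 address; it is 'any' here because that address is
!    negotiated and an ACL cannot name an interface. Any other source
!    hitting port 22 falls through to the list's implicit deny.
ip access-list extended InternetInbound
 remark allow SSH to 192.168.1.100 from the client's fixed IP only
 permit tcp host 203.0.113.10 any eq 22
!
! Why 'access-list 22 permit tcp ...' was rejected in the thread: numbers
! 1-99 are standard ACLs and take only a source address, so the parser
! stops at 'ip'/'tcp'. Extended ACLs need 100-199, 2000-2699 or a name.
!
! 3. Verify after the client connects: the permit line's match counter
!    should rise and a :22 translation should appear.
!    show ip access-lists InternetInbound
!    show ip nat translations | include :22
```

Return traffic for the forwarded session leaves via Dialer0, where the existing `ip inspect CBACFilter out` and the `permit ip any any` in InternetOutbound on Ethernet0 already allow it, so no further ACL change is needed.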
