Solved

opening port

Posted on 2008-06-10
Medium Priority
334 Views
Last Modified: 2010-04-09
I want to open port 22 on my cisco 800 series adsl router.

The client has a fixed IP x.x.x.x and wants to connect to a PC on my network, 192.168.0.100, on port 22.

Can anyone post the command that I have to use?

Thanks
Question by:aucklandnz
29 Comments
 
LVL 1

Expert Comment

by:ntscott
ID: 21756410
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21756420
I'm not sure where to put my client's IP address that he will be connecting from.

Thx
0
 
LVL 1

Expert Comment

by:ntscott
ID: 21756493
Port forwarding just opens up the port on the router. All traffic on port 22 will be redirected to 192.169.1.100.
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21756512
Is it possible to restrict it so only people from one IP will be able to go through port 22?

thanks
0
 
LVL 1

Expert Comment

by:ntscott
ID: 21756611
It is possible, but I'm not sure if it can be done on your router. You can, however, just configure the firewall on the computer.

If you are using Windows Firewall:
Open Windows Firewall
Go to the Exceptions tab
Find the program/port you want to use
Click Properties
Click Change scope
Select Custom list
And add his IP/subnet
0
 
LVL 2

Expert Comment

by:wgoodfellow
ID: 21762304
The exact commands needed will depend on how the router is configured, and what model it is.

0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21765016
The ADSL router acts as the firewall.
It is a Cisco 800 ADSL router.
0
 
LVL 2

Expert Comment

by:wgoodfellow
ID: 21765062
ip nat inside source static 192.168.10.100 22 x.x.x.x 22
access-list 101 permit ip y.y.y.y eq 22 x.x.x.x eq 22

Like I said, kinda hard to say exactly without seeing the config, but it should look something like that.
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21765068
I will post the config.
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21765103
Current configuration : 5273 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname TA-Lou
!
enable secret 5
!
username xxxxxx password
username xxxxxxx password
clock timezone nzst 12
clock summer-time +1300 recurring 1 Sun Oct 2:00 2 Sun Mar 3:00
aaa new-model
!
!
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
ip domain name mydomain.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
no ip bootp server
ip cef
ip inspect tcp synwait-time 300
ip inspect tcp max-incomplete host 200 block-time 3
ip inspect name CBACFilter tcp
ip inspect name CBACFilter udp
ip inspect name CBACFilter http java-list 51 timeout 3600
ip inspect name CBACFilter cuseeme
ip inspect name CBACFilter ftp
ip inspect name CBACFilter h323
ip inspect name CBACFilter realaudio
ip inspect name CBACFilter smtp
ip inspect name CBACFilter icmp alert on audit-trail on
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key 0 themightyreds address x.x.x.x
crypto isakmp identity hostname
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer x.x.x.x
 set transform-set sharks
 match address TAVPN
!
!
!
!
interface Ethernet0
 description Connection to LAN
 ip address 192.168.1.254 255.255.255.0
 ip access-group InternetOutbound in
 ip nat inside
 ip inspect CBACFilter out
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 dsl power-cutback 30
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description ADSL connection to the Internet via Xtra
 ip address negotiated previous
 ip access-group InternetInbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect CBACFilter out
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxx password xxxx
 ppp ipcp dns accept
 crypto map nolan
!
ip nat inside source route-map nonat interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
!
!
ip access-list extended InternetInbound
 permit icmp any any
 remark allowes Head office full access
 permit ip host x.x.x.x any
 remark allow VNC from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
 remark allow RDP from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
 remark allow MS SQL from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1433
 remark allow TELNET from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq telnet
 remark allow FTP from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq ftp
 permit ip host x.x.x.x any
 permit ip x.x.x.x 0.0.0.255 any
 permit ip host x.x.x.x any
ip access-list extended InternetOutbound
 permit ip any any
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit icmp any any
 remark allowes WebMarshal
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 8080
 remark allowes Outlook Web Access
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq www
 remark allowes MS SQL
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 1433
 remark allowes RDP
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 3389
 remark allowes VNC
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 5900
 remark allowes FTP
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq ftp
 remark allowes TELNET
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq telnet
ip access-list extended TAVPN
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
logging trap debugging
access-list 1 remark Local LAN
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 remark Who can Telnet In
access-list 23 permit any
access-list 150 remark NAT bypass for VPN traffic
access-list 150 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map nonat permit 10
 match ip address 150 130
!
banner motd ^CCC

------------------------------


Unauthorised access prohibited
All access is logged

^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login authentication local
 length 0
 transport input telnet
 transport output none
!
scheduler max-task-time 5000
!
end
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21766050
Any suggestions?

Thx
0
 
LVL 2

Expert Comment

by:wgoodfellow
ID: 21766180
access-list 22 remark Who can ssh In
access-list 22 permit 10.10.10.0 0.0.0.255
access-list 22 permit ip host x.x.x.x host dialer0. eq 22

ip nat inside source static 192.168.10.100 22 dialer0 22

I think that should do it.  The problem is that with only 1 external IP, all traffic for port 22 will go to 192.168.10.100.  

0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21766194
What does this command do?
access-list 22 permit 10.10.10.0 0.0.0.255

Should it be 192.168.0.100 instead of 10.10.10.0?

Thanks
0
 
LVL 2

Expert Comment

by:wgoodfellow
ID: 21766205
I put that in b/c you had previously given that range access to everything.
Putting it in here just assures that it is still available. You can just omit it if you don't want the 10.x.x.x subnet to have SSH access (or if you just wanna see if it still works without it).
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21766216
cool

Should there be a dot after dialer0, or is it a typo?
access-list 22 permit ip host x.x.x.x host dialer0. eq 22

0
 
LVL 2

Expert Comment

by:wgoodfellow
ID: 21766222
typo...no dot
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21766229
I'm getting this input error:
Translating "ip"
Invalid input detected, and the marker is pointing at ip.

thanks
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21766239
The error is for this line:
access-list 22 permit ip host x.x.x.x host dialer0. eq 22
0
 
LVL 2

Expert Comment

by:wgoodfellow
ID: 21766245
Try leaving out the word host.

access-list 22 permit ip x.x.x.x dialer0 eq 22
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21766250
Still doesn't like ip.
0
 
LVL 2

Expert Comment

by:wgoodfellow
ID: 21766252
Are you in config mode?  Where\how are you putting it in?
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21766258
I'm in config mode.
0
 
LVL 2

Expert Comment

by:wgoodfellow
ID: 21766278
OK. I found a config for one of our remote offices using an 871w.
I directly copy/pasted this line from the VPN portion of that config, so I don't know why it wouldn't be working for you.

access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.10.100 0.0.0.255

Oops... just thought of it. lol. You're allowing a port; the above line is allowing a range. tcp... not ip.

access-list 22 permit tcp host x.x.x.x host dialer0. eq 22
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21766367
It doesn't like tcp now.
0
 
LVL 2

Accepted Solution

by: wgoodfellow (earned 1500 total points)
ID: 21766417

test# config t
Enter configuration commands, one per line.  End with CNTL/Z.
test(config)# access-list 22 permit tcp any eq 22 10.0.0.1 0.0.0.0 eq 22
test(config)#

I just typed that into an 871. That is a copy/paste of the session, so you can see that it worked for me. I don't know what would be different about your environment.

0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21790451
So you reckon it's something with my Cisco?
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21790474
I have found the user guide, and it's a Cisco 837 router and SOHO 97.
0
 
LVL 3

Author Comment

by:aucklandnz
ID: 21799313
What about this line?
ip nat inside source static tcp 192.168.0.100 22 interface Dialer0 22

Thanks
0
 
LVL 2

Expert Comment

by:wgoodfellow
ID: 21800807
Give it a try. It will work. I'm just not sure if it will allow connecting from outside that way. I would think it will.
0
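Editor's note with an added example, not code from anyone in the thread or from Cisco. The thread ends with two pieces: a static PAT entry (the asker's `ip nat inside source static tcp 192.168.0.100 22 interface Dialer0 22`) and the question of how to limit who may reach that port. On IOS the two facts that matter are: numbered ACLs 1-99 (and 1300-1999) are standard lists that match the source address only, so protocol and port keywords such as `tcp` or `eq 22` belong in an extended list (100-199, 2000-2699, or a named extended list like the posted config's InternetInbound); and an inbound ACL on the outside interface is evaluated before outside-to-inside NAT, so it sees the router's global address as the destination, not 192.168.0.100, which is why the rule below uses `any` for the destination. ACLs are first-match with an implicit `deny ip any any` at the end, so placement matters; in the posted config InternetOutbound opens with `permit ip any any`, which means none of its later entries are ever reached, and the inside address in the static entry has to be the host's real LAN address (the posted Ethernet0 is 192.168.1.0/24, while the question names 192.168.0.100; the example keeps the question's value). The Python below parses the small subset of IOS extended ACL syntax used here (permit/deny, ip/tcp/udp/icmp, `any` / `host A` / `A WILDCARD`, optional `eq PORT` on the destination) and evaluates constructed packets against the rule plus the PAT mapping. The client address 203.0.113.10 and the Dialer0 address 198.51.100.1 are constructed stand-ins for the thread's x.x.x.x.

```python
"""Model of an IOS extended ACL plus a static PAT entry for the port-22 forward.

Added example for this page (not code from the thread or from Cisco). The
parser covers only the ACL subset used below. Addresses in the documentation
ranges are constructed stand-ins for the values the thread masks as x.x.x.x.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CLIENT_IP = "203.0.113.10"     # constructed stand-in for the client's fixed x.x.x.x
OUTSIDE_IP = "198.51.100.1"    # constructed stand-in for the Dialer0 address
INSIDE_HOST = "192.168.0.100"  # the inside PC named in the question

# Entries an engineer would add near the top of 'ip access-list extended
# InternetInbound' (applied 'in' on Dialer0). The inbound ACL is evaluated
# before outside-to-inside NAT, so the destination is the router's global
# address; 'any' is used because that address is negotiated.
INBOUND_ACL = """
permit tcp host 203.0.113.10 any eq 22
deny   tcp any any eq 22
permit icmp any any
""".strip().splitlines()

# Static PAT from the asker's line:
#   ip nat inside source static tcp 192.168.0.100 22 interface Dialer0 22
STATIC_PAT = {("tcp", 22): (INSIDE_HOST, 22)}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens):
    """Consume one IOS address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24.
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    net = ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)
    return net, tokens[2:]


def parse_ace(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None  # numeric ports only
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport


def evaluate_acl(acl_lines, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def inbound_decision(pkt):
    """('permit', (inside_host, port)) or ('deny', None) for a packet arriving on Dialer0."""
    if evaluate_acl(INBOUND_ACL, pkt) != "permit":
        return ("deny", None)
    return ("permit", STATIC_PAT.get((pkt.proto, pkt.dport)))


if __name__ == "__main__":
    for pkt in [Packet("tcp", CLIENT_IP, OUTSIDE_IP, 22),       # the client's SSH
                Packet("tcp", "192.0.2.77", OUTSIDE_IP, 22),    # anyone else on 22
                Packet("tcp", CLIENT_IP, OUTSIDE_IP, 3389)]:    # client, wrong port
        print(pkt, "->", inbound_decision(pkt))
```

The explicit `deny tcp any any eq 22` is not strictly needed because of the implicit deny, but it keeps the intent visible in `show access-lists` hit counters, which is the simplest way to see whether unexpected sources are probing the forwarded port.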