How can I open all ports to specific host?

Posted on 2008-10-20
Medium Priority
Last Modified: 2012-06-21
I have a public IP address of being NAT'd to and want to open ALL ports just to that device.  Ultimately, I would like to be able to pass off the public IP address directly to that device, however, if it is not allowed I just want to open all ports to it.  How can I go about doing so?

interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address
interface Vlan2
 description Outside Interface
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name This.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outsidein extended permit icmp any any
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any any eq smtp
access-list outsidein extended permit tcp any any eq pop3
access-list outsidein extended permit tcp any any eq imap4
access-list outsidein extended permit udp any any eq 23
access-list outsidein extended permit tcp any host eq telnet
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) netmask
access-group outsidein in interface outside
route outside X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd enable inside

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
Question by:rcooper83
Expert Comment

ID: 22764027
Since you have the static set up OK, you just need to tweak your internet-facing access-list (outsidein).

Here is a suggested config. The only line you actually need is the line shown in bold below (with some additions that will help you with management if you wish them).

1. Make a readable name for your inbound server
2. Create object groups for services and/or networks. This makes changes to the ports you use as easy as adding or deleting an object in the object-group, instead of having to add or remove actual lines in the access-list. Much less chance of making an error that way.
3. Create the access-list with the appropriate destinations based on the services you want.
4. Apply the access-list to an interface.

router# config t

name mydestinationserver

object-group network ServiceDestinations_net
  network-object (THIS IS OPTIONAL..It covers all the servers in your netblock..I suggest honing each destination individually based on the services you need.)
  network-object host
object-group service InboundServices-tcp tcp
  port-object eq www
  port-object eq pop3
  port-object eq smtp
  port-object eq imap4
object-group service InboundServices-udp udp
  port-object eq 23

(This next section will erase your current access-list and make it much easier to edit and cleaner. Sorry, I am a neat freak. If you want, there are some security items you should know given what your access-list looks like. Make sure you have internal connectivity before you do the step "clear config access-list outsidein".)

clear config access-list outsidein
access-list outsidein permit icmp any any
access-list outsidein permit tcp any mydestinationserver log
access-list outsidein permit tcp any ServiceDestinations_net object-group InboundServices-tcp
access-list outsidein permit udp any ServiceDestinations_net object-group InboundServices-udp
access-list outsidein extended permit tcp any host eq telnet
access-list outsidein deny ip any any log

access-group outsidein in interface outside

I know this was way more than you asked for. But a firewall isn't any good if all you do is put accept ip any any everywhere.


Accepted Solution

inrouted earned 2000 total points
ID: 22764051
Oops, hit send before I spell-checked.

Here is the super terse answer to your question, without all of the unsolicited policy changes. Haha, sorry, I just can't look at a firewall configuration and not optimize and try to lock it down. It is what a firewall is for, hehe :)

This will insert any tcp or udp port access to and log it.

access-list outsidein line 1 permit tcp any host log
access-list outsidein line 2 permit udp any host log
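To see what the two comments above are arguing about in one place, here is an added audit script (not from the original thread or from Cisco) that parses ASA-style access-list lines and flags the risky patterns discussed: all-port permits to a host, clear-text telnet, and a missing final logged deny. The ACL text and the 203.0.113.x addresses are constructed placeholders, not the questioner's real configuration.

```python
import re

# Constructed sample: the questioner's outsidein ACL with the accepted
# solution's two all-port lines inserted at the top. Addresses are placeholders.
SAMPLE_ACL = """\
access-list outsidein line 1 permit tcp any host 203.0.113.10 log
access-list outsidein line 2 permit udp any host 203.0.113.10 log
access-list outsidein extended permit icmp any any
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any any eq smtp
access-list outsidein extended permit udp any any eq 23
access-list outsidein extended permit tcp any host 203.0.113.11 eq telnet
"""

# Simplified grammar: any | host A | object-group G | network mask.
_ADDR = r"(?:any|host\s+\S+|object-group\s+\S+|\S+\s+\S+)"
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)(?:\s+line\s+\d+)?(?:\s+extended)?"
    r"\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    rf"\s+(?P<src>{_ADDR})\s+(?P<dst>{_ADDR})"
    r"(?:\s+(?P<op>eq|range|object-group)\s+(?P<port>\S+))?"
    r"(?P<log>\s+log)?\s*$"
)

def parse_line(line):
    """Return a dict of ACL fields, or None if the line is not understood."""
    m = ACL_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_acl(text):
    """Return (line_number, reason) findings; line 0 marks whole-ACL issues."""
    findings = []
    entries = [(n, parse_line(l)) for n, l in enumerate(text.splitlines(), 1) if l.strip()]
    for n, e in entries:
        if e is None:
            findings.append((n, "unparsed entry"))
            continue
        if e["action"] != "permit":
            continue
        if e["proto"] in ("tcp", "udp") and e["op"] is None:
            findings.append((n, f"all {e['proto']} ports open to {e['dst']}"))
        if e["proto"] == "ip" and e["src"] == "any" and e["dst"] == "any":
            findings.append((n, "permit ip any any"))
        if e["port"] in ("telnet", "23"):
            findings.append((n, "clear-text telnet permitted"))
    last = entries[-1][1] if entries else None
    if not (last and last["action"] == "deny" and last["proto"] == "ip"
            and last["src"] == "any" and last["dst"] == "any" and last["log"]):
        findings.append((0, "no explicit logged 'deny ip any any' at end of ACL"))
    return findings
```

Appending the expert's `deny ip any any log` line as the last entry clears the whole-ACL finding but leaves the per-line ones, which is the trade-off the accepted answer makes explicit.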

Author Comment

ID: 22764066
I will give it a shot in the morning. I have never thought to use the object groups. It does clean it up quite nicely. Just a little more lines, but clean. Then you just add to the service group as opposed to the ACL each time.

Doing it this way can I assign the public IP address directly to the device?  Or do I need to keep the NAT?

Expert Comment

ID: 22764934
The device needs to keep its RFC1918 address.  But anything will be able to connect to it.

As for the policy optimization, yes, when you have to add a new service (to the IP other than the one you are allowing everything to, obviously) it's just one line. From one computer nerd to another, you really need to go through your policy and eliminate anything clear text. No telnet etc. SSH is trivial to set up, because if you use telnet, you might as well not even use passwords. I apologize for the lecture, but I have to do it.

Expert Comment

ID: 22840860
So were you successful?
