Solved

How can I open all ports to specific host?

Posted on 2008-10-20
1,701 Views
Last Modified: 2012-06-21
I have a public IP address of 1.2.3.99 being NAT'd to 192.168.0.250 and want to open ALL ports just to that device.  Ultimately, I would like to be able to pass off the public IP address directly to that device, however, if it is not allowed I just want to open all ports to it.  How can I go about doing so?

names
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 description Outside Interface
 nameif outside
 security-level 0
 ip address 1.2.3.98 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name This.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outsidein extended permit icmp any any
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any any eq smtp
access-list outsidein extended permit tcp any any eq pop3
access-list outsidein extended permit tcp any any eq imap4
access-list outsidein extended permit udp any any eq 23
access-list outsidein extended permit tcp any host 192.168.0.1 eq telnet
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.2.3.99 192.168.0.250 netmask 255.255.255.255
access-group outsidein in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.100-192.168.0.199 inside
dhcpd enable inside
!


!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Question by: rcooper83

Expert Comment by: inrouted
ID: 22764027
Since you have the static set up OK, you just need to tweak your Internet-facing access-list (outsidein).

Here is a suggested config. The only line you actually need is the line below that permits tcp from any to mydestinationserver (with some additions that will help you with management if you wish them).

1. Make a readable name for your inbound server
2. Create object groups for services and/or networks. This makes changes to the ports you use as easy as adding or deleting an object in the object-group, instead of having to add or remove actual lines in the access-list. Much less chance of making an error that way.
3. Create the access-list with the appropriate destinations based on the services you want.
4. Apply the access-list to an interface.

router# config t

name 1.2.3.99 mydestinationserver

object-group network ServiceDestinations_net
  description Optional: covers the whole public netblock. Better to hone each destination individually based on the services you need.
  network-object 1.2.3.96 255.255.255.248
  network-object host 1.2.3.99
object-group service InboundServices-tcp tcp
  port-object eq www
  port-object eq pop3
  port-object eq smtp
  port-object eq imap4
object-group service InboundServices-udp udp
  port-object eq 23
exit

(This next section will erase your current access-list, making it much easier to edit and cleaner. Sorry, I am a neat freak. If you want, there are some security items you should know about given what your access-list looks like. Make sure you have internal connectivity before you do the step clear config access-list outsidein.)

clear config access-list outsidein
access-list outsidein extended permit icmp any any
access-list outsidein extended permit tcp any host mydestinationserver log
access-list outsidein extended permit tcp any object-group ServiceDestinations_net object-group InboundServices-tcp
access-list outsidein extended permit udp any object-group ServiceDestinations_net object-group InboundServices-udp
access-list outsidein extended permit tcp any host 192.168.0.1 eq telnet
access-list outsidein extended deny ip any any log

access-group outsidein in interface outside



I know this was way more than you asked for, but a firewall isn't any good if all you do is put accept ip any any everywhere.

Goodluck
-route
Accepted Solution by: inrouted (earned 500 total points)
ID: 22764051
Oops, hit send before I spell checked.

Here is the super terse answer to your question, without all of the unsolicited policy changes. Haha, sorry, I just can't look at a firewall configuration and not optimize and try to lock it down. It is what a firewall is for. :)

This will insert access for any TCP or UDP port to 1.2.3.99 and log it.

access-list outsidein line 1 permit tcp any host 1.2.3.99 log
access-list outsidein line 2 permit udp any host 1.2.3.99 log
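As an added example (not part of the original thread), here is the complete pre-8.3 ASA configuration that the accepted answer describes, written against the addresses in the question (1.2.3.99 public, 192.168.0.250 inside, ACL name outsidein). It assumes ASA 7.2/8.0-8.2 syntax, where the ACL on the outside interface matches the mapped (public) address; on ASA 8.3 and later, NAT is configured on a network object and the ACL references the real inside address instead. The source host 203.0.113.5 in the packet-tracer check is a constructed documentation address. Comment lines start with "!" and are ignored when pasted.

```cisco
! One-to-one static NAT, 1.2.3.99 on the outside <-> 192.168.0.250 on the inside.
! This line is already in the posted config; repeated here for completeness.
static (inside,outside) 1.2.3.99 192.168.0.250 netmask 255.255.255.255

! Insert the host-wide permits at the top of the existing outsidein ACL so they
! are evaluated before the per-port entries. Pre-8.3: match the mapped address
! 1.2.3.99, not the real address 192.168.0.250.
access-list outsidein line 1 extended permit tcp any host 1.2.3.99 log
access-list outsidein line 2 extended permit udp any host 1.2.3.99 log
! ICMP is a separate protocol; add it if ping/traceroute to the host should work.
access-list outsidein line 3 extended permit icmp any host 1.2.3.99

! Make the implicit deny explicit and logged so blocked probes show up in syslog.
! Appended entries go at the end, after everything already in the ACL.
access-list outsidein extended deny ip any any log

! Apply to the outside interface (a no-op if the ACL is already applied there).
access-group outsidein in interface outside

! Verification, from enable mode.
! Entry order and per-entry hit counts:
show running-config access-list outsidein
show access-list outsidein
! Confirm the static translation exists:
show xlate | include 192.168.0.250
! Simulate an inbound TCP/22 connection from an arbitrary Internet host and
! read the final "Action:" line; it should say allow, and the NAT phase should
! show 1.2.3.99 translated to 192.168.0.250.
packet-tracer input outside tcp 203.0.113.5 40000 1.2.3.99 22
```

The ACL is evaluated top-down with first match, so an entry placed at line 1 for the host takes precedence over the narrower per-port entries that follow; the explicit deny at the bottom changes nothing about what is blocked but makes the blocks visible in the logs.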
 
LVL 1

Author Comment

by:rcooper83
ID: 22764066
I will give it a shot in the morning. I have never thought to use the object groups. It does clean it up quite nicely. Just a few more lines, but clean. Then you just add to the service group as opposed to the ACL each time.

Doing it this way can I assign the public IP address directly to the device?  Or do I need to keep the NAT?
Expert Comment by: inrouted
ID: 22764934
The device needs to keep its RFC1918 address.  But anything will be able to connect to it.

As for the policy optimization, yes, when you have to add a new service (to an IP other than the one you are allowing everything to, obviously) it's just one line. From one computer nerd to another, you really need to go through your policy and eliminate anything clear text. No telnet, etc. SSH is trivial to set up, because if you use telnet, you might as well not even use passwords. I apologize for the lecture, but I have to do it.
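As an added example of the SSH advice above (not part of the original thread), this is the minimal ASA 7.x/8.x configuration for SSH management access from the inside LAN with a local account. Management access to the ASA itself is governed by the ssh, telnet and http commands, not by interface ACLs, so the ACL entry permitting telnet to 192.168.0.1 in the posted config does not grant it. The hostname asa5505, the username admin and the password placeholder are assumptions; the domain name This.com is taken from the posted dns server-group.

```cisco
! The RSA host key needs a hostname and a domain name; the posted config sets
! neither globally (hostname is an assumption, domain name from the config).
hostname asa5505
domain-name This.com

! Generate the SSH host key (answer yes if prompted to replace an existing key).
crypto key generate rsa modulus 2048

! Local admin account used for SSH logins; replace the placeholder password before pasting.
username admin password CHANGE-ME privilege 15
aaa authentication ssh console LOCAL

! Allow SSH only from the inside LAN, SSHv2 only, idle timeout 5 minutes.
ssh 192.168.0.0 255.255.255.0 inside
ssh version 2
ssh timeout 5

! With no "telnet <net> <mask> <if>" statements the ASA's telnet server accepts
! no connections at all; remove any that exist, for example:
! no telnet 192.168.0.0 255.255.255.0 inside

! Verification.
show crypto key mypubkey rsa
show ssh
show running-config telnet
```

Test the SSH login from an inside host before closing the console session, and confirm that `show running-config telnet` lists no permitted networks.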
 
LVL 2

Expert Comment

by:inrouted
ID: 22840860
So were you successful?