Access-list opening a port

abbetech
I need to open a port on one of my servers for our public wireless folks, so they can get to the proxy server which controls access to our paid databases. The port the proxy is on is 81 and the server's IP is 10.3.50.111, so would I just add the line below to the access-list on my router?

access-list 199 permit tcp any host 10.3.50.111 eq 81
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
It is OK, but can we see the whole config?

Commented:
Is this router facing the internet? It may require you to use the public IP address of the server they are trying to access.

Author

Commented:
Here you go,
I would be adding it to this one.
Regards,
ABBEtech
 
Building configuration...

Current configuration : 3604 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 31-Router-1
!
boot-start-marker
boot system flash:c1841-ipbasek9-mz.124-12.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$bEh2$jBuRY4j0Hl9G6kSbspsCs0
!
aaa new-model
!
!
aaa authentication banner ^CCC
ALL ACCESS IS LOGGED!!
^C
aaa authentication fail-message ^CCC
Failure logged.^C
aaa authentication login default local line
!
aaa session-id common
ip cef
!
!
!
!
ip domain name it.abbe-lib.org
ip name-server 10.3.50.222
ip name-server 10.3.31.222
ip dhcp-server 10.3.31.222
!
!
username abbeadmin secret 5 $1$eo/9$W0YjUPhZ67OzKBYvhyi5//
!
!
!
interface Loopback0
ip address 10.161.192.222 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
description Private Lan Interface
encapsulation dot1Q 1 native
ip address 10.3.31.222 255.255.255.0
ip helper-address 10.3.31.222
ip helper-address 10.3.50.222
ip helper-address 10.3.50.222
ip policy route-map bluesocket
no cdp enable
!
interface FastEthernet0/0.2
description Public Lan Interface
encapsulation dot1Q 2
ip address 10.5.31.1 255.255.255.0
ip helper-address 10.3.31.222
ip helper-address 10.3.50.222
ip helper-address 10.3.50.222
ip policy route-map bluesocket
no cdp enable
!
interface FastEthernet0/0.3
description ABBEnet Wireless Interface
encapsulation dot1Q 3
ip address 10.7.31.222 255.255.255.0
ip access-group 199 in
ip helper-address 10.3.31.222
ip helper-address 10.3.50.222
ip helper-address 10.3.50.222
ip policy route-map bluesocket
no cdp enable
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description CONNECTED TO MPLS-T1-CIR_ID: 34.HCGS.418604
ip address 10.190.176.222 255.255.255.252
encapsulation ppp
no ip mroute-cache
no fair-queue
service-module t1 timeslots 1-24
no cdp enable
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip default-gateway 10.190.176.222
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 199 permit tcp any host 10.3.50.222 eq www
access-list 199 permit udp any host 10.3.31.222 eq domain
access-list 199 permit udp any host 10.3.31.222 eq bootps
access-list 199 deny ip any 10.0.0.0 0.255.255.255
access-list 199 permit ip any any
snmp-server community public RO
snmp-server enable traps snmp authentication
snmp-server host 10.3.50.245 public snmp
no cdp run
route-map bluesocket permit 10
match ip address 110
set interface Serial0/0/0
!
route-map bluesocket permit 20
match ip address 120
set interface Serial0/0/0
!
!
control-plane
!
banner login ^CCC
**********************Warning!Warning!Warning!***************************

All unauthorized access is prohibited. Any access and/or activities
not explicitly authorized by ABBE are unauthorized. Users have no
explicit/implicit expectation of privacy. Unauthorized
improper use of system may result in disciplinary action and
civil/criminal penalties. Using this system indicates your
consent. LOG OFF IMMEDIATELY if you do not agree to these conditions.

**********************Warning!Warning!Warning!***************************
!
line con 0
password 7 095A08085A5D4E4B
line aux 0
password 7 001255074703525F
line vty 0 4
privilege level 15
transport input telnet
line vty 5 15
privilege level 15
transport input telnet
!
scheduler allocate 20000 1000
end

Head of IT Security Division
Top Expert 2010
Commented:
It is OK:

access-list 199 permit tcp any host 10.3.50.111 eq 81

Author

Commented:
No, this is an internal router. They will need to go through the internal router to the proxy server, which is on port 81, in order to use our public wireless to access our paid databases for free. I hope that makes sense. I'll play with it Monday and see if it works as is. If not, I'll be back with questions.

Have a great weekend!
Regards,
ABBEtech

Author

Commented:
If I want to add this to my access-list for the public wireless, where would I have to place it in the list for it to allow use of the proxy server? We have some paid databases that we would like our patrons to be able to access on their laptops. In order to do this they need to get there through the proxy server on port 81. I believe this will allow that: access-list 199 permit tcp any host 10.3.50.255 eq 81. However, I don't know where to put it in the access-list.

Maybe here?
access-list 199 permit tcp any host 10.3.50.255 eq 81
access-list 199 permit tcp any host 10.3.50.226 eq www
access-list 199 permit udp any host 10.3.50.222 eq domain
access-list 199 permit udp any host 10.3.50.222 eq bootp
access-list 199 deny   ip any 10.0.0.0 0.255.255.255
access-list 199 permit ip any any

Regards,
Commented:
Remember the access list follows the commands from the top down, so yes, you can add new rules at the top, and as long as it comes before your deny statement it will work.

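The top-down, first-match behaviour described in the comment above is easy to check offline before touching the router. The script below is an added example, not code from the thread: it parses the `access-list 199` lines from the posted running config in IOS syntax, walks a few constructed packets through them, and shows that the proxy rule is only reached if it sits above `deny ip any 10.0.0.0 0.255.255.255`. The proxy address and port (10.3.50.111, TCP 81) are the ones given in the question (the later draft writes 10.3.50.255, which looks like a typo); the wireless client address 10.7.31.50 is an assumed example host on the wireless subnet from the config. Since ACL 199 is applied `in` on FastEthernet0/0.3 only, `any` as the source effectively means the wireless clients.

```python
"""First-match simulation of a Cisco numbered extended ACL (IOS syntax).

Added example, not from the original thread. It parses 'access-list 199 ...'
lines as posted in the running config and evaluates constructed packets
against them top-down, with the implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords that appear in the posted ACL. Note that 'bootp' is not an
# IOS keyword; the running config uses 'bootps' (UDP/67).
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "tcp" or "udp"
    src: Tuple[int, int]        # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]        # None = any destination port


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (wildcard mask)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Optional 'eq <port|keyword>' following an address."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        _, i = _parse_port(tok, i)           # source-port qualifier, ignored here
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def _match(spec: Tuple[int, int], addr: int) -> bool:
    """Cisco wildcard semantics: bits set in the wildcard are 'don't care'."""
    base, wild = spec
    return (base & ~wild) == (addr & ~wild)


def evaluate(entries: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Top-down first match. Returns (action, index); index None = implicit deny."""
    s, d = _ip(src), _ip(dst)
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_match(e.src, s) and _match(e.dst, d)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", None


# ACL 199 exactly as it appears in the posted running config.
RUNNING = """
access-list 199 permit tcp any host 10.3.50.222 eq www
access-list 199 permit udp any host 10.3.31.222 eq domain
access-list 199 permit udp any host 10.3.31.222 eq bootps
access-list 199 deny ip any 10.0.0.0 0.255.255.255
access-list 199 permit ip any any
"""
PROXY_RULE = "access-list 199 permit tcp any host 10.3.50.111 eq 81"

# Typing 'access-list 199 ...' at the CLI appends the entry at the bottom.
APPENDED = parse_acl(RUNNING + PROXY_RULE)
# The placement the expert recommends: above the deny.
ON_TOP = parse_acl(PROXY_RULE + "\n" + RUNNING)

CLIENT = "10.7.31.50"   # assumed wireless client on the Fa0/0.3 subnet (constructed)


def compare() -> dict:
    """Result of each constructed packet under both placements: (appended, on_top)."""
    cases = {
        "proxy tcp/81": ("tcp", "10.3.50.111", 81),
        "proxy tcp/22 (must stay blocked)": ("tcp", "10.3.50.111", 22),
        "internal dns udp/53": ("udp", "10.3.31.222", 53),
        "internet https": ("tcp", "198.51.100.10", 443),
    }
    return {name: (evaluate(APPENDED, p, CLIENT, d, port),
                   evaluate(ON_TOP, p, CLIENT, d, port))
            for name, (p, d, port) in cases.items()}


if __name__ == "__main__":
    for name, (appended, on_top) in compare().items():
        print(f"{name:36s} appended={appended}  on_top={on_top}")
```

With the rule appended, traffic to 10.3.50.111:81 is still swallowed by the `deny ip any 10.0.0.0 0.255.255.255` entry (index 3) and the new line is never consulted; with the rule on top it matches at index 0, while other ports on the same host stay blocked by the deny. On IOS the classic `access-list 199 ...` form only appends, so to land above the deny either re-enter the whole list in order (`no access-list 199`, then the lines top-down) or use `ip access-list extended 199` with a sequence number lower than the deny's, and confirm with `show access-lists 199`.
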
Author

Commented:
Thanks! I'm still not quite sure I understand if it will work right, to do what I want it to do, but a little test will tell.
