Solved

Open range of ports on Cisco UC540?

Posted on 2011-02-16
1,671 Views
Last Modified: 2012-05-11
Need to open up a range of TCP and UDP ports on our UC540 for a Polycom system. I'm just not sure how to open a range as opposed to a bunch of single commands.

Currently there are simple ip nat statements like:
ip nat inside source static tcp INTERNAL1 25 EXTERNAL1 25 extendable
ip nat inside source static tcp INTERNAL1 80 EXTERNAL1 80 extendable
ip nat inside source static tcp INTERNAL1 443 EXTERNAL1 443 extendable
ip nat inside source static tcp INTERNAL2 80 EXTERNAL2 80 extendable
ip nat inside source static tcp INTERNAL2 3389 EXTERNAL2 3389 extendable

and subsequent access-lists
access-list 111 permit tcp any host EXTERNAL2 eq 3389 log
access-list 111 permit tcp any host EXTERNAL2 eq www log
access-list 111 permit tcp any host EXTERNAL1 eq 443 log
access-list 111 permit tcp any host EXTERNAL1 eq www log
access-list 111 permit tcp any host EXTERNAL1 eq smtp log

Now I want to set up INTERNAL3, map it to EXTERNAL3 and have 1720/tcp, 3230-3270/tcp and 3230-3253/udp open.

What's the cleanest way to do that?

Thanks
Question by:mvalpreda

21 Comments
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 34919400
Well, assuming that the commands are similar to the normal IOS commands:

ip nat inside source static Internal3 External3 extendable

access-list 111 permit tcp any host External3 eq 1720
access-list 111 permit tcp any host External3 range 3230 3270
access-list 111 permit udp any host External3 range 3230 3253

0
 
LVL 6

Expert Comment

by:vikrantambhore
ID: 34932414
Hi asavener,

Can you suggest what to do if my Polycom internal IP is 10.10.10.2 and the WAN IP is configured on the Dialer0 interface?
I want to open 3230 to 3255 TCP & UDP as a range, and also open the range 60000 to 65000 for the Lifesize unit, plus the particular ports below:

389  – Static TCP – ILS Registration (LDAP)
1503 – Static TCP – T.120
1718 – Static UDP – Gatekeeper discovery (must be bi-directional)
1719 – Static UDP – Gatekeeper RAS (must be bi-directional)
1720 – Static TCP – H.323 call set up (must be bi-directional)
1731 – Static TCP – Audio Call Control (must be bi-directional)
ip nat inside source list ToNAT interface Dialer0 overload
!
ip access-list extended ToNAT
 permit ip 10.10.10.0 0.0.0.255 any
0
 
LVL 28

Expert Comment

by:asavener
ID: 34952946
I suggest that you start your own question, rather than piggybacking on someone else's request.
0
 
LVL 6

Expert Comment

by:vikrantambhore
ID: 34957744
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 34957783
Now that the interruption is over, the issue I have now is that outgoing traffic from INTERNAL3 is not going out through EXTERNAL3. Is there something more I need to do in order to get that one-to-one NAT working?
0
 
LVL 28

Expert Comment

by:asavener
ID: 34958622
Can you explain the difficulty in more detail?  Did the previous commands given allow inbound connections on the ports you specified?
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 34962140
I did the command wrong for the IP NAT. I included a port number by accident. That's what I get for doing a copy and paste. I am going to test today.
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 34962357
I do a port scan with Nmap and it shows all those ports as closed. Do I need to reapply that access-list somewhere since it was changed?
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 34962568
I take that back. I did a port scan and Nmap shows more ports open than there should be. For instance 1025/tcp is open and there is no reason that should be open.
0
 
LVL 28

Expert Comment

by:asavener
ID: 34962740
I would suggest adding the following commands to the end of your access list:

access-list 111 deny tcp any range 1 65535 any range 1 65535 log
access-list 111 deny udp any range 1 65535 any range 1 65535 log
access-list 111 deny ip any any log

Then, run nmap against your device and examine the log file.
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 34962778
I don't even see where access-list 111 is applied anywhere.

interface BVI1
 description **Data VLAN Inside**$FW_INSIDE$
 ip address 192.168.0.57 255.255.255.0
 ip access-group 107 in
 ip nat inside
 ip inspect SDM_LOW in
 ip virtual-reassembly
 !
!
interface BVI10
 description $FW_DMZ$
 ip address 192.168.150.1 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip inspect dmzinspect out
 ip virtual-reassembly
 !
!
interface BVI20
 description GHRO Test VLAN
 ip address 192.168.254.254 255.255.255.0
 ip access-group 120 in
 ip nat inside
 ip inspect dmzinspect out
 ip virtual-reassembly
 !
!
interface BVI100
 description **Voice VLAN Inside**$FW_INSIDE$
 ip address 192.168.50.1 255.255.255.0
 ip access-group 109 in
 ip nat inside
 ip inspect SDM_LOW in
 ip virtual-reassembly
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 34962824
The way I read that is it only cares about access-list 107. There is nothing in 107 for any firewall rules!

access-list 107 deny   ip 192.168.0.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 107 deny   ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 107 remark auto generated by SDM firewall configuration##NO_ACES_9##
access-list 107 remark SDM_ACL Category=1
access-list 107 permit udp any host 192.168.0.57 eq non500-isakmp
access-list 107 permit udp any host 192.168.0.57 eq isakmp
access-list 107 permit esp any host 192.168.0.57
access-list 107 permit ahp any host 192.168.0.57
access-list 107 remark Auto generated by SDM for NTP (123) time.windows.com
access-list 107 permit udp host 207.46.232.182 eq ntp host 192.168.0.57 eq ntp
access-list 107 deny   ip 10.1.10.0 0.0.0.3 any
access-list 107 deny   ip 192.168.150.0 0.0.0.255 any
access-list 107 deny   ip 192.168.50.0 0.0.0.255 any
access-list 107 deny   ip 192.168.254.0 0.0.0.255 any
access-list 107 deny   ip 216.231.29.32 0.0.0.15 any
access-list 107 deny   ip host 255.255.255.255 any
access-list 107 deny   ip 127.0.0.0 0.255.255.255 any
access-list 107 permit ip any any
0
 
LVL 28

Expert Comment

by:asavener
ID: 34962875
I used the access list number that you provided in your original post; you need to insert the lines in the appropriate place in an access list applied to your outside interface.
0
 
LVL 28

Expert Comment

by:asavener
ID: 34962884
What interface has "ip nat outside" applied to it?
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 34963008
I just realized that 111 is not applied to anything. I am taking this over from our phone vendor and I'm beginning to realize they didn't handle things properly.

ip nat outside is on FE0/0

interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address OUTSIDE IP
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
0
 
LVL 28

Expert Comment

by:asavener
ID: 34963185
Ah.

They were relying on NAT for security.  NAT can incidentally provide security, but you should not rely on it exclusively.
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 34963204
What is my best course of action then? Are the new rules I put in access-list 111 doing anything? I do port scans and I see too many open ports!
0
 
LVL 28

Expert Comment

by:asavener
ID: 34963483
Unless the access list is applied to an interface, it will not do anything.

You need to create IP Inspect rules, apply the IP inspect rules to the outside interface, and then apply the access list to the outside interface.

ip inspect name F0/0-Out ftp
ip inspect name F0/0-Out icmp
ip inspect name F0/0-Out dns
ip inspect name F0/0-Out tcp
ip inspect name F0/0-Out udp

interface FastEthernet0/0
 ip inspect F0/0-Out out
 ip access-group 111 in

0
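Two things asavener points out in this thread can be checked mechanically: a "range" entry covers a whole span of ports, and an access-list that is never bound with "ip access-group" filters nothing, however sensible its entries are. The script below is an added example; it is not from any post here and not Cisco code. It parses an IOS-style config constructed from the posts (203.0.113.3 stands in for the EXTERNAL3 placeholder; the interface names and list numbers are the thread's), reports access-lists that are defined but not applied anywhere, and gives the verdict the inbound list on the "ip nat outside" interface would reach for a handful of probe ports, once for the config as the vendor left it and once with list 111 bound inbound and the trailing denies from above. Only standard ACL syntax is modelled; the ip inspect rules are out of scope here.

```python
import ipaddress
import re
from collections import namedtuple

PORT_NAMES = {"www": 80, "smtp": 25, "ntp": 123, "isakmp": 500}  # port keywords used in the thread
Ace = namedtuple("Ace", "action proto dst ports")  # dst: (addr, wildcard) or None=any; ports: (lo, hi) or None=any

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _spec(tok):
    # consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq P' | 'range A B' qualifier
    n = 1 if tok[0] == "any" else 2
    addr = None if n == 1 else (tok[1], "0.0.0.0") if tok[0] == "host" else (tok[0], tok[1])
    tok, ports = tok[n:], None
    if tok and tok[0] == "eq":
        ports, tok = (_port(tok[1]),) * 2, tok[2:]
    elif tok and tok[0] == "range":
        ports, tok = (_port(tok[1]), _port(tok[2])), tok[3:]
    return addr, ports, tok

def parse_config(text):
    """Return ({acl: [Ace, ...]}, {interface: {"nat", "acl_in", "acl_out"}}) from IOS-style text."""
    acls, ifaces, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith("interface "):
            cur = raw.split()[1]
            ifaces[cur] = {"nat": None, "acl_in": None, "acl_out": None}
            continue
        if raw.startswith(" ") and cur:  # indented interface sub-command
            tok = line.split()
            if tok[:2] == ["ip", "nat"]:
                ifaces[cur]["nat"] = tok[2]
            elif tok[:2] == ["ip", "access-group"]:
                ifaces[cur]["acl_" + tok[3]] = tok[2]
            continue
        cur = None
        m = re.match(r"access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)", line)
        if m:  # 'remark' lines do not match and are skipped
            acl, action, proto, rest = m.groups()
            _, _, tok = _spec(rest.split())  # source address and source-port qualifier
            dst, ports, _ = _spec(tok)       # destination; a trailing 'log' is ignored
            acls.setdefault(acl, []).append(Ace(action, proto, dst, ports))
    return acls, ifaces

def _in_net(ip, net, wild):
    # IOS wildcard match: bits set in the wildcard are don't-care
    i, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wild))
    return (i | w) == (n | w)

def first_match(aces, proto, dst_ip, dst_port):
    """First ACE matching an inbound packet; None stands for the implicit deny at the end."""
    for ace in aces:
        if (ace.proto in ("ip", proto) and (not ace.dst or _in_net(dst_ip, *ace.dst))
                and (not ace.ports or ace.ports[0] <= dst_port <= ace.ports[1])):
            return ace
    return None

def unapplied_acls(text):
    """Access-lists defined in the config but bound to no interface; they filter nothing."""
    acls, ifaces = parse_config(text)
    bound = {i[k] for i in ifaces.values() for k in ("acl_in", "acl_out")}
    return sorted(a for a in acls if a not in bound)

def inbound_verdicts(text, dst_ip, probes):
    """Per (proto, port) probe at the 'ip nat outside' interface: 'permit', 'deny' or 'no-acl'."""
    acls, ifaces = parse_config(text)
    outside = [n for n, i in ifaces.items() if i["nat"] == "outside"]
    acl_in = ifaces[outside[0]]["acl_in"] if outside else None
    if acl_in not in acls:  # no list applied, or applied but never defined: IOS filters nothing
        return {p: "no-acl" for p in probes}
    hits = {p: first_match(acls[acl_in], p[0], dst_ip, p[1]) for p in probes}
    return {p: (h.action if h else "deny") for p, h in hits.items()}  # None -> implicit deny

# Constructed from the thread's posts; 203.0.113.3 stands in for the EXTERNAL3 placeholder.
BEFORE = """\
access-list 107 permit ip any any
access-list 111 permit tcp any host 203.0.113.3 eq 1720
access-list 111 permit tcp any host 203.0.113.3 range 3230 3270
access-list 111 permit udp any host 203.0.113.3 range 3230 3253
!
interface FastEthernet0/0
 ip nat outside
interface BVI1
 ip access-group 107 in
 ip nat inside
"""
# The same config after the fix proposed above: explicit trailing denies, list 111 bound inbound.
AFTER = BEFORE.replace(" ip nat outside\n", " ip nat outside\n ip access-group 111 in\n") + """\
access-list 111 deny tcp any range 1 65535 any range 1 65535 log
access-list 111 deny udp any range 1 65535 any range 1 65535 log
access-list 111 deny ip any any log
"""
PROBES = [("tcp", 1720), ("tcp", 3250), ("udp", 3240), ("tcp", 1025), ("udp", 3260)]
```

Run against BEFORE, unapplied_acls reports list 111 and every probe comes back "no-acl", which is consistent with the Nmap result above: nothing on the outside interface was filtering, so the static NATs answered for whatever was behind them. Against AFTER, 1720/tcp, 3230-3270/tcp and 3230-3253/udp are permitted, 1025/tcp falls through to the explicit logged deny, and a UDP port just outside the Polycom range is denied too. The "no-acl" branch also covers a list that is bound but never defined, which IOS likewise treats as permitting everything, so the audit catches a typo in the list number as well as a missing binding.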
 
LVL 2

Author Comment

by:mvalpreda
ID: 34963672
What will the IP Inspect rules do for me?
0
 
LVL 28

Expert Comment

by:asavener
ID: 34963761
The IP inspect rules allow you to make outbound connections.  It allows the router to dynamically open ports for returning traffic.

See this document:  http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
0
 
LVL 2

Author Closing Comment

by:mvalpreda
ID: 35152442
Thanks for all the help.
0
