mvalpreda
Open range of ports on Cisco UC540?
Need to open up a range of TCP and UDP ports on our UC540 for a Polycom system. I'm just not sure how to open a range as opposed to a bunch of single commands.
Currently there are simple ip nat statements like:
ip nat inside source static tcp INTERNAL1 25 EXTERNAL1 25 extendable
ip nat inside source static tcp INTERNAL1 80 EXTERNAL1 80 extendable
ip nat inside source static tcp INTERNAL1 443 EXTERNAL1 443 extendable
ip nat inside source static tcp INTERNAL2 80 EXTERNAL2 80 extendable
ip nat inside source static tcp INTERNAL2 3389 EXTERNAL2 3389 extendable
and subsequent access-lists
access-list 111 permit tcp any host EXTERNAL2 eq 3389 log
access-list 111 permit tcp any host EXTERNAL2 eq www log
access-list 111 permit tcp any host EXTERNAL1 eq 443 log
access-list 111 permit tcp any host EXTERNAL1 eq www log
access-list 111 permit tcp any host EXTERNAL1 eq smtp log
Now I want to set up INTERNAL3, map it to EXTERNAL3 and have 1720/tcp, 3230-3270/tcp and 3230-3253/udp open.
What's the cleanest way to do that?
Thanks
I suggest that you start your own question, rather than piggybacking on someone else's request.
Can you please look below? I already did it:
https://www.experts-exchange.com/questions/26833288/Open-range-of-ports-on-Cisco-877W.html
ASKER
Now that the interruption is over, the issue I have now is that outgoing traffic from INTERNAL3 is not going out through EXTERNAL3. Is there something more I need to do in order to get that one-to-one NAT working?
Can you explain the difficulty in more detail? Did the previous commands given allow inbound connections on the ports you specified?
ASKER
I did the command wrong for the IP NAT. I included a port number by accident. That's what I get for doing a copy and paste. I am going to test today.
ASKER
I do a port scan with Nmap and it shows all those ports as closed. Do I need to reapply that access-list somewhere since it was changed?
ASKER
I take that back. I did a port scan and Nmap shows more ports open than should be. For instance 1025/tcp is open and there is no reason that should be open.
I would suggest adding the following commands to the end of your access list:
access-list 111 deny tcp any range 1 65535 any range 1 65535 log
access-list 111 deny udp any range 1 65535 any range 1 65535 log
access-list 111 deny ip any any log
Then, run nmap against your device and examine the log file.
ASKER
I don't even see where access-list 111 is applied anywhere.
interface BVI1
description **Data VLAN Inside**$FW_INSIDE$
ip address 192.168.0.57 255.255.255.0
ip access-group 107 in
ip nat inside
ip inspect SDM_LOW in
ip virtual-reassembly
!
!
interface BVI10
description $FW_DMZ$
ip address 192.168.150.1 255.255.255.0
ip access-group 110 in
ip nat inside
ip inspect dmzinspect out
ip virtual-reassembly
!
!
interface BVI20
description GHRO Test VLAN
ip address 192.168.254.254 255.255.255.0
ip access-group 120 in
ip nat inside
ip inspect dmzinspect out
ip virtual-reassembly
!
!
interface BVI100
description **Voice VLAN Inside**$FW_INSIDE$
ip address 192.168.50.1 255.255.255.0
ip access-group 109 in
ip nat inside
ip inspect SDM_LOW in
ip virtual-reassembly
ASKER
The way I read that is it only cares about access-list 107. There is nothing in 107 for any firewall rules!
access-list 107 deny ip 192.168.0.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 107 deny ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 107 remark auto generated by SDM firewall configuration##NO_ACES_9##
access-list 107 remark SDM_ACL Category=1
access-list 107 permit udp any host 192.168.0.57 eq non500-isakmp
access-list 107 permit udp any host 192.168.0.57 eq isakmp
access-list 107 permit esp any host 192.168.0.57
access-list 107 permit ahp any host 192.168.0.57
access-list 107 remark Auto generated by SDM for NTP (123) time.windows.com
access-list 107 permit udp host 207.46.232.182 eq ntp host 192.168.0.57 eq ntp
access-list 107 deny ip 10.1.10.0 0.0.0.3 any
access-list 107 deny ip 192.168.150.0 0.0.0.255 any
access-list 107 deny ip 192.168.50.0 0.0.0.255 any
access-list 107 deny ip 192.168.254.0 0.0.0.255 any
access-list 107 deny ip 216.231.29.32 0.0.0.15 any
access-list 107 deny ip host 255.255.255.255 any
access-list 107 deny ip 127.0.0.0 0.255.255.255 any
access-list 107 permit ip any any
I used the access list number that you provided in your original post; you need to insert the lines in the appropriate place in an access list applied to your outside interface.
What interface has "ip nat outside" applied to it?
ASKER
I just realized that 111 is not applied to anything. I am taking this over from our phone vendor and I'm beginning to realize they didn't handle things properly.
ip nat outside is on FE0/0
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address OUTSIDE IP
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
Ah.
They were relying on NAT for security. NAT can incidentally provide security, but you should not rely on it exclusively.
ASKER
What is my best course of action then? Are the new rules I put in access-list 111 doing anything? I do port scans and I see too many open ports!
Unless the access list is applied to an interface, it will not do anything.
You need to create IP Inspect rules, apply the IP inspect rules to the outside interface, and then apply the access list to the outside interface.
ip inspect name F0/0-Out ftp
ip inspect name F0/0-Out icmp
ip inspect name F0/0-Out dns
ip inspect name F0/0-Out tcp
ip inspect name F0/0-Out udp
interface FastEthernet0/0
ip inspect F0/0-Out out
ip access-group 111 in
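As an added check (not code from the thread) for the two problems the asker hit, an ACL that is defined but never bound to an interface and a port that should have been closed, here is a small Python audit run over a constructed config excerpt modelled on the one posted; 203.0.113.3 is a documentation-range placeholder for the redacted EXTERNAL3 address.

```python
"""Audit a Cisco IOS config excerpt as the thread does by hand: which numbered
ACLs are bound to an interface, which are defined but never applied (like
access-list 111 here), and what an 'eq'/'range' ACL decides for a given port.
Constructed sample; 203.0.113.3 stands in for the redacted EXTERNAL3."""
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat outside
interface BVI1
 ip access-group 107 in
 ip nat inside
access-list 107 permit ip any any
access-list 111 permit tcp any host 203.0.113.3 eq 1720 log
access-list 111 permit tcp any host 203.0.113.3 range 3230 3270 log
access-list 111 permit udp any host 203.0.113.3 range 3230 3253 log
access-list 111 deny ip any any log
"""

def applied_acls(config):
    """ACL number -> [(interface, direction)] taken from 'ip access-group' lines."""
    applied, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        m = re.match(r"\s+ip access-group (\S+) (in|out)", line)
        if m and iface:
            applied.setdefault(m.group(1), []).append((iface, m.group(2)))
    return applied

def unapplied_acls(config):
    """ACLs present in the config but bound to no interface: they filter nothing."""
    defined = {m.group(1) for m in re.finditer(r"^access-list (\S+) ", config, re.M)}
    return sorted(defined - set(applied_acls(config)))

def acl_decision(config, acl, proto, dst, port):
    """First-match evaluation of a numbered ACL for a packet to dst:port. Handles
    'any'/'host X' destinations with 'eq P' or 'range A B'; other forms are skipped."""
    rule = re.compile(rf"access-list {acl} (permit|deny) (\S+) any (?:host (\S+)|any)"
                      r"(?: eq (\d+)| range (\d+) (\d+))?")
    for line in config.splitlines():
        if not (m := rule.match(line)):
            continue
        action, p, host, eq, lo, hi = m.groups()
        if p not in (proto, "ip") or (host and host != dst):
            continue                      # protocol or destination mismatch
        if (eq and int(eq) != port) or (lo and not int(lo) <= port <= int(hi)):
            continue                      # port outside this entry's eq/range
        return action
    return "deny"                         # implicit deny at the end of every IOS ACL
```

Run against a real `show running-config`, `unapplied_acls` is the quickest way to spot rules that exist only on paper, and `acl_decision` lets you predict what an Nmap probe to a given port should see before you scan.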
ASKER
What will the IP Inspect rules do for me?
The IP inspect rules allow you to make outbound connections. It allows the router to dynamically open ports for returning traffic.
See this document: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
ASKER
Thanks for all the help.
Can you suggest what to do if my Polycom internal IP is 10.10.10.2 and the WAN IP is configured on the Dialer0 interface?
I want to open 3230 to 3255 TCP and UDP as a range, and also open the range 60000 to 65000 for a Lifesize unit, plus the particular ports below:
389 – Static TCP – ILS Registration (LDAP)
1503 – Static TCP – T.120
1718 – Static UDP – Gatekeeper discovery (must be bi-directional)
1719 – Static UDP – Gatekeeper RAS (must be bi-directional)
1720 – Static TCP – H.323 call set up (must be bi-directional)
1731 – Static TCP – Audio Call Control (must be bi-directional)
ip nat inside source list ToNAT interface Dialer0 overload
!
ip access-list extended ToNAT
permit ip 10.10.10.0 0.0.0.255 any