Open range of ports on Cisco 877W

Hi,

I advise to make static nat for IP address, and make ACL on inside interface to enable port range

If I will Make Static Nat for Polycom Then another user will lossed Internet (as per my think) But if u have any Good way Please Suggest me, I want to open necessary port for 10.10.10.2 but I need to open near about 5000 ports so it's not possible to enter one by one
But Another user Must be access Internet from My Cisco Router

Please help


Vik

access-list 101 permit udp host 10.10.10.2 192.168.10.0 0.0.0.255 range 6000 6500
access-list 101 permit udp host 10.1.1.1 192.168.10.0 0.0.0.255 port number
access-list 101 deny udp any 192.168.10.0 0.0.0.255 range 161 162
access-list 101 deny udp any 192.168.10.0 0.0.0.255 port 17185
access-list 101 permit ip any any
The access-list must then be applied to all interfaces using configuration commands such as:
interface ethernet 0/0
ip access-group 101 in

show control-plane host open-ports

 you can alo create excel file with first column as command and seccons as 6000+1 (or a2+1)
and copy config file to txt paste configuration and then import config file back to router


JAN Ma CCNA

Hi janpakula,

Thanks for  your reply,
I have 1 query for your above post,
I know 10.10.10.2 is my Polycom IP but please let me know 192.168.10.0 is  which IP
my Public IP is A.B.C.D which is assign on Dialer0 interface  & Polycom is plug into fa0
Can u explain Please

it should be your public ip with responding subnet mask

you need something this :

access-list 101 permit udp host 10.10.10.2 any range 6000 6500
access-list 101 permit udp host 10.1.1.1 any  port number

interface ethernet 0/0
ip access-group 101 in

Which source address do you want to reach the Polycom?

Thanks

Inbound & Oudbound source address  want to reach to Polycom means i want to open below port in a bi-directional mode

389  – Static TCP – ILS Registration (LDAP)
1503 – Static TCP – T.120
1718 – Static UDP – Gatekeeper discovery (must be bi-directional)
1719 – Static UDP – Gatekeeper RAS (must be bi-directional)
1720 – Static TCP – H.323 call set up (must be bi-directional)
1731 – Static TCP – Audio Call Control (must be bi-directional)

ok, you need:
 
ip nat inside source static 10.10.10.2 3560 interface Dialer0
and you need to use acl for control which port aviable from net...
I advise to configure firewall:
http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/firewall.html

Can u suggest why we need t use 3560 ?
also If i am using  ip nat inside source static 10.10.10.2 interface Dialer0
Then All another user lossed Internet access

yep but you need overload nat also:

ip nat inside source list ToNAT interface Dialer0 overload

and you need:

 ip nat inside source static 10.10.10.2 interface Dialer0

Bro,

Please suggest why u specified 3560 in your second last comment ?

Can u please ?

it is a missed line, forget 3560....


so need this:

ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside source static 10.10.10.2 interface Dialer0
CTRL+Z
clear ip nat trans *

OK Thanks,

I will let you know

Hi,

One more querry you said you need to use acl for control which port aviable from net...
Which Acl please let me know can u give in Step

Please Help

I advise to use something this:

ip inspect name firewall tcp      

ip inspect name firewall udp

ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet

access-list 105 permit udp host any  any range 6000 6500
access-list 105 permit udp host any  any tcp 53
access-list 105 permit tcp host any  any tcp 53
! an example
!access-list 105 permit udp host any any  port number

interface ethernet 0/1
ip inspect firewall in
no cdp enable
ip access-group 105 in


ip access-group 105 in

I did it as per Below We have Losted Internet from  Another System which are connect into Cisco router

ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside source static 10.10.10.2 interface Dialer0
!
ip access-list extended ToNAT
 permit ip 10.10.10.0 0.0.0.255 any

please show the whole config

Ok Please look, Can we use seprate VLAN for Polycom Unit & will open all ports for that VLAN


Vik

comteam#sh run
Building configuration...

Current configuration : 11752 bytes
!
! Last configuration change at 19:12:19 GMT+10 Tue Feb 1 2011 by XXXXXX
! NVRAM config last updated at 19:12:22 GMT+10 Tue Feb 1 2011 by XXXXXX
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname comteam
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone GMT+10 10
!
crypto pki trustpoint TP-self-signed-814900924
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-814900924
 revocation-check none
 rsakeypair TP-self-signed-814900924
!
!
crypto pki certificate chain TP-self-signed-814900924
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 38313439 30303932 34301E17 0D313130 31323630 33353635
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3831 34393030
  39323430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  E9EF51C3 C77CA2DA 2C06B1DD 4099F308 CBBAA8CB 963E1531 E74C5260 DD9ED17E
  7C1FF7F7 624D3C8A 75894902 BBF2B7CF BE3D8386 B8655693 DCA7E7CB C282D672
  8FC4360C EE032BA2 B685627D DE4DFC39 F39F8D65 23EE720D F5BE2297 96BBF6E4
  65F8947A FFBCDEC9 17772266 0105B4D5 1A81796C 10836ADC F6272826 271C29E3
  02030100 01A37630 74300F06 03551D13 0101FF04 05300301 01FF3021 0603551D
  11041A30 18821663 6F6D7465 616D2E79 6F757264 6F6D6169 6E2E636F 6D301F06
  03551D23 04183016 8014F899 77021298 0AD7AB9E 668987B0 2D2810EF BC93301D
  0603551D 0E041604 14F89977 0212980A D7AB9E66 8987B02D 2810EFBC 93300D06
  092A8648 86F70D01 01040500 03818100 7B5B1FE3 7D8B1539 0BADF182 DDE604DA
  19596311 CA847947 A45A36E3 CB6D01C2 D1EA3DF2 5D0C97B7 156EE241 04082030
  73CB20F2 1106269E 3E33368C 37B98B7C E6531808 D623CCD4 1DBE5B36 E9CFC293
  E631C5CE 41B8DE41 C81857F2 30200782 0D2EEAA8 A1FA6E34 487EE4D2 0DBDC8E8
  69D66288 79F6104B C4DA84CB B1BC2B16
        quit
dot11 syslog
!
dot11 ssid comteam
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 XXXXXX
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.5
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 10.10.10.1
   option 42 ip 10.10.10.1
   option 150 ip 10.10.10.10
   lease 0 2
!
!
ip inspect name BT h323
ip domain name yourdomain.com
ip name-server 203.0.178.191
ip name-server 203.215.29.191
!
!
!
username XXXXXX privilege 15 password 7 XXXXXX
!
!
archive
 log config
  hidekeys
!
!
!
class-map match-all Streaming-Video
 match access-group 103
class-map match-all video-conf
 match access-group 102
class-map match-all Video-Conf
 match access-group 102
!
!
policy-map qos-policy
 class video-conf
  bandwidth 512
 class class-default
  fair-queue
policy-map video-police
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 bandwidth 512
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid comteam
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 mtu 1454
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username computerteam password 7 030E71051F0B74696F18
!
interface BVI1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside source static 10.10.10.2 interface Dialer0

!
ip access-list extended ToNAT
 permit ip 10.10.10.0 0.0.0.255 any
!
no cdp run
!
!
line con 0
 password 7 XXXXXX
 login local
 no modem enable
line aux 0
 password 7 XXXXXX
 login local
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 XXXXXX
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175004
ntp server 119.148.81.6
end

comteam#

Select allOpen in new window

you able to ask for secondary ip address for dialer interface?

u means Need to assign secondary IP on Dialer int if so then i am able to configure Secondary IP on Dialer int, but it will be great if u will suggest me IP & Subnet mask or which is necessary


Regards

VIkrant

Please anyone help me ?

You need to ASK for the ISP, ISP give you this informations!
If the ISP not able to give secondary address you need to config individual nat statement for ports:(

We can get Secondary IP from ISP, I think ur thinking for DMZ Configuration,
Am i right ?

for example....
But you router configurable only 1 VLAN, so you not able to use real DMZ

Then Whatt should we do now ?
I can make some changes on Router, also I will configure 2nd VLAN for Polycom ?
Please suggest me your thinking, if you have any other easy way

1. You ask for a secondary IP address from your ISP, and configure static nat for IP for IP addres
2. You not get a secondary IP address from your ISP, and you need to configure individual NAT statements for each TCP and UDP ports......

Hi jodylemoine,

Thanks for your reply, & sorry for late reply, I went out for 1 week

You mean i need to enter below command under WAN Interface also LAN Interface ?
ip access-group Polycom in
ip access-group Polycom out

Regards

Vikrant

Hi Vikrant.

No, I was referring to any security-related ACLs you might have on your WAN interface. Looking at your configuration, you don't have any, so it's not something you have to account for.

Jody

Hello jodylemoine,

Thanks for your reply, I am not getting you surely, Please look on my config & please help me if I need more changes, I did as per your suggestion


Vikrant

I am sorry, I forgeted to attach my Running-config Please look on my running config

Building configuration...

Current configuration : 11752 bytes
!
! Last configuration change at 19:12:19 GMT+10 Tue Feb 1 2011 by XXXXXX
! NVRAM config last updated at 19:12:22 GMT+10 Tue Feb 1 2011 by XXXXXX
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname comteam
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone GMT+10 10
!
crypto pki trustpoint TP-self-signed-814900924
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-814900924
 revocation-check none
 rsakeypair TP-self-signed-814900924
!
!
crypto pki certificate chain TP-self-signed-814900924
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 38313439 30303932 34301E17 0D313130 31323630 33353635
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3831 34393030
  39323430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  E9EF51C3 C77CA2DA 2C06B1DD 4099F308 CBBAA8CB 963E1531 E74C5260 DD9ED17E
  7C1FF7F7 624D3C8A 75894902 BBF2B7CF BE3D8386 B8655693 DCA7E7CB C282D672
  8FC4360C EE032BA2 B685627D DE4DFC39 F39F8D65 23EE720D F5BE2297 96BBF6E4
  65F8947A FFBCDEC9 17772266 0105B4D5 1A81796C 10836ADC F6272826 271C29E3
  02030100 01A37630 74300F06 03551D13 0101FF04 05300301 01FF3021 0603551D
  11041A30 18821663 6F6D7465 616D2E79 6F757264 6F6D6169 6E2E636F 6D301F06
  03551D23 04183016 8014F899 77021298 0AD7AB9E 668987B0 2D2810EF BC93301D
  0603551D 0E041604 14F89977 0212980A D7AB9E66 8987B02D 2810EFBC 93300D06
  092A8648 86F70D01 01040500 03818100 7B5B1FE3 7D8B1539 0BADF182 DDE604DA
  19596311 CA847947 A45A36E3 CB6D01C2 D1EA3DF2 5D0C97B7 156EE241 04082030
  73CB20F2 1106269E 3E33368C 37B98B7C E6531808 D623CCD4 1DBE5B36 E9CFC293
  E631C5CE 41B8DE41 C81857F2 30200782 0D2EEAA8 A1FA6E34 487EE4D2 0DBDC8E8
  69D66288 79F6104B C4DA84CB B1BC2B16
        quit
dot11 syslog
!
dot11 ssid comteam
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 XXXXXX
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.5
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 10.10.10.1
   option 42 ip 10.10.10.1
   option 150 ip 10.10.10.10
   lease 0 2
!
!
ip inspect name BT h323
ip domain name yourdomain.com
ip name-server 203.0.178.191
ip name-server 203.215.29.191
!
!
!
username XXXXXX privilege 15 password 7 XXXXXX
!
!
archive
 log config
  hidekeys
!
!
!
class-map match-all Streaming-Video
 match access-group 103
class-map match-all video-conf
 match access-group 102
class-map match-all Video-Conf
 match access-group 102
!
!
policy-map qos-policy
 class video-conf
  bandwidth 512
 class class-default
  fair-queue
policy-map video-police
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 bandwidth 512
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid comteam
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 mtu 1454
 ip address negotiated
 ip access-group Polycom in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username computerteam password 7 030E71051F0B74696F18
!
interface BVI1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat pool NAT-Polycom 10.10.10.2 10.10.10.2 netmask 255.255.255.0 type rotary
ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside destination list ACL-Polycom pool NAT-Polycom
!
ip access-list extended Polycom
 permit tcp any any eq 389
 permit tcp any any eq 1503
 permit udp any any range 1718 1719
 permit tcp any any eq 1720
 permit tcp any any eq 1731
 permit tcp any any range 3230 3255
 permit udp any any range 3230 3255
 permit tcp any any range 60000 65000
 permit udp any any range 60000 65000
!
ip access-list extended ToNAT
 permit ip 10.10.10.0 0.0.0.255 any
!
no cdp run
!
!
line con 0
 password 7 XXXXXX
 login local
 no modem enable
line aux 0
 password 7 XXXXXX
 login local
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 XXXXXX
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175004
ntp server 119.148.81.6
end

comteam#

Based on what I see in your configuration, you'll need to remove the "ip inside source static" line and add the ones I've suggested earlier.

Okay, I just saw the new running configuration. It looks good on cursory inspection. Are you getting any results?

If I will Make Static Nat for Polycom Then another user will lossed Internet, we are using Internet from this unit also want to use Polycom for In & Out Video Call

Don't make a static NAT for the Polycom. That will disable your Internet access from other devices. Stick with the original configuration snippet that I provided and only the ports in the Polycom ACL will be forwarded, leaving the rest of your Internet access to be covered by your NAT overload.

Can you please check my configuration & Please let me know if anything wrong
It will be a great if you will suggest me by configuration

interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 bandwidth 512
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid comteam
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 mtu 1454
 ip address negotiated
 ip access-group Polycom in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username computerteam password 7 030E71051F0B74696F18
!
interface BVI1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat pool NAT-Polycom 10.10.10.2 10.10.10.2 netmask 255.255.255.0 type rotary
ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside destination list ACL-Polycom pool NAT-Polycom
!
ip access-list extended Polycom
 permit tcp any any eq 389
 permit tcp any any eq 1503
 permit udp any any range 1718 1719
 permit tcp any any eq 1720
 permit tcp any any eq 1731
 permit tcp any any range 3230 3255
 permit udp any any range 3230 3255
 permit tcp any any range 60000 65000
 permit udp any any range 60000 65000
!
ip access-list extended ToNAT
 permit ip 10.10.10.0 0.0.0.255 any
!

Sorry didn't read your above post (Okay, I just saw the new running configuration. It looks good on cursory inspection. Are you getting any results? )
 

Now all ports are open but please let me know how to check whether open or not, Still unable to getting video on inbound call