Solved

Open range of ports on Cisco 877W

Posted on 2011-02-19
Last Modified: 2012-05-11
Need to open up a range of TCP and UDP ports on our UC540 for a Polycom system. I'm just not sure how to open a range as opposed to a bunch of single commands.
Can anyone help me? My Polycom internal IP is 10.10.10.2 and the WAN IP is configured on the Dialer0 interface.
I want to open 3230 to 3255 TCP & UDP as a range, and also open the range 60000 to 65000 for the LifeSize unit, plus the particular ports below:

389  – Static TCP – ILS Registration (LDAP)
1503 – Static TCP – T.120
1718 – Static UDP – Gatekeeper discovery (must be bi-directional)
1719 – Static UDP – Gatekeeper RAS (must be bi-directional)
1720 – Static TCP – H.323 call set up (must be bi-directional)
1731 – Static TCP – Audio Call Control (must be bi-directional)

ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside source static tcp 10.10.10.2 80 interface Dialer0 8080
ip nat inside source static tcp 10.10.10.2 389 interface Dialer0 389
ip nat inside source static tcp 10.10.10.2 1503 interface Dialer0 1503
ip nat inside source static tcp 10.10.10.2 1720 interface Dialer0 1720
ip nat inside source static udp 10.10.10.2 389 interface Dialer0 389
ip nat inside source static udp 10.10.10.2 1503 interface Dialer0 1503
ip nat inside source static udp 10.10.10.2 1720 interface Dialer0 1720
ip nat inside source static udp 10.10.10.2 3230 interface Dialer0 3230
ip nat inside source static udp 10.10.10.2 3231 interface Dialer0 3231
ip nat inside source static udp 10.10.10.2 3232 interface Dialer0 3232
ip nat inside source static udp 10.10.10.2 3233 interface Dialer0 3233
ip nat inside source static udp 10.10.10.2 3235 interface Dialer0 3235
ip nat inside source static tcp 10.10.10.2 5060 interface Dialer0 5060
ip nat inside source static udp 10.10.10.2 5060 interface Dialer0 5060
ip nat inside source static udp 10.10.10.2 3478 interface Dialer0 3478
ip nat inside source static udp 10.10.10.2 34501 interface Dialer0 34501
ip nat inside source static tcp 10.10.10.2 3560 interface Dialer0 3560
ip nat inside source static udp 10.10.10.2 3560 interface Dialer0 3560
ip nat inside source static udp 10.10.10.2 1719 interface Dialer0 1719
ip nat inside source static tcp 10.10.10.2 1722 interface Dialer0 1722
ip nat inside source static udp 10.10.10.2 6768 interface Dialer0 6769
ip nat inside source static tcp 10.10.10.2 443 interface Dialer0 443
ip nat inside source static tcp 10.10.10.2 444 interface Dialer0 444
ip nat inside source static tcp 10.10.10.2 1090 interface Dialer0 1090
ip nat inside source static udp 10.10.10.2 1090 interface Dialer0 1090
ip nat inside source static tcp 10.10.10.2 3230 interface Dialer0 3230
ip nat inside source static tcp 10.10.10.2 3231 interface Dialer0 3231
ip nat inside source static tcp 10.10.10.2 3232 interface Dialer0 3232
ip nat inside source static tcp 10.10.10.2 3233 interface Dialer0 3233
ip nat inside source static tcp 10.10.10.2 3234 interface Dialer0 3234
ip nat inside source static tcp 10.10.10.2 3235 interface Dialer0 3235
ip nat inside source static tcp 10.10.10.2 3236 interface Dialer0 3236
ip nat inside source static tcp 10.10.10.2 3237 interface Dialer0 3237
ip nat inside source static tcp 10.10.10.2 3238 interface Dialer0 3238
ip nat inside source static tcp 10.10.10.2 3239 interface Dialer0 3239
ip nat inside source static tcp 10.10.10.2 3240 interface Dialer0 3240
ip nat inside source static tcp 10.10.10.2 3241 interface Dialer0 3241
ip nat inside source static tcp 10.10.10.2 3242 interface Dialer0 3242
ip nat inside source static tcp 10.10.10.2 3243 interface Dialer0 3243
ip nat inside source static tcp 10.10.10.2 3244 interface Dialer0 3244
ip nat inside source static tcp 10.10.10.2 3245 interface Dialer0 3245
ip nat inside source static tcp 10.10.10.2 3246 interface Dialer0 3246
ip nat inside source static tcp 10.10.10.2 3247 interface Dialer0 3247
ip nat inside source static tcp 10.10.10.2 3248 interface Dialer0 3248
ip nat inside source static tcp 10.10.10.2 3249 interface Dialer0 3249
ip nat inside source static tcp 10.10.10.2 3250 interface Dialer0 3250
ip nat inside source static tcp 10.10.10.2 3251 interface Dialer0 3251
ip nat inside source static tcp 10.10.10.2 3252 interface Dialer0 3252
ip nat inside source static tcp 10.10.10.2 3253 interface Dialer0 3253
ip nat inside source static tcp 10.10.10.2 3254 interface Dialer0 3254
ip nat inside source static tcp 10.10.10.2 3255 interface Dialer0 3255
ip nat inside source static udp 10.10.10.2 3234 interface Dialer0 3234
ip nat inside source static udp 10.10.10.2 3236 interface Dialer0 3236
ip nat inside source static udp 10.10.10.2 3237 interface Dialer0 3237
ip nat inside source static udp 10.10.10.2 3238 interface Dialer0 3238
ip nat inside source static udp 10.10.10.2 3239 interface Dialer0 3239
ip nat inside source static udp 10.10.10.2 3240 interface Dialer0 3240
ip nat inside source static udp 10.10.10.2 3241 interface Dialer0 3241
ip nat inside source static udp 10.10.10.2 3242 interface Dialer0 3242
ip nat inside source static udp 10.10.10.2 3243 interface Dialer0 3243
ip nat inside source static udp 10.10.10.2 3244 interface Dialer0 3244
ip nat inside source static udp 10.10.10.2 3245 interface Dialer0 3245
ip nat inside source static udp 10.10.10.2 3246 interface Dialer0 3246
ip nat inside source static udp 10.10.10.2 3247 interface Dialer0 3247
ip nat inside source static udp 10.10.10.2 3248 interface Dialer0 3248
ip nat inside source static udp 10.10.10.2 3249 interface Dialer0 3249
ip nat inside source static udp 10.10.10.2 3250 interface Dialer0 3250
ip nat inside source static udp 10.10.10.2 3251 interface Dialer0 3251
ip nat inside source static udp 10.10.10.2 3252 interface Dialer0 3252
ip nat inside source static udp 10.10.10.2 3253 interface Dialer0 3253
ip nat inside source static udp 10.10.10.2 3254 interface Dialer0 3254
ip nat inside source static udp 10.10.10.2 3255 interface Dialer0 3255
!
ip access-list extended ToNAT
 permit ip 10.10.10.0 0.0.0.255 any

Question by:vikrantambhore
37 Comments

Expert Comment

by:Istvan Kalmar
ID: 34933086
Hi,

I advise making a static NAT for the IP address, and making an ACL on the inside interface to enable the port range.

Author Comment

by:vikrantambhore
ID: 34933109
If I make a static NAT for the Polycom then the other users will lose Internet (as far as I can tell), but if you have any good way please suggest it. I want to open the necessary ports for 10.10.10.2, but I need to open nearly 5000 ports, so it's not possible to enter them one by one.
The other users must still be able to access the Internet from my Cisco router.

Please help


Vik

Expert Comment

by:JAN PAKULA
ID: 34934521

access-list 101 permit udp host 10.10.10.2 192.168.10.0 0.0.0.255 range 6000 6500
access-list 101 permit udp host 10.1.1.1 192.168.10.0 0.0.0.255 eq <port-number>
access-list 101 deny udp any 192.168.10.0 0.0.0.255 range 161 162
access-list 101 deny udp any 192.168.10.0 0.0.0.255 eq 17185
access-list 101 permit ip any any
The access-list must then be applied to all interfaces using configuration commands such as:
interface ethernet 0/0
ip access-group 101 in

show control-plane host open-ports

You can also create an Excel file with the first column as the command and the second as 6000+1 (or A2+1), copy the config file to a .txt, paste the configuration in, and then import the config file back into the router.


JAN Ma CCNA
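A scripted version of the spreadsheet trick above, added here as an example and not part of the original thread. It generates the per-port `ip nat inside source static` lines (inside port equal to outside port, the pattern used for every entry in the question except 80 to 8080) and a matching extended ACL for a list of port ranges, and it checks a pasted block of static lines for the two mistakes hand-typed lists tend to contain: an inside port mapped to a different outside port, and a required port with no entry at all. The host address, interface name and the 512-entry cap are parameters chosen for the example, not IOS defaults or limits; the 60000-65000 block is left out of the default port list on purpose, since on its own it would be 10,002 static lines.

```python
"""Generate per-port static NAT entries for Cisco IOS and sanity-check a pasted block.

Added example, not from the thread. The inside host, the outside interface and
the entry cap are parameters of this script, not IOS defaults.
"""
import re
from typing import Iterable, List, Tuple

PortSpec = Tuple[str, int, int]  # (proto, first port, last port); single port => first == last

# Ports listed in the question. 60000-65000 is deliberately left out of this
# default set: 5001 TCP + 5001 UDP static lines is not something to paste into
# an 877's startup-config without thinking.
POLYCOM_SPECS: List[PortSpec] = [
    ("tcp", 389, 389),      # ILS registration (LDAP)
    ("tcp", 1503, 1503),    # T.120
    ("udp", 1718, 1719),    # gatekeeper discovery / RAS
    ("tcp", 1720, 1720),    # H.323 call setup
    ("tcp", 1731, 1731),    # audio call control
    ("tcp", 3230, 3255),
    ("udp", 3230, 3255),
]

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)


def expand(specs: Iterable[PortSpec]) -> List[Tuple[str, int]]:
    """Flatten range specs into sorted, de-duplicated (proto, port) pairs."""
    pairs = set()
    for proto, lo, hi in specs:
        if proto not in ("tcp", "udp") or not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad spec {proto} {lo}-{hi}")
        pairs.update((proto, p) for p in range(lo, hi + 1))
    return sorted(pairs)


def static_nat_lines(inside_ip: str, outside_if: str, specs: Iterable[PortSpec],
                     max_entries: int = 512) -> List[str]:
    """One 'ip nat inside source static' line per (proto, port), inside port == outside port.

    max_entries is an assumed policy cap, not an IOS limit: past it, a range ACL
    with a rotary pool or a second public address is the better tool.
    """
    pairs = expand(specs)
    if len(pairs) > max_entries:
        raise ValueError(f"{len(pairs)} static entries exceed the cap of {max_entries}")
    return [
        f"ip nat inside source static {proto} {inside_ip} {port} interface {outside_if} {port}"
        for proto, port in pairs
    ]


def acl_lines(name: str, specs: Iterable[PortSpec]) -> List[str]:
    """Extended named ACL permitting the same ports, collapsed with 'eq' / 'range'."""
    out = [f"ip access-list extended {name}"]
    for proto, lo, hi in specs:
        out.append(f" permit {proto} any any " + (f"eq {lo}" if lo == hi else f"range {lo} {hi}"))
    return out


def check_static_nat(lines: Iterable[str], specs: Iterable[PortSpec]) -> List[str]:
    """Report entries whose inside and outside ports differ, and required ports no entry covers."""
    findings, seen = [], set()
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        proto, _ip, inside, _ifname, outside = m.groups()
        if inside != outside:
            findings.append(f"{proto} {inside} is mapped to outside port {outside}")
        seen.add((proto, int(outside)))   # what the Internet side can actually reach
    for proto, port in expand(specs):
        if (proto, port) not in seen:
            findings.append(f"{proto} {port} has no static entry")
    return findings


# Constructed sample: one transposed entry (3237 -> 3238), which also leaves 3237 uncovered.
POSTED_SNIPPET = """\
ip nat inside source static tcp 10.10.10.2 3236 interface Dialer0 3236
ip nat inside source static tcp 10.10.10.2 3237 interface Dialer0 3238
ip nat inside source static tcp 10.10.10.2 3239 interface Dialer0 3239
"""

if __name__ == "__main__":
    print("\n".join(static_nat_lines("10.10.10.2", "Dialer0", POLYCOM_SPECS)))
    print("\n".join(acl_lines("Polycom", POLYCOM_SPECS)))
    print(check_static_nat(POSTED_SNIPPET.splitlines(), [("tcp", 3236, 3239)]))
```

Run it on a workstation, paste the output into configuration mode, then feed the router's own `show run | include ip nat inside source static` back through `check_static_nat` to confirm nothing was mistyped on the way in.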

Author Comment

by:vikrantambhore
ID: 34935448
Hi janpakula,

Thanks for your reply.
I have one query about your post above:
I know 10.10.10.2 is my Polycom IP, but please let me know which IP 192.168.10.0 is.
My public IP is A.B.C.D, which is assigned on the Dialer0 interface, and the Polycom is plugged into fa0.
Can you explain, please?

Expert Comment

by:JAN PAKULA
ID: 34936687
It should be your public IP with the corresponding subnet mask.

Expert Comment

by:Istvan Kalmar
ID: 34936748
You need something like this:

access-list 101 permit udp host 10.10.10.2 any range 6000 6500
access-list 101 permit udp host 10.1.1.1 any eq <port-number>

interface ethernet 0/0
ip access-group 101 in

Which source address do you want to reach the Polycom?

Author Comment

by:vikrantambhore
ID: 34936848
Thanks

Inbound & outbound source addresses need to reach the Polycom, meaning I want to open the ports below in bi-directional mode:

389  – Static TCP – ILS Registration (LDAP)
1503 – Static TCP – T.120
1718 – Static UDP – Gatekeeper discovery (must be bi-directional)
1719 – Static UDP – Gatekeeper RAS (must be bi-directional)
1720 – Static TCP – H.323 call set up (must be bi-directional)
1731 – Static TCP – Audio Call Control (must be bi-directional)

Expert Comment

by:Istvan Kalmar
ID: 34937063
OK, you need:
 
ip nat inside source static 10.10.10.2 3560 interface Dialer0
and you need to use an ACL to control which ports are available from the net...
I advise configuring the firewall:
http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/firewall.html

Author Comment

by:vikrantambhore
ID: 34937231
Can you suggest why we need to use 3560?
Also, if I am using  ip nat inside source static 10.10.10.2 interface Dialer0
then all the other users lose Internet access.

Expert Comment

by:Istvan Kalmar
ID: 34938112
Yep, but you need overload NAT also:

ip nat inside source list ToNAT interface Dialer0 overload

and you need:

 ip nat inside source static 10.10.10.2 interface Dialer0



Author Comment

by:vikrantambhore
ID: 34940156
Bro,

Please suggest why you specified 3560 in your second-to-last comment?

Can you, please?

Expert Comment

by:Istvan Kalmar
ID: 34940827
It is a mistaken line; forget 3560....


So you need this:

ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside source static 10.10.10.2 interface Dialer0
CTRL+Z
clear ip nat trans *

Author Comment

by:vikrantambhore
ID: 34940971
OK, thanks,

I will let you know.

Author Comment

by:vikrantambhore
ID: 34940987
Hi,

One more query: you said you need to use an ACL to control which ports are available from the net...
Which ACL? Please let me know; can you give it in steps?

Please help

Expert Comment

by:Istvan Kalmar
ID: 34941020
I advise using something like this:

ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet

access-list 105 permit udp any any range 6000 6500
access-list 105 permit udp any any eq 53
access-list 105 permit tcp any any eq 53
! an example
!access-list 105 permit udp any any eq <port-number>

interface ethernet 0/1
ip inspect firewall in
no cdp enable
ip access-group 105 in

Author Comment

by:vikrantambhore
ID: 34941103
I did it as per below; we have lost Internet from the other systems which are connected to the Cisco router.

ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside source static 10.10.10.2 interface Dialer0
!
ip access-list extended ToNAT
 permit ip 10.10.10.0 0.0.0.255 any

Expert Comment

by:Istvan Kalmar
ID: 34941120
Please show the whole config.

Author Comment

by:vikrantambhore
ID: 34941137
OK, please look. Can we use a separate VLAN for the Polycom unit and open all ports for that VLAN?


Vik
comteam#sh run
Building configuration...

Current configuration : 11752 bytes
!
! Last configuration change at 19:12:19 GMT+10 Tue Feb 1 2011 by XXXXXX
! NVRAM config last updated at 19:12:22 GMT+10 Tue Feb 1 2011 by XXXXXX
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname comteam
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone GMT+10 10
!
crypto pki trustpoint TP-self-signed-814900924
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-814900924
 revocation-check none
 rsakeypair TP-self-signed-814900924
!
!
crypto pki certificate chain TP-self-signed-814900924
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 38313439 30303932 34301E17 0D313130 31323630 33353635
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3831 34393030
  39323430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  E9EF51C3 C77CA2DA 2C06B1DD 4099F308 CBBAA8CB 963E1531 E74C5260 DD9ED17E
  7C1FF7F7 624D3C8A 75894902 BBF2B7CF BE3D8386 B8655693 DCA7E7CB C282D672
  8FC4360C EE032BA2 B685627D DE4DFC39 F39F8D65 23EE720D F5BE2297 96BBF6E4
  65F8947A FFBCDEC9 17772266 0105B4D5 1A81796C 10836ADC F6272826 271C29E3
  02030100 01A37630 74300F06 03551D13 0101FF04 05300301 01FF3021 0603551D
  11041A30 18821663 6F6D7465 616D2E79 6F757264 6F6D6169 6E2E636F 6D301F06
  03551D23 04183016 8014F899 77021298 0AD7AB9E 668987B0 2D2810EF BC93301D
  0603551D 0E041604 14F89977 0212980A D7AB9E66 8987B02D 2810EFBC 93300D06
  092A8648 86F70D01 01040500 03818100 7B5B1FE3 7D8B1539 0BADF182 DDE604DA
  19596311 CA847947 A45A36E3 CB6D01C2 D1EA3DF2 5D0C97B7 156EE241 04082030
  73CB20F2 1106269E 3E33368C 37B98B7C E6531808 D623CCD4 1DBE5B36 E9CFC293
  E631C5CE 41B8DE41 C81857F2 30200782 0D2EEAA8 A1FA6E34 487EE4D2 0DBDC8E8
  69D66288 79F6104B C4DA84CB B1BC2B16
        quit
dot11 syslog
!
dot11 ssid comteam
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 XXXXXX
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.5
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 10.10.10.1
   option 42 ip 10.10.10.1
   option 150 ip 10.10.10.10
   lease 0 2
!
!
ip inspect name BT h323
ip domain name yourdomain.com
ip name-server 203.0.178.191
ip name-server 203.215.29.191
!
!
!
username XXXXXX privilege 15 password 7 XXXXXX
!
!
archive
 log config
  hidekeys
!
!
!
class-map match-all Streaming-Video
 match access-group 103
class-map match-all video-conf
 match access-group 102
class-map match-all Video-Conf
 match access-group 102
!
!
policy-map qos-policy
 class video-conf
  bandwidth 512
 class class-default
  fair-queue
policy-map video-police
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 bandwidth 512
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid comteam
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 mtu 1454
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username computerteam password 7 030E71051F0B74696F18
!
interface BVI1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside source static 10.10.10.2 interface Dialer0

!
ip access-list extended ToNAT
 permit ip 10.10.10.0 0.0.0.255 any
!
no cdp run
!
!
line con 0
 password 7 XXXXXX
 login local
 no modem enable
line aux 0
 password 7 XXXXXX
 login local
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 XXXXXX
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175004
ntp server 119.148.81.6
end

comteam#


Expert Comment

by:Istvan Kalmar
ID: 34941739
Are you able to ask for a secondary IP address for the dialer interface?

Author Comment

by:vikrantambhore
ID: 34941787
You mean I need to assign a secondary IP on the Dialer interface? If so, I am able to configure a secondary IP on the Dialer interface, but it would be great if you could suggest the IP & subnet mask, or whatever is necessary.


Regards

VIkrant

Author Comment

by:vikrantambhore
ID: 34948843
Please, can anyone help me?

Expert Comment

by:Istvan Kalmar
ID: 34949080
You need to ASK the ISP; the ISP gives you this information!
If the ISP is not able to give a secondary address, you need to configure an individual NAT statement for each port :(

Author Comment

by:vikrantambhore
ID: 34949091
We can get a secondary IP from the ISP. I think you are thinking of a DMZ configuration,
am I right?

Expert Comment

by:Istvan Kalmar
ID: 34949096
For example....
But your router is configurable with only 1 VLAN, so you are not able to use a real DMZ.

Author Comment

by:vikrantambhore
ID: 34949110
Then what should we do now?
I can make some changes on the router; should I also configure a 2nd VLAN for the Polycom?
Please suggest your thinking, if you have any other easy way.

Expert Comment

by:Istvan Kalmar
ID: 34949119
1. You ask for a secondary IP address from your ISP, and configure static NAT for that IP address.
2. You do not get a secondary IP address from your ISP, and you need to configure individual NAT statements for each TCP and UDP port......

Accepted Solution

by:Jody Lemoine (earned 500 total points)
ID: 34998983
Try this on for size and see if it accomplishes what you're looking for. This will allow you to port-forward the full range you've described without needing separate IP addresses or VLANs. I'm not sure if it will meet your requirements for bidirectional communications, but it's worth testing out.

ip access-list extended Polycom
 permit tcp any any eq 389
 permit tcp any any eq 1503
 permit udp any any range 1718 1719
 permit tcp any any eq 1720
 permit tcp any any eq 1731
 permit tcp any any range 3230 3255
 permit udp any any range 3230 3255
 permit tcp any any range 60000 65000
 permit udp any any range 60000 65000
!
ip nat pool NAT-Polycom 10.10.10.2 10.10.10.2 netmask 255.255.255.0 type rotary
ip nat inside source list ToNAT interface Dialer0 overload
! the list name here must match the ACL defined above
ip nat inside destination list Polycom pool NAT-Polycom

Make sure you have all of those ports opened on the inbound ACL applied to your Dialer0 interface too.
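An added check for the rotary-pool approach proposed here, and for the CBAC (`ip inspect`) suggestion earlier in the thread; it is not code from either expert or from the thread. It reads the NAT, interface and named-ACL lines of an IOS config and flags four things: a destination list that names an ACL which is not defined (the running configuration posted later in the thread defines `Polycom` but references `ACL-Polycom`, so nothing is forwarded); an ACL applied inbound on the `ip nat outside` interface with no `ip inspect` applied on any interface, which, because IOS ACLs are stateless, also drops the replies to every outbound session from the NAT-overloaded LAN (the posted config defines `ip inspect name BT h323` but never applies it); required ports the ACL does not permit; and `any`-source entries that expose LDAP, T.120 and H.323 on the unit to the whole Internet. The sample config is constructed from lines posted in this thread; the fixed variant assumes `ip inspect BT out` on Dialer0, which as defined on the page inspects H.323 only. One more caveat to test rather than assume: Cisco documents rotary pools under TCP load distribution, so verify the UDP ranges actually translate before relying on them.

```python
"""Audit an IOS config for pitfalls in destination-list (rotary pool) port forwarding.

Added example, not code from the thread. SAMPLE_CONFIG is constructed from
lines posted in the thread; 'BT' is the inspect rule the posted config defines.
"""
import re
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]         # ("tcp"|"udp", port)
Spec = Tuple[str, int, int]    # (proto, first, last)

# Everything the question asked to forward to the Polycom / LifeSize units.
REQUIRED: List[Spec] = [
    ("tcp", 389, 389), ("tcp", 1503, 1503), ("udp", 1718, 1719), ("tcp", 1720, 1720),
    ("tcp", 1731, 1731), ("tcp", 3230, 3255), ("udp", 3230, 3255),
    ("tcp", 60000, 65000), ("udp", 60000, 65000),
]
# permit <proto> <src> any eq N | range A B   (src: any, host X, or net wildcard)
ACE_RE = re.compile(r"^permit (tcp|udp) (any|host \S+|\S+ \S+) any (?:eq (\d+)|range (\d+) (\d+))$")
NAT_DEST_RE = re.compile(r"^ip nat inside destination list (\S+) pool (\S+)$", re.M)


def parse_blocks(config: str, prefix: str) -> Dict[str, List[str]]:
    """Blocks opened by `prefix` ('interface ', 'ip access-list extended ') and their indented sub-lines."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(prefix):
            current = line[len(prefix):].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks


def collapse(ports: Set[Port]) -> List[str]:
    """Render a port set as 'udp 60000-65000' style ranges for readable findings."""
    runs: List[List] = []
    for proto, p in sorted(ports):
        if runs and runs[-1][0] == proto and runs[-1][2] == p - 1:
            runs[-1][2] = p
        else:
            runs.append([proto, p, p])
    return [f"{a} {b}" if b == c else f"{a} {b}-{c}" for a, b, c in runs]


def permitted(aces: List[str]) -> Tuple[Set[Port], int]:
    """Ports an ACL permits to any destination, and how many of its entries accept any source."""
    ports: Set[Port] = set()
    open_src = 0
    for ace in aces:
        m = ACE_RE.match(ace)
        if not m:
            continue  # deny lines and other protocols are not forwarding rules
        proto, src, eq, lo, hi = m.groups()
        first, last = (int(eq), int(eq)) if eq else (int(lo), int(hi))
        ports.update((proto, p) for p in range(first, last + 1))
        open_src += src == "any"
    return ports, open_src


def audit(config: str, required: List[Spec]) -> List[str]:
    findings: List[str] = []
    acls = parse_blocks(config, "ip access-list extended ")
    ifaces = parse_blocks(config, "interface ")
    # 1. The ACL named in 'ip nat inside destination list' must exist; a typo forwards nothing.
    for m in NAT_DEST_RE.finditer(config):
        if m.group(1) not in acls:
            findings.append(f"NAT destination list '{m.group(1)}' names an ACL that is not defined")
    # 2. ACLs are stateless: inbound on the NAT-outside interface with no CBAC applied
    #    ('ip inspect ... in|out') the ACL also drops replies to the LAN's outbound sessions.
    inspected = any(re.match(r"ip inspect \S+ (in|out)$", l) for sub in ifaces.values() for l in sub)
    need = {(proto, p) for proto, lo, hi in required for p in range(lo, hi + 1)}
    for name, sub in ifaces.items():
        if "ip nat outside" not in sub:
            continue
        for l in sub:
            m = re.match(r"ip access-group (\S+) in$", l)
            if not m:
                continue
            acl = m.group(1)
            if not inspected:
                findings.append(f"{name}: inbound ACL '{acl}' with no 'ip inspect' applied; "
                                "return traffic for NAT-overloaded hosts hits the implicit deny")
            if acl in acls:
                ports, open_src = permitted(acls[acl])
                # 3. Every required port must be permitted or the forward never fires.
                for rng in collapse(need - ports):
                    findings.append(f"{name}: required {rng} is not permitted by ACL '{acl}'")
                # 4. An 'any' source leaves LDAP, T.120 and H.323 reachable from the whole Internet.
                if open_src:
                    findings.append(f"{name}: {open_src} entries in ACL '{acl}' accept any source; "
                                    "restrict to the far-end gatekeeper/peers where possible")
    return findings


# Constructed from the running config posted in this thread (only the relevant lines).
SAMPLE_CONFIG = """\
interface Dialer0
 ip address negotiated
 ip access-group Polycom in
 ip nat outside
!
ip nat pool NAT-Polycom 10.10.10.2 10.10.10.2 netmask 255.255.255.0 type rotary
ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside destination list ACL-Polycom pool NAT-Polycom
!
ip access-list extended Polycom
 permit tcp any any eq 389
 permit tcp any any eq 1503
 permit udp any any range 1718 1719
 permit tcp any any eq 1720
 permit tcp any any eq 1731
 permit tcp any any range 3230 3255
 permit udp any any range 3230 3255
 permit tcp any any range 60000 65000
 permit udp any any range 60000 65000
!
"""
# Same config with the list name corrected and the posted 'BT' inspect rule actually applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace("list ACL-Polycom", "list Polycom").replace(
    " ip nat outside\n", " ip nat outside\n ip inspect BT out\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, REQUIRED)) or "(no findings)")
```

Point it at the output of `show running-config` before and after a change; the `any`-source finding is informational and stays until the ACEs are narrowed to the remote endpoints the unit actually calls.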

Author Comment

by:vikrantambhore
ID: 35034280
Hi jodylemoine,

Thanks for your reply, & sorry for the late reply; I was out for 1 week.

You mean I need to enter the commands below under the WAN interface and also the LAN interface?
ip access-group Polycom in
ip access-group Polycom out

Regards

Vikrant

Expert Comment

by:Jody Lemoine
ID: 35036149
Hi Vikrant.

No, I was referring to any security-related ACLs you might have on your WAN interface. Looking at your configuration, you don't have any, so it's not something you have to account for.

Jody

Author Comment

by:vikrantambhore
ID: 35041584
Hello jodylemoine,

Thanks for your reply. I am not sure I am getting you; please look at my config and help me if I need more changes. I did as per your suggestion.


Vikrant

Author Comment

by:vikrantambhore
ID: 35041590
I am sorry, I forgot to attach my running-config. Please look at my running config.

Building configuration...

Current configuration : 11752 bytes
!
! Last configuration change at 19:12:19 GMT+10 Tue Feb 1 2011 by XXXXXX
! NVRAM config last updated at 19:12:22 GMT+10 Tue Feb 1 2011 by XXXXXX
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname comteam
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone GMT+10 10
!
crypto pki trustpoint TP-self-signed-814900924
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-814900924
 revocation-check none
 rsakeypair TP-self-signed-814900924
!
!
crypto pki certificate chain TP-self-signed-814900924
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 38313439 30303932 34301E17 0D313130 31323630 33353635
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3831 34393030
  39323430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  E9EF51C3 C77CA2DA 2C06B1DD 4099F308 CBBAA8CB 963E1531 E74C5260 DD9ED17E
  7C1FF7F7 624D3C8A 75894902 BBF2B7CF BE3D8386 B8655693 DCA7E7CB C282D672
  8FC4360C EE032BA2 B685627D DE4DFC39 F39F8D65 23EE720D F5BE2297 96BBF6E4
  65F8947A FFBCDEC9 17772266 0105B4D5 1A81796C 10836ADC F6272826 271C29E3
  02030100 01A37630 74300F06 03551D13 0101FF04 05300301 01FF3021 0603551D
  11041A30 18821663 6F6D7465 616D2E79 6F757264 6F6D6169 6E2E636F 6D301F06
  03551D23 04183016 8014F899 77021298 0AD7AB9E 668987B0 2D2810EF BC93301D
  0603551D 0E041604 14F89977 0212980A D7AB9E66 8987B02D 2810EFBC 93300D06
  092A8648 86F70D01 01040500 03818100 7B5B1FE3 7D8B1539 0BADF182 DDE604DA
  19596311 CA847947 A45A36E3 CB6D01C2 D1EA3DF2 5D0C97B7 156EE241 04082030
  73CB20F2 1106269E 3E33368C 37B98B7C E6531808 D623CCD4 1DBE5B36 E9CFC293
  E631C5CE 41B8DE41 C81857F2 30200782 0D2EEAA8 A1FA6E34 487EE4D2 0DBDC8E8
  69D66288 79F6104B C4DA84CB B1BC2B16
        quit
dot11 syslog
!
dot11 ssid comteam
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 XXXXXX
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.5
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 10.10.10.1
   option 42 ip 10.10.10.1
   option 150 ip 10.10.10.10
   lease 0 2
!
!
ip inspect name BT h323
ip domain name yourdomain.com
ip name-server 203.0.178.191
ip name-server 203.215.29.191
!
!
!
username XXXXXX privilege 15 password 7 XXXXXX
!
!
archive
 log config
  hidekeys
!
!
!
class-map match-all Streaming-Video
 match access-group 103
class-map match-all video-conf
 match access-group 102
class-map match-all Video-Conf
 match access-group 102
!
!
policy-map qos-policy
 class video-conf
  bandwidth 512
 class class-default
  fair-queue
policy-map video-police
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 bandwidth 512
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid comteam
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 mtu 1454
 ip address negotiated
 ip access-group Polycom in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username computerteam password 7 030E71051F0B74696F18
!
interface BVI1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat pool NAT-Polycom 10.10.10.2 10.10.10.2 netmask 255.255.255.0 type rotary
ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside destination list ACL-Polycom pool NAT-Polycom
!
ip access-list extended Polycom
 permit tcp any any eq 389
 permit tcp any any eq 1503
 permit udp any any range 1718 1719
 permit tcp any any eq 1720
 permit tcp any any eq 1731
 permit tcp any any range 3230 3255
 permit udp any any range 3230 3255
 permit tcp any any range 60000 65000
 permit udp any any range 60000 65000
!
ip access-list extended ToNAT
 permit ip 10.10.10.0 0.0.0.255 any
!
no cdp run
!
!
line con 0
 password 7 XXXXXX
 login local
 no modem enable
line aux 0
 password 7 XXXXXX
 login local
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 XXXXXX
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175004
ntp server 119.148.81.6
end

comteam#

Expert Comment

by:Jody Lemoine
ID: 35041601
Based on what I see in your configuration, you'll need to remove the "ip inside source static" line and add the ones I've suggested earlier.

Expert Comment

by:Jody Lemoine
ID: 35041604
Okay, I just saw the new running configuration. It looks good on cursory inspection. Are you getting any results?

Author Comment

by:vikrantambhore
ID: 35041610
If I make a static NAT for the Polycom then the other users will lose Internet; we are using Internet from this unit and also want to use the Polycom for in & out video calls.

Expert Comment

by:Jody Lemoine
ID: 35041615
Don't make a static NAT for the Polycom. That will disable your Internet access from other devices. Stick with the original configuration snippet that I provided and only the ports in the Polycom ACL will be forwarded, leaving the rest of your Internet access to be covered by your NAT overload.

Author Comment

by:vikrantambhore
ID: 35041645
Can you please check my configuration & let me know if anything is wrong?
It would be great if you could suggest the configuration.

interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 bandwidth 512
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid comteam
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 mtu 1454
 ip address negotiated
 ip access-group Polycom in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username computerteam password 7 030E71051F0B74696F18
!
interface BVI1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat pool NAT-Polycom 10.10.10.2 10.10.10.2 netmask 255.255.255.0 type rotary
ip nat inside source list ToNAT interface Dialer0 overload
ip nat inside destination list ACL-Polycom pool NAT-Polycom
!
ip access-list extended Polycom
 permit tcp any any eq 389
 permit tcp any any eq 1503
 permit udp any any range 1718 1719
 permit tcp any any eq 1720
 permit tcp any any eq 1731
 permit tcp any any range 3230 3255
 permit udp any any range 3230 3255
 permit tcp any any range 60000 65000
 permit udp any any range 60000 65000
!
ip access-list extended ToNAT
 permit ip 10.10.10.0 0.0.0.255 any
!

Author Comment

by:vikrantambhore
ID: 35041652
Sorry, I didn't read your post above (Okay, I just saw the new running configuration. It looks good on cursory inspection. Are you getting any results?)
 

Now all ports are open, but please let me know how to check whether they are open or not. I am still unable to get video on inbound calls.