Solved

I am unable to open Ports on Cisco

Posted on 2011-09-26
5
470 Views
Last Modified: 2012-05-12
Hi All,

Can anyone help me to open some ports? I am trying to open some ports on my Cisco 1861 router. I did as per the below config, but it looks like they are still closed after entering the commands below.

Please help me, I need 25, 3389, 80, 443 and also 1433.

Please help me.

interface Vlan1
 description -= DATA Vlan =-
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 keepalive 10 3
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username XXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXX
002E
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.255.0 10.91.255.3
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT-ALLOWED interface Dialer1 overload
ip nat inside source static tcp 192.168.8.7 25 interface Dialer1 25
ip nat inside source static tcp 192.168.8.7 3535 interface Dialer1 3535
!
ip access-list extended NAT-ALLOWED
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.8.0 0.0.0.255 any
!

Question by:vikrantambhore
5 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36598287
Hi, can you post the entire sanitized config (can't even tell what version you are using) and also provide a little more info? Would like to know if these ports need to be open to a specific host on the inside or? Maybe describe your intention a little more clearly for us. Let us know.
0
 
LVL 4

Accepted Solution

by:
denver218 earned 167 total points
ID: 36598304
Do you want these ports open to any source and destination? It is best to specify source and destination addresses if possible. If you want these ports open for any source and destination, below is the access-list you need.

access-list 101 permit tcp any any eq 1433
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp

Then all you need to do is apply this access-list to your outbound interface:
ip access-group 101 in
0
 
LVL 17

Assisted Solution

by:Garry-G
Garry-G earned 167 total points
ID: 36598392
@denver218, that access list most likely successfully killed all outgoing connections and more ...

Stateless firewalls (or access lists) are a b@tch to configure, once you're used to stateful inspection ...

Make sure you permit established connections:

access-list 101 permit tcp any any established

Also, in case you use UDP for anything (like, e.g. DNS), you may want to allow returning packets:

access-list 101 permit udp any eq 53 any

On top of that, ICMP can be very helpful at times ... both for things like "ping", but also for "please fragment your packets" packets ... so in the simplest implementation:

access-list 101 permit icmp any any



Apart from that, there may be other features you need but that are not yet covered with the access list lines ... (VPN, GRE-Tunnels, ...)
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 166 total points
ID: 36599790
If you open up TCP 1433, Microsoft SQL Server, to the Internet you are just asking to get hacked. SQL Server is not designed to be available over the Internet safely, and I cannot think of many good reasons why you should have SQL available over the Internet. If you need to be able to directly connect, use IPsec, VPN, or at least an ACL on the Cisco to limit communication to only the hosts that need access.
0
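To make the two points above concrete (Garry-G's, that denver218's list as posted drops the return half of every outbound connection because an IOS access list matches packet by packet with no connection state, and kevinhsieh's, that 3389 and 1433 should only be reachable from specific hosts), here is an added example that is not part of the thread and not anyone's router config: a small Python evaluator for a subset of IOS numbered extended ACL syntax, run over a few constructed packets. Assumptions that are mine, not the thread's: the list is applied inbound on Dialer1 and is evaluated before NAT, so the packets carry the router's public address as destination; 198.51.100.5, 203.0.113.10 and the 192.0.2.x addresses are documentation-range placeholders; the function names `parse_acl`, `evaluate` and `decisions` are invented for this example.

```python
# Constructed example (not from the thread): a toy evaluator for a subset of
# Cisco IOS numbered extended ACL syntax, modelling per-packet, stateless
# matching and the implicit "deny any" that every IOS ACL ends with.
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "smtp": 25}  # IOS port keywords used in the thread

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK or RST bit set: what "established" matches

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A Cisco wildcard mask is the bitwise inverse of a netmask.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens.pop(0))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def _parse_port(tokens):
    if not tokens or tokens[0] != "eq":
        return None  # no 'eq PORT' qualifier: any port matches
    del tokens[0]
    port = tokens.pop(0)
    return PORT_NAMES.get(port) or int(port)

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _parse_addr(rest)
        sport = None if proto == "icmp" else _parse_port(rest)
        dst = _parse_addr(rest)
        dport = None if proto == "icmp" else _parse_port(rest)
        entries.append((action, proto, src, sport, dst, dport, "established" in rest))
    return entries

def evaluate(entries, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, sport, dst, dport, established in entries:
        if proto != pkt.proto or s not in src or d not in dst:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if established and not pkt.ack:
            continue
        return action
    return "deny"

# denver218's list as posted: it only describes new inbound connections.
ACL_AS_POSTED = """
access-list 101 permit tcp any any eq 1433
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
"""

# Reworked along the thread's advice: replies, DNS answers and ICMP pass, and
# RDP / SQL Server accept only one management address (203.0.113.10, constructed).
ACL_HARDENED = """
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp host 203.0.113.10 any eq 3389
access-list 101 permit tcp host 203.0.113.10 any eq 1433
"""

# Constructed packets arriving inbound on Dialer1. Assumption: the inbound ACL
# is checked before NAT, so the destination is the router's public address
# (198.51.100.5, a constructed placeholder).
PUBLIC = "198.51.100.5"
SAMPLE_PACKETS = {
    "return_synack_443": Packet("tcp", "192.0.2.80", PUBLIC, 443, 50000, ack=True),
    "dns_reply": Packet("udp", "192.0.2.53", PUBLIC, 53, 40000),
    "ping_echo_reply": Packet("icmp", "192.0.2.80", PUBLIC),
    "rdp_from_internet": Packet("tcp", "192.0.2.7", PUBLIC, 51000, 3389),
    "rdp_from_mgmt_host": Packet("tcp", "203.0.113.10", PUBLIC, 51001, 3389),
}

def decisions(acl_text):
    # Map each sample packet name to "permit" or "deny" under the given ACL.
    return {n: evaluate(parse_acl(acl_text), p) for n, p in SAMPLE_PACKETS.items()}
```

Running `decisions(ACL_AS_POSTED)` shows the SYN-ACK coming back for an outbound HTTPS session, the DNS answer and the ping reply all hitting the implicit deny, while RDP is open to the whole Internet; `decisions(ACL_HARDENED)` permits the replies and accepts RDP only from the management address. Note what `established` actually does: it matches any TCP segment with the ACK or RST bit set, so it is a stand-in for connection tracking rather than a replacement for it. Real stateful inspection on IOS (CBAC `ip inspect` or the zone-based firewall) tracks each outbound session and opens the return path only for that session.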
 
LVL 17

Expert Comment

by:Garry-G
ID: 36599838
As denver already stated, the permit statement ought to really be limited to certain hosts ...
0
