I am unable to open ports on Cisco

Hi All,

Can anyone help me to open some ports? I am trying to open some ports on my Cisco 1861 router. I did the config below, but it looks like they are still closed after entering the commands below.

Please help me, I need 25, 3389, 80, 443 and also 1433.

Please help me.

interface Vlan1
 description -= DATA Vlan =-
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 keepalive 10 3
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username XXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXX
002E
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.255.0 10.91.255.3
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT-ALLOWED interface Dialer1 overload
ip nat inside source static tcp 192.168.8.7 25 interface Dialer1 25
ip nat inside source static tcp 192.168.8.7 3535 interface Dialer1 3535
!
ip access-list extended NAT-ALLOWED
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.8.0 0.0.0.255 any
!


0
Asked: vikrantambhore
3 Solutions
 
Robert Sutton Jr, Senior Network Manager, commented:
Hi, can you post the entire sanitized config (can't even tell what version you are using) and also provide a little more info? Would like to know if these ports need to be open to a specific host on the inside or? Maybe describe your intention a little more clearly for us. Let us know.
0
 
denver218 commented:
Do you want these ports open to any source and destination? It is best to specify source and destination addresses if possible. If you want these ports open for any source and destination, below is the access-list you need.

access-list 101 permit tcp any any eq 1433
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp

Then all you need to do is apply this access-list to your outbound interface:
ip access-group 101 in
0
 
Garry Glendown, Consulting and Network/Security Specialist, commented:
@denver218, that access list most likely successfully killed all outgoing connections and more ...

Stateless firewalls (or access lists) are a b@tch to configure, once you're used to stateful inspection ...

Make sure you permit established connections:

access-list 101 permit tcp any any established

Also, in case you use UDP for anything (like, e.g., DNS), you may want to allow returning packets:

access-list 101 permit udp any eq 53 any

On top of that, ICMP can be very helpful at times ... both for things like "ping", but also for "please fragment your packets" packets ... so in the simplest implementation:

access-list 101 permit icmp any any

Apart from that, there may be other features you need but that are not yet covered with the access list lines ... (VPN, GRE-Tunnels, ...)
0
 
kevinhsieh commented:
If you open up TCP 1433, Microsoft SQL Server, to the internet you are just asking to get hacked. SQL Server is not designed to be available over the Internet safely, and I cannot think of many good reasons why you should have SQL available over the Internet. If you need to be able to directly connect, use IPsec, VPN, or at least an ACL on the Cisco to limit communication to only the hosts that need access.
0
 
Garry Glendown, Consulting and Network/Security Specialist, commented:
As denver already stated, the permit statement ought to really be limited to certain hosts ...
0
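As an added illustration (not code from any of the posters above), the following Python models first-match evaluation of the numbered extended ACL syntax used in denver218's and Garry Glendown's answers, and shows why a stateless list of `permit ... eq PORT` entries alone drops return traffic to LAN users while the `established`, UDP 53 and ICMP entries let it through. It only understands the keywords that appear on this page plus `host` (the per-host restriction kevinhsieh recommends); the packets and the 203.0.113.x / 198.51.100.x addresses are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Simplified inbound packet; ack=True marks a TCP reply segment (ACK/RST set) rather than a new SYN
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))

def _addr_spec(tok):
    """Consume 'any' or 'host A.B.C.D' plus an optional 'eq PORT'; return (network, port or None)."""
    kw = tok.pop(0)
    net = ipaddress.ip_network("0.0.0.0/0" if kw == "any" else tok.pop(0))  # bare address means /32
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    del tok[: 2 if port is not None else 0]
    return net, port

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]' entries, in order."""
    rules = []
    for line in lines:
        tok = line.split()[2:]
        action, proto = tok.pop(0), tok.pop(0)
        src, sport = _addr_spec(tok)
        dst, dport = _addr_spec(tok)
        rules.append((action, proto, src, sport, dst, dport, tok == ["established"]))
    return rules

def evaluate(rules, pkt):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, proto, src, sport, dst, dport, established in rules:
        if (proto in ("ip", pkt.proto) and ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst and sport in (None, pkt.sport)
                and dport in (None, pkt.dport) and (pkt.ack or not established)):
            return action
    return "deny"

# denver218's port entries (www and smtp behave the same and are left out) and Garry's return-traffic entries
PORT_ACL = ["access-list 101 permit tcp any any eq 1433",
            "access-list 101 permit tcp any any eq 3389",
            "access-list 101 permit tcp any any eq 443"]
RETURN_ACL = ["access-list 101 permit tcp any any established",
              "access-list 101 permit udp any eq 53 any",
              "access-list 101 permit icmp any any"]
# Constructed traffic arriving inbound on Dialer1: 203.0.113.5 stands in for the negotiated public
# address and 198.51.100.x for remote hosts (documentation ranges, not addresses from the question)
INBOUND = {
    "new RDP connection to forwarded host": Packet("tcp", "198.51.100.9", "203.0.113.5", 51000, 3389),
    "reply to a LAN user's HTTPS request": Packet("tcp", "198.51.100.20", "203.0.113.5", 443, 52000, True),
    "DNS answer to a LAN resolver query": Packet("udp", "198.51.100.53", "203.0.113.5", 53, 40000),
    "ICMP 'fragmentation needed' message": Packet("icmp", "198.51.100.1", "203.0.113.5"),
}

def compare():
    """Verdict per packet with the port entries alone, and after the return-traffic entries are appended."""
    before, after = parse_acl(PORT_ACL), parse_acl(PORT_ACL + RETURN_ACL)
    return {name: (evaluate(before, p), evaluate(after, p)) for name, p in INBOUND.items()}
```

Only the RDP packet is permitted by the port entries alone; the three reply packets are dropped until the `established`, UDP 53 and ICMP entries are appended, which is the breakage Garry describes.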
