Solved

I am unable to open Ports on Cisco

Posted on 2011-09-26
Last Modified: 2012-05-12
Hi All,

Can anyone help me to open some ports? I am trying to open some ports on my Cisco 1861 router. I did as per the below config, but it looks like they are still closed after entering the below commands.

Please help me. I need 25, 3389, 80, 443 and also 1433.

Please help me
interface Vlan1
 description -= DATA Vlan =-
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 keepalive 10 3
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username XXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXX002E
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.255.0 10.91.255.3
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT-ALLOWED interface Dialer1 overload
ip nat inside source static tcp 192.168.8.7 25 interface Dialer1 25
ip nat inside source static tcp 192.168.8.7 3535 interface Dialer1 3535
!
ip access-list extended NAT-ALLOWED
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.8.0 0.0.0.255 any
!

Question by:vikrantambhore
5 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36598287
Hi, can you post the entire sanitized config (can't even tell what version you are using) and also provide a little more info? Would like to know if these ports need to be open to a specific host on the inside, or? Maybe describe your intention a little more clearly for us. Let us know.
0
 
LVL 4

Accepted Solution

by:
denver218 earned 668 total points
ID: 36598304
Do you want these ports open to any source and destination? It is best to specify source and destination addresses if possible. If you want these ports open for any source and destination, below is the access-list you need.

access-list 101 permit tcp any any eq 1433
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp

Then all you need to do is apply this access-list to your outbound interface:

ip access-group 101 in
0
 
LVL 18

Assisted Solution

by:Garry Glendown
Garry Glendown earned 668 total points
ID: 36598392
@denver218, that access list most likely successfully killed all outgoing connections and more ...

Stateless firewalls (or access lists) are a b@tch to configure, once you're used to stateful inspection ...

Make sure you permit established connections:

access-list 101 permit tcp any any established

Also, in case you use UDP for anything (like, e.g. DNS), you may want to allow returning packets:

access-list 101 permit udp any eq 53 any


On top of that, ICMP can be very helpful at times ... both for things like "ping", but also for "please fragment your packets" packets ... so in the simplest implementation:

access-list 101 permit icmp any any



Apart from that, there may be other features you need but that are not yet covered with the access list lines ... (VPN, GRE-Tunnels, ...)
0
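The two answers above describe stateless, first-match ACL evaluation in prose. The following is an added example, not code from this thread or from Cisco: a small Python model of extended-ACL semantics (top-to-bottom first match, implicit deny, `established` as a flag check) run over constructed packets arriving inbound on Dialer1. It compares denver218's port-only list with a list that adds Garry Glendown's `established`, DNS-reply and ICMP lines, and that also restricts 1433 to a single trusted client as kevinhsieh advises. All addresses (the router's WAN address, the trusted SQL client, the remote hosts) are constructed placeholders from documentation ranges.

```python
"""Stateless ACL evaluator with Cisco extended-ACL semantics: rules are tried
top to bottom, the first match decides, and an unmatched packet hits the
implicit deny.  Constructed for this page; it is a model, not Cisco software."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK or RST flag set: what `established` tests


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str              # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(addr) == ipaddress.ip_address(spec[5:])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    # `established` is flag inspection only: it matches any TCP segment with
    # ACK or RST set, without tracking whether a matching SYN ever went out.
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"                      # implicit deny at the end of every ACL


# denver218's list as posted: inbound connection attempts to five ports, nothing else.
PORTS_ONLY = [
    Rule("permit", "tcp", "any", "any", dport=1433),
    Rule("permit", "tcp", "any", "any", dport=3389),
    Rule("permit", "tcp", "any", "any", dport=443),
    Rule("permit", "tcp", "any", "any", dport=80),
    Rule("permit", "tcp", "any", "any", dport=25),
]

# Garry Glendown's additions (established, DNS replies, ICMP) plus kevinhsieh's
# advice: 1433 only from one trusted client.  The address is a constructed placeholder.
TRUSTED_SQL_CLIENT = "203.0.113.10"
HARDENED = [
    Rule("permit", "tcp", "any", "any", established=True),
    Rule("permit", "udp", "any", "any", sport=53),
    Rule("permit", "icmp", "any", "any"),
    Rule("permit", "tcp", f"host {TRUSTED_SQL_CLIENT}", "any", dport=1433),
    Rule("permit", "tcp", "any", "any", dport=3389),
    Rule("permit", "tcp", "any", "any", dport=443),
    Rule("permit", "tcp", "any", "any", dport=80),
    Rule("permit", "tcp", "any", "any", dport=25),
]

ROUTER_WAN = "198.51.100.2"            # constructed public address of Dialer1


def sample_packets():
    """Constructed packets as they arrive inbound on Dialer1."""
    return {
        "web_reply":       Packet("tcp", "192.0.2.80", ROUTER_WAN, 443, 51234, ack=True),
        "dns_reply":       Packet("udp", "192.0.2.53", ROUTER_WAN, 53, 40000),
        "inbound_smtp":    Packet("tcp", "203.0.113.77", ROUTER_WAN, 40001, 25),
        "sql_trusted":     Packet("tcp", TRUSTED_SQL_CLIENT, ROUTER_WAN, 40002, 1433),
        "sql_stranger":    Packet("tcp", "203.0.113.77", ROUTER_WAN, 40003, 1433),
        "unsolicited_ack": Packet("tcp", "203.0.113.77", ROUTER_WAN, 40004, 3306, ack=True),
    }


def compare(pkts):
    """Verdict of each list per packet: (ports-only, hardened)."""
    return {name: (evaluate(PORTS_ONLY, p), evaluate(HARDENED, p))
            for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdicts in compare(sample_packets()).items():
        print(f"{name:16s} ports-only={verdicts[0]:6s} hardened={verdicts[1]}")
```

The first two rows show the problem Garry describes: the reply half of an outbound HTTPS session and a DNS answer both fall through the port-only list to the implicit deny, so the router can reach nothing. The `sql_stranger` row shows kevinhsieh's point, where the host-restricted rule lets only the trusted client reach 1433. The last row is the caveat a practitioner should keep in mind: `established` inspects flags only, so any ACK-flagged segment is admitted regardless of whether the LAN ever opened that connection; closing that gap needs the stateful inspection Garry contrasts with plain access lists, and the static NAT entries in the question should be reviewed together with the ACL so that only the intended inside hosts are reachable.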
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 664 total points
ID: 36599790
If you open up TCP 1433, Microsoft SQL Server, to the internet you are just asking to get hacked. SQL Server is not designed to be available over the Internet safely, and I cannot think of many good reasons why you should have SQL available over the Internet. If you need to be able to directly connect, use IPsec, VPN, or at least an ACL on the Cisco to limit communication to only the hosts that need access.
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36599838
As denver already stated, the permit statement ought to really be limited to certain hosts ...
0
