Solved

I am unable to open Ports on Cisco

Posted on 2011-09-26
5
468 Views
Last Modified: 2012-05-12
Hi All,

Can anyone help me to open some ports? I am trying to open some ports on my Cisco 1861 router. I did the config below, but it looks like they are still closed after entering the commands below.

Please help me, I need 25, 3389, 80, 443 and also 1433.

Please help me.
interface Vlan1
 description -= DATA Vlan =-
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 keepalive 10 3
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username XXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXX002E
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.255.0 10.91.255.3
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT-ALLOWED interface Dialer1 overload
ip nat inside source static tcp 192.168.8.7 25 interface Dialer1 25
ip nat inside source static tcp 192.168.8.7 3535 interface Dialer1 3535
!
ip access-list extended NAT-ALLOWED
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.8.0 0.0.0.255 any
!

Question by:vikrantambhore
5 Comments
 
LVL 15

Expert Comment

by: The_Warlock

Hi, can you post the entire sanitized config (can't even tell what version you are using) and also provide a little more info? Would like to know if these ports need to be open to a specific host on the inside or? Maybe describe your intention a little more clearly for us. Let us know.
 
LVL 4

Accepted Solution

by: denver218 (earned 167 total points)

Do you want these ports open to any source and destination? It is best to specify source and destination addresses if possible. If you want these ports open for any source and destination, below is the access-list you need.

access-list 101 permit tcp any any eq 1433
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp

Then all you need to do is apply this access-list to your outbound interface:

ip access-group 101 in
 
LVL 17

Assisted Solution

by: Garry-G (earned 167 total points)
@denver218, that access list most likely successfully killed all outgoing connections and more ...

Stateless firewalls (or access lists) are a b@tch to configure, once you're used to stateful inspection ...

Make sure you permit established connections:

access-list 101 permit tcp any any established

Also, in case you use UDP for anything (like, e.g., DNS), you may want to allow returning packets:

access-list 101 permit udp any eq 53 any

On top of that, ICMP can be very helpful at times ... both for things like "ping", but also for "please fragment your packets" packets ... so in the simplest implementation:

access-list 101 permit icmp any any


Apart from that, there may be other features you need but that are not yet covered with the access list lines ... (VPN, GRE-Tunnels, ...)
 
LVL 42

Assisted Solution

by: kevinhsieh (earned 166 total points)

If you open up TCP 1433, Microsoft SQL Server, to the internet you are just asking to get hacked. SQL Server is not designed to be available over the Internet safely, and I cannot think of many good reasons why you should have SQL available over the Internet. If you need to be able to directly connect, use IPsec, VPN, or at least an ACL on the Cisco to limit communication to only the hosts that need access.
 
LVL 17

Expert Comment

by: Garry-G
As denver already stated, the permit statement ought to really be limited to certain hosts ...
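The three answers above describe one stateless ACL and its failure mode: denver218's five lines open the service ports to the whole Internet but match nothing on the way back, so the replies to the LAN's own outbound connections hit the implicit deny; Garry-G's `established`, UDP 53 and ICMP lines fix that, and kevinhsieh's point is that 1433 should be reachable from named hosts only. The script below is an added example written for this page, not code from any of the posters or from Cisco. It parses the `access-list 101` lines exactly as they appear above, evaluates constructed sample packets the way IOS does (first match wins, implicit deny at the end, `established` matches only TCP segments with ACK or RST set), and shows the difference between the list as posted and the list with the additions. All addresses in it (the 198.51.100.20 public address, the 192.0.2.x remote hosts, the 203.0.113.10 "trusted" SQL client) are RFC 5737 documentation ranges chosen for the example, not the poster's real addresses. Two caveats the thread does not spell out: the ACL is applied inbound on Dialer1 (`ip access-group 101 in` under `interface Dialer1`), and because the inbound ACL is evaluated before NAT the destination it sees is the public Dialer1 address, so the destination stays `any`; and the posted config only has `ip nat inside source static tcp` entries for ports 25 and 3535, so 80, 443, 3389 and 1433 need their own static NAT lines before any ACL change can make them reachable.

```python
"""Stateless evaluation of Cisco numbered extended ACLs (added example).

Parses 'access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]
[established]' lines and evaluates packets like IOS: first match wins,
implicit deny at the end.  All addresses are documentation ranges and
are assumptions, not the poster's real addresses.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53}  # IOS keywords used on the page


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK bit
    rst: bool = False     # TCP RST bit


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: IPv4Network
    sport: Optional[int]
    dst: IPv4Network
    dport: Optional[int]
    established: bool


def _addr(t, i):
    """Consume 'any' | 'host A' | 'A wildcard' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return IPv4Network(t[i + 1]), i + 2
    # IOS wildcard masks are inverted netmasks; ipaddress accepts them as hostmasks
    return IPv4Network((t[i], t[i + 1]), strict=False), i + 2


def _port(t, i):
    """Consume an optional 'eq <port|name>' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Turn access-list lines into Rule objects, in order; blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]          # t[1] is the list number
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append(Rule(action, proto, src, sport, dst, dport, "established" in t[i:]))
    return rules


def permits(rules, p):
    """True if the ACL passes packet p; False when it falls off the end (implicit deny)."""
    for r in rules:
        if r.proto not in ("ip", p.proto):
            continue
        if IPv4Address(p.src) not in r.src or IPv4Address(p.dst) not in r.dst:
            continue
        if r.sport is not None and r.sport != p.sport:
            continue
        if r.dport is not None and r.dport != p.dport:
            continue
        if r.established and not (p.proto == "tcp" and (p.ack or p.rst)):
            continue  # 'established' only matches segments with ACK or RST set
        return r.action == "permit"
    return False


# denver218's list as posted: service ports open to anyone, no return-traffic line.
ACL_POSTED = """
access-list 101 permit tcp any any eq 1433
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
"""

# Same list with Garry-G's additions in front and, per kevinhsieh, 1433 limited to
# one hypothetical trusted client.  Destination stays 'any': the inbound ACL on
# Dialer1 is evaluated before NAT, so it sees the public Dialer1 address.
ACL_FIXED = """
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any
access-list 101 permit icmp any any
access-list 101 permit tcp host 203.0.113.10 any eq 1433
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
"""

PUBLIC = "198.51.100.20"  # hypothetical address negotiated on Dialer1
SAMPLES = {  # constructed packets arriving inbound on Dialer1
    "web reply to LAN browser":  Packet("tcp", "192.0.2.80", PUBLIC, 80, 51234, ack=True),
    "DNS reply to LAN resolver": Packet("udp", "192.0.2.53", PUBLIC, 53, 40000),
    "inbound SMTP":              Packet("tcp", "192.0.2.25", PUBLIC, 45000, 25),
    "SQL probe from anywhere":   Packet("tcp", "192.0.2.99", PUBLIC, 40001, 1433),
    "SQL from trusted host":     Packet("tcp", "203.0.113.10", PUBLIC, 40002, 1433),
}


def evaluate(acl_text):
    """Map each sample packet name to the ACL's permit (True) / deny (False) decision."""
    rules = parse_acl(acl_text)
    return {name: permits(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_POSTED), ("with established/udp/icmp", ACL_FIXED)):
        print(f"--- {label} ---")
        for name, ok in evaluate(acl).items():
            print(f"{'permit' if ok else 'DENY  '}  {name}")
```

Running it shows the posted list passing the SQL probe from an arbitrary address while denying the web and DNS replies to the LAN's own sessions; the amended list reverses both outcomes and still admits inbound SMTP. The evaluator deliberately models only what the thread discusses (protocol, addresses, `eq` ports, `established`); IOS ACLs also support ranges, `log`, and other options that it does not parse.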
