Solved

I am unable to open Ports on Cisco

Posted on 2011-09-26
474 Views
Last Modified: 2012-05-12
Hi All,

Can anyone help me to open some ports? I am trying to open some ports on my Cisco 1861 router. I did as per the config below, but it looks like they are still closed after entering the commands below.

Please help me; I need ports 25, 3389, 80, 443 and also 1433.

Please help me
interface Vlan1
 description -= DATA Vlan =-
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 keepalive 10 3
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username XXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXX
002E
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.255.0 10.91.255.3
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT-ALLOWED interface Dialer1 overload
ip nat inside source static tcp 192.168.8.7 25 interface Dialer1 25
ip nat inside source static tcp 192.168.8.7 3535 interface Dialer1 3535
!
ip access-list extended NAT-ALLOWED
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.8.0 0.0.0.255 any
!

Question by:vikrantambhore
5 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36598287
Hi, can you post the entire sanitized config (can't even tell what version you are using) and also provide a little more info? Would like to know if these ports need to be open to a specific host on the inside or? Maybe describe your intention a little more clearly for us. Let us know.
 
LVL 4

Accepted Solution

by:
denver218 earned 167 total points
ID: 36598304
Do you want these ports open to any source and destination? It is best to specify source and destination addresses if possible. If you want these ports open for any source and destination, below is the access-list you need.

access-list 101 permit tcp any any eq 1433
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp

Then all you need to do is apply this access-list to your outbound interface:
ip access-group 101 in
 
LVL 18

Assisted Solution

by:Garry Glendown
Garry Glendown earned 167 total points
ID: 36598392
@denver218, that access list most likely successfully killed all outgoing connections and more ...

Stateless firewalls (or access lists) are a b@tch to configure, once you're used to stateful inspection ...

Make sure you permit established connections:

access-list 101 permit tcp any any established

Also, in case you use UDP for anything (like, e.g. DNS), you may want to allow returning packets:

access-list 101 permit udp any eq 53 any


On top of that, ICMP can be very helpful at times ... both for things like "ping", but also for "please fragment your packets" packets ... so in the simplest implementation:

access-list 101 permit icmp any any


Apart from that, there may be other features you need but that are not yet covered with the access list lines ... (VPN, GRE-Tunnels, ...)
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 166 total points
ID: 36599790
If you open up TCP 1433, Microsoft SQL Server, to the internet you are just asking to get hacked. SQL Server is not designed to be available over the Internet safely, and I cannot think of many good reasons why you should have SQL available over the Internet. If you need to be able to directly connect, use IPsec, VPN, or at least an ACL on the Cisco to limit communication to only the hosts that need access.
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36599838
As denver already stated, the permit statement ought to really be limited to certain hosts ...
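Putting the three answers together (denver218's port list, Garry Glendown's established/DNS/ICMP return lines, and kevinhsieh's advice to restrict 1433 and 3389 to known hosts), here is an added example of what the complete inbound filter on Dialer1 could look like; it is not from any poster in the thread. The extra static NAT lines, the name FROM-INTERNET and the admin address 203.0.113.10 are assumptions. Because Dialer1's address is negotiated, the destination in the inbound ACL is written as any; on IOS the inbound ACL on the outside interface is evaluated before NAT rewrites the public address to 192.168.8.7.

```cisco
! Port forwards for the published services. The SMTP line already exists in
! the question; the other four are assumed to target the same host.
ip nat inside source static tcp 192.168.8.7 25 interface Dialer1 25
ip nat inside source static tcp 192.168.8.7 80 interface Dialer1 80
ip nat inside source static tcp 192.168.8.7 443 interface Dialer1 443
ip nat inside source static tcp 192.168.8.7 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.8.7 1433 interface Dialer1 1433
!
! Inbound filter on the outside interface (assumed name). Dialer1's address
! is negotiated, so the destination is "any"; the ACL is checked before NAT.
ip access-list extended FROM-INTERNET
 remark -- return traffic for connections started from the inside
 permit tcp any any established
 permit udp any eq 53 any
 remark -- ICMP needed for ping replies and path MTU discovery
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark -- services published to everyone
 permit tcp any any eq 25
 permit tcp any any eq 80
 permit tcp any any eq 443
 remark -- RDP and SQL only from one known address (assumed example address)
 permit tcp host 203.0.113.10 any eq 3389
 permit tcp host 203.0.113.10 any eq 1433
 remark -- everything else is dropped and logged for review
 deny   ip any any log
!
interface Dialer1
 ip access-group FROM-INTERNET in
```

The "deny ip any any log" line is what makes the filter auditable: blocked probes against 1433 and 3389 show up in the router log instead of silently reaching the server.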
