Solved

Open Ports on Cisco

Posted on 2012-08-17
654 Views
Last Modified: 2012-08-29
Hello all,
This seems like a basic question but I want to get it correct.
I am to open up a couple of ports on my Cisco 831 (tcp/22 and udp/1194).
Let's say the internal IP address that these ports are to go to is 192.168.100.100 and the external IP address of the Cisco is 64.65.66.67 (and no there is not any loopback on the Cisco).

From what I understand I would just put in two lines in that state:
ip nat inside source static tcp 192.168.100.100 22 64.65.66.67 22 extendable
ip nat inside source static udp 192.168.100.100 1194 64.65.66.67 1194 extendable

and put a couple of lines in the access-list:
access-list 102 permit tcp any host 64.65.66.67 eq 22
access-list 102 permit udp any host 64.65.66.67 eq 1194

To me this should work but it doesn't.  The vendor that has to get to 192.168.100.100 is not able to through SSH.
Do I need to put in:
ip nat outside source static tcp 192.168.100.100 22 64.65.66.67 22 extendable
ip nat outside source static udp 192.168.100.100 1194 64.65.66.67 1194 extendable

as well?
I am not sure what to do.
Thanks,
Kelly W.
Question by:K_Wilke
23 Comments
 
LVL 24

Expert Comment

by:smckeown777
ID: 38306669
They look ok, but I think you need this...


ip nat inside source static tcp 192.168.100.100 22 <interface> 22 extendable
ip nat inside source static udp 192.168.100.100 1194 <interface> 1194 extendable

Replace <interface> with your FA0 or Dialer interface and it should work...
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38306674
By <interface> in your case I mean your WAN interface...

Also you are applying your ACL 102 to your WAN interface yes?
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38306713
Lastly, if those fixes don't work remove the 'extendable'

I don't think you need that. I've never used that before and I've multiple Cisco routers with port forwarding/firewall rules working fine...
0
 
LVL 6

Author Comment

by:K_Wilke
ID: 38306724
Hello,
Okay the external WAN interface is 64.65.66.67 so that is the one I am supposed to put there, correct?

The access-list is the following:

access-list 102 permit ip 192.168.100.0 0.0.0.255 207.2.112.0 0.0.0.255
access-list 102 permit ip 207.2.112.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 172.27.232.0 0.0.0.255
access-list 102 permit ip 172.27.232.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit tcp any host 64.65.66.67 eq 22
access-list 102 permit udp any host 64.65.66.67 eq 1194
access-list 109 deny   ip 192.168.100.0 0.0.0.255 207.2.112.0 0.0.0.255
access-list 109 deny   ip 192.168.100.0 0.0.0.255 172.27.232.0 0.0.0.255
access-list 109 permit ip 192.168.100.0 0.0.0.255 any

Do I need something else?
Thanks,
Kelly W.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38306734
No, sorry you misread what I meant...

Replace 64.65.66.67 in the nat line with Dialer0/FastEthernet0 - which interface is your WAN? What's it called?

Now it should still work as you've done - but maybe it's the 'extendable' keyword you need to remove

The ACL looks right, what I was asking was I assume you are applying the ACL to your WAN interface yes?

i.e.
In your running config there will be the section for your wan interface
int dialer0(example)
ip access-group in 102 - something like this?
I will assume you have this much complete as the ACL has multiple other entries...

Try it first by removing the extendable from your nat lines...
If that doesn't work - replace the IPs with the actual name of the interface and test
0
 
LVL 6

Author Comment

by:K_Wilke
ID: 38306742
Hello,
The interface for the WAN is Ethernet1 (this is a Cisco 806).

Yes, I have the ip access-group in 102 under Ethernet1.

Okay I will try these but it will not be until Monday morning, okay?

Thanks,
Kelly W.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38306747
Yep cool...let us know cheers...
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 38307241
Please show the whole config.
0
 
LVL 6

Author Comment

by:K_Wilke
ID: 38311635
That did not work.
I am attaching the sh run with the passwords taken out.
Please help.
Thanks,
Kelly W.
buchele-test.txt
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38311703
Ok, well you're adding the commands to ACL 102 - why? That looks like a VPN type acl from my reading of the config...

I think you need to add these lines to the 109 ACL instead

access-list 109 permit tcp any host 72.250.187.107 eq 22
access-list 109 permit udp any host 72.250.187.107 eq 1194

Remove the ones from the 102 ACL and test please...
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 38311976
Hi

this is wrong:

access-list 102 permit tcp any host 72.250.187.107 eq 22
access-list 102 permit udp any host 72.250.187.107 eq 1194

why do you put it on the VPN tunnel?
0
 
LVL 6

Author Comment

by:K_Wilke
ID: 38313866
Well that did not work.
Here is what I have, attached.
I am not sure what to do.  I feel very stupid on this one.
Thanks,
Kelly W.
buchele-correct-acl.txt
0
 
LVL 24

Accepted Solution

by:
smckeown777 earned 2000 total points
ID: 38313927
Ok, think I made a mistake, you need to put this in a separate ACL, then apply that ACL to your WAN interface like

access-list 104 permit tcp any host 72.250.187.107 eq 22
access-list 104 permit udp any host 72.250.187.107 eq 1194

Then
conf t
int Ethernet1
ip access-group in 104

I think that will make things work...sorry for the mistake earlier...hope this one works.
0
 
LVL 6

Author Comment

by:K_Wilke
ID: 38313941
So I would take it out of the 109 acl currently in and do a 104 acl, correct?
Thanks,
Kelly W.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38313952
Sorry yes...remove from the 109 acl...
0
 
LVL 6

Author Comment

by:K_Wilke
ID: 38313979
I get an error when I do the command
ip access-group in 104
thanks,
Kelly W.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38313983
Backwards...sorry!!

ip access-group 104 in
0
 
LVL 6

Author Comment

by:K_Wilke
ID: 38313994
Big time issue
Put that command in and it froze up the Cisco.
Uh oh
Thanks,
Kelly W.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38314015
Crap...apologies, guess I missed something here...
0
 
LVL 6

Author Comment

by:K_Wilke
ID: 38314028
No biggie.
I know that there is the route-map NAT permit 10 after the access-lists
is that competing with the ip access-group command?
And yes, there is a VPN running on this Cisco to the EMR software vendor.
Thanks,
Kelly W.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38314058
Yes, it's a few things now that I look at it more closely, the route-map plus the acl(104) is very restrictive, i.e. doesn't allow anything other than the 2 ports...I'm not 100% familiar with route-map command so I've missed something...maybe @ikalmar will have more to input on this one...
0
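The "very restrictive" point in the comment above is the implicit `deny ip any any` that ends every IOS access list: once ACL 104 is applied inbound on Ethernet1 with only the two forwarding permits, everything else arriving on the WAN side (the site-to-site VPN's ISAKMP and ESP, and the replies to the LAN's own outbound sessions) is dropped. The small first-match evaluator below is an added example, not code from the thread or from Cisco; it parses the accepted answer's ACL 104 as posted, a constructed variant that adds explicit permits for a VPN peer (203.0.113.5 is a placeholder; the real peer address is not on the page), and runs a few constructed inbound packets through each to show which entry, if any, permits them.

```python
import ipaddress

# Constructed sample: the ACL from the accepted answer, exactly as posted.
ACL_104_AS_POSTED = """
access-list 104 permit tcp any host 72.250.187.107 eq 22
access-list 104 permit udp any host 72.250.187.107 eq 1194
"""

# Constructed alternative (not from the thread): same forwards, plus explicit
# permits for the VPN control (ISAKMP) and data (ESP) traffic. 203.0.113.5 is
# a placeholder for the VPN peer's public address; it does not appear in the post.
ACL_104_WITH_VPN = """
access-list 104 permit tcp any host 72.250.187.107 eq 22
access-list 104 permit udp any host 72.250.187.107 eq 1194
access-list 104 permit udp host 203.0.113.5 host 72.250.187.107 eq 500
access-list 104 permit esp host 203.0.113.5 host 72.250.187.107
"""


def _parse_addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tok[i].
    Returns ((network, mask), next_index); set mask bits are bits that must match."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))  # IOS wildcard: 1 = don't care
    return (net, 0xFFFFFFFF ^ wildcard), i + 2


def parse_acl(text):
    """Turn 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines into an
    ordered rule list (only the subset of IOS ACL syntax used in this thread)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
        rules.append({"action": action, "proto": proto, "src": src,
                      "dst": dst, "dport": dport, "text": line.strip()})
    return rules


def _addr_match(spec, addr):
    net, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def evaluate(rules, proto, src, dst, dport=None):
    """IOS semantics: first matching entry wins; a packet that matches nothing
    hits the implicit 'deny ip any any' at the end of every ACL.
    Returns (action, 1-based entry number, or None for the implicit deny)."""
    for n, r in enumerate(rules, 1):
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if not (_addr_match(r["src"], src) and _addr_match(r["dst"], dst)):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], n
    return "deny", None


# Constructed inbound packets as seen on Ethernet1 (WAN side), before any decryption.
# Addresses come from the documentation ranges except the router's own 72.250.187.107.
SAMPLE_PACKETS = [
    ("vendor SSH",            "tcp", "198.51.100.10", "72.250.187.107", 22),
    ("vendor OpenVPN",        "udp", "198.51.100.10", "72.250.187.107", 1194),
    ("VPN peer ISAKMP",       "udp", "203.0.113.5",   "72.250.187.107", 500),
    ("VPN peer ESP",          "esp", "203.0.113.5",   "72.250.187.107", None),
    # Reply to a LAN host's outbound session: it returns to the NAT-translated
    # ephemeral port on the router, so no static 'eq' entry can cover it.
    ("reply to outbound TCP", "tcp", "192.0.2.44",    "72.250.187.107", 51234),
]


def report(acl_text):
    """Return {label: action} for every sample packet under the given ACL."""
    rules = parse_acl(acl_text)
    return {label: evaluate(rules, p, s, d, port)[0]
            for label, p, s, d, port in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_104_AS_POSTED), ("with VPN permits", ACL_104_WITH_VPN)):
        print(f"ACL 104 {name}:")
        for label, action in report(acl).items():
            print(f"  {action:6} {label}")
```

Run as-is, the "as posted" ACL permits only the two forwarded ports and denies the VPN peer's ISAKMP and ESP; the variant with VPN permits lets the tunnel through but still denies replies to the LAN's own outbound sessions, because a plain numbered ACL has no state and no entry can name the translated ephemeral port. That is why applying a two-line inbound ACL on the WAN interface cuts off far more than the two ports it names, and why any inbound WAN ACL on this kind of box needs either stateful inspection or an explicit allowance for return traffic before it is safe to apply.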
 
LVL 6

Author Closing Comment

by:K_Wilke
ID: 38346722
Led me down the right path.  Had to upgrade the IOS and this worked fine.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38347213
Cheers, thanks for the update, glad you are working...
0
