K_Wilke
asked on
Open Ports on Cisco
Hello all,
This seems like a basic question but I want to get it correct.
I am to open up a couple of ports on my Cisco 831 (tcp/22 and udp/1194).
Let's say the internal IP address that these ports are to go to is 192.168.100.100 and the external IP address of the Cisco is 64.65.66.67 (and no there is not any loopback on the Cisco).
From what I understand I would just put in two lines in that state:
ip nat inside source static tcp 192.168.100.100 22 64.65.66.67 22 extendable
ip nat inside source static udp 192.168.100.100 1194 64.65.66.67 1194 extendable
and put a couple of lines in the access-list:
access-list 102 permit tcp any host 64.65.66.67 eq 22
access-list 102 permit udp any host 64.65.66.67 eq 1194
To me this should work but it doesn't. The vendor that has to get to 192.168.100.100 is not able to get through via SSH.
Do I need to put in:
ip nat outside source static tcp 192.168.100.100 22 64.65.66.67 22 extendable
ip nat outside source static udp 192.168.100.100 1194 64.65.66.67 1194 extendable
as well?
I am not sure what to do.
Thanks,
Kelly W.
By <interface> in your case I mean your WAN interface...
Also you are applying your ACL 102 to your WAN interface yes?
Lastly, if those fixes don't work remove the 'extendable'
I don't think you need that. I've never used that before and I've multiple Cisco routers with port forwarding/firewall rules working fine...
ASKER
Hello,
Okay the external WAN interface is 64.65.66.67 so that is the one I am supposed to put there, correct?
The access-list is the following:
access-list 102 permit ip 192.168.100.0 0.0.0.255 207.2.112.0 0.0.0.255
access-list 102 permit ip 207.2.112.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 172.27.232.0 0.0.0.255
access-list 102 permit ip 172.27.232.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit tcp any host 64.65.66.67 eq 22
access-list 102 permit udp any host 64.65.66.67 eq 1194
access-list 109 deny ip 192.168.100.0 0.0.0.255 207.2.112.0 0.0.0.255
access-list 109 deny ip 192.168.100.0 0.0.0.255 172.27.232.0 0.0.0.255
access-list 109 permit ip 192.168.100.0 0.0.0.255 any
Do I need something else?
Thanks,
Kelly W.
No, sorry you misread what I meant...
Replace 64.65.66.67 in the nat line with Dialer0/FastEthernet0 - which interface is your WAN? What's it called?
Now it should still work as you've done - but maybe it's the 'extendable' keyword you need to remove
The ACL looks right, what I was asking was I assume you are applying the ACL to your WAN interface yes?
i.e.
In your running config there will be the section for your wan interface
int dialer0(example)
ip access-group in 102 - something like this?
I will assume you have this much complete as the ACL has multiple other entries...
Try it first by removing the extendable from your nat lines...
If that doesn't work - replace the IPs with the actual name of the interface and test
ASKER
Hello,
The interface for the WAN is Ethernet1 (this is a Cisco 806).
Yes, I have the ip access-group in 102 under Ethernet1
Okay I will try these but it will not be until Monday morning, okay?
Thanks,
Kelly W.
Yep cool...let us know cheers...
Please show the whole config
ASKER
That did not work.
I am attaching the sh run with the passwords taken out.
Please help.
Thanks,
Kelly W.
buchele-test.txt
Ok, well you're adding the commands to ACL 102 - why? That looks like a VPN type acl from my reading of the config...
I think you need to add these lines to the 109 ACL instead
access-list 109 permit tcp any host 72.250.187.107 eq 22
access-list 109 permit udp any host 72.250.187.107 eq 1194
Remove the ones from the 102 ACL and test please...
Hi
this is wrong:
access-list 102 permit tcp any host 72.250.187.107 eq 22
access-list 102 permit udp any host 72.250.187.107 eq 1194
why do you put it on the VPN tunnel?
ASKER
Well that did not work.
Here is what I have, attached.
I am not sure what to do. I feel very stupid on this one.
Thanks,
Kelly W.
buchele-correct-acl.txt
ASKER CERTIFIED SOLUTION
ASKER
So I would take it out of the 109 acl currently in and do a 104 acl, correct?
Thanks,
kelly W.
Sorry yes...remove from the 109 acl...
ASKER
I get an error when I do the command
ip access-group in 104
thanks,
Kelly W.
Backwards...sorry!!
ip access-group 104 in
ASKER
Big time issue
put that command in and it froze up the Cisco.
Uh oh
Thanks,
Kelly W.
Crap...apologies, guess I missed something here...
ASKER
No biggie.
I know that there is the route-map NAT permit 10 after the access-lists
is that competing with the ip access-group command?
And yes, there is a VPN running on this Cisco to the EMR software vendor.
Thanks,
Kelly W.
Yes, it's a few things now that I look at it more closely, the route-map plus the acl(104) is very restrictive, i.e. doesn't allow anything other than the 2 ports...I'm not 100% familiar with route-map command so I've missed something...maybe @ikalmar will have more to input on this one...
ASKER
Led me down the right path. Had to upgrade the IOS and this worked fine.
Cheers, thanks for the update, glad you are working...
ip nat inside source static tcp 192.168.100.100 22 <interface> 22 extendable
ip nat inside source static udp 192.168.100.100 1194 <interface> 1194 extendable
Replace <interface> with your FA0 or Dialer interface and it should work...
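The pieces discussed in this thread, assembled into one consistent IOS fragment as an added example (not posted by anyone in the thread). It assumes Ethernet0 is the LAN side with the router at 192.168.100.1, Ethernet1 is the WAN side with the asker's illustrative public address 64.65.66.67 and an assumed /30 mask, and that the thread's ACL 109 is the list selecting traffic for dynamic NAT; the VPN peer address is a placeholder, and the crypto/route-map configuration the real router carries is left out.

```cisco
! --- Interfaces: NAT direction and where the inbound filter is applied ---
interface Ethernet0
 description LAN (assumed address)
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 description WAN (64.65.66.67 is the asker's placeholder, mask assumed)
 ip address 64.65.66.67 255.255.255.252
 ip nat outside
 ip access-group 104 in
!
! --- Static port forwards to the inside host ---
! Naming the WAN interface instead of the literal public address keeps the
! mapping valid if that address changes; 'extendable' is not needed here.
ip nat inside source static tcp 192.168.100.100 22   interface Ethernet1 22
ip nat inside source static udp 192.168.100.100 1194 interface Ethernet1 1194
!
! --- Dynamic PAT for everything else leaving the LAN (assumed to be ACL 109's role) ---
! The two deny lines keep traffic bound for the VPN subnets out of NAT.
access-list 109 deny   ip 192.168.100.0 0.0.0.255 207.2.112.0 0.0.0.255
access-list 109 deny   ip 192.168.100.0 0.0.0.255 172.27.232.0 0.0.0.255
access-list 109 permit ip 192.168.100.0 0.0.0.255 any
ip nat inside source list 109 interface Ethernet1 overload
!
! --- Inbound filter on the WAN interface ---
! A new ACL with only the two forwarded ports ends in IOS's implicit deny-all,
! so the moment it is applied the router drops its VPN peer and all return
! traffic for sessions opened from inside, which is consistent with the
! "froze up" report above. Everything the router must accept inbound has to
! be listed here as well.
access-list 104 permit tcp any host 64.65.66.67 eq 22
access-list 104 permit udp any host 64.65.66.67 eq 1194
! VPN peer (placeholder address): IKE and ESP
access-list 104 permit udp host VPN-PEER-IP host 64.65.66.67 eq isakmp
access-list 104 permit esp host VPN-PEER-IP host 64.65.66.67
! Return traffic for outbound TCP sessions ('established' matches ACK/RST only,
! so it never admits a new inbound connection); UDP replies need their own line.
access-list 104 permit tcp any host 64.65.66.67 established
access-list 104 permit udp any host 64.65.66.67 gt 1023
```

After applying, `show ip nat translations` should list the two static entries and `show access-lists 104` shows per-line match counters, which is the quickest way to tell whether the vendor's SSH attempts are reaching the router at all or being dropped by the ACL.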