Solved

Cisco subinterface can't open ports

Posted on 2013-01-06
Last Modified: 2013-01-07
I have a Cisco 3745 router. Fa0/0 is the outside interface. Fa0/1 has no IP address. Fa0/1.1 is the native VLAN with IP 192.168.0.1 255.255.255.0. Fa0/1.2 is VLAN 10 with IP 10.0.0.1 255.255.255.0.

I can connect to Internet on either vlan.
I can open ports to specific devices on native vlan. I cannot open ports on vlan 10.

Any thoughts?
Question by:bjewell03
8 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38749721
It isn't quite clear to me what the problem is. What do you mean by "open ports"? Are you talking about devices accessing the router or Internet through the port, or an acl that permits or denies access to specific tcp/udp port numbers?

Author Comment

by:bjewell03
ID: 38749726
I can open port 1723 from the Internet to my 192.168.0.10 server.
If I do the same for port 5060 for sip to 10.0.0.10 it never opens.

I can port scan and the scan shows 1723 open and 5060 not responding.
LVL 18

Expert Comment

by:Akinsd
ID: 38749731
Looks like you're configuring phones.

By "open ports", are you referring to port forwarding (Static NAT)?

Author Comment

by:bjewell03
ID: 38749753
Here is the config file.  Yes, I want data on the native VLAN, which is working, and voice on VLAN 10.  The other thing is, looking through this, I do see junk left over from SDM configurations.  I do not have any site VPNs, nor is there a 192.168.16.X.

If you say "Hey!! This is a mess and I need to start fresh", let me know.  I want this router to serve voice and data on the subinterfaces.  It is connected to a cable modem on fa0/0.

!This is the running config of the router: 192.168.0.1
!----------------------------------------------------------------------------
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R3700
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 XXXXXXXXXXXXX
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_authen local
aaa authorization exec default local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
ip domain name XXXXX.com
ip dhcp excluded-address 10.0.0.1 10.0.0.19
ip dhcp excluded-address 10.0.0.200 10.0.0.254
!
ip dhcp pool VOICE
   import all
   network 10.0.0.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4
   default-router 10.0.0.1
   lease infinite
!
no ip bootp server
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW sip
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 XXXXXXXXX
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XXXX address 108.XXX.XXX.XXX
crypto isakmp key XXXX address 74..XXX.XXX.XXX
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group TESTGROUP
 key XXXXXXXX
 dns 192.168.0.10
 pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set CUSTOM-TRANSFORM esp-aes esp-sha-hmac
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FastEthernet 0/0$$ETH-WAN$$FW_OUTSIDE$
 ip address 108.XXX.XXX.XXX 255.255.248.0
 ip access-group 104 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 1 native
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
interface FastEthernet0/1.2
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 10
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
ip nat inside source static udp 10.0.0.10 5060 interface FastEthernet0/0 5060
ip nat inside source static tcp 192.168.0.78 3389 interface FastEthernet0/0 3395
ip nat inside source static tcp 192.168.0.20 8082 interface FastEthernet0/0 8082
ip nat inside source static tcp 192.168.0.185 3389 interface FastEthernet0/0 3390
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.10 1723 interface FastEthernet0/0 1723
ip nat inside source static tcp 192.168.0.10 4125 interface FastEthernet0/0 4125
ip nat inside source static tcp 192.168.0.10 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.0.10 444 interface FastEthernet0/0 444
ip nat inside source static tcp 192.168.0.10 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.0.10 80 interface FastEthernet0/0 80
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip classless
ip route 0.0.0.0 0.0.0.0 108.XXX.XXX.XXX
!
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 10.0.0.0 0.0.0.255 any
access-list 100 deny   ip 108.XXX.XXX.XXX 0.0.7.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 deny   ip 108.XXX.XXX.XXX 0.0.7.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip 10.0.0.0 0.0.0.255 any
access-list 102 deny   ip 192.168.0.0 0.0.0.255 any
access-list 102 permit icmp any host 108.XXX.XXX.XXX echo-reply
access-list 102 permit icmp any host 108.XXX.XXX.XXX time-exceeded
access-list 102 permit icmp any host 108.XXX.XXX.XXX unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp any host 108.XXX.XXX.XXX eq 1723
access-list 103 permit tcp any host 108.XXX.XXX.XXX eq 4125
access-list 103 permit tcp any host 108.XXX.XXX.XXX eq 443
access-list 103 permit tcp any host 108.XXX.XXX.XXX eq 444
access-list 103 permit tcp any host 108.XXX.XXX.XXX eq smtp
access-list 103 permit tcp any host 108.XXX.XXX.XXX eq www
access-list 103 deny   ip 10.0.0.0 0.0.0.255 any
access-list 103 deny   ip 192.168.0.0 0.0.0.255 any
access-list 103 permit icmp any host 108.XXX.XXX.XXX echo-reply
access-list 103 permit icmp any host 108.XXX.XXX.XXX time-exceeded
access-list 103 permit icmp any host 108.XXX.XXX.XXX unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host 108.XXX.XXX.XXX eq non500-isakmp
access-list 104 permit udp any host 108.XXX.XXX.XXX eq isakmp
access-list 104 permit esp any host 108.XXX.XXX.XXX
access-list 104 permit ahp any host 108.XXX.XXX.XXX
access-list 104 permit udp any range 10000 20000 host 108.XXX.XXX.XXX range 10000 20000
access-list 104 permit udp any range 5060 5080 host 108.XXX.XXX.XXX range 5060 5080
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 8082
access-list 104 remark Pete_Remote
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 3395
access-list 104 remark Jimmy_Remote
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 3390
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq www
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq smtp
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 444
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 443
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 4125
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 1723
access-list 104 permit gre any host 108.XXX.XXX.XXX
access-list 104 deny   ip 10.0.0.0 0.0.0.255 any
access-list 104 deny   ip 192.168.0.0 0.0.0.255 any
access-list 104 permit icmp any host 108.XXX.XXX.XXX echo-reply
access-list 104 permit icmp any host 108.XXX.XXX.XXX time-exceeded
access-list 104 permit icmp any host 108.XXX.XXX.XXX unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
access-list 106 remark SDM_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.0.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 deny   udp host 10.0.0.10 range 10000 20000 any range 10000 20000
access-list 106 remark VOICE
access-list 106 deny   udp host 10.0.0.10 eq 5060 any eq 5060
access-list 106 deny   ip any host 192.168.16.100
access-list 106 deny   ip any host 192.168.16.101
access-list 106 deny   ip any host 192.168.16.102
access-list 106 deny   ip any host 192.168.16.103
access-list 106 deny   ip any host 192.168.16.104
access-list 106 deny   ip any host 192.168.16.105
access-list 106 deny   ip any host 192.168.16.106
access-list 106 deny   ip any host 192.168.16.107
access-list 106 deny   ip any host 192.168.16.108
access-list 106 deny   ip any host 192.168.16.109
access-list 106 deny   ip any host 192.168.16.110
access-list 106 deny   ip any host 192.168.16.111
access-list 106 deny   ip any host 192.168.16.112
access-list 106 deny   ip any host 192.168.16.113
access-list 106 deny   ip any host 192.168.16.114
access-list 106 deny   ip any host 192.168.16.115
access-list 106 deny   ip any host 192.168.16.116
access-list 106 deny   ip any host 192.168.16.117
access-list 106 deny   ip any host 192.168.16.118
access-list 106 deny   ip any host 192.168.16.119
access-list 106 deny   ip any host 192.168.16.120
access-list 106 deny   ip any host 192.168.16.121
access-list 106 deny   ip any host 192.168.16.122
access-list 106 deny   ip any host 192.168.16.123
access-list 106 deny   ip any host 192.168.16.124
access-list 106 deny   ip any host 192.168.16.125
access-list 106 deny   ip any host 192.168.16.126
access-list 106 deny   ip any host 192.168.16.127
access-list 106 deny   ip any host 192.168.16.128
access-list 106 deny   ip any host 192.168.16.129
access-list 106 deny   ip any host 192.168.16.130
access-list 106 deny   ip any host 192.168.16.131
access-list 106 deny   ip any host 192.168.16.132
access-list 106 deny   ip any host 192.168.16.133
access-list 106 deny   ip any host 192.168.16.134
access-list 106 deny   ip any host 192.168.16.135
access-list 106 deny   ip any host 192.168.16.136
access-list 106 deny   ip any host 192.168.16.137
access-list 106 deny   ip any host 192.168.16.138
access-list 106 deny   ip any host 192.168.16.139
access-list 106 deny   ip any host 192.168.16.140
access-list 106 deny   ip any host 192.168.16.141
access-list 106 deny   ip any host 192.168.16.142
access-list 106 deny   ip any host 192.168.16.143
access-list 106 deny   ip any host 192.168.16.144
access-list 106 deny   ip any host 192.168.16.145
access-list 106 deny   ip any host 192.168.16.146
access-list 106 deny   ip any host 192.168.16.147
access-list 106 deny   ip any host 192.168.16.148
access-list 106 deny   ip any host 192.168.16.149
access-list 106 deny   ip any host 192.168.16.150
access-list 106 deny   ip any host 192.168.16.151
access-list 106 deny   ip any host 192.168.16.152
access-list 106 deny   ip any host 192.168.16.153
access-list 106 deny   ip any host 192.168.16.154
access-list 106 deny   ip any host 192.168.16.155
access-list 106 deny   ip any host 192.168.16.156
access-list 106 deny   ip any host 192.168.16.157
access-list 106 deny   ip any host 192.168.16.158
access-list 106 deny   ip any host 192.168.16.159
access-list 106 deny   ip any host 192.168.16.160
access-list 106 deny   ip any host 192.168.16.161
access-list 106 deny   ip any host 192.168.16.162
access-list 106 deny   ip any host 192.168.16.163
access-list 106 deny   ip any host 192.168.16.164
access-list 106 deny   ip any host 192.168.16.165
access-list 106 deny   ip any host 192.168.16.166
access-list 106 deny   ip any host 192.168.16.167
access-list 106 deny   ip any host 192.168.16.168
access-list 106 deny   ip any host 192.168.16.169
access-list 106 deny   ip any host 192.168.16.170
access-list 106 deny   ip any host 192.168.16.171
access-list 106 deny   ip any host 192.168.16.172
access-list 106 deny   ip any host 192.168.16.173
access-list 106 deny   ip any host 192.168.16.174
access-list 106 deny   ip any host 192.168.16.175
access-list 106 deny   ip any host 192.168.16.176
access-list 106 deny   ip any host 192.168.16.177
access-list 106 deny   ip any host 192.168.16.178
access-list 106 deny   ip any host 192.168.16.179
access-list 106 deny   ip any host 192.168.16.180
access-list 106 deny   ip any host 192.168.16.181
access-list 106 deny   ip any host 192.168.16.182
access-list 106 deny   ip any host 192.168.16.183
access-list 106 deny   ip any host 192.168.16.184
access-list 106 deny   ip any host 192.168.16.185
access-list 106 deny   ip any host 192.168.16.186
access-list 106 deny   ip any host 192.168.16.187
access-list 106 deny   ip any host 192.168.16.188
access-list 106 deny   ip any host 192.168.16.189
access-list 106 deny   ip any host 192.168.16.190
access-list 106 deny   ip any host 192.168.16.191
access-list 106 deny   ip any host 192.168.16.192
access-list 106 deny   ip any host 192.168.16.193
access-list 106 deny   ip any host 192.168.16.194
access-list 106 deny   ip any host 192.168.16.195
access-list 106 deny   ip any host 192.168.16.196
access-list 106 deny   ip any host 192.168.16.197
access-list 106 deny   ip any host 192.168.16.198
access-list 106 deny   ip any host 192.168.16.199
access-list 106 deny   ip any host 192.168.16.200
access-list 106 permit ip 10.0.0.0 0.0.0.255 any
access-list 106 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 106

!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 23 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
end
LVL 18

Expert Comment

by:Akinsd
ID: 38749802
I don't see any voice commands in here.
Do you have another router running CME, or do you have a CCM server?
I don't see any route entries either
Can you provide a simple network diagram or sketch?
LVL 18

Accepted Solution

by:fgasimzade
fgasimzade earned 250 total points
ID: 38749924
Try removing ip access-group 104 in from interface Fa0/0. See if your port 5060 opens or not.

Is there any device listening on 5060 on inside?
LVL 9

Assisted Solution

by:Sandeep Gupta
Sandeep Gupta earned 250 total points
ID: 38750020
First remove ACL 104 and see if port 5060 is opening or not. Then,
in your ACL 104, just put all the permits and then at the end "deny ip any any".

Remove all the multiple denies.

Make your ACL like this:
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host 108.XXX.XXX.XXX eq non500-isakmp
access-list 104 permit udp any host 108.XXX.XXX.XXX eq isakmp
access-list 104 permit esp any host 108.XXX.XXX.XXX
access-list 104 permit ahp any host 108.XXX.XXX.XXX
access-list 104 permit udp any range 10000 20000 host 108.XXX.XXX.XXX range 10000 20000
access-list 104 permit udp any range 5060 5080 host 108.XXX.XXX.XXX range 5060 5080
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 8082
access-list 104 remark Pete_Remote
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 3395
access-list 104 remark Jimmy_Remote
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 3390
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq www
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq smtp
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 444
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 443
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 4125
access-list 104 permit tcp any host 108.XXX.XXX.XXX eq 1723
access-list 104 permit gre any host 108.XXX.XXX.XXX
access-list 104 permit icmp any host 108.XXX.XXX.XXX echo-reply
access-list 104 permit icmp any host 108.XXX.XXX.XXX time-exceeded
access-list 104 permit icmp any host 108.XXX.XXX.XXX unreachable
access-list 104 deny   ip any any log
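An added evaluator, not from the thread or any Cisco tool, that parses a subset of the ACL 104 above and applies IOS first-match semantics to the traffic under discussion, which is the quickest way to see why entry order in an ACL matters. It assumes 198.51.100.10 as a constructed stand-in for the masked 108.XXX.XXX.XXX address, 203.0.113.5 as a constructed remote peer, and contiguous wildcard masks only.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "smtp": 25, "isakmp": 500, "non500-isakmp": 4500}
_port = lambda t: PORT_NAMES.get(t) or int(t)  # IOS port keyword or number
Entry = namedtuple("Entry", "action proto src sport dst dport extra line")
OUTSIDE = "198.51.100.10"  # constructed stand-in for the thread's masked 108.XXX.XXX.XXX
ACL_104 = f"""
access-list 104 permit udp any range 5060 5080 host {OUTSIDE} range 5060 5080
access-list 104 permit tcp any host {OUTSIDE} eq 1723
access-list 104 permit icmp any host {OUTSIDE} echo-reply
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip any any log
"""

def _addr(tok, i):  # 'any' | 'host A' | 'A WILDCARD' (contiguous wildcards only)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    a, w = (tok[i + 1], "0.0.0.0") if tok[i] == "host" else (tok[i], tok[i + 1])
    mask = ~int(ipaddress.ip_address(w)) & 0xFFFFFFFF  # invert the IOS wildcard into a netmask
    return ipaddress.ip_network((a, str(ipaddress.ip_address(mask))), strict=False), i + 2

def _ports(tok, i):  # optional 'eq P' or 'range LO HI'; None means any port
    if i < len(tok) and tok[i] in ("eq", "range"):
        n = 2 if tok[i] == "range" else 1
        return (_port(tok[i + 1]), _port(tok[i + n])), i + n + 1
    return None, i

def parse_acl(text, number):  # entries of access-list <number> in configured order
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        src, i = _addr(tok, 4)
        sport, i = _ports(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _ports(tok, i)
        entries.append(Entry(tok[2], tok[3], src, sport, dst, dport, tok[i:], line.strip()))
    return entries

def packet(proto, src, dst, sport=None, dport=None, icmp_type=None):
    ip = ipaddress.ip_address
    return dict(proto=proto, src=ip(src), dst=ip(dst), sport=sport, dport=dport, icmp_type=icmp_type)

def _matches(e, pkt):
    if e.proto not in ("ip", pkt["proto"]) or pkt["src"] not in e.src or pkt["dst"] not in e.dst:
        return False
    for spec, p in ((e.sport, pkt["sport"]), (e.dport, pkt["dport"])):
        if spec and (p is None or not spec[0] <= p <= spec[1]):
            return False
    kw = [t for t in e.extra if t != "log"]  # e.g. an ICMP type keyword such as echo-reply
    return not kw or pkt["icmp_type"] == kw[0]

def evaluate(entries, pkt):  # top-down, first match wins; no match is the implicit deny
    hit = next((e for e in entries if _matches(e, pkt)), None)
    return (hit.action, hit.line) if hit else ("deny", "implicit deny")

def check_outside_acl(peer="203.0.113.5"):  # peer is a constructed remote address
    acl = parse_acl(ACL_104, 104)
    cases = {"sip_5060": packet("udp", peer, OUTSIDE, 5060, 5060),
             "sip_from_ephemeral_port": packet("udp", peer, OUTSIDE, 40000, 5060),
             "spoofed_inside_source": packet("tcp", "10.0.0.10", OUTSIDE, 51000, 1723),
             "ping_reply": packet("icmp", peer, OUTSIDE, icmp_type="echo-reply")}
    return {name: evaluate(acl, p) for name, p in cases.items()}
```

Two things the run shows about the ACL as posted: the 5060 entry also restricts the source port to 5060-5080, so a peer sending from an ephemeral port falls through to the final deny, and the anti-spoofing denies sit below the port permits, so a packet with an inside source address aimed at a permitted port is accepted by the ACL itself (on this router that case is left to ip verify unicast reverse-path on Fa0/0).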

Author Comment

by:bjewell03
ID: 38751411
Ok. I removed the access-list 104.  It was still blocked, but I found the issue: the port needed to be opened in access-list 103 to allow the NAT to work to 10.0.0.10; that's corrected.  My SIP phone will now register with the PBX.  The last detail is the range of 10000-20000.  What would be the rotary command for my inside source 10.0.0.10 to destination 108.XXX.XXX.XXX?  I looked at this link but I am stuck.
http://evilrouters.net/2010/05/25/port-forwarding-a-range-of-ports-on-cisco-ios/
