David Alcorn

asked on

How do I open a UDP port on a Cisco Router

How do I open a UDP port on a Cisco Router? I have checked my firewall and the rule is allowing traffic, I think the router is blocking it.

My current config is as follows:
Config Type: Running
Downloaded: 1/5/2018 12:01:06 PM
Modified: never modified
Comments:

!
! No configuration change since last restart
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname BMCRT1A
!
boot-start-marker
boot-end-marker
!
!
logging buffered 10240
no logging console
enable secret 5 $1$mFes$1zoJpoV9IaR0oIZdg6acx/
enable password 7 15250E00072526217A1A3B271C14
!
username leerx privilege 15 secret 5 $1$Y3g0$w3Ij1PdfU/f4Z/R2MyiGl1
username alcodl privilege 15 secret 5 $1$TFf3$2ukvwNNI8xlB0TTRlOURj0
username admin privilege 15 secret 5 $1$5dwD$p8GRyRnLAMP6WCMGU9fhd1
no aaa new-model
switch 1 provision ws-c3750x-12s
system mtu routing 1500
ip routing
no ip gratuitous-arps
!
!
!
no ip domain-lookup
ip multicast-routing distributed
ip multicast multipath
!
mls qos
!
crypto pki trustpoint TP-self-signed-2052103296
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2052103296
 revocation-check none
 rsakeypair TP-self-signed-2052103296
!
!
crypto pki certificate chain TP-self-signed-2052103296
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32303532 31303332 3936301E 170D3933 30333031 30303031
  32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30353231
  30333239 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C38B 3356FD19 4B8862BF 43723C13 FD1FEA1D 87E58E62 C2A0F738 3120D756
  25BD2E67 CDCE5BB7 B33A1927 11C7C68A 247C4ABF 0750EFFA 594BBBCF FDF027A2
  7FD24F77 66BEE6CE 232B28C3 C87E9D01 D8484842 6F6DFB6F 7530E19D 2B3967E6
  D6E02933 A9E27DBE 7FDA3985 D732CDE7 F13CCE9A CD9B6E65 7C43502D 5678FBEB
  36A30203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07424D43 52543141 301F0603 551D2304 18301680 141D3613
  0FC6A82E 8BF1363C 2A781CD8 C8F54220 36301D06 03551D0E 04160414 1D36130F
  C6A82E8B F1363C2A 781CD8C8 F5422036 300D0609 2A864886 F70D0101 04050003
  8181009C 50A48009 15798826 EFE1C3BD 869954A9 9A46AB62 C93778D4 5CF9034A
  D69B4FC8 C2B13FB4 3C91D476 06C3CE8F C809DA91 F86B9152 D03BA887 E147F4C4
  AF63702B 66205097 2383075D 676C16CC 51318D1F DC53FB99 6C128DD4 AA1E2884
  A8C10AA8 BF07B50C 8403A49D FE559532 EA02A71E FD57E1C3 98F18B4F 55A7C384 527EDD
  quit
!
spanning-tree mode mst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree mst hello-time 1
!
!
!
no errdisable detect cause loopback
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery interval 180
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
!
interface GigabitEthernet1/0/1
 description BMCFW1A Primary Firewall
 switchport access vlan 250
 switchport mode access
!
interface GigabitEthernet1/0/2
 description BMCG1L3SW1A Level 3 Switch A
 switchport access vlan 250
 switchport mode access
!
interface GigabitEthernet1/0/3
 description BMCG1FTEBBSWA1 L2 Backbone Switch A
 no switchport
 ip address 10.10.13.252 255.255.255.0
 no ip proxy-arp
 ip pim dense-mode
 standby 103 ip 10.10.13.254
 standby 103 timers 2 6
 standby 103 priority 105
 standby 103 preempt delay minimum 90
!
interface GigabitEthernet1/0/4
 shutdown
!
interface GigabitEthernet1/0/5
 shutdown
!
interface GigabitEthernet1/0/6
 shutdown
!
interface GigabitEthernet1/0/7
 shutdown
!
interface GigabitEthernet1/0/8
 shutdown
!
interface GigabitEthernet1/0/9
 shutdown
!
interface GigabitEthernet1/0/10
 shutdown
!
interface GigabitEthernet1/0/11
 no switchport
 ip address 10.80.192.1 255.255.255.0
!
interface GigabitEthernet1/0/12
 description Crossover
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan250
 description L3 Network
 ip address 10.10.12.250 255.255.255.0
 no ip proxy-arp
 ip pim dense-mode
 standby 250 ip 10.10.12.252
 standby 250 timers 2 6
 standby 250 priority 105
 standby 250 preempt delay minimum 90
!
!
router eigrp 100
 network 10.10.12.0 0.0.0.255
 network 10.10.13.0 0.0.0.255
 network 10.80.192.0 0.0.0.255
!
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.10.12.200
!
logging esm config
logging trap notifications
logging source-interface Loopback0
!
snmp-server community BMCG1 RO
snmp-server community string RO
snmp-server location Control Room
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host 10.10.13.45 BMCG1  snmp
snmp-server host 10.10.13.46 BMCG1  snmp
!
!
line con 0
 exec-timeout 30 0
 password 7 142017070F0B272E76013D302D00
line vty 0 4
 exec-timeout 30 0
 password 7 073824404D061400453B05090B39
 login local
 transport input telnet ssh
line vty 5 15
 exec-timeout 30 0
 password 7 073824404D061400453B05090B39
 login local
!
ntp server 10.80.192.132
ntp server 129.230.38.114
end
Predrag Jovic

To check if traffic is reaching the router, you can debug:

debug ip udp ?
  address   UDP source or destination address
  port      UDP source or destination port number

But be careful on a production router, since it can make the router unusable.
Or you can create a simple access list and apply it to the interface in the direction of the firewall (if an ACL is not already applied to the interface).

access-list 100 permit udp <sourceIPaddr> <wildcard> eq <srcport> <destIPaddr> <wildcard> eq <destport> log
access-list 100 permit ip any any

interface gi1/0
 ip access-group 100 in

No traffic will be dropped, but it will log all matches to the first ACL 100 statement.
Simplified, if you know, for example, that the destination host IP address is 10.1.1.1 and the destination UDP port is 7897:
access-list 100 permit udp any host 10.1.1.1 eq 7897 log

This would be the less risky way, since for monitor capture it is recommended to configure far more details to avoid making the router unresponsive.
Additionally, ports are opened automatically for a process that is started on the router. For traffic that is just passing through the router there is no filtering, except in the case that filtering is manually configured (ACL) or the router's stateful firewall is configured.
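As an added example (not code from the original thread or from either poster), the script below shows the two checks the answer above relies on, applied offline to a config file: it parses numbered extended ACL lines of the simple form used above, finds which interfaces have an ACL bound with ip access-group, evaluates a UDP flow against the ACL with first-match semantics and the implicit deny, and reports whether the entry that matched carries the log keyword. It also answers the asker's underlying question, whether the device filters transit traffic at all, by looking for ACL bindings or IOS stateful-firewall commands (ip inspect, zone-member security). The SAMPLE_CONFIG is constructed for the example and modelled on the ACL suggested above; the poster's real running config contains no access-list at all, so the same function reports no filtering for it. Only the address forms any, host A.B.C.D and A.B.C.D wildcard are handled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the logging ACL suggested in the thread.
# It is not the poster's config, which binds no ACL to any interface.
SAMPLE_CONFIG = """\
hostname BMCRT1A
!
access-list 100 permit udp any host 10.1.1.1 eq 7897 log
access-list 100 permit ip any any
!
interface GigabitEthernet1/0/1
 description BMCFW1A Primary Firewall
 ip access-group 100 in
!
interface GigabitEthernet1/0/2
 description no ACL bound here
!
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")


@dataclass
class AclEntry:
    acl: str
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp" or "ip" ("ip" matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]      # None means any destination port
    log: bool


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (hostmask) after the slash
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text: str) -> List[AclEntry]:
    """Collect 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]' lines."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _parse_addr(tokens, 0)
        if i < len(tokens) and tokens[i] == "eq":   # source port: parsed, not matched
            i += 2
        dst, i = _parse_addr(tokens, i)
        dst_port = None
        if i < len(tokens) and tokens[i] == "eq":
            dst_port = int(tokens[i + 1])
            i += 2
        log = i < len(tokens) and tokens[i] == "log"
        entries.append(AclEntry(acl, action, proto, src, dst, dst_port, log))
    return entries


def parse_bindings(config_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map interface name -> [(acl, direction)] from 'ip access-group' sub-commands."""
    bindings: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith(" ") and current and line.strip().startswith("ip access-group "):
            _, _, acl, direction = line.split()
            bindings.setdefault(current, []).append((acl, direction))
        elif not line.startswith(" ") and line.strip() != "!":
            current = None   # an unindented command ends the interface block
    return bindings


def evaluate(entries: List[AclEntry], acl: str, proto: str,
             src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, bool]:
    """First-match evaluation of one flow against ACL `acl`; implicit deny at the end.
    Returns (action, logged)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.acl != acl or e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, e.log
    return "deny", False


def filtering_present(config_text: str) -> bool:
    """True if any ACL is bound to an interface or an IOS stateful firewall
    (CBAC 'ip inspect' or zone-based 'zone-member security') is configured."""
    if parse_bindings(config_text):
        return True
    return any(l.strip().startswith(("ip inspect ", "zone-member security"))
               for l in config_text.splitlines())


if __name__ == "__main__":
    entries = parse_acls(SAMPLE_CONFIG)
    for iface, acls in parse_bindings(SAMPLE_CONFIG).items():
        for acl, direction in acls:
            verdict, logged = evaluate(entries, acl, "udp", "192.0.2.10", "10.1.1.1", 7897)
            print(f"{iface} {direction} ACL {acl}: udp -> 10.1.1.1:7897 {verdict}, logged={logged}")
    print("filtering configured:", filtering_present(SAMPLE_CONFIG))
```

Run it against a saved copy of the running config instead of SAMPLE_CONFIG to see whether any interface in the path has an ACL bound and whether the UDP flow in question would be logged or dropped; a config with no bindings and no stateful-firewall commands, like the one posted, is not filtering transit UDP, which points the search back at the firewall or the end host.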
Andy Bartkiewicz

The only traffic that will get blocked by a router without an access-list (ACL) that I'm aware of is directed broadcast traffic. So if you are on VLAN A and you are trying to send traffic to VLAN B's broadcast address, you will need to use the directed broadcast command and set up permissions through an ACL.