topic Re: Router 4321 config questions in Network Security

Router 4321 config questions

ZDitner62005 — Tue, 27 Oct 2020 18:34:59 GMT

#1 When I set up the router initially, I purposely turned on management via internet.. so when I access my static IP via internet to port 80, I get a login prompt to the router. How can I disable this over WAN?

#2 How can I port forward tcp 5000 port from internet to LAN address 192.168.1.200

staticip:5000 <> 192.168.1.200:5000 ?

Am I able to implement these changes via LAN console on port 80 in my web browser, or do I need to connect to the router physically and use terminal ?

Thank you in advance

Re: Router 4321 config questions

RohitSudhakar81994 — Tue, 27 Oct 2020 18:42:37 GMT

I am facing the same issue

Re: Router 4321 config questions

balaji.bandi — Tue, 27 Oct 2020 19:46:12 GMT

you can have ACL to deny on Manangement side for http request

ip access-list extended no-web

deny host any any eq http

interface gi 0/0 (this is management interface )

ip access-group no-web in

ip nat inside source static tcp publicip 5000 192.168.1.200 5000

Note : make sure some changes to be done on Lan side.

Re: Router 4321 config questions

ZDitner62005 — Thu, 29 Oct 2020 14:56:58 GMT

Port 5000 is still not open

Re: Router 4321 config questions

Aref Alsouqi — Thu, 29 Oct 2020 21:45:05 GMT

I would disable http protocol for management all the way, and if a web access is required to the router, I would enable https as http is not really secure at all. Regarding restricting the traffic, you can restrict the traffic destined to the router itself by using an ACL and apply it to the ingress interface, or, you can use the access-class command and associate a standard ACL (1 - 99) to it. Example:

ip access-list standard 1

permit host <host IP>

ip http access-class 1

However, if you want to apply a static PAT, you can do that with the command:

ip nat inside source static tcp <the private IP> <real port> <the public IP> <external port>

Example:

ip nat inside source static tcp 192.168.1.200 443 1.1.1.1 5000

This will translate the traffic destined to the port 5000 to port 443, and the IP 1.1.1.1 to the private IP 192.168.1.200.

Re: Router 4321 config questions

ZDitner62005 — Mon, 02 Nov 2020 14:06:13 GMT

I get the exception

%Port 5000 is being used by system

I tried a few other ports and get the same error

Re: Router 4321 config questions

Aref Alsouqi — Wed, 04 Nov 2020 20:38:53 GMT

That would be because the device is doing PAT, and most likely that port has been allocated for a connection. What you can try to do is to clear the NAT translations and apply the new commands. If that does not help, you might need to temporarily disable NAT on the inside interface, apply the new commands, and then re-enable NAT on the inside interface.

Re: Router 4321 config questions

ZDitner62005 — Thu, 05 Nov 2020 14:42:13 GMT

Unfortunately I am not comfortable enough to do this with a live office

Is there a way to find out any TCP port that is not in use I can use for
forwarding, the port # for WAN doesn't matter to me much

Re: Router 4321 config questions

Aref Alsouqi — Thu, 05 Nov 2020 18:03:09 GMT

You can issue the command show ip nat translations and use any port higher than 1023 that you don't see on the list.

Re: Router 4321 config questions

ZDitner62005 — Thu, 05 Nov 2020 19:16:13 GMT

Looks like I found the problem

Pro Inside global Inside local Outside local
Outside global

tcp 192.168.1.9:5000 :5000 --- ---

I guess one of the commands in this thread caused me to configure this wrong

Obviously outside should not be ---

How can I fix this mistake ?