topic port forwarding Cisco 857W + admin page viewable externally in Network Security

port forwarding Cisco 857W + admin page viewable externally

Kynan Hynes — Mon, 11 Mar 2019 23:43:45 GMT

I would like to open UDP port 22335, and TCP port 80 on my local server 10.10.10.50. I've been having a heck of a time getting this to work, as I don't really understand access lists and what is required.. also, for some reason my firewall is open to the outside world on port 443 (you can browse and see the admin access page) I don't recally setting this up!! Can someone help me fix all this? Config is as follows:

Thanks a million guys!

CiscoMan

This is the running config of the router: 10.10.10.1

----------------------------------------------------------------------------

!version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

hostname **************

boot-start-marker

boot system flash c850-advsecurityk9-mz.124-15.T15.bin

boot-end-marker

logging buffered 51200

logging console critical

enable secret 5 **************

aaa new-model

aaa session-id common

clock timezone CST -6

clock summer-time CDT recurring

crypto pki trustpoint TP-self-signed-2488767310

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2488767310

revocation-check none

rsakeypair TP-self-signed-2488767310

crypto pki certificate chain TP-self-signed-2488767310

certificate self-signed 01

quit

dot11 syslog

dot11 ssid ***********

vlan 1

authentication open

authentication key-management wpa

guest-mode

wpa-psk ascii 7 ******************

no ip source-route

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.10.1 10.10.10.99

ip dhcp excluded-address 10.10.10.201 10.10.10.254

ip dhcp pool ccp-pool1

import all

network 10.10.10.0 255.255.255.0

dns-server *********

default-router 10.10.10.1

ip cef

ip inspect log drop-pkt

ip inspect name SDM_MEDIUM appfw SDM_MEDIUM

ip inspect name SDM_MEDIUM cuseeme

ip inspect name SDM_MEDIUM dns

ip inspect name SDM_MEDIUM ftp

ip inspect name SDM_MEDIUM h323

ip inspect name SDM_MEDIUM https

ip inspect name SDM_MEDIUM icmp

ip inspect name SDM_MEDIUM imap reset

ip inspect name SDM_MEDIUM pop3 reset

ip inspect name SDM_MEDIUM rcmd

ip inspect name SDM_MEDIUM realaudio

ip inspect name SDM_MEDIUM rtsp

ip inspect name SDM_MEDIUM esmtp

ip inspect name SDM_MEDIUM sqlnet

ip inspect name SDM_MEDIUM streamworks

ip inspect name SDM_MEDIUM tftp

ip inspect name SDM_MEDIUM tcp router-traffic

ip inspect name SDM_MEDIUM udp

ip inspect name SDM_MEDIUM vdolive

no ip bootp server

ip domain name yourdomain.com

ip name-server *******

appfw policy-name SDM_MEDIUM

application im aol

service default action allow alarm

service text-chat action allow alarm

server permit name login.oscar.aol.com

server permit name toc.oscar.aol.com

server permit name oam-d09a.blue.aol.com

application im msn

service default action allow alarm

service text-chat action allow alarm

server permit name messenger.hotmail.com

server permit name gateway.messenger.hotmail.com

server permit name webmessenger.msn.com

application im yahoo

service default action allow alarm

service text-chat action allow alarm

server permit name scs.msg.yahoo.com

server permit name scsa.msg.yahoo.com

server permit name scsb.msg.yahoo.com

server permit name scsc.msg.yahoo.com

server permit name scsd.msg.yahoo.com

server permit name cs16.msg.dcn.yahoo.com

server permit name cs19.msg.dcn.yahoo.com

server permit name cs42.msg.dcn.yahoo.com

server permit name cs53.msg.dcn.yahoo.com

server permit name cs54.msg.dcn.yahoo.com

server permit name ads1.vip.scd.yahoo.com

server permit name radio1.launch.vip.dal.yahoo.com

server permit name in1.msg.vip.re2.yahoo.com

server permit name data1.my.vip.sc5.yahoo.com

server permit name address1.pim.vip.mud.yahoo.com

server permit name edit.messenger.yahoo.com

server permit name messenger.yahoo.com

server permit name http.pager.yahoo.com

server permit name privacy.yahoo.com

server permit name csa.yahoo.com

server permit name csb.yahoo.com

server permit name csc.yahoo.com

username ********* privilege 15 secret 5 ************************

port forwarding Cisco 857W + admin page viewable externally

Julio Carvajal — Sun, 19 Aug 2012 06:34:46 GMT

Hello Kynan

First lets start with the NAT for the server:

ip nat inside source static tcp 10.10.10.50 80 interface Dialer0 80

ip nat inside source static udp 10.10.10.50 2235 interface Dialer0 2235

Then work on the ACL:

ip access-list extended 101

1 permit tcp any host dialer0_ip eq 80

2 permit udp any host dialer0_ip eq 2235

Then the GUI should not work from the outside world as you are restricting the traffic on the ACL, the Inspect HTTPS is on outbound direction so that should not affect, and there is no ACL for port 443 so the port should be closed.

Please try to access-it from an outside PC and let me know what happens,

Regards,

Julio

port forwarding Cisco 857W + admin page viewable externally

Ramraj Sivagnanam Sivajanam — Sun, 19 Aug 2012 22:24:27 GMT

Hi Bro

As mentioned by jcarvaja above, you’ll need to enable PAT (Port Address Translation) simply because you’ve a single WAN IP Address.

Here are the commands that you should insert;

ip nat inside source static tcp 10.10.10.50 80 interface Dialer0 80

ip nat inside source static udp 10.10.10.50 22335 interface Dialer0 22335

ip nat inside source static udp 10.10.10.50 22336 interface Dialer0 22336

ip nat inside source static udp 10.10.10.50 30175 interface Dialer0 30175

ip nat translation timeout 600

ip nat translation tcp-timeout 600

ip nat translation udp-timeout 600

ip nat translation syn-timeout 600

ip nat translation icmp-timeout 600

Moreover, the reason as to why your Router’s admin page is widely expose to the Internet cloud is simply because you’ve enabled the http services.

Here are the commands that you should insert;

no ip http server

no ip http secure-server

P/S: if you think this comment is useful, please do rate them nicely 🙂 and click on the button THIS QUESTION IS ANSWERED.

port forwarding Cisco 857W + admin page viewable externally

Julio Carvajal — Mon, 20 Aug 2012 01:54:17 GMT

Hello Ramraj,

I agree on your post but the problem is that if they take this out

no ip http server

no ip http secure-server

Then you will not be able to access the the SDM from the inside and the requirement is from the outside

Have a great day bro,

Julio

port forwarding Cisco 857W + admin page viewable externally

Ramraj Sivagnanam Sivajanam — Mon, 20 Aug 2012 05:13:55 GMT

You're right bro, my bad. I guess with the HTTP vulnerability that exists in most of Cisco IOS equipments, the commands should be inserted, are as shown below;

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20000514-ios-http-server

ip http authentication local

ip http access-class 10

access-list 10 remark ### To allow a single host access to the Router via SDM from LAN ###

access-list 10 permit host 10.10.10.50

arp 10.10.10.50 0014.f666.aa88 arpa