topic Open a port on Cisco 1811 in Network Security

Open a port on Cisco 1811

jsandau — Mon, 11 Mar 2019 21:23:04 GMT

This is problably a stupid question but how do I open a prot on a cisco 1811? I have a cisco 1811 and a computer that has VNC installed on it. I want to be able to access that computer from out side the network using the external ip address and port 5950. People outside the network will be able to open vnc viewer and type in *external ip address*:5950 and it will be directed to the computer with a static internal ip address of 10.11.101.10. What commands do I use to do this?

Thanks,

Re: Open a port on Cisco 1811

cadet alain — Fri, 09 Sep 2011 21:03:36 GMT

Hi,

Port forwarding on Cisco routers is accomplished using static PAT;

let's suppose the server on inside is located out port f0/0 and public port is f0/1

then you must do following: configure ip nat inside under f0/0 and ip nat outside under f0/1

then issue following global config command: ip nat inside source static tcp 10.11.101.10 5950 interface f0/1 5950

Regards.

Alain.

Open a port on Cisco 1811

jsandau — Fri, 09 Sep 2011 21:27:10 GMT

I'm not quite sure what you mean by F0/0 and F0/1. The outside internet is connnected to port FE0 and the inside computer (the vnc server) is getting an ip address from Vlan1

Open a port on Cisco 1811

pablo.nxh — Fri, 09 Sep 2011 23:47:57 GMT

Hi,

Alain was just trying to make a supposition with the interface names... In your case you need to put the command ip nat outside under your interface FE0 and ip nat inside on whatever interface is connected internally to VLAN1.

HTH

__ __

Pablo

Open a port on Cisco 1811

jsandau — Mon, 12 Sep 2011 17:13:32 GMT

I entered the commands that you said and under the edit NAT configuration tab on CCP I have the following:

Original Address Translated Address Rule Type
10.11.101.10 (5950) FastEthernet0 (5950) Static

However VNC still isn't working from outside the network.

Shouldn't the original address be fastethernet0 and the translated address be 10.11.101.10?

Open a port on Cisco 1811

cadet alain — Mon, 12 Sep 2011 19:35:04 GMT

Hi,

No this is how it should be but you also have to add an ACL permitting tcp traffic to the translated address and port 5950. Then apply this ACL to interface outside inbound.

eg: access-list VNC_INBOUND permit tcp any x.x.x.x eq 5950 where x.x.x.x is outside IP

access-group VNC_INBOUND in interface outside

Regards.

Alain.

Open a port on Cisco 1811

jsandau — Mon, 12 Sep 2011 19:44:41 GMT

I typed in:

access-list VNC_INBOUND permit tcp any *external IP* eq 5950

and I got Invalid input detected at '^' marker, and the ^ marker is right under the V in VNC_inbound

Open a port on Cisco 1811

cadet alain — Mon, 12 Sep 2011 20:47:45 GMT

Hi,

sorry I gave config for an ASA not a router.

if this is a router then you don't nedd an ACL unless you've already got one in place then you have to modify to permit vnc access.

Post the output of sh access-list and sh run | i int| ip access-group

Regards.

Alain.

Open a port on Cisco 1811

jsandau — Mon, 12 Sep 2011 21:20:29 GMT

Here is the results of the show access-list:

standard IP access list 1

10 permit 10.11.101.0, wildcard bits 0.0.0.255

Extended IP access list 100

10 permit ip host 255.255.255.255 any

20 permit ip 127.0.0.0 0.255.255.255 any

Extended IP access list 101

10 permit ip any host *exteranl ip address*

Extended IP access list 102

10 permit ip 10.11.101.0 0.0.0.255 any

Extended IP access list 103

10 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255

Extended IP access list 104

10 permit ip host *Site to site VPN address* any

Extended IP access list 105

10 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255

Extended IP access list 106

10 deny ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255

20 permit ip 10.11.101.0 0.0.0.255 any (71 matches)

Extended IP access list CCP_IP

10 permit ip any any

Extended IP access list SDM_AH

10 permit ahp any any

Extended IP access list SDM_BOOTPC

10 permit udp any any eq bootpc (2049 matches)

Extended IP access list SDM_ESP

10 permit esp any any

Extended IP access list SDM_WEBVPN

10 permit tcp any any eq 443

when I try the sh run | i int| ip access-group command I get an error

nvalid input detected at '^' marker, and the ^ marker is under the i after the |

Open a port on Cisco 1811

cadet alain — Tue, 13 Sep 2011 07:49:10 GMT

Hi,

there must be a space after the first | and before the i but maybe your IOS version doesn't support pipe filtering.

Anyway then do a sh ip interface x/x for your outside and inside interfaces.

Alain.

Open a port on Cisco 1811

jsandau — Tue, 13 Sep 2011 20:26:36 GMT

Here is the results of sho ip interface fastethernet0 (the outside interface):

FastEthernet0 is up, line protocol is up

Internet address is *external IP*/22

Broadcast address is 255.255.255.255

Address determined by DHCP

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound access list is not set

Proxy ARP is disabled

Local Proxy ARP is disabled

Security level is default

Split horizon is enabled

ICMP redirects are never sent

ICMP unreachables are never sent

ICMP mask replies are never sent

IP fast switching is enabled

IP fast switching on the same interface is disabled

IP Flow switching is disabled

IP CEF switching is enabled

IP CEF switching turbo vector

IP multicast fast switching is enabled

IP multicast distributed fast switching is disabled

IP route-cache flags are Fast, CEF

Router Discovery is disabled

IP output packet accounting is disabled

IP access violation accounting is disabled

TCP/IP header compression is disabled

RTP/IP header compression is disabled

Policy routing is disabled

Network address translation is enabled, interface in domain outside

BGP Policy Mapping is disabled

Input features: Stateful Inspection, Ingress-NetFlow, Virtual Fragment Reassem

bly, IPSec input classification, Virtual Fragment Reassembly After IPSec Decrypt

ion, NAT Outside, MCI Check

Output features: Post-routing NAT Outside, Stateful Inspection, IPSec output c

lassification, CCE Post NAT Classification, Firewall (firewall component), Post-

Ingress-NetFlow, IPSec: to crypto engine, Post-encryption output features

WCCP Redirect outbound is disabled

WCCP Redirect inbound is disabled

WCCP Redirect exclude is disabled

Here is the results fr show ip interface vlan 1 (inside interface):

Vlan1 is up, line protocol is up

Internet address is 10.11.101.1/24

Broadcast address is 255.255.255.255

Address determined by non-volatile memory

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound access list is not set

Proxy ARP is disabled

Local Proxy ARP is disabled

Security level is default

Split horizon is enabled

ICMP redirects are never sent

ICMP unreachables are never sent

ICMP mask replies are never sent

IP fast switching is enabled

IP fast switching on the same interface is disabled

IP Flow switching is disabled

IP CEF switching is enabled

IP CEF switching turbo vector

IP Null turbo vector

IP multicast fast switching is enabled

IP multicast distributed fast switching is disabled

IP route-cache flags are Fast, CEF

Router Discovery is disabled

IP output packet accounting is disabled

IP access violation accounting is disabled

TCP/IP header compression is disabled

RTP/IP header compression is disabled

Policy routing is disabled

Network address translation is enabled, interface in domain inside

BGP Policy Mapping is disabled

Input features: Stateful Inspection, Ingress-NetFlow, Virtual Fragment Reassem

bly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check, TCP Adjust M

Output features: NAT Inside, Stateful Inspection, CCE Post NAT Classification,

Firewall (firewall component), TCP Adjust MSS, Post-Ingress-NetFlow

WCCP Redirect outbound is disabled

WCCP Redirect inbound is disabled

WCCP Redirect exclude is disabled

Open a port on Cisco 1811

cadet alain — Wed, 14 Sep 2011 07:26:27 GMT

Hi,

could you post the show run output please.

Regards.

Alain.

Open a port on Cisco 1811

jsandau — Wed, 14 Sep 2011 14:49:30 GMT

Here is the show run

Current configuration : 12201 bytes

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

hostname *Host Name*

boot-start-marker

boot-end-marker

security authentication failure rate 3 log

security passwords min-length 6

logging message-counter syslog

logging buffered 51200

logging console critical

enable secret 5 $1$3R6c$adcoV0cvM5hTzxOoPBByc0

aaa new-model

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa session-id common

clock timezone PCTime -7

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

crypto pki trustpoint TP-self-signed-1097866965

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1097866965

revocation-check none

rsakeypair TP-self-signed-1097866965

crypto pki certificate chain TP-self-signed-1097866965

certificate self-signed 01

30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 31303937 38363639 3635301E 170D3131 30393039 31383130

32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30393738

36363936 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100B1C3 0B9F3231 E9911C7A 7A84E566 F4530769 16830F32 4A61F775 12CDDB5C

23227963 5A53E5C5 2C0E8945 640DB32C ACD17F1A 2C52EC96 7C274099 5D4BBD26

6E7C4DA9 32C5162B 0A54D437 64B719B9 36904DDA 7B23FC3C E7763F5E BF651874

1870462E FA0ABE9C 37918D53 2B5B13A7 4FADFC9E 1D8B0B64 141733A7 8DC61C03

80E90203 010001A3 7E307C30 0F060355 1D130101 FF040530 030101FF 30290603

551D1104 22302082 1E426F77 5F49736C 616E6453 43414441 2E796F75 72646F6D

61696E2E 636F6D30 1F060355 1D230418 30168014 0AEF8942 249D4EF1 A18B1BA6

389822CB 16CB4922 301D0603 551D0E04 1604140A EF894224 9D4EF1A1 8B1BA638

9822CB16 CB492230 0D06092A 864886F7 0D010104 05000381 81008DC2 DFF3604C

93BE4175 7078AC30 7391F8AF 4A15E116 C53D523E 12F6B5F4 15CA5635 C12576F7

0D5D1A2A F330F781 459F3418 7E82FFBD 2679E17C CDF07A4F A257B599 E7CCC9C6

38617B96 F2E66F0D 6BFBC000 524B377B 969D51BD 48A9BF8F 8C0220D4 BB249435

08688D18 794CAFB3 1F74F2F9 4E0C0245 AEA8E55A 2AE758A0 36CC

quit

dot11 syslog

no ip source-route

ip dhcp excluded-address 10.11.101.1 10.11.101.99

ip dhcp pool ccp-pool1

import all

network 10.11.101.0 255.255.255.0

default-router 10.11.101.1

ip cef

no ip bootp server

no ip domain lookup

ip domain name yourdomain.com

no ipv6 cef

multilink bundle-name authenticated

username *username* privilege 15 secret 5 $1$1O79$nIJGrBD9hCpDqheT3mDsC1

username VPNuser secret 5 $1$nPz8$Cni5jyIWv9zlKAU3B5no9.

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key *key* address *External VPN IP address*

crypto isakmp client configuration group VPN_Users

key *Key*

pool VPN_Pool

acl 102

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to*External VPN IP address*

set peer *External VPN IP address*

set transform-set ESP-3DES-SHA

match address 103

Open a port on Cisco 1811

cadet alain — Wed, 14 Sep 2011 18:03:36 GMT

Hi,

try this:

ip inspect log drop-pkt

ip access-list extended VNC

permit tcp any host 10.11.101.10 eq 5950

class-map type inspect VNC_CLASS

match access-group name VNC

policy-map type inspect VNC_POLICY

class VNC_CLASS

inspect

zone-pair security VNC_OUT_IN source out-zone destination in-zone

service-policy type inspect VNC_POLICY

Regards.

Alain.

Open a port on Cisco 1811

jsandau — Wed, 14 Sep 2011 19:33:45 GMT

That didn't work. Here is the new running config:

Building configuration...

Current configuration : 12519 bytes