I need to open ports 80, 443 and 1882 to a specific external client (IP address). Can someone help me with the commands for that please?
If the client has public IP 126.96.36.199 and the server is located inside network and has the IP 10.10.10.10
This is the config, if you are using ASA
object network CLIENT-OBJ
 description --- The client ----
 host 126.96.36.199
object network SERVER-OBJ
 description --- The inside server ----
 host 10.10.10.10
 nat (inside,outside) static <SERVER-PUBLIC-IP>
! <SERVER-PUBLIC-IP> is a placeholder for the public address the server is published on
! (the thread does not give it); the static NAT maps 10.10.10.10 to that address, not to the client.
object-group service SERVICES-TCP-OBJ tcp
 description --- Services TCP published ----
 port-object eq 80
 port-object eq 443
 port-object eq 1882
access-list OUTSIDE-IN-ACL extended permit tcp object CLIENT-OBJ object SERVER-OBJ object-group SERVICES-TCP-OBJ
access-group OUTSIDE-IN-ACL in interface outside
Thanks. Is the host IP my external IP or the internal IP of a particular client? I need to do this to permit VoIP traffic to some tablets that are connected wirelessly to the internal network and have IPs dynamically assigned by DHCP.
You need to be more specific
No, this config allows the client on the outside network with public IP 188.8.131.52 to access a host inside your network that has private IP 10.10.10.10 on TCP ports 80, 443 and 1882.
It is possible, but you will need to configure some NAT rules and ACLs permitting that traffic, just as Samuel showed you.
If the traffic is initiated from outside (internet) to your tablets inside your network:
This requires one-to-one public-IP -> private-IP mappings.
You need to have one public IP for each tablet.
If the problem is the other way round, tablets from inside trying to access an outside public IP on specific ports, this is easy and possible.
OK, I think the first suggestion may have been almost correct then, thanks. But if I wanted to add more than one internal host (in fact all in the range 192.168.1.100 to 149), is there a way to do that, or will I have to create 50 "object network SERVER-OBJ" entries?
My wireless router is plugged into one port on the 819 ISR, my main router/firewall. Can I configure that port to have a narrower IP range and just add those to the solution?
For completeness my VoIP host is on an external IP address xxx.xxx.xxx.xxx and I want to permit inbound and outbound traffic across ports 80, 443 and 1882 to any tablet on the internal subnet 192.168.1.aaa to bbb. Hope this is clearer now and thanks to everyone who has helped so far.
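The first answer's ASA pattern extended to a whole range of inside hosts, as an added example that is not part of any post in this thread and not the asker's or Samuel's configuration. It uses ASA 8.3+ syntax (it will not load on the 819 ISR's IOS CLI). The object names, the VoIP host address 203.0.113.10 and the public block 203.0.113.100-149 are assumptions (constructed, documentation range); the thread only gives the VoIP host as xxx.xxx.xxx.xxx and does not give any public block.

```cisco
! Added example (assumed names and addresses), not configuration from the thread.
!
! The external VoIP host. 203.0.113.10 is a constructed placeholder.
object network VOIP-HOST-OBJ
 description --- External VoIP host ----
 host 203.0.113.10
!
! Public addresses the tablets are published on. A static NAT of a range needs a
! mapped range of the same size: one public IP per tablet, which is the one-to-one
! requirement stated earlier in the thread. 203.0.113.100-149 is a constructed placeholder.
object network TABLETS-MAPPED-OBJ
 description --- Public addresses for the tablets ----
 range 203.0.113.100 203.0.113.149
!
! All tablets as one object: a single 'range', not 50 separate objects. The DHCP pool
! for the wireless segment must hand out only addresses within this range for the
! mapping and the ACL to cover every tablet.
object network TABLETS-REAL-OBJ
 description --- Inside tablets, real (DHCP) addresses ----
 range 192.168.1.100 192.168.1.149
 nat (inside,outside) static TABLETS-MAPPED-OBJ
!
object-group service VOIP-TCP-OBJ tcp
 description --- VoIP TCP ports ----
 port-object eq 80
 port-object eq 443
 port-object eq 1882
!
! Inbound: only the VoIP host, only these three ports, only to the tablet range.
! On ASA 8.3+ the ACL references the real (pre-NAT) addresses, hence TABLETS-REAL-OBJ.
access-list OUTSIDE-IN-ACL extended permit tcp object VOIP-HOST-OBJ object TABLETS-REAL-OBJ object-group VOIP-TCP-OBJ
access-group OUTSIDE-IN-ACL in interface outside
!
! Outbound from the tablets to the VoIP host uses the same static mapping and is allowed
! by default from the higher-security inside interface unless an inside ACL says otherwise.
```

To check the result before relying on it, "show nat" should list the static range translation, and "packet-tracer input outside tcp 203.0.113.10 40000 203.0.113.100 1882" should show the packet being untranslated to 192.168.1.100 and allowed by OUTSIDE-IN-ACL, while the same trace to port 22 should be dropped. The ACL deliberately names the single VoIP host as the source rather than "any", so the exposure is limited to that peer even though 50 inside addresses are published.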
I tried entering the script suggested by Samuel. Unfortunately the command "nat" after object network SERVER-OBJ is not recognised by my CLI. These are the only supported commands:
Network object group configuration commands:
A.B.C.D Network address of the group members
any Any host
description Network object group description
exit Exit from IP policy-group configuration mode
group-object Nested object group
host Host address of the object-group member
no Negate or set default values of a command
range Match only packets in the range of IP address