CLI command to open ports 80, 443 and 1882

PricingKernel
Level 1

I need to open ports 80, 443 and 1882 to a specific external client (IP address). Can someone help me with the commands for that please?

8 Replies

Samuel Petrescu
Level 1

If the client has public IP 123.123.123.123 and the server is located inside the network and has the IP 10.10.10.10, this is the config if you are using an ASA:

!
object network CLIENT-OBJ
     description --- The client ----
     host 123.123.123.123
!
! The mapped (translated) address of the inside server must be a public IP that
! the ASA answers for on its outside interface, not the client's own address.
! 203.0.113.10 below is an assumed example value; substitute your own public IP.
object network SERVER-PUBLIC-OBJ
     description --- Public address the inside server is published on ----
     host 203.0.113.10
!
object network SERVER-OBJ
     description --- The inside server ----
     host 10.10.10.10
     nat (inside,outside) static SERVER-PUBLIC-OBJ
!
object-group service SERVICES-TCP-OBJ tcp
     description --- Services TCP published ----
     port-object eq 80
     port-object eq 443
     port-object eq 1882
!
! ASA 8.3 and later match ACLs on the real (untranslated) address, hence SERVER-OBJ here.
access-list OUTSIDE-IN-ACL extended permit tcp object CLIENT-OBJ object SERVER-OBJ object-group SERVICES-TCP-OBJ
!
access-group OUTSIDE-IN-ACL in interface outside
!

Samuel Petrescu

Thanks. Is the host IP my external IP or the internal IP of a particular client? I need to do this to permit VoIP traffic to some tablets that are connected wirelessly to the internal network and have IPs dynamically assigned by DHCP.

You need to be more specific.

No, this config allows the client outside your network with public IP 123.123.123.123 to access a host inside your network that has private IP 10.10.10.10 on TCP ports 80, 443 and 1882.

Sorry about that. So is it possible to open those ports up to the whole range of DHCP assigned IPs as I described?

Hello Joel,

It is possible, but you will need to configure some NAT rules and ACLs permitting that traffic, just as Samuel showed you.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Samuel Petrescu
Level 1

If the traffic is initiated from outside (internet) to your tablets inside your network:

     This requires one-to-one mappings public IP -> private IP.

     You need to have one public IP for each tablet.

If the problem is the reverse, tablets from inside trying to access an outside public IP on specific ports, this is easy and possible.

OK, I think the first suggestion may have been almost correct then, thanks. But if I wanted to add more than one internal host (in fact all in the range 192.168.1.100 to 149), is there a way to do that, or will I have to create 50 object network SERVER-OBJ entries?

My wireless router is plugged into one port on the 819 ISR, my main router/firewall. Can I configure that port to have a narrower IP range and just add those to the solution?

For completeness my VoIP host is on an external IP address xxx.xxx.xxx.xxx and I want to permit inbound and outbound traffic across ports 80, 443 and 1882 to any tablet on the internal subnet 192.168.1.aaa to bbb.  Hope this is clearer now and thanks to everyone who has helped so far.

Hi,

I tried entering the script suggested by Samuel. Unfortunately the command "nat" after object network SERVER-OBJ is not recognised by my CLI. These are the only supported commands:

Network object group configuration commands:
  A.B.C.D       Network address of the group members
  any           Any host
  description   Network object group description
  exit          Exit from IP policy-group configuration mode
  group-object  Nested object group
  host          Host address of the object-group member
  no            Negate or set default values of a command
  range         Match only packets in the range of IP address
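The help output above is the IOS `object-group network` submode of the 819 ISR, not an ASA: on IOS there is no `nat` command under an object group, address translation is configured with `ip nat inside source`, and the `range` keyword shown can hold the whole DHCP pool, so 50 separate objects are not needed. The following is an added example, not configuration posted in the thread, showing the IOS equivalent for the requirement as last stated (tablets 192.168.1.100 to 149, one external VoIP host, TCP 80, 443 and 1882). Assumed values: the WAN interface is GigabitEthernet0 with a single public address, the LAN is Vlan1 on 192.168.1.0/24, 198.51.100.25 stands in for the VoIP host xxx.xxx.xxx.xxx, and the image has the securityk9 feature set so `ip inspect` (classic firewall) is available. Outbound flows from the tablets only need the ACL entry plus the overload NAT the router already does for internet access. Inbound connections initiated by the VoIP host cannot be mapped one-to-one to 50 tablets behind one public IP (Samuel's point above); each tablet that must be reachable from outside needs a DHCP reservation and its own outside port per service, shown here for the first tablet.

```cisco
! Added example for the 819 ISR (IOS). Interface names, 198.51.100.25 and the
! outside ports 8080/8443/11882 are assumed placeholders.
!
! --- Address and service groups ---
object-group network TABLETS
 description Wireless tablets, DHCP pool from the thread
 range 192.168.1.100 192.168.1.149
!
object-group network VOIP-HOST
 description External VoIP host (assumed placeholder for xxx.xxx.xxx.xxx)
 host 198.51.100.25
!
object-group service VOIP-TCP
 description TCP services used by the VoIP application
 tcp eq 80
 tcp eq 443
 tcp eq 1882
!
! --- Outbound: tablets initiating to the VoIP host ---
ip access-list extended LAN-IN
 remark VoIP flows from the tablets; matched before the general LAN rule
 permit object-group VOIP-TCP object-group TABLETS object-group VOIP-HOST
 remark Existing LAN policy belongs here; keep whatever the router already allows
 permit ip 192.168.1.0 0.0.0.255 any
!
! Classic firewall inspection opens the WAN-IN ACL for return traffic of
! sessions started from the LAN (assumes the securityk9 feature set).
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
!
interface Vlan1
 description LAN (assumed interface name)
 ip nat inside
 ip access-group LAN-IN in
 ip inspect LAN-OUT in
!
interface GigabitEthernet0
 description WAN, single public address (assumed interface name)
 ip nat outside
 ip access-group WAN-IN in
!
! Overload (PAT) for outbound sessions; return packets are translated back by
! the dynamic NAT table and admitted by the inspection entries above.
ip access-list standard NAT-SOURCES
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface GigabitEthernet0 overload
!
! --- Inbound: the VoIP host initiating to a tablet ---
! One public IP cannot be mapped one-to-one to 50 tablets. Each tablet that must
! accept inbound connections needs a fixed address (DHCP reservation) and a
! distinct outside port per service. Shown for 192.168.1.100; repeat with other
! outside ports for the remaining tablets.
ip nat inside source static tcp 192.168.1.100 80 interface GigabitEthernet0 8080
ip nat inside source static tcp 192.168.1.100 443 interface GigabitEthernet0 8443
ip nat inside source static tcp 192.168.1.100 1882 interface GigabitEthernet0 11882
!
ip access-list extended WAN-IN
 remark Inbound ACL is evaluated before NAT, so it sees the public address and outside port
 permit tcp host 198.51.100.25 any eq 8080
 permit tcp host 198.51.100.25 any eq 8443
 permit tcp host 198.51.100.25 any eq 11882
 remark DHCP from the ISP for the WAN address itself
 permit udp any eq bootps any eq bootpc
 remark Everything else from the internet is dropped by the implicit deny
```

After applying it, `show ip nat translations` should list the three static entries for 192.168.1.100, and `show access-lists WAN-IN` should show hit counts only on the 198.51.100.25 lines once the VoIP host connects; from the VoIP side the service is reached on the router's public address at port 8080, 8443 or 11882, not on 80, 443 or 1882. If the router already runs zone-based firewall instead of classic `ip inspect`, the WAN-IN and inspection lines have to be expressed as zone-pair policies, but the object groups, OGACL entry and static NAT lines are unchanged.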
