08-24-2012 08:23 AM - edited 03-11-2019 04:46 PM
I need to open ports 80, 443 and 1882 to a specific external client (IP address). Can someone help me with the commands for that please?
08-24-2012 08:48 AM
If the client has public IP 123.123.123.123 and the server is located inside network and has the IP 10.10.10.10
This is the config, if you are using ASA
!
object network CLIENT-OBJ
description --- The client ----
host 123.123.123.123
!
object network SERVER-OBJ
description --- The inside server ----
host 10.10.10.10
! publish the inside server on the outside interface address (a dedicated public-IP object can be used instead)
nat (inside,outside) static interface
!
object-group service SERVICES-TCP-OBJ tcp
description --- Services TCP published ----
port-object eq 80
port-object eq 443
port-object eq 1882
!
!
!
access-list OUTSIDE-IN-ACL extended permit tcp object CLIENT-OBJ object SERVER-OBJ object-group SERVICES-TCP-OBJ
access-group OUTSIDE-IN-ACL in interface outside
!
Samuel Petrescu
08-24-2012 09:02 AM
Thanks. Is the host IP my external IP or the internal IP of a particular client? I need to do this to permit VoIP traffic to some tablets that are connected wirelessly to the internal network and have IPs dynamically assigned by DHCP.
08-24-2012 09:14 AM
You need to be more specific
No, this config allows the client on the outside network with public IP 123.123.123.123 to access a host inside your network that has the private IP 10.10.10.10 on TCP ports 80, 443 and 1882.
08-24-2012 09:18 AM
Sorry about that. So is it possible to open those ports up to the whole range of DHCP assigned IPs as I described?
08-24-2012 10:00 AM
Hello Joel,
It is possible, but you will need to configure some NAT rules and ACLs permitting that traffic, just as Samuel showed you.
Regards,
Julio
08-24-2012 09:44 AM
If the traffic is initiated from outside (internet) to your tablets inside your network:
This requires one-to-one mappings public-IP -> private-IP.
You need to have one public IP for each tablet.
If the problem is the reverse, tablets from inside trying to access an outside public IP on specific ports, this is easy and possible.
08-25-2012 04:40 AM
OK, I think the first suggestion may have been almost correct then, thanks. But if I wanted to add more than one internal host (in fact all in the range 192.168.1.100 to 149) is there a way to do that or will I have to create 50 object network SERVER-OBJ?
My wireless router is plugged into one port on the 819 ISR, my main router/firewall. Can I configure that port to have a narrower IP range and just add those to the solution?
For completeness my VoIP host is on an external IP address xxx.xxx.xxx.xxx and I want to permit inbound and outbound traffic across ports 80, 443 and 1882 to any tablet on the internal subnet 192.168.1.aaa to bbb. Hope this is clearer now and thanks to everyone who has helped so far.
08-28-2012 12:25 AM
hi,
I tried entering the script suggested by Samuel. Unfortunately the command "nat" after object network SERVER-OBJ is not recognised by my CLI. These are the only supported commands:
Network object group configuration commands:
A.B.C.D Network address of the group members
any Any host
description Network object group description
exit Exit from IP policy-group configuration mode
group-object Nested object group
host Host address of the object-group member
no Negate or set default values of a command
range Match only packets in the range of IP address
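The following is an added example, not code from any poster in this thread or from Cisco. It models how an ASA (8.3 or later, which the object-based syntax in Samuel's post implies) evaluates that object NAT plus inbound ACL, and it also answers Joel's question about the 50 tablets: a single `object network` with a `range` covers 192.168.1.100 to .149, so one ACE suffices, but unsolicited inbound traffic still only reaches a tablet that has its own 1:1 static mapping, exactly as Samuel says. Two addresses are assumptions because the thread does not give them: the server is published on 198.51.100.10 and the VoIP host stands in as 203.0.113.10 (the thread writes it as xxx.xxx.xxx.xxx). Both are documentation-range stand-ins.

```python
"""Model of how an ASA (8.3+) evaluates the object NAT + inbound ACL from the thread.

Constructed example, not code from any poster. Assumed addresses: the server is
published on 198.51.100.10 and the VoIP host is 203.0.113.10 (stand-ins; the
thread gives neither). Everything else follows the posted objects.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class NetObject:
    """An 'object network' holding a host or a range (one object covers a whole range)."""
    name: str
    first: IPv4Address
    last: IPv4Address

    def __contains__(self, ip: IPv4Address) -> bool:
        return self.first <= ip <= self.last

    def size(self) -> int:
        return int(self.last) - int(self.first) + 1


def host(name: str, ip: str) -> NetObject:
    return NetObject(name, IPv4Address(ip), IPv4Address(ip))


def ip_range(name: str, lo: str, hi: str) -> NetObject:
    return NetObject(name, IPv4Address(lo), IPv4Address(hi))


@dataclass(frozen=True)
class StaticNat:
    """'nat (inside,outside) static <mapped>' under an object: one real IP <-> one public IP."""
    real: NetObject          # a single host for a 1:1 static
    mapped: IPv4Address


@dataclass(frozen=True)
class Ace:
    """One 'access-list ... extended permit|deny tcp <src> <dst> <service-group>' line."""
    action: str
    proto: str
    src: NetObject
    dst: NetObject
    ports: frozenset


def untranslate(nat_rules, dst: IPv4Address) -> IPv4Address:
    """Outside-in: the ASA matches the *mapped* address, then the ACL sees the *real* one (8.3+)."""
    for rule in nat_rules:
        if dst == rule.mapped:
            return rule.real.first
    return dst   # no static for this public address: no inside host is behind it


def evaluate(acl, nat_rules, src: str, dst: str, proto: str, dport: int) -> bool:
    """First matching ACE wins; every ASA ACL ends in an implicit deny."""
    s = IPv4Address(src)
    d = untranslate(nat_rules, IPv4Address(dst))
    for ace in acl:
        if ace.proto == proto and s in ace.src and d in ace.dst and dport in ace.ports:
            return ace.action == "permit"
    return False


# Objects from Samuel's post (real addresses as posted)
CLIENT_OBJ = host("CLIENT-OBJ", "123.123.123.123")
SERVER_OBJ = host("SERVER-OBJ", "10.10.10.10")
SERVICES_TCP = frozenset({80, 443, 1882})          # object-group service SERVICES-TCP-OBJ tcp

# Joel's follow-up: all 50 tablets in one range object instead of 50 host objects
TABLETS_OBJ = ip_range("TABLETS-OBJ", "192.168.1.100", "192.168.1.149")
VOIP_HOST = host("VOIP-HOST", "203.0.113.10")       # assumed stand-in for the xxx.xxx.xxx.xxx VoIP host

NAT_RULES = [StaticNat(SERVER_OBJ, IPv4Address("198.51.100.10"))]   # assumed public IP for the server

OUTSIDE_IN_ACL = [
    Ace("permit", "tcp", CLIENT_OBJ, SERVER_OBJ, SERVICES_TCP),
    Ace("permit", "tcp", VOIP_HOST, TABLETS_OBJ, SERVICES_TCP),
]


def tablet_reachable(tablet_real: str, tablet_public: str) -> bool:
    """Inbound to a tablet only works once that tablet has its own 1:1 static (one public IP each)."""
    rules = NAT_RULES + [StaticNat(host("TABLET", tablet_real), IPv4Address(tablet_public))]
    return evaluate(OUTSIDE_IN_ACL, rules, "203.0.113.10", tablet_public, "tcp", 1882)


if __name__ == "__main__":
    print(evaluate(OUTSIDE_IN_ACL, NAT_RULES, "123.123.123.123", "198.51.100.10", "tcp", 443))  # True
    print(evaluate(OUTSIDE_IN_ACL, NAT_RULES, "123.123.123.123", "198.51.100.10", "tcp", 22))   # False
    print(evaluate(OUTSIDE_IN_ACL, NAT_RULES, "203.0.113.10", "198.51.100.100", "tcp", 1882))   # False: no static
    print(tablet_reachable("192.168.1.100", "198.51.100.100"))                                   # True
    print(TABLETS_OBJ.size())                                                                    # 50
```

The model makes the practical point of the thread visible: the ACL on `outside` is necessary but not sufficient for inbound. Without a static for a tablet, the packet to its would-be public address never resolves to an inside host, so it falls through to the implicit deny no matter how broad the ACE is. Outbound connections from the tablets to the VoIP host, by contrast, need only dynamic NAT and the stateful return path, which is what the earlier answers call the easy direction.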