port forwarding Cisco 857W + admin page viewable externally

Kynan Hynes
Level 1

I would like to open UDP port 22335, and TCP port 80 on my local server 10.10.10.50. I've been having a heck of a time getting this to work, as I don't really understand access lists and what is required. Also, for some reason my firewall is open to the outside world on port 443 (you can browse and see the admin access page). I don't recall setting this up!! Can someone help me fix all this? Config is as follows:

Thanks a million guys!

CiscoMan

This is the running config of the router: 10.10.10.1

----------------------------------------------------------------------------

!version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname **************

!

boot-start-marker

boot system flash c850-advsecurityk9-mz.124-15.T15.bin

boot-end-marker

!

logging buffered 51200

logging console critical

enable secret 5 **************

!

aaa new-model

!

!

!

!

aaa session-id common

clock timezone CST -6

clock summer-time CDT recurring

!

crypto pki trustpoint TP-self-signed-2488767310

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2488767310

revocation-check none

rsakeypair TP-self-signed-2488767310

!

!

crypto pki certificate chain TP-self-signed-2488767310

certificate self-signed 01

  <cert here>

            quit

dot11 syslog

!

dot11 ssid ***********

   vlan 1

   authentication open

   authentication key-management wpa

   guest-mode

   wpa-psk ascii 7 ******************

!

no ip source-route

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.10.1 10.10.10.99

ip dhcp excluded-address 10.10.10.201 10.10.10.254

!

ip dhcp pool ccp-pool1

   import all

   network 10.10.10.0 255.255.255.0

   dns-server *********

   default-router 10.10.10.1

!

!

ip cef

ip inspect log drop-pkt

ip inspect name SDM_MEDIUM appfw SDM_MEDIUM

ip inspect name SDM_MEDIUM cuseeme

ip inspect name SDM_MEDIUM dns

ip inspect name SDM_MEDIUM ftp

ip inspect name SDM_MEDIUM h323

ip inspect name SDM_MEDIUM https

ip inspect name SDM_MEDIUM icmp

ip inspect name SDM_MEDIUM imap reset

ip inspect name SDM_MEDIUM pop3 reset

ip inspect name SDM_MEDIUM rcmd

ip inspect name SDM_MEDIUM realaudio

ip inspect name SDM_MEDIUM rtsp

ip inspect name SDM_MEDIUM esmtp

ip inspect name SDM_MEDIUM sqlnet

ip inspect name SDM_MEDIUM streamworks

ip inspect name SDM_MEDIUM tftp

ip inspect name SDM_MEDIUM tcp router-traffic

ip inspect name SDM_MEDIUM udp

ip inspect name SDM_MEDIUM vdolive

no ip bootp server

ip domain name yourdomain.com

ip name-server *******

ip name-server *******

!

appfw policy-name SDM_MEDIUM

  application im aol

    service default action allow alarm

    service text-chat action allow alarm

    server permit name login.oscar.aol.com

    server permit name toc.oscar.aol.com

    server permit name oam-d09a.blue.aol.com

  application im msn

    service default action allow alarm

    service text-chat action allow alarm

    server permit name messenger.hotmail.com

    server permit name gateway.messenger.hotmail.com

    server permit name webmessenger.msn.com

  application im yahoo

    service default action allow alarm

    service text-chat action allow alarm

    server permit name scs.msg.yahoo.com

    server permit name scsa.msg.yahoo.com

    server permit name scsb.msg.yahoo.com

    server permit name scsc.msg.yahoo.com

    server permit name scsd.msg.yahoo.com

    server permit name cs16.msg.dcn.yahoo.com

    server permit name cs19.msg.dcn.yahoo.com

    server permit name cs42.msg.dcn.yahoo.com

    server permit name cs53.msg.dcn.yahoo.com

    server permit name cs54.msg.dcn.yahoo.com

    server permit name ads1.vip.scd.yahoo.com

    server permit name radio1.launch.vip.dal.yahoo.com

    server permit name in1.msg.vip.re2.yahoo.com

    server permit name data1.my.vip.sc5.yahoo.com

    server permit name address1.pim.vip.mud.yahoo.com

    server permit name edit.messenger.yahoo.com

    server permit name messenger.yahoo.com

    server permit name http.pager.yahoo.com

    server permit name privacy.yahoo.com

    server permit name csa.yahoo.com

    server permit name csb.yahoo.com

    server permit name csc.yahoo.com

!

!

!

username ********* privilege 15 secret 5 ************************

!

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

bridge irb

!

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

description $ES_WAN$$FW_OUTSIDE$

no ip redirects

no ip unreachables

no ip proxy-arp

pvc 0/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

shutdown

!

interface FastEthernet1

!

interface FastEthernet2

shutdown

!

interface FastEthernet3

!

interface Dot11Radio0

no ip address

!

encryption vlan 1 mode ciphers aes-ccm

!

broadcast-key vlan 1 change 30

!

!

ssid ********

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Dot11Radio0.1

encapsulation dot1Q 1 native

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

no ip address

bridge-group 1

!

interface Dialer0

description $FW_OUTSIDE$

ip address negotiated

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1452

ip inspect SDM_MEDIUM out

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip route-cache flow

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication pap callin

ppp pap sent-username ******** password 7 ********

!

interface BVI1

description $ES_LAN$$FW_INSIDE$

ip address 10.10.10.1 255.255.255.0

ip access-group 100 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

ip tcp adjust-mss 1412

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface Dialer0 overload

!

logging trap debugging

access-list 1 remark INSIDE_IF=BVI1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.10.0 0.0.0.255

access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_3##

access-list 100 remark SDM_ACL Category=1

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_13##

access-list 101 remark SDM_ACL Category=1

access-list 101 deny   ip 10.10.10.0 0.0.0.255 any

access-list 101 permit udp host ******* eq domain any

access-list 101 permit udp host ******** eq domain any

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip host 0.0.0.0 any

access-list 101 deny   ip any any log

dialer-list 1 protocol ip permit

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

no modem enable

transport output telnet

line aux 0

transport output telnet

line vty 0 4

privilege level 15

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Accepted Solutions

Hi Bro

As mentioned by jcarvaja above, you’ll need to enable PAT (Port Address Translation) simply because you’ve a single WAN IP Address.

Here are the commands that you should insert;

ip nat inside source static tcp 10.10.10.50 80 interface Dialer0 80

ip nat inside source static udp 10.10.10.50 22335 interface Dialer0 22335

ip nat inside source static udp 10.10.10.50 22336 interface Dialer0 22336

ip nat inside source static udp 10.10.10.50 30175 interface Dialer0 30175

ip nat translation timeout 600

ip nat translation tcp-timeout 600

ip nat translation udp-timeout 600

ip nat translation syn-timeout 600

ip nat translation icmp-timeout 600

Moreover, the reason as to why your Router’s admin page is widely exposed to the Internet cloud is simply because you’ve enabled the http services.

Here are the commands that you should insert;

no ip http server

no ip http secure-server

P/S: if you think this comment is useful, please do rate them nicely :-) and click on the button THIS QUESTION IS ANSWERED.

Warm regards,
Ramraj Sivagnanam Sivajanam

4 Replies

Julio Carvajal
VIP Alumni

Hello Kynan

First let's start with the NAT for the server:

ip nat inside source static tcp 10.10.10.50 80 interface Dialer0 80

ip nat inside source static udp 10.10.10.50 2235 interface Dialer0 2235

Then work on the ACL:

ip access-list extended 101

1 permit tcp any host dialer0_ip eq 80

2 permit udp any host dialer0_ip eq 2235

Then the GUI should not work from the outside world as you are restricting the traffic on the ACL, the Inspect HTTPS is on outbound direction so that should not affect, and there is no ACL for port 443 so the port should be closed.

Please try to access it from an outside PC and let me know what happens,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Ramraj,

I agree on your post but the problem is that if they take this out

no ip http server

no ip http secure-server

Then you will not be able to access the SDM from the inside and the requirement is from the outside

Have a great day bro,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

You're right bro, my bad. I guess with the HTTP vulnerability that exists in most Cisco IOS equipment, the commands that should be inserted are as shown below:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20000514-ios-http-server

!

ip http authentication local

ip http access-class 10

!

access-list 10 remark ### To allow a single host access to the Router via SDM from LAN ###

access-list 10 permit host 10.10.10.50

!

arp 10.10.10.50 0014.f666.aa88 arpa

!

Warm regards,
Ramraj Sivagnanam Sivajanam
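
An added example, not part of any post in this thread: a small Python check that reads a running-config and reports static port forwards that the inbound ACL on the outside interface still drops, plus an enabled web UI with no `ip http access-class`. The sample config is constructed from values in the thread, the function names are assumptions, and only numbered `access-list` entries ending in `eq <port>` are understood.

```python
import re

# Constructed excerpt modelled on the thread's config; not the poster's full config.
SAMPLE = """\
interface Dialer0
 ip access-group 101 in
 ip nat outside
ip http server
ip http secure-server
ip nat inside source static tcp 10.10.10.50 80 interface Dialer0 80
ip nat inside source static udp 10.10.10.50 22335 interface Dialer0 22335
access-list 101 permit tcp any any eq www
access-list 101 deny   ip any any log
"""
PORT_NAMES = {"www": "80", "domain": "53"}  # IOS prints some ports by name
NAT = re.compile(r"ip nat inside source static (tcp|udp) (\S+) \d+ interface (\S+) (\d+)$")

def permitted(lines, acl, proto, port):
    """Walk numbered ACL entries in order; a permit after 'deny ip any any' never matches."""
    prefix = f"access-list {acl} "
    for entry in (l[len(prefix):] for l in lines if l.startswith(prefix)):
        if entry.startswith("deny ip any any"):
            return False
        m = re.match(rf"permit {proto} .* eq (\S+)$", entry)
        if m and PORT_NAMES.get(m.group(1), m.group(1)) == port:
            return True
    return False

def audit(config):
    lines = [" ".join(l.split()) for l in config.splitlines() if l.strip()]
    findings, acl_in, iface = [], {}, None
    for l in lines:  # map each interface to its inbound ACL
        if l.startswith("interface "):
            iface = l.split()[1]
        elif l.startswith("ip access-group ") and l.endswith(" in") and iface:
            acl_in[iface] = l.split()[2]
    for l in lines:  # every static port forward needs a matching inbound permit
        m = NAT.match(l)
        if m:
            proto, host, out_if, port = m.groups()
            acl = acl_in.get(out_if)
            if acl and not permitted(lines, acl, proto, port):
                findings.append(f"{proto}/{port} to {host} is blocked by ACL {acl}")
    http = [l for l in lines if l in ("ip http server", "ip http secure-server")]
    if http and not any(l.startswith("ip http access-class ") for l in lines):
        findings.append("web UI enabled without ip http access-class: " + ", ".join(http))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A permit appended after the final `deny ip any any` is still reported, which is why new entries have to be placed ahead of that line in ACL 101.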