08-18-2012 05:33 AM - edited 03-11-2019 04:43 PM
I would like to open UDP port 22335 and TCP port 80 on my local server 10.10.10.50. I've been having a heck of a time getting this to work, as I don't really understand access lists and what is required. Also, for some reason my firewall is open to the outside world on port 443 (you can browse and see the admin access page); I don't recall setting this up! Can someone help me fix all this? Config is as follows:
Thanks a million guys!
CiscoMan
This is the running config of the router: 10.10.10.1
----------------------------------------------------------------------------
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname **************
!
boot-start-marker
boot system flash c850-advsecurityk9-mz.124-15.T15.bin
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 **************
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
!
crypto pki trustpoint TP-self-signed-2488767310
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2488767310
revocation-check none
rsakeypair TP-self-signed-2488767310
!
!
crypto pki certificate chain TP-self-signed-2488767310
certificate self-signed 01
<cert here>
quit
dot11 syslog
!
dot11 ssid ***********
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 ******************
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.201 10.10.10.254
!
ip dhcp pool ccp-pool1
import all
network 10.10.10.0 255.255.255.0
dns-server *********
default-router 10.10.10.1
!
!
ip cef
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp router-traffic
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
no ip bootp server
ip domain name yourdomain.com
ip name-server *******
ip name-server *******
!
appfw policy-name SDM_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
!
!
!
username ********* privilege 15 secret 5 ************************
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers aes-ccm
!
broadcast-key vlan 1 change 30
!
!
ssid ********
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip inspect SDM_MEDIUM out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username ******** password 7 ********
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_3##
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_13##
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit udp host ******* eq domain any
access-list 101 permit udp host ******** eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
08-19-2012 03:24 PM
Hi Bro
As mentioned by jcarvaja above, you’ll need to enable PAT (Port Address Translation) simply because you’ve a single WAN IP Address.
Here are the commands that you should insert:
ip nat inside source static tcp 10.10.10.50 80 interface Dialer0 80
ip nat inside source static udp 10.10.10.50 22335 interface Dialer0 22335
ip nat inside source static udp 10.10.10.50 22336 interface Dialer0 22336
ip nat inside source static udp 10.10.10.50 30175 interface Dialer0 30175
ip nat translation timeout 600
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 600
ip nat translation syn-timeout 600
ip nat translation icmp-timeout 600
Moreover, the reason why your router's admin page is widely exposed to the Internet cloud is simply because you've enabled the HTTP services.
Here are the commands that you should insert:
no ip http server
no ip http secure-server
P.S.: if you think this comment is useful, please rate it nicely :-) and click on the button THIS QUESTION IS ANSWERED.
08-18-2012 11:34 PM
Hello Kynan
First, let's start with the NAT for the server:
ip nat inside source static tcp 10.10.10.50 80 interface Dialer0 80
ip nat inside source static udp 10.10.10.50 22335 interface Dialer0 22335
Then work on the ACL:
ip access-list extended 101
1 permit tcp any host dialer0_ip eq 80
2 permit udp any host dialer0_ip eq 22335
Then the GUI should not work from the outside world, as you are restricting the traffic on the ACL; the inspect for HTTPS is in the outbound direction, so that should not affect it, and there is no ACL entry for port 443, so the port should be closed.
Please try to access it from an outside PC and let me know what happens.
Regards,
Julio
08-19-2012 06:54 PM
Hello Ramraj,
I agree with your post, but the problem is that if they take this out:
no ip http server
no ip http secure-server
Then you will not be able to access the SDM from the inside, and the requirement is from the outside.
Have a great day bro,
Julio
08-19-2012 10:13 PM
You're right bro, my bad. I guess with the HTTP vulnerability that exists in most Cisco IOS equipment, the commands that should be inserted are as shown below:
!
ip http authentication local
ip http access-class 10
!
access-list 10 remark ### To allow a single host access to the Router via SDM from LAN ###
access-list 10 permit host 10.10.10.50
!
arp 10.10.10.50 0014.f666.aa88 arpa
!
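The two recommendations in this thread (adding permit entries to ACL 101 on Dialer0 for the forwarded ports, and restricting the HTTP server with "ip http access-class 10") both depend on IOS first-match ACL semantics and wildcard masks. The following is an added example, not code from the original thread or from Cisco: a small Python simulator of those semantics, run over ACL 101 as it would read after the permits are inserted and over the standard ACL 10 from the last post. It assumes a constructed WAN address 203.0.113.10 standing in for the negotiated Dialer0 IP, omits the masked DNS entries from the original ACL, and ignores ICMP type names and the "log" keyword, which do not change the permit/deny outcome shown here. It also goes a step beyond the thread by comparing two placements of the new permits: at sequence 1 and 2 (ahead of the anti-spoofing denies), and just ahead of the final "deny ip any any log".

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

PORT_NAMES = {"domain": 53, "www": 80, "https": 443}  # port keywords used in IOS ACLs


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: int
    src_wild: int                # IOS wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    sport: Optional[int] = None  # None = any source port
    dport: Optional[int] = None  # None = any destination port


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _addr(toks: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at toks[i]."""
    if toks[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if toks[i] == "host":
        return int(IPv4Address(toks[i + 1])), 0, i + 2
    return int(IPv4Address(toks[i])), int(IPv4Address(toks[i + 1])), i + 2


def parse_ace(line: str, standard: bool = False) -> Ace:
    """Parse one entry as typed in 'ip access-list' mode; a leading sequence
    number ('1 permit tcp ...') is accepted and skipped."""
    toks = line.split()
    i = 1 if toks[0].isdigit() else 0
    action, i = toks[i], i + 1
    if standard:                            # standard ACLs match on source only
        src, src_wild, _ = _addr(toks, i)
        return Ace(action, "ip", src, src_wild, 0, 0xFFFFFFFF)
    proto, i = toks[i], i + 1
    src, src_wild, i = _addr(toks, i)
    sport = None
    if i < len(toks) and toks[i] == "eq":   # optional source-port qualifier
        sport, i = _port(toks[i + 1]), i + 2
    dst, dst_wild, i = _addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":   # optional destination-port qualifier
        dport, i = _port(toks[i + 1]), i + 2
    # remaining tokens ('log', icmp type names) do not affect matching here
    return Ace(action, proto, src, src_wild, dst, dst_wild, sport, dport)


def _addr_match(addr: int, base: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF
    return addr & care == base & care


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None, sport: Optional[int] = None) -> str:
    """First matching entry decides; no match falls through to the implicit deny."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_match(s, ace.src, ace.src_wild) or not _addr_match(d, ace.dst, ace.dst_wild):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"   # implicit 'deny ip any any' at the end of every IOS ACL


WAN_IP = "203.0.113.10"  # constructed stand-in for the negotiated Dialer0 address

# ACL 101 from the posted config (masked DNS entries omitted), split so the two
# new permits can be placed either before or after the anti-spoofing denies.
ANTI_SPOOF = [
    "deny ip 10.10.10.0 0.0.0.255 any",
    "permit icmp any any echo-reply",
    "permit icmp any any time-exceeded",
    "permit icmp any any unreachable",
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 127.0.0.0 0.255.255.255 any",
    "deny ip host 255.255.255.255 any",
    "deny ip host 0.0.0.0 any",
]
SERVER_PERMITS = [f"permit tcp any host {WAN_IP} eq 80",
                  f"permit udp any host {WAN_IP} eq 22335"]
FINAL_DENY = ["deny ip any any log"]

ACL_101_PERMITS_FIRST = [parse_ace(l) for l in SERVER_PERMITS + ANTI_SPOOF + FINAL_DENY]
ACL_101_PERMITS_LAST = [parse_ace(l) for l in ANTI_SPOOF + SERVER_PERMITS + FINAL_DENY]
ACL_10 = [parse_ace("permit host 10.10.10.50", standard=True)]  # ip http access-class 10


def wan_verdict(acl: List[Ace], proto: str, src: str, dport: int) -> str:
    """Verdict for a packet arriving inbound on Dialer0 addressed to the WAN IP."""
    return evaluate(acl, proto, src, WAN_IP, dport)


def http_verdict(src: str) -> str:
    """Verdict of the http access-class for a client address (source only)."""
    return evaluate(ACL_10, "tcp", src, "10.10.10.1", 443)


if __name__ == "__main__":
    for proto, src, port in [("tcp", "198.51.100.7", 80), ("udp", "198.51.100.7", 22335),
                             ("tcp", "198.51.100.7", 443), ("tcp", "10.1.2.3", 80)]:
        print(f"{proto}/{port} from {src}: permits-first={wan_verdict(ACL_101_PERMITS_FIRST, proto, src, port)}"
              f" permits-last={wan_verdict(ACL_101_PERMITS_LAST, proto, src, port)}")
    for src in ("10.10.10.50", "10.10.10.60", "198.51.100.7"):
        print(f"http access-class from {src}: {http_verdict(src)}")
```

Either placement admits the forwarded ports from a real Internet source and leaves TCP 443 to fall through to the final deny, which is the behaviour Julio describes. The difference shows up with a packet whose source is a private address: with the permits at sequence 1 and 2 it is accepted before the anti-spoofing entries are consulted, while with the permits placed just ahead of the final deny those entries still apply. The standard ACL behind the access-class matches on source only, so it admits 10.10.10.50 and nothing else, including other LAN hosts.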