10-27-2020 11:34 AM
#1 When I set up the router initially, I purposely turned on management via the internet, so when I access my static IP via the internet on port 80, I get a login prompt to the router. How can I disable this over WAN?
#2 How can I port forward tcp 5000 port from internet to LAN address 192.168.1.200
staticip:5000 <> 192.168.1.200:5000 ?
Am I able to implement these changes via the LAN console on port 80 in my web browser, or do I need to connect to the router physically and use a terminal?
Thank you in advance
10-27-2020 11:42 AM
I am facing the same issue
10-27-2020 12:45 PM - edited 10-27-2020 12:46 PM
#1
You can use an ACL on the management side to deny HTTP requests:
ip access-list extended no-web
 deny tcp any any eq www
 permit ip any any
! (the explicit permit is needed because an ACL ends with an implicit deny)
interface GigabitEthernet0/0 (this is the management interface)
 ip access-group no-web in
#2
ip nat inside source static tcp 192.168.1.200 5000 <public IP> 5000
Note: make sure the required changes are also done on the LAN side.
10-29-2020 07:56 AM
Port 5000 is still not open
10-29-2020 02:42 PM - edited 10-29-2020 02:45 PM
I would disable http protocol for management all the way, and if a web access is required to the router, I would enable https as http is not really secure at all. Regarding restricting the traffic, you can restrict the traffic destined to the router itself by using an ACL and apply it to the ingress interface, or, you can use the access-class command and associate a standard ACL (1 - 99) to it. Example:
ip access-list standard 1
permit host <host IP>
ip http access-class 1
However, if you want to apply a static PAT, you can do that with the command:
ip nat inside source static tcp <the private IP> <real port> <the public IP> <external port>
Example:
ip nat inside source static tcp 192.168.1.200 443 1.1.1.1 5000
This will translate the traffic destined to the port 5000 to port 443, and the IP 1.1.1.1 to the private IP 192.168.1.200.
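The three points in this answer (plain HTTP off, HTTPS on if web access is needed, and an access-class limiting who can reach the web UI) can be checked against a copy of the running-config. The script below is an added example and not part of the thread; the config excerpt is constructed, and the function names (audit_web_management, acl_permitted_sources) are my own. It understands both the numbered (access-list 1 permit ...) and the named-block (ip access-list standard 1) forms of a standard ACL.

```python
import re

# Constructed running-config excerpt (not taken from the thread): plain HTTP
# management on, HTTPS off, web access restricted to one host via ACL 1.
SAMPLE_CONFIG = """\
ip http server
no ip http secure-server
ip http access-class 1
!
ip access-list standard 1
 permit host 192.168.1.50
!
ip nat inside source static tcp 192.168.1.200 443 1.1.1.1 5000
"""

# A standard ACE: 'permit host X', 'permit X', 'permit X WILDCARD' or 'permit any'.
ACE_RE = re.compile(r"permit (?:host )?(\S+)(?: (\d+\.\d+\.\d+\.\d+))?")


def _source(m):
    """Render the source of a matched ACE, keeping a wildcard mask if present."""
    return m.group(1) if m.group(2) is None else f"{m.group(1)} {m.group(2)}"


def acl_permitted_sources(config, acl_name):
    """Sources permitted by a standard ACL, in either IOS syntax:
    'access-list N permit ...' lines or an 'ip access-list standard N' block."""
    sources, in_block = [], False
    for line in config.splitlines():
        text = line.strip()
        if text == f"ip access-list standard {acl_name}":
            in_block = True
            continue
        if in_block and line.startswith(" "):       # ACEs inside the block are indented
            m = ACE_RE.fullmatch(text)
            if m:
                sources.append(_source(m))
            continue
        in_block = False                              # any unindented line ends the block
        m = re.fullmatch(rf"access-list {re.escape(acl_name)} {ACE_RE.pattern}", text)
        if m:
            sources.append(_source(m))
    return sources


def audit_web_management(config):
    """Report the points raised in the thread: is plain HTTP on, is HTTPS on,
    and is the web UI restricted to specific sources with an access-class?"""
    lines = [l.strip() for l in config.splitlines()]
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    access_class = None
    for text in lines:
        m = re.fullmatch(r"ip http access-class (\S+)", text)
        if m:
            access_class = m.group(1)
    sources = acl_permitted_sources(config, access_class) if access_class else []
    findings = []
    if http_on:
        findings.append("plain HTTP management is enabled; disable it with 'no ip http server'")
    if http_on and not https_on:
        findings.append("HTTPS is not enabled; use 'ip http secure-server' if web access is needed")
    if (http_on or https_on) and not access_class:
        findings.append("web management accepts any source; restrict it with 'ip http access-class <acl>'")
    if access_class and "any" in sources:
        findings.append(f"access-class {access_class} permits any source, so it restricts nothing")
    return {"plain_http_enabled": http_on, "https_enabled": https_on,
            "access_class": access_class, "permitted_sources": sources,
            "findings": findings}


if __name__ == "__main__":
    for finding in audit_web_management(SAMPLE_CONFIG)["findings"]:
        print("-", finding)
```

Paste the output of show running-config into SAMPLE_CONFIG (or read it from a file) and the findings list tells you which of the three settings still needs attention; an empty list means plain HTTP is off and whatever web server remains is limited to the listed sources.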
11-02-2020 06:06 AM
11-04-2020 12:38 PM
That would be because the device is doing PAT, and most likely that port has been allocated for a connection. What you can try to do is to clear the NAT translations and apply the new commands. If that does not help, you might need to temporarily disable NAT on the inside interface, apply the new commands, and then re-enable NAT on the inside interface.
11-05-2020 06:42 AM
11-05-2020 10:03 AM
You can issue the command show ip nat translations and use any port higher than 1023 that you don't see on the list.
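To make the "pick a port that is not on the list" step less error-prone on a busy router, the following added example (not from the thread) parses the output of show ip nat translations, reports which inside-local host currently holds a given inside-global port, and returns the lowest unused port above 1023. The sample output is constructed to match the IOS column layout; addresses, ports and the function names are my own.

```python
import re

# Constructed 'show ip nat translations' output (column layout as IOS prints it,
# addresses and ports made up). Port 5000 is already held by a dynamic PAT entry,
# which is the situation described in the thread.
SAMPLE_SHOW_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 1.1.1.1:5000       192.168.1.10:52244 203.0.113.9:443    203.0.113.9:443
tcp 1.1.1.1:1024       192.168.1.11:40001 203.0.113.9:80     203.0.113.9:80
udp 1.1.1.1:1025       192.168.1.12:5353  203.0.113.20:53    203.0.113.20:53
icmp 1.1.1.1:512       192.168.1.12:512   203.0.113.20:512   203.0.113.20:512
"""

# One translation line: protocol, inside global addr:port, inside local addr:port, ...
ENTRY_RE = re.compile(r"^(tcp|udp|icmp)\s+(\S+):(\d+)\s+(\S+):(\d+)", re.IGNORECASE)


def used_global_ports(output, global_ip=None):
    """Map each inside-global port in use to (protocol, inside-local endpoint).
    A port is treated as taken regardless of protocol, to stay conservative.
    If global_ip is given, only translations on that public address count."""
    used = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header line or a row we don't recognise
        proto, gaddr, gport, laddr, lport = m.groups()
        if global_ip and gaddr != global_ip:
            continue
        used[int(gport)] = (proto.lower(), f"{laddr}:{lport}")
    return used


def port_is_free(output, port, global_ip=None):
    """True when no translation currently occupies this inside-global port."""
    return port not in used_global_ports(output, global_ip)


def first_free_port(output, start=1024, end=65535, global_ip=None):
    """Lowest port >= start (default 1024, as the thread suggests) absent from the table."""
    used = used_global_ports(output, global_ip)
    for port in range(start, end + 1):
        if port not in used:
            return port
    return None


if __name__ == "__main__":
    holder = used_global_ports(SAMPLE_SHOW_NAT).get(5000)
    print("port 5000 currently in use by:", holder)
    print("first free port above 1023:", first_free_port(SAMPLE_SHOW_NAT))
```

Pass global_ip when the router has more than one public address, so that only translations on the address you are mapping count. The result is only a snapshot: dynamic PAT entries come and go, so re-check right before you add the static entry, or clear the translations first as the earlier reply suggests.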
11-05-2020 11:16 AM