Open outbound ports on Cisco 2801 router

Hi,

I have recently configured a Cisco 2801 with two interfaces (PPPoE Dialer/outside/fa0/0 and LAN/fa0/1) for basic internet connectivity in my office. I used the Cisco CP tool to configure the device from scratch and have enabled the firewall in legacy mode to block some applications and services.

Now I have a requirement to open some ports for outgoing traffic for the LAN clients and would like to know how to do it using CP or by command.

Below is the list of ports I need to have opened:

UDP ports 53, 67, 68, 4550, 500, 123

I have tried adding some commands to the ACL via CP but it does not seem to work. Can someone help me with this? Below is the running config extracted from the device.


Building configuration...

Current configuration : 7868 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GMSHORTR02
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$R24V$SWtmLMghzVBlFjRaBpsRc/
!
no aaa new-model
clock timezone Muscat 4
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool LAN
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 213.42.20.20 8.8.8.8
   default-router 192.168.1.1
!
!
ip name-server 8.8.8.8
ip name-server 213.42.20.20
ip inspect log drop-pkt
ip inspect name CCP_HIGH appfw CCP_HIGH
ip inspect name CCP_HIGH https
ip inspect name CCP_HIGH dns
ip urlfilter exclusive-domain deny youtube
!
appfw policy-name CCP_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
crypto pki trustpoint TP-self-signed-2957537574
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2957537574
 revocation-check none
 rsakeypair TP-self-signed-2957537574
!
!
crypto pki certificate chain TP-self-signed-2957537574
 certificate self-signed 01
  30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32393537 35333735 3734301E 170D3136 31303330 31333036
  32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39353735
  33373537 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100972E 36793CD8 EC230487 E749DB3D 2FC1B93F E95C358A 05670266 FF6DC8CE
  4EB08DCF F5A2EEE7 0F256F3A 44BE17F5 3B4522C7 78D3040D F8AF4CD8 873EF595
  92E8E44D 76CEDD00 D8549192 F7AB0CF2 2BE7F4CB C7D2ABE3 C5866C02 077EED98
  95BE406C E234FB18 C4BAF232 93618294 9981B6D6 DBD76F1B 878FC469 E0C87F19
  277F0203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
  551D1104 0E300C82 0A474D53 484F5254 52303230 1F060355 1D230418 30168014
  376FBE42 A6F9F0F8 F50D95C7 391F729F 39678E25 301D0603 551D0E04 16041437
  6FBE42A6 F9F0F8F5 0D95C739 1F729F39 678E2530 0D06092A 864886F7 0D010104
  05000381 81004764 5D20E4F4 37B31675 789EB4C4 C912A789 E701574C B028BB06
  665631EF 34337722 73F7D564 4CCFBB1C 33EE0498 2DF73EAB 2D6FA730 162D51CB
  9A2C6113 BD80B4E2 F1E03ED8 ADF0A36E F023ED22 C7226665 3CE54F6D 25111B3A
  F6ED5F79 E4DC7B85 FCE6F85C CAD27D45 D0F5CFC9 B725726D 5063B42B EEEEDB90
  7F3B6F79 961C
   quit
!
!
username xxxxx privilege 15 password 0 xxxxxx
archive
 log config
!
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_CCP_HIGH
 class sdm_p2p_edonkey
   drop
 class sdm_p2p_gnutella
   drop
 class sdm_p2p_kazaa
   drop
 class sdm_p2p_bittorrent
   drop
!
!
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 description Basic filtering$FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 ip mtu 1452
 ip nat outside
 ip inspect CCP_HIGH out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username xxxxxx password 0 xxxxx
 service-policy input sdmappfwp2p_CCP_HIGH
 service-policy output sdmappfwp2p_CCP_HIGH
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 remark Etisalat Booster 53
access-list 100 permit udp any eq domain any
access-list 100 remark Etisalat booster 67
access-list 100 permit udp any eq bootps any eq bootps
access-list 100 remark Etisalalt Booster 68
access-list 100 permit udp any eq bootpc any
access-list 100 remark Etisalat Booster 33434
access-list 100 permit udp any range 33434 33445 any
access-list 100 remark Etisalat Booster 123
access-list 100 permit udp any eq ntp any
access-list 100 remark Etisalat 500
access-list 100 permit udp any eq isakmp any
access-list 100 remark Etisalat Booster 4500
access-list 100 permit udp any eq non500-isakmp any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 permit udp host 8.8.8.8 eq domain any
access-list 101 permit udp host 213.42.20.20 eq domain any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CPlease disconnect immediately if you are not an authorized user.. !!^C
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000

!
webvpn cef
!
end

Thanks for the assistance.

Regards,

AV
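An added example, not from the original post or any reply, showing how the two access lists and the CBAC inspection set in the posted config interact and what a practitioner would apply on the router. It assumes the poster's numbering (ACL 100 inbound on FastEthernet0/1, ACL 101 inbound on Dialer0 together with `ip inspect CCP_HIGH out`), the 192.168.1.0/24 LAN with the router at 192.168.1.1, and that the "4550" in the port list is the 4500 (NAT-T) that the ACL remark already names. Two details of the posted config explain why adding lines to ACL 100 had no visible effect. First, entries such as `permit udp any eq domain any` place the port test after the source address, so they match the source port, not the destination port a client sends to. Second, ACL 100 ends in `permit ip any any`, so outbound traffic from the LAN was never blocked by it in the first place. What is blocked is the return traffic: ACL 101 on Dialer0 only admits DNS replies from the two configured servers and three ICMP types, and the `CCP_HIGH` inspection set only opens return paths for https, dns and the HTTP appfw, so replies to NTP, ISAKMP or NAT-T sessions reach `deny ip any any log` and are dropped (and logged, given `ip inspect log drop-pkt`).

```cisco
! Added example; not the poster's config. Assumes the interface, ACL and
! inspect names from the posted running config and the 192.168.1.0/24 LAN.
!
! 1. Let CBAC open return entries in ACL 101 for ANY outbound TCP/UDP
!    session, not only https/dns. Generic "tcp" and "udp" inspection
!    exist alongside the application-specific keywords.
ip inspect name CCP_HIGH tcp
ip inspect name CCP_HIGH udp
!
! 2. Rebuild the LAN-side list so each test names the DESTINATION port
!    and so the list ends in an explicit deny instead of "permit ip any
!    any" (with that trailing permit the earlier lines enforce nothing).
!    Re-enter the whole list in one paste from the console: while ACL 100
!    is absent, "ip access-group 100 in" on fa0/1 permits everything.
no access-list 100
access-list 100 remark LAN clients: explicit outbound whitelist
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 remark DHCP client -> router DHCP server (67/68)
access-list 100 permit udp any eq bootpc any eq bootps
access-list 100 remark management of the router itself (CCP over HTTPS, SSH)
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 100 remark requested UDP services: 53, 123, 500, 4500
access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq domain
access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq ntp
access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq isakmp
access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq non500-isakmp
access-list 100 remark traceroute probes (ICMP time-exceeded is already let back in by ACL 101)
access-list 100 permit udp 192.168.1.0 0.0.0.255 any range 33434 33445
access-list 100 remark web browsing
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 permit icmp 192.168.1.0 0.0.0.255 any
access-list 100 deny   ip any any log
!
! 3. Verify from a LAN host (e.g. an NTP query), then on the router:
!    show ip inspect sessions      <- the outbound UDP session should be listed
!    show access-lists 101         <- the final "deny ip any any log" counter
!                                     should stop incrementing for that traffic
```

Anything a LAN client needs that is not in the list above (SMTP, SSH to outside hosts, and so on) is now denied and logged, so extend the list deliberately rather than restoring the trailing `permit ip any any`. If the intent is only to open the six UDP ports without restricting anything else, step 1 alone is enough; step 2 is what makes ACL 100 an actual control. Separately from the question, the same config shows `no service password-encryption` with `password 0` on both the local user and the PAP credentials, and `transport input telnet ssh` on the VTY lines; `service password-encryption`, `username ... secret`, and `transport input ssh` are the usual corrections.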
