Ports that are opened in ACL are not actually open

xpace
Level 1

Hi guys,

First time asking for support, because I'm lost and none of the help from all over the internet solved my issue.

Router is a Cisco 1941 on a new 1 Gbit link; all working except I can't get some ports working.

I'm running a BigBlueButton server on the LAN and need it accessible on the WAN. The server was working at my place behind a Draytek router with no issues. I have moved it to the school premises and of course it doesn't work. Some ports like 80, 443, 7443, 6999 and others are fine, but the UDP ports for the RTP range 16384-32768 are inaccessible.

Router is nothing special and older, but it works.

OS version: C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M5

access lists:

Standard IP access list 1
10 permit 130.102.128.23
20 permit 10.0.0.0, wildcard bits 0.0.7.255 (22360 matches)
Extended IP access list OUTSIDE
10 permit tcp any any established (5702 matches)
20 permit udp any any range 16384 32768
30 permit udp any any range 5060 5090
40 permit tcp any any eq 7443
50 permit tcp any any eq 443
60 permit udp any any eq domain (38 matches)
70 permit tcp any eq www any
80 permit udp any eq domain any
90 deny ip any any log-input (9096 matches)

Some entries I've added recently, like 7443 and 443.

NATting:

ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.7.254 23 interface GigabitEthernet0/1 23
ip nat inside source static tcp 10.0.7.252 443 interface GigabitEthernet0/1 8443
ip nat inside source static tcp 10.0.7.200 80 interface GigabitEthernet0/1 88
ip nat inside source static tcp 10.0.7.222 8585 interface GigabitEthernet0/1 8585
ip nat inside source static tcp 10.0.7.130 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 10.0.0.2 8585 interface GigabitEthernet0/1 8500
ip nat inside source static tcp 10.0.7.130 6999 interface GigabitEthernet0/1 6999
ip nat inside source static tcp 10.0.7.130 7443 interface GigabitEthernet0/1 7443
ip nat inside source static tcp 10.0.0.23 80 interface GigabitEthernet0/1 8080
ip nat inside source static tcp 10.0.7.130 80 interface GigabitEthernet0/1 80
ip nat inside source static udp 10.0.7.130 5066 interface GigabitEthernet0/1 5066
ip nat inside source list OUTSIDE interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.7.130 1935 interface GigabitEthernet0/1 1935
ip nat inside source static tcp 10.0.7.130 9123 interface GigabitEthernet0/1 9123

Not sure what I'm doing wrong, but it's driving me crazy.

Also one more problem I'm having, but that's probably an ISP issue: I can't reach the server on SSH port 6999 from my home WAN IP, yet when connected to VPN I have no issues, but connecting to the router via telnet works fine from home or VPN. THIS IS REALLY STRANGE.

All help is greatly appreciated.

Accepted Solution

xpace
Level 1

To answer my own question, please see below.

Added:

ip nat inside source static 10.0.7.130 14.200.xx.xx route-map BBB_NAT

ip access-list extended UDP_RTP
permit udp host 10.0.7.130 any range 16384 32768
permit udp host 10.0.7.130 any range 5060 5090

route-map BBB_NAT permit 10
match ip address UDP_RTP

