Firewalls and CLI

dhankins1
Level 1

We were not able to set up our UC 520 firewall with CCA to allow port forwarding to a couple of network storage servers and had to use CLI. Now I find that I need to open several ports to test VPN connection kits for a few client networks and even if I wanted to use CCA, our firewall is not recognized by CCA 2.2.2.

What is the downside to opening ports 1723 and 1701 (TCP) as well as 500 and 4500 (UDP) to test VPN connections to other networks from several workstations here in this facility? How difficult is this to do using CLI?

Accepted Solution

All you need to do is add static NAT statements and edit the ACL applied to your FE0/0 interface to allow the new ports.


Example:

!
ip nat inside source static tcp 192.168.10.8 80 interface FastEthernet0/0 1910
!

The above command maps port 1910 to port 80 on internal IP 192.168.10.8.

!
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any host A.B.C.D eq 1910 log
!

The above command allows port 1910 through ACL 104, which is applied in the inbound direction to the WAN interface. In my case, where I use a static public IP, I need to enter A.B.C.D in the ACL entry. If you use a dynamic IP, replace A.B.C.D with the keyword "any".

Remember that every ACL has an implicit deny all at the end, so you will have to place your ACE not as the last line.

Marcos
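An added consistency check, not from Marcos's post or from Cisco: a Python script that parses static NAT statements and numbered ACL entries written in the style of the answer above and reports, for each forwarded port, whether the ACL applied inbound on the WAN interface permits it, evaluating entries top-down and falling through to the implicit deny the way IOS does. The config text is constructed for the example, with 203.0.113.10 standing in for A.B.C.D.

```python
import re

# Constructed sample config modelled on the answer above (not a real device dump).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 203.0.113.10 255.255.255.248
 ip access-group 104 in
ip nat inside source static tcp 192.168.10.8 80 interface FastEthernet0/0 1910
ip nat inside source static tcp 192.168.10.9 1723 interface FastEthernet0/0 1723
ip nat inside source static udp 192.168.10.9 4500 interface FastEthernet0/0 4500
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any host 203.0.113.10 eq 1910 log
access-list 104 permit tcp any host 203.0.113.10 eq 1723
access-list 104 deny ip any any log
"""

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) \S+ \d+ interface (\S+) (\d+)")
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (tcp|udp|ip) (?:any|host \S+) (?:any|host \S+)(?: eq (\d+))?")
IFACE_RE = re.compile(r"^interface (\S+)")
GROUP_RE = re.compile(r"^\s+ip access-group (\S+) in\b")

def check_forwards(config):
    """Map (proto, outside_port) -> 'permitted' | 'denied' | 'no-acl' for each static forward."""
    acls, inbound, nats, iface = {}, {}, [], None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            iface = m.group(1)                     # entering an interface block
        elif (m := GROUP_RE.match(line)) and iface:
            inbound[iface] = m.group(1)            # ACL applied inbound on this interface
        elif m := NAT_RE.match(line):
            nats.append(m.groups())                # (proto, wan interface, outside port)
        elif m := ACE_RE.match(line):
            name, action, proto, port = m.groups() # port is None for entries without "eq"
            acls.setdefault(name, []).append((action, proto, port))
    verdicts = {}
    for proto, wan, port in nats:
        acl = inbound.get(wan)
        if acl is None:
            verdicts[(proto, int(port))] = "no-acl"
            continue
        verdict = "denied"                         # implicit deny at the end of every ACL
        for action, ace_proto, ace_port in acls.get(acl, []):
            if ace_proto in (proto, "ip") and ace_port in (port, None):
                verdict = "permitted" if action == "permit" else "denied"
                break                              # first matching ACE wins, top-down
        verdicts[(proto, int(port))] = verdict
    return verdicts
```

In the sample, the UDP 4500 forward has a NAT statement but no matching ACE, so it hits the explicit deny at the end and is reported as denied, which is exactly the gap the answer warns about.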


3 Replies

JOHN NIKOLATOS
Level 3

Sounds like these are outbound connections to a VPN server from your internal network out to the internet? By default all protocols are let outbound already. Did you try the connections?

The issue is actually user authentication. I can use the same computer and create a VPN tunnel to the same destination using a different internet connection (I "borrowed" a neighboring office's for a minute) and it works fine. From behind our UC 520 I get an authentication failure. I am pretty sure that the authentication traffic goes through port 1723 for PPTP and 1701 for L2TP, so I wanted to open them up to the outside. Just want to make sure we go about it correctly.
