Firewalls and CLI

Answered Question
Mar 15th, 2010

We were not able to set up our UC 520 firewall with CCA to allow port forwarding to a couple of network storage servers and had to use CLI. Now I find that I need to open several ports to test VPN connection kits for a few client networks and even if I wanted to use CCA, our firewall is not recognized by CCA 2.2.2.

What is the downside to opening ports 1723 and 1701 (TCP) as well as 500 and 4500 (UDP) to test VPN connections to other networks from several workstations here in this facility? How difficult is this to do using CLI?

Correct Answer by Marcos Hernandez, Sat, 03/20/2010 - 07:53

All you need to do is add static NAT statements and edit the ACL applied to your FE0/0 interface to allow the new ports.
Example:

!
ip nat inside source static tcp 192.168.10.8 80 interface FastEthernet0/0 1910
!
The above command maps port 1910 to port 80 on internal IP 192.168.10.8.
!
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any host A.B.C.D eq 1910 log
!

The above command allows port 1910 through ACL 104, which is applied in the inbound direction to the WAN interface. In my case, where I use a static public IP, I need to enter A.B.C.D in the ACL entry. If you use a dynamic IP, replace A.B.C.D with the keyword "any".

Remember that every ACL has an implicit deny all at the end, so you will have to make sure your ACE is not placed as the last line.

Marcos
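Applying the recipe above to the ports named in the question, as an added example that is not from the original thread: the internal host 192.168.10.20, the peer network 203.0.113.0/24 and the ACL sequence numbers 15-18 are assumptions; FastEthernet0/0 and ACL 104 are the interface and ACL Marcos describes. The ACEs are inserted with sequence numbers so they land ahead of any trailing deny, and the source is narrowed to the known peer network instead of "any", since each static NAT entry exposes that internal service to whatever the ACL lets through.

```cisco
! Added example (not from the thread). Assumed values: internal host
! 192.168.10.20, peer network 203.0.113.0/24, sequence numbers 15-18.
!
! Static PAT on the WAN interface address: one line per port, same port
! number inside and outside (Marcos's example uses 1910 -> 80 instead).
ip nat inside source static tcp 192.168.10.20 1723 interface FastEthernet0/0 1723
ip nat inside source static udp 192.168.10.20 1701 interface FastEthernet0/0 1701
ip nat inside source static udp 192.168.10.20 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.10.20 4500 interface FastEthernet0/0 4500
!
! Edit numbered ACL 104 through "ip access-list" so each ACE carries a
! sequence number and is inserted before any trailing "deny ip any any".
! A plain "access-list 104 permit ..." line always appends after the
! last existing entry, i.e. after such a deny, where it would never match.
! Pick sequence numbers that do not collide with those shown by
! "show access-lists 104" and that sort before the deny entries.
! Destination "any" covers a dynamic WAN IP; use "host A.B.C.D" if static.
ip access-list extended 104
 15 permit tcp 203.0.113.0 0.0.0.255 any eq 1723 log
 16 permit udp 203.0.113.0 0.0.0.255 any eq 1701 log
 17 permit udp 203.0.113.0 0.0.0.255 any eq isakmp log
 18 permit udp 203.0.113.0 0.0.0.255 any eq non500-isakmp log
 exit
end
!
! Note: PPTP also carries its tunnel data in GRE (IP protocol 47), which
! is not a TCP/UDP port and is not covered by the lines above.
!
! Verify placement, then check hit counts after a connection attempt.
show ip interface FastEthernet0/0 | include access list
show access-lists 104
show ip nat translations
```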

JOHN NIKOLATOS Sun, 03/21/2010 - 14:13

Sounds like these are outbound connections to a VPN server from your internal network out to the internet? By default all protocols are let outbound already. Did you try the connections?

dhankins1 Mon, 03/22/2010 - 06:28

The issue is actually user authentication. I can use the same computer and create a VPN tunnel to the same destination using a different internet connection (I "borrowed" a neighboring office's for a minute) and it works fine. From behind our UC 520 I get an authentication failure. I am pretty sure that the authentication traffic goes through port 1723 for PPTP and 1701 for L2TP, so I wanted to open them up to the outside. Just want to make sure we go about it correctly.

