We were not able to set up our UC 520 firewall with CCA to allow port forwarding to a couple of network storage servers and had to use CLI. Now I find that I need to open several ports to test VPN connection kits for a few client networks and even if I wanted to use CCA, our firewall is not recognized by CCA 2.2.2.
What is the downside to opening ports 1723 and 1701 (TCP) as well as 500 and 4500 (UDP) to test VPN connections to other networks from several workstations here in this facility? How difficult is this to do using CLI?
All you need to do is add static NAT statements and edit the ACL applied to your FE0/0 interface to allow the new ports.
ip nat inside source static tcp 192.168.10.8 80 interface FastEthernet0/0 1910
The above command maps port 1910 on the WAN interface to port 80 on internal IP 192.168.10.8.
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any host A.B.C.D eq 1910 log
The above command allows port 1910 through ACL 104, which is applied in the inbound direction to the WAN interface. In my case where I use a static public IP I need to enter A.B.C.D in the ACL entry. If you use a dynamic IP, replace A.B.C.D with the keyword "any".
Remember that every ACL has an implicit deny all at the end, so you will have to place your ACE so that it is not the last line.
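Putting the answer's two steps together for the ports the question actually asks about, here is an added example configuration (not code from the answer above or from Cisco). It assumes the same layout the answer uses: one internal host 192.168.10.8 that will receive the VPN test traffic, the WAN interface FastEthernet0/0 holding the static public address A.B.C.D, and ACL 104 already applied inbound on that interface with its first existing entry at sequence 10. L2TP runs over UDP 1701 (the question says TCP), so UDP is what is forwarded here.

```cisco
! Added example, not part of the original answer. Assumed values:
!   inside host  : 192.168.10.8
!   WAN interface: FastEthernet0/0 with static public IP A.B.C.D
!   inbound ACL  : 104, first existing entry at sequence 10
!
! Step 1: static port forwards (same form as the answer's port 1910 line)
ip nat inside source static tcp 192.168.10.8 1723 interface FastEthernet0/0 1723
ip nat inside source static udp 192.168.10.8 1701 interface FastEthernet0/0 1701
ip nat inside source static udp 192.168.10.8 500  interface FastEthernet0/0 500
ip nat inside source static udp 192.168.10.8 4500 interface FastEthernet0/0 4500
!
! Step 2: permit the same ports through the inbound WAN ACL.
! "access-list 104 permit ..." only appends to the end of the list, i.e.
! after any explicit deny already present. Entering the list in
! ip access-list mode lets you give each ACE a sequence number so it lands
! ahead of the existing entries (5-8 assumes the first existing entry is 10).
! The ACL is evaluated before NAT, so match on the public address A.B.C.D
! (or "any" on a dynamic WAN address), as the answer notes.
ip access-list extended 104
 5 permit tcp any host A.B.C.D eq 1723 log
 6 permit udp any host A.B.C.D eq 1701 log
 7 permit udp any host A.B.C.D eq 500 log
 8 permit udp any host A.B.C.D eq 4500 log
!
! Step 3: verify ordering and translations
do show ip access-lists 104
do show ip nat translations
```

Two points worth checking before relying on this: the `show ip access-lists 104` output must list the new entries above the deny, and PPTP also needs GRE (IP protocol 47), which has no port and therefore cannot be forwarded with a `static tcp`/`static udp` translation; it would need a plain one-to-one static translation for the inside host instead.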