Cisco Support Community

New Member

CLI command to open ports 80, 443 and 1882

I need to open ports 80, 443 and 1882 to a specific external client (IP address). Can someone help me with the commands for that please?

8 REPLIES
New Member

Re: CLI command to open ports 80, 443 and 1882

If the client has public IP 123.123.123.123 and the server is located inside the network and has the IP 10.10.10.10, this is the config, if you are using an ASA:


!
object network CLIENT-OBJ
     description --- The client ----
     host 123.123.123.123
!

object network SERVER-OBJ
     description --- The inside server  ----
     host 10.10.10.10
     nat (inside,outside) static CLIENT-OBJ
!

object-group service SERVICES-TCP-OBJ tcp
     description --- Services TCP published ----
     port-object eq  80
     port-object eq  443
     port-object eq  1882
!
!
!
access-list OUTSIDE-IN-ACL extended permit tcp object CLIENT-OBJ object SERVER-OBJ object-group SERVICES-TCP-OBJ

access-group OUTSIDE-IN-ACL in interface outside
!

Samuel Petrescu

New Member

Re: CLI command to open ports 80, 443 and 1882

Thanks. Is the host IP my external IP or the internal IP of a particular client? I need to do this to permit VoIP traffic to some tablets that are connected wirelessly to the internal network and have IPs dynamically assigned by DHCP.

New Member

Re: CLI command to open ports 80, 443 and 1882

You need to be more specific.

No, this config allows the client outside the network with public IP 123.123.123.123 to access a host inside your network that has private IP 10.10.10.10 on TCP ports 80, 443 and 1882.

New Member

Re: CLI command to open ports 80, 443 and 1882

Sorry about that. So is it possible to open those ports up to the whole range of DHCP assigned IPs as I described?

Re: CLI command to open ports 80, 443 and 1882

Hello Joel,

It is possible, but you will need to configure some NAT rules and ACLs permitting that traffic, just as Samuel showed you.

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Re: CLI command to open ports 80, 443 and 1882

If the traffic is initiated from outside (internet) to your tablets, inside your network:

     This requires one-to-one public-IP -> private-IP mappings.

     You need to have one public IP for each tablet.

If the problem is the reverse, with tablets from inside trying to access an outside public IP on specific ports, this is easy and possible.
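
The one-to-one mapping requirement described in the reply above, as an added example that is not part of the original thread: a Python generator that emits ASA-style object NAT and ACL lines in the syntax of the config posted earlier, and refuses to proceed when there are fewer public addresses than inside hosts. The names TABLETS-GRP and TABLET-n-OBJ and all addresses are constructed assumptions.

```python
import ipaddress

PORTS = (80, 443, 1882)  # TCP ports requested in the thread


def ip_range(first, last):
    """Inclusive list of IPv4 addresses from first to last."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]


def build_config(client_ip, inside_hosts, public_pool):
    """Return ASA-style lines: one static NAT per inside host, and one ACL
    entry limited to a single outside client and the listed TCP ports."""
    if len(public_pool) < len(inside_hosts):
        raise ValueError(
            f"{len(inside_hosts)} inside hosts need {len(inside_hosts)} public "
            f"addresses, only {len(public_pool)} available")
    lines = ["object network CLIENT-OBJ", f" host {client_ip}",
             "object-group service SERVICES-TCP-OBJ tcp"]
    lines += [f" port-object eq {p}" for p in PORTS]
    lines.append("object-group network TABLETS-GRP")  # hypothetical name
    nat = []
    for n, (real, mapped) in enumerate(zip(inside_hosts, public_pool), 1):
        lines.append(f" network-object host {real}")
        # Hypothetical per-host object carrying the one-to-one static NAT.
        nat += [f"object network TABLET-{n}-OBJ", f" host {real}",
                f" nat (inside,outside) static {mapped}"]
    lines += nat
    lines.append("access-list OUTSIDE-IN-ACL extended permit tcp object "
                 "CLIENT-OBJ object-group TABLETS-GRP "
                 "object-group SERVICES-TCP-OBJ")
    lines.append("access-group OUTSIDE-IN-ACL in interface outside")
    return lines


if __name__ == "__main__":
    # Constructed sample values: private and RFC 5737 documentation addresses.
    tablets = ip_range("192.168.1.100", "192.168.1.102")
    pool = ip_range("203.0.113.10", "203.0.113.12")
    print("\n".join(build_config("198.51.100.7", tablets, pool)))
```

The ACL stays scoped to the single outside client and the three TCP ports, so adding inside hosts widens only the destination group, not the permitted source.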

      

New Member

Re: CLI command to open ports 80, 443 and 1882

OK, I think the first suggestion may have been almost correct then, thanks.  But if I wanted to add more than one internal host (in fact all in the range 192.168.1.100 to 149) is there a way to do that or will I have to create 50 object network SERVER-OBJ? 

My wireless router is plugged into one port on the 819 ISR, my main router/firewall.  Can I configure that port to have a narrower IP range and just add those to the solution?

For completeness my VoIP host is on an external IP address xxx.xxx.xxx.xxx and I want to permit inbound and outbound traffic across ports 80, 443 and 1882 to any tablet on the internal subnet 192.168.1.aaa to bbb.  Hope this is clearer now and thanks to everyone who has helped so far.

New Member

Re: CLI command to open ports 80, 443 and 1882

Hi,

I tried entering the script suggested by Samuel.  Unfortunately the command "nat" after object network SERVER-OBJ is not recognised by my CLI.  These are the only supported commands:

Network object group configuration commands:

  A.B.C.D       Network address of the group members

  any           Any host

  description   Network object group description

  exit          Exit from IP policy-group configuration mode

  group-object  Nested object group

  host          Host address of the object-group member

  no            Negate or set default values of a command

  range         Match only packets in the range of IP address
