Ports to be unblocked.

Ravichandra T
Level 1

I need to provide access for certain machine IPs (source) to other IPs (destination) of different classes on the ports 22, 21, 80, 3389, 3000, 443, 8080, 8443, 8000-65535 in my corporate firewall. Can you please give me the commands to be executed?

1 Accepted Solution

5 Replies

ajay chauhan
Level 7

You need to add an ACL to allow these ports. First of all I would like to know the source and destination IPs. It's better if you post your configuration; I will write the ACLs for you and you can simply copy and paste them into your firewall.

Thanks

Ajay

source IPs: 172.19.26.72 (dynamic) and 172.19.31.82

destination IPs:
79.105.0.0/18 (79.105.0.0 - 79.105.63.255) [EU]
214.182.224.0/20 (214.182.224.0 - 214.182.239.255) [US]
204.236.128.0/18 (204.236.128.0 - 204.236.191.255)
107.12.0.0 - 107.12.199.255

ports: 22, 21, 3389, 3000, 8443, 8000-65535

I am sure you will already have access-lists applied to interfaces. If these are fixed internet IPs it is better to create an object group.

Here is the sample configuration.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

Hi Ravi,

Let's assume your inside interface name is "inside" and your outside interface name is "outside".

Here you need to permit traffic from your destination IPs to your source IPs and also open these ports for that communication.

1. First create an object group for the ports

object-group service EXTERNAL_TO_INTERNAL tcp
 description EXTERNAL TO INTERNAL
 port-object eq 22
 port-object eq 21
 port-object eq 3389
 port-object eq 3000
 port-object eq 8443
 port-object range 8000 65535

2. Create an object group for the destination IPs

object-group network DESTINATION_PUBLIC_IPS
 network-object 79.105.0.0 255.255.192.0
 network-object 214.182.224.0 255.255.240.0
 network-object 204.236.128.0 255.255.192.0
 network-object 107.12.0.0 255.255.128.0
 network-object 107.12.128.0 255.255.192.0
 network-object 107.12.192.0 255.255.248.0

3. Create the ACL

access-list out-in permit tcp object-group DESTINATION_PUBLIC_IPS host 172.19.26.72 object-group EXTERNAL_TO_INTERNAL
access-list out-in permit tcp object-group DESTINATION_PUBLIC_IPS host 172.19.31.82 object-group EXTERNAL_TO_INTERNAL

4. Bind it to the outside interface

access-group out-in in interface outside

I think it will work. Please try it and rate this post if it is helpful.

Thanks

Vipin

Thanks and Regards, Vipin

Hello Ravi,

Adding to the two great answers Ajay and Vipin have provided, I would like to know if the connection is being made from the inside to the outside or from the outside to the inside.

I can see that you want to allow the communication from the private sector to the public sector, so I guess it would be from inside to outside. If this is the case and you do not have any access-list on your inside interface, you do not need to create one, because all connections are allowed when you go from a higher security level to a lower security level.

Please let me know if this is what you are looking for.

Do please rate helpful posts.

Julio!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
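The procedure in Vipin's reply (service object group, network object group, ACL, access-group binding) and the direction question in Julio's reply can be put together in one generator. The script below is an added example, not configuration posted by anyone in this thread: it takes the sources, destination ranges and ports Ravi listed, emits the ASA CLI lines for either direction, and handles two things the hand-written version gets wrong or leaves redundant. The 107.12.0.0 - 107.12.199.255 range is not a single CIDR block, so a /16 mask would also permit 107.12.200.0 - 107.12.255.255; the script splits it into the exact /17 + /18 + /21. Port 8443 already lies inside 8000-65535, so it is dropped from the service group. The object-group and ACL names (ALLOWED_TCP_PORTS, DESTINATION_PUBLIC_IPS, INTERNAL_HOSTS, inside_access_in, outside_access_in) are assumptions.

```python
"""Generate Cisco ASA object groups and ACL lines for the request in this thread.

Added example, not configuration posted by anyone in the thread. The object-group
and ACL names (ALLOWED_TCP_PORTS, DESTINATION_PUBLIC_IPS, INTERNAL_HOSTS,
inside_access_in, outside_access_in) are assumptions.
"""
import ipaddress

# Constructed input, copied from the request in the thread.
SOURCE_HOSTS = ["172.19.26.72", "172.19.31.82"]
DESTINATION_RANGES = [  # inclusive (first, last) pairs; the last one is not CIDR-aligned
    ("79.105.0.0", "79.105.63.255"),
    ("214.182.224.0", "214.182.239.255"),
    ("204.236.128.0", "204.236.191.255"),
    ("107.12.0.0", "107.12.199.255"),
]
PORTS = [22, 21, 3389, 3000, 8443, (8000, 65535)]  # ints or (low, high) tuples


def range_to_networks(first, last):
    """Split an inclusive address range into the minimal list of CIDR blocks.
    107.12.0.0-107.12.199.255 becomes /17 + /18 + /21 rather than a /16 that
    would also permit 107.12.200.0-107.12.255.255, which nobody asked for."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def normalise_ports(ports):
    """Return (singles, ranges); singles already inside a range are dropped so the
    service group carries no redundant entries (8443 lies inside 8000-65535)."""
    ranges = sorted(p for p in ports if isinstance(p, tuple))
    singles = sorted({p for p in ports if isinstance(p, int)
                      and not any(lo <= p <= hi for lo, hi in ranges)})
    return singles, ranges


def build_config(direction, src_hosts, dst_ranges, ports,
                 inside="inside", outside="outside"):
    """Return ASA CLI lines. direction is 'inside_to_outside' (internal hosts
    initiate, ACL bound inbound on the inside interface) or 'outside_to_inside'
    (public ranges initiate, ACL bound inbound on the outside interface)."""
    singles, ranges = normalise_ports(ports)
    lines = ["object-group service ALLOWED_TCP_PORTS tcp"]
    lines += [f" port-object eq {p}" for p in singles]
    lines += [f" port-object range {lo} {hi}" for lo, hi in ranges]
    lines.append("object-group network DESTINATION_PUBLIC_IPS")
    for first, last in dst_ranges:
        for net in range_to_networks(first, last):
            lines.append(f" network-object {net.network_address} {net.netmask}")
    lines.append("object-group network INTERNAL_HOSTS")
    lines += [f" network-object host {h}" for h in src_hosts]
    if direction == "inside_to_outside":
        acl, iface = "inside_access_in", inside
        src, dst = "INTERNAL_HOSTS", "DESTINATION_PUBLIC_IPS"
    elif direction == "outside_to_inside":
        acl, iface = "outside_access_in", outside
        src, dst = "DESTINATION_PUBLIC_IPS", "INTERNAL_HOSTS"
    else:
        raise ValueError(f"unknown direction {direction!r}")
    # A tcp service object-group sits in the destination-port position of the ACE.
    lines.append(f"access-list {acl} extended permit tcp object-group {src} "
                 f"object-group {dst} object-group ALLOWED_TCP_PORTS")
    # access-group needs the ACL name; "access-group in interface outside" alone is rejected.
    lines.append(f"access-group {acl} in interface {iface}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_config("inside_to_outside", SOURCE_HOSTS,
                                 DESTINATION_RANGES, PORTS)))
```

Two caveats before pasting the output into a firewall. Binding an ACL to the inside interface replaces the default higher-to-lower permit with an implicit deny, so every other outbound flow from that interface must also be covered by the ACL or it stops working. For the outside-to-inside direction the 172.19.x hosts are private addresses, so they also need a static NAT to be reachable, and on ASA 8.3 and later the ACL must name the real (untranslated) address, as generated here, while older releases expect the mapped address.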