Cisco Support Community
Ports to be unblocked.

I need to allow certain machine IPs (source) to access other IPs (destination) in different classes on the ports 22, 21, 80, 3389, 3000, 443, 8080, 8443 and 8000-65535 through my corporate firewall. Can you please give me the commands to be executed?

Accepted Solution

Re: Ports to be unblocked.

Hi Ravi,

Let's assume your inside interface name is "inside" and your outside interface name is "outside".

Here you need to permit traffic from your destination IPs to your source IPs and also open these ports for that communication.

1. First create an object group for the ports

  object-group service EXTERNAL_TO_INTERNAL tcp
   description EXTERNAL TO INTERNAL
   port-object eq 22
   port-object eq 21
   port-object eq 3389
   port-object eq 3000
   port-object eq 8443
   port-object range 8000 65535

2. Create an object group for the destination IPs

  object-group network DESTINATION_PUBLIC_IPS
   network-object 79.105.0.0 255.255.192.0
   network-object 214.182.224.0 255.255.240.0
   network-object 204.236.128.0 255.255.192.0
   network-object 107.12.0.0 255.255.0.0

3. Create the ACL

  access-list out-in permit tcp object-group DESTINATION_PUBLIC_IPS host 172.19.26.72 object-group EXTERNAL_TO_INTERNAL
  access-list out-in permit tcp object-group DESTINATION_PUBLIC_IPS host 172.19.31.82 object-group EXTERNAL_TO_INTERNAL

4. Bind it to the outside interface (the access-group command needs the ACL name)

  access-group out-in in interface outside

I think it will work. Please try it and rate this post if it is helpful.

Thanks

Vipin

Thanks and Regards, Vipin
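An added check, not part of any post in this thread: before pasting an object-group like the one above into the firewall, it is worth confirming that its network-objects cover exactly the destination ranges that were requested and nothing more, since a summarised mask permits everything in the block. The script below uses only Python's standard ipaddress module; the range values and network-object lines are the ones posted in this thread, and the function names are my own. It reports requested space the object-group misses, space the object-group permits that was never requested, and the minimal set of network-object lines that would match the request exactly.

```python
import ipaddress

# Destination ranges as Ravi posted them in the thread (first and last address).
REQUESTED_RANGES = [
    ("79.105.0.0", "79.105.63.255"),
    ("214.182.224.0", "214.182.239.255"),
    ("204.236.128.0", "204.236.191.255"),
    ("107.12.0.0", "107.12.199.255"),
]

# network-object lines from the accepted solution (address and subnet mask).
PROPOSED_OBJECTS = [
    ("79.105.0.0", "255.255.192.0"),
    ("214.182.224.0", "255.255.240.0"),
    ("204.236.128.0", "255.255.192.0"),
    ("107.12.0.0", "255.255.0.0"),
]


def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks that cover exactly first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def requested_networks(ranges):
    """Collapse all requested ranges into a sorted list of networks."""
    nets = []
    for first, last in ranges:
        nets.extend(range_to_cidrs(first, last))
    return list(ipaddress.collapse_addresses(nets))


def proposed_networks(objects):
    """Parse 'address mask' pairs, as ASA writes them, into networks."""
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=True)
            for addr, mask in objects]


def subtract(nets, others):
    """Address space in nets that lies inside no network of others."""
    remaining = list(nets)
    for other in others:
        next_remaining = []
        for net in remaining:
            if net.subnet_of(other):
                continue                                          # fully covered: drop
            if other.subnet_of(net):
                next_remaining.extend(net.address_exclude(other))  # carve the hole out
            else:
                next_remaining.append(net)                        # disjoint: keep
        remaining = next_remaining
    return list(ipaddress.collapse_addresses(remaining))


def check_coverage(ranges, objects):
    """Return (uncovered, over_permitted) for the proposed object-group."""
    wanted = requested_networks(ranges)
    proposed = proposed_networks(objects)
    return subtract(wanted, proposed), subtract(proposed, wanted)


def render_network_objects(ranges):
    """ASA network-object lines that match the requested ranges exactly."""
    return [f"network-object {n.network_address} {n.netmask}"
            for n in requested_networks(ranges)]


if __name__ == "__main__":
    uncovered, over = check_coverage(REQUESTED_RANGES, PROPOSED_OBJECTS)
    print("requested but not covered:", [str(n) for n in uncovered])
    print("permitted but never requested:", [str(n) for n in over])
    print("\n".join(render_network_objects(REQUESTED_RANGES)))
```

Run against the values posted above, the only finding is that the 255.255.0.0 mask on 107.12.0.0 also permits 107.12.200.0 through 107.12.255.255, which the requester did not ask for; the rendered lines replace that single entry with three exact blocks. The same check works for any object-group that is meant to mirror a list of address ranges.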
5 REPLIES

Ports to be unblocked.

You need to add an ACL to allow these ports. First of all I would like to know the source and destination IPs. It's better if you post your configuration; I will write the ACLs for you and you can simply copy and paste them into your firewall.

Thanks

Ajay


Ports to be unblocked.

Source IPs: 172.19.26.72 (dynamic) and 172.19.31.82

Destination IPs:
  79.105.0.0/18 (79.105.0.0 - 79.105.63.255) [EU]
  214.182.224.0/20 (214.182.224.0 - 214.182.239.255) [US]
  204.236.128.0/18 (204.236.128.0 - 204.236.191.255)
  107.12.0.0 - 107.12.199.255

Ports: 22, 21, 3389, 3000, 8443, 8000-65535

Ports to be unblocked.

I am sure you will already have access-lists applied to your interfaces. If these are fixed Internet IPs, it is better to create an object group.

Here is the sample configuration.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml


Re: Ports to be unblocked.

Hello Ravi,

Adding to these two great answers Ajay and Vipin have provided, I would like to know if the connection is being made from the inside to the outside or from the outside to the inside.

I can see that you want to allow the communication from the private sector to the public sector, so I guess it would be from inside to outside. If this is the case and you do not have any access-list on your inside interface, you do not need to create one, because all connections are allowed when you go from a higher security level to a lower security level.

Please let me know if this is what you are looking for.

Do please rate helpful posts.

Julio!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC