How to open an outbound port on the UC520 firewall without changing the firewall setting in CCA

eoncablewire · ‎01-25-2010

I need to allow port 8000 outbound but the interface is not using an access list but the ip inspect sdm_low out. Due to changes made to the config it is not compatible with CCA. How can I open that port or any other port without upsetting the whole system?

Thanks

Steven Smith · ‎01-25-2010

This depends on the configuration of the interface. You can add ip inspect commands to sdm_low. You can also create your own services through the ip port-map command.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1049229

and

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1051510

I think this would work by default outbound. Inbound is a different story.

For inbound traffic, it depends on what ACL is applied to your interface, and then you have to add your line to the ACL.

My access-list ends in the following sequence.

140 deny ip 10.0.0.0 0.255.255.255 any

150 deny ip 172.16.0.0 0.15.255.255 any

160 deny ip 192.168.0.0 0.0.255.255 any

170 deny ip 127.0.0.0 0.255.255.255 any

180 deny ip host 255.255.255.255 any

190 deny ip host 0.0.0.0 any

200 deny ip any any log

It would be best to add them in before this section of the ACL.

Also, you probably are going to need a static nat entry, something like the following...

ip nat inside source static tcp 10.1.10.1 80 interface FastEthernet0/0 80

This entry opens translates the destination port 80 on the outside interface to 10.1.10.1 and port 80. For this to work, my ACL on the outside interface has already opened port 80. Say you need to use the same destination port on a few different web servers, you could do this.

ip nat inside source static tcp 10.1.10.1 80 interface FastEthernet0/0 81

Now, outside port 81 is changed to 80. Again, an ACL would be needed to allow the traffic in.