01-25-2010 02:41 PM - edited 03-21-2019 02:04 AM
I need to allow port 8000 outbound but the interface is not using an access list but the ip inspect sdm_low out. Due to changes made to the config it is not compatible with CCA. How can I open that port or any other port without upsetting the whole system?
Thanks
01-25-2010 03:57 PM
This depends on the configuration of the interface. You can add ip inspect commands to sdm_low. You can also create your own services through the ip port-map command.
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1049229
and
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1051510
I think this would work by default outbound. Inbound is a different story.
For inbound traffic, it depends on what ACL is applied to your interface, and then you have to add your line to the ACL.
My access-list ends in the following sequence.
140 deny ip 10.0.0.0 0.255.255.255 any
150 deny ip 172.16.0.0 0.15.255.255 any
160 deny ip 192.168.0.0 0.0.255.255 any
170 deny ip 127.0.0.0 0.255.255.255 any
180 deny ip host 255.255.255.255 any
190 deny ip host 0.0.0.0 any
200 deny ip any any log
It would be best to add them in before this section of the ACL.
Also, you probably are going to need a static nat entry, something like the following...
ip nat inside source static tcp 10.1.10.1 80 interface FastEthernet0/0 80
This entry translates destination port 80 on the outside interface to 10.1.10.1 port 80. For this to work, my ACL on the outside interface has already opened port 80. Say you need to use the same destination port on a few different web servers; you could do this.
ip nat inside source static tcp 10.1.10.1 80 interface FastEthernet0/0 81
Now, outside port 81 is changed to 80. Again, an ACL would be needed to allow the traffic in.
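Pulling the pieces of the reply above together as one worked configuration. This is an added example, not part of either post: it assumes the classic IOS CBAC setup the thread describes (ip inspect sdm_low out on the outside interface, FastEthernet0/0), an inbound ACL on that interface whose name is assumed here to be OUTSIDE_IN and that is already applied with "ip access-group OUTSIDE_IN in", an inside server at 10.1.10.1, and that sequence number 135 in the ACL is unused. <OUTSIDE_IP> is a placeholder for the outside interface address.

```cisco
! Added example (not from the original posts). Assumptions: outside
! interface FastEthernet0/0 with "ip inspect sdm_low out", inbound ACL
! named OUTSIDE_IN already applied on it, inside server 10.1.10.1,
! sequence 135 free. <OUTSIDE_IP> is a placeholder.

! 1. Give TCP/8000 an application name so it can be inspected explicitly.
!    User-defined port-map names must begin with "user-".
ip port-map user-app8000 port tcp 8000

! 2. Add that application to the existing inspection rule. The generic
!    "tcp" entry that sdm_low normally carries already covers outbound
!    8000, so this line only makes the intent visible in the config.
ip inspect name sdm_low user-app8000

! 3. Inbound: permit the port BEFORE the anti-spoofing denies that start
!    at sequence 140, so the deny lines (and the "deny ip any any log" at
!    200) keep doing their job for everything else. The inbound ACL is
!    evaluated before NAT, so it must match the outside (global) address,
!    not the inside address 10.1.10.1.
ip access-list extended OUTSIDE_IN
 135 permit tcp any host <OUTSIDE_IP> eq 8000

! 4. Static port translation: <OUTSIDE_IP>:8000 -> 10.1.10.1:8000.
ip nat inside source static tcp 10.1.10.1 8000 interface FastEthernet0/0 8000

! Checks after applying:
!   show ip port-map user-app8000
!   show ip inspect config
!   show ip access-lists OUTSIDE_IN
!   show ip nat translations
```

The ACL entry is deliberately narrow (one destination host, one port); widening it to "permit tcp any any eq 8000" would also let the port through to any address behind the interface that NAT happens to expose, and the per-line logging at sequence 200 would no longer tell you about it.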