11-05-2006 07:48 AM - edited 03-03-2019 02:35 PM
I deal with the following issue and hope for assistance:
We use a symmetric DSL line that is connected with a Cisco 1712 router that manages traffic for our Unix servers.
The remote management software we want to use requires access to ports 3283 and 5900. Since the server's firewall is correctly configured but we still can't get access using this software, I feel that the ports of the router are blocked by default.
But how can I check this (I have no experience managing the router over the terminal, and the webpanel of the router shows that the firewall can't be managed this way because of the fact that ACLs have been used)?
Can someone provide me with tips or hints where to look?
11-05-2006 02:36 PM
Tobias
Your description does sound like an access list is blocking those ports. If you will post the config of the router (masking out passwords and sensitive information) we can advise you how to modify the access list to permit those ports.
HTH
Rick
11-05-2006 02:53 PM
Thank you for trying to assist me :-)
Okay, here is the configuration (telnet session opened, command "enable", command "show conf"). If you need anything else, please let me know.
Using 2124 out of 29688 bytes
!
! Last configuration change at 12:08:32 PCTime Tue Sep 19 2006
! NVRAM config last updated at 12:08:44 PCTime Tue Sep 19 2006
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname adsl-gw
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable secret 5 *************************************
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
isdn switch-type basic-net3
!
!
!
!
no crypto isakmp ccm
!
!
!
interface BRI0
no ip address
shutdown
isdn switch-type basic-net3
!
interface FastEthernet0
description zum DSL modem
no ip address
speed auto
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
description LAN
ip address 194.77.x.x.255.255.248
!
interface Dialer1
description T-DSL dialer
ip address negotiated
ip access-group 103 in
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp chap refuse
ppp pap sent-username ******** password 7 **********
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 9
no ip http secure-server
!
!
!
access-list 9 permit 194.77.100.88 0.0.0.7
access-list 101 permit ip any any
access-list 102 permit ip 195.143.235.176 0.0.0.7 any
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 23
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq telnet
access-list 103 permit ip any any
dialer-list 1 protocol ip list 101
!
!
control-plane
!
!
line con 0
password 7 *************************************
login
line aux 0
line vty 0 4
password 7 *************************************
login
!
end
I hope I have removed all passwords, think so (they are replaced by * chars).
11-05-2006 07:01 PM
Tobias
I have looked at the config that you posted and I do not see anything in it that would prevent traffic on the ports that you mention. Is there perhaps some other part of the network that the traffic passes through that could impact it?
Also: the command that you used to get the configuration was show conf. For troubleshooting it is better to use the command show running-config. show conf gets the configuration file that is stored in NVRAM (and is the config that the router would use if it suddenly rebooted). show running-config gets the configuration file that is actually active on the router. It is possible that some configuration changes could have been made but not yet saved to NVRAM. show running-config would see these changes but show conf would not.
HTH
Rick
11-06-2006 05:11 AM
Our network topology is as following:
sDSL ---> Cisco 1712 ---> Switch ---> WLAN (Apple AirPort Extreme)
                                |---> Servers
So when we access our servers we cannot go through the LAN, but use an Internet connection to access them.
The only point I can imagine that interferes is the AirPort station (WLAN router/gateway). But I don't see a configurable firewall there. Just an option to enable SNMP for it, but guess that is not related to this topic.
By the way, here is the output from show running-config:
adsl-gw#show running-config
Building configuration...
Current configuration : 2083 bytes
!
! Last configuration change at 01:16:32 PCTime Sun Nov 5 2006 by adsl07027@viadsl.de
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname adsl-gw
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
enable secret 5 *****
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
isdn switch-type basic-net3
!
!
!
!
no crypto isakmp ccm
!
!
!
interface BRI0
no ip address
shutdown
isdn switch-type basic-net3
!
interface FastEthernet0
description zum DSL modem
no ip address
speed auto
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
description LAN
ip address 194.77.100.89 255.255.255.248
!
interface Dialer1
description T-DSL dialer
ip address negotiated
ip access-group 103 in
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp chap refuse
ppp pap sent-username ******** password 7 ******
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 9
no ip http secure-server
!
!
!
access-list 9 permit 194.77.100.88 0.0.0.7
access-list 101 permit ip any any
access-list 102 permit ip 195.143.235.176 0.0.0.7 any
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 22
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 23
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq telnet
access-list 103 permit ip any any
dialer-list 1 protocol ip list 101
!
!
control-plane
!
!
line con 0
password 7 **********
login
line aux 0
line vty 0 4
password 7 ************
login
!
end
And an off-topic question: Is it possible to configure the router to take the date/time from an NTP server? I noticed that the date stamp is totally wrong, and I only have the ability to synchronize with my local computer when having the webpanel open, which is a bit inconvenient.
11-06-2006 05:17 AM
I also should mention that a port scan done with a network utility results in just showing nothing. After five minutes, I interrupted the process. Maybe it has something to do with it, but I don't think so.
11-06-2006 05:25 AM
Hi,
Configure the following command so that your router will synchronize with an NTP server.
router(config)# ntp server
Hope it helps you.
Thanks,
satish
11-06-2006 10:50 AM
Unfortunately I only have the domain address, not the IP of the server; I guess this was the reason why I failed.
Is it possible to do it also with just the URL?
11-06-2006 01:06 PM
I found the problem finally. It was in the WLAN access station we connected. There I had to enable port forwarding for the specific ports this software uses to the LAN-IP of my computer.
Just one issue left: How safe is it to enable port forwarding? Of course, I ensured that no one can use this remote mgt. software to control my computer, but personally I find it not safe to have open ports. Is there anything I should take care of?
Unfortunately I can't disable them and open them only upon request, because I work daily with this software and so it becomes too inconvenient.
Anyway, thank you for your support by checking my router configuration :-)
11-06-2006 01:28 PM
Tobias
I am glad that you found the problem and fixed it. And I am glad that our discussion was helpful in eliminating potential causes such as the router config. It is frequently an important part of troubleshooting to identify likely sources of the problem, investigate them, realize that they are not really the source of the problem and go on to identify other possible sources of the problem until you get to the actual source of the problem.
And thanks for posting back to the forum indicating that the problem was resolved and what resolved it. It makes the forum more useful when people can read about a problem and can then read about what really solved the problem.
HTH
Rick
11-06-2006 03:01 PM
May I ask you another question: Since I now have to enable port forwarding for two ports, I feel that this could be a potential security risk.
Due to how our network is built, the wireless LAN base station has its own WAN-IP assigned (it is connected to the switch that is connected to the Cisco router).
Is it possible to create an ACL (as was done for ports 22 and 23) that allows access to these ports only from given IP addresses (the ones of our two servers)?
I think that this would make it more secure, because the router would block any accesses to these ports from outside our IP range, wouldn't it?
If so, can you assist me in creating an ACL for this purpose? I would need step-by-step advice for creating an ACL via the terminal and saving it to the router configuration.
11-06-2006 03:34 PM
Hi,
You can create an extended access-list to allow only specific IP addresses to access these ports.
ex: access-list 102 permit tcp tcp source source-wildcard destination destination-wildcard port.
Like that, create access-lists for tcp and udp and apply them on the dialer.
Thanks,
satish
11-06-2006 07:34 PM
Tobias
satish has provided an outline of what you need in the access list. If that is enough to get you going, it is fine. If you need more detailed help, then I need a little clarification from you. Your post mentioned that you need to have access on ports 3283 and 5900 but is not clear whether they are TCP ports or UDP ports. Can you clarify that? Also, am I correct in assuming that 194.77.100.88 0.0.0.7 are the destination addresses you wish to access on those ports? If not, what are the destination addresses? Also we need to know what source addresses you wish to have access on these ports. If you can tell us these details, then I can give you specific details of how to do this and get it into the router.
In general the approach will be to use the existing access list 103 which is applied to the dialer. We will add statements to permit your specified source addresses to your specified destination addresses on the specified ports. Then we will add statements to deny any source addresses to the specified destination addresses on the specified ports. We will need to make sure that these statements come before the general permit in the access list.
HTH
Rick
11-07-2006 04:21 AM
Thank you. Unfortunately I would need instructions for dummies, because I have really no experience with this router configuration.
I answer your questions from your last post in the following; let me know if you need to know anything else.
The ports 3283 and 5900 require both TCP and UDP access.
194.77.100.89 is the IP of the router, 194.77.100.90 of our WLAN gateway (which assigns locally used IPs according to the 10.0.x.x scheme). The two servers are 194.77.100.91 and 194.77.100.92.
So generally all these IPs should be able to share these ports with each other, but do not allow accessing them from "outside" ranges.
Using the existing list 103 is fine; just to note that the existing rules should not get overwritten.
Basically the list 103 already contains a sample (we have blocked ports 21 and 22 to be used only by our IP range, and so I want to do this also with the new ports). Hope this makes sense to you.
11-07-2006 10:56 AM
Tobias
I will be able to give you detailed instructions when we have all the questions answered. You have clarified that the ports need both TCP and UDP, and we will include both. You have clarified that the destination addresses are subnet 194.77.100.88. However, I am still not clear what source addresses should be permitted. Where will you be (on what addresses) when you use this remote management software? The examples you give in access list 103 deny any remote access via telnet or SSH to the destination address. Do you want to deny all remote access on these ports, or are there some addresses that should be permitted?
HTH
Rick
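As an added illustration of the approach Rick outlines (not code from this thread or from Cisco), the following Python script models how IOS walks an extended access list top to bottom and stops at the first matching entry, run over a constructed version of ACL 103 with the new 3283/5900 entries in front of the general permit. It assumes the only permitted sources are the site's own /29 (194.77.100.88 0.0.0.7), which Rick has not yet confirmed, and leaves out the existing port 22/23 deny lines for brevity.

```python
import ipaddress

# Constructed example of what Rick outlines for ACL 103: the new 3283/5900
# entries, placed BEFORE the final "permit ip any any" (the existing 22/23
# deny lines of the posted config are left out here). ASSUMPTION: the only
# permitted sources are the site's own /29, which Rick has not yet confirmed.
ACL_103 = """
access-list 103 permit tcp 194.77.100.88 0.0.0.7 194.77.100.88 0.0.0.7 eq 3283
access-list 103 permit udp 194.77.100.88 0.0.0.7 194.77.100.88 0.0.0.7 eq 3283
access-list 103 permit tcp 194.77.100.88 0.0.0.7 194.77.100.88 0.0.0.7 eq 5900
access-list 103 permit udp 194.77.100.88 0.0.0.7 194.77.100.88 0.0.0.7 eq 5900
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 3283
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 3283
access-list 103 deny tcp any 194.77.100.88 0.0.0.7 eq 5900
access-list 103 deny udp any 194.77.100.88 0.0.0.7 eq 5900
access-list 103 permit ip any any
"""

def _addr(t, i):
    """Parse 'any' or 'ip wildcard' at t[i]; an IOS wildcard 0.0.0.7 is a /29."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    wild = int(ipaddress.IPv4Address(t[i + 1]))
    net = ipaddress.ip_network(f"{t[i]}/{32 - wild.bit_length()}", strict=False)
    return net, i + 2

def parse_acl(text):
    """Turn 'access-list N permit|deny proto src dst [eq port]' lines into tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((t[2] == "permit", t[3], src, dst, port))
    return rules

def allowed(rules, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins, as on IOS; no match at all is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for permit, rproto, src, dst, port in rules:
        if rproto in ("ip", proto) and s in src and d in dst \
                and (port is None or port == dst_port):
            return permit
    return False

# Same entries with the general permit FIRST: it matches everything, so the
# new deny lines never fire. This is why ordering matters on the router.
_l = ACL_103.strip().splitlines()
MISORDERED = "\n".join([_l[-1]] + _l[:-1])
```

On the router, numbered access-list lines are appended in the order they are typed, so getting the general permit last means re-entering the whole list in that order. The list is already bound inbound on Dialer1 by `ip access-group 103 in`, so nothing else needs to change for it to take effect.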