
Unsecured firewall?


This has to be an easy one...

I have it connected to DSL on a subnet

The main IP (113) needs to be stealthed with SSH open, 114 needs Asterisk on TCP 5060 open, everything else stealthed, and 118 has a web server.

After 10 very difficult days with a new 877, I still cannot get the firewall into stealth mode only (all ports closed). Also, I cannot seem to be able to allow any 80 or 5060 traffic in.

The bits of my config are:

interface Dialer0
 description Internet
 ip address
 ip access-group 150 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 7 mypassword
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 5060 5060 extendable
ip nat inside source static tcp 80 80 extendable
!
logging trap debugging
!
access-list 1 remark NAT ACCESS
access-list 1 permit
access-list 23 remark MANAGEMENT LIST
access-list 23 permit
! ACL 150 is applied inbound on Dialer0; entries are tested top to bottom, first match wins
access-list 150 remark INBOUND CONNECTIONS
access-list 150 permit tcp any host eq www
access-list 150 permit ip any host
access-list 150 deny ip any
access-list 150 deny ip any
access-list 150 deny ip any
access-list 150 deny ip any
access-list 150 deny ip host any
access-list 150 deny ip host any
! final entry: anything not matched above is permitted
access-list 150 permit ip any any
!
dialer-list 1 protocol ip permit
no cdp run

(I still cannot find any docs on that are in any way comprehensible)

BTW, SDM doesn't seem to work so I am forced into the rather cryptic CLI
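The configuration below is an added example written for this thread; it is not the poster's running config and not something from the replies. It shows the shape of an 877 setup that does what the first post asks for: an inbound ACL on Dialer0 that ends in a deny (the posted ACL 150 ends in `permit ip any any`, so anything not explicitly denied gets through), stateful inspection (CBAC) so that replies to connections started from the LAN are still let back in past that deny, static NAT for the two servers, and SSH-only management. Every address is an assumption: the post only shows the last octets 113, 114 and 118, so the example uses 192.0.2.112/29 (RFC 5737 documentation space) as the public block routed down the PPP link by the ISP, with 192.168.1.0/24 as the inside LAN, 192.168.1.14 as the Asterisk box and 192.168.1.18 as the web server. The inspection rule name `FWOUT` and the RTP range 10000-20000 (Asterisk's default rtp.conf) are likewise assumptions.

```cisco
! Added example, not the poster's config. Assumed addressing:
!   192.0.2.112/29  public block routed to this router's PPP session
!   192.0.2.113     the router itself (Dialer0 address)
!   192.0.2.114     public address for the Asterisk box (inside 192.168.1.14)
!   192.0.2.118     public address for the web server   (inside 192.168.1.18)
!
! 1. Stateful inspection (CBAC). Sessions started from the inside open
!    temporary holes in the inbound ACL for their return traffic.
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
!
! 2. Inbound ACL: rebuild 150 from scratch so the old "permit ip any any"
!    is gone. Only the listed services are reachable; the last line drops
!    everything else. Drops are silent because "no ip unreachables" is
!    already set on Dialer0, which is what "stealthed" amounts to.
no access-list 150
access-list 150 remark INBOUND CONNECTIONS (WAN -> us)
! management: SSH to the router's own address only (ACL 23 narrows the source)
access-list 150 permit tcp any host 192.0.2.113 eq 22
! Asterisk: SIP signalling on TCP as asked for, plus UDP 5060 (the usual
! SIP transport) and the RTP media range, all assumptions about the PBX setup
access-list 150 permit tcp any host 192.0.2.114 eq 5060
access-list 150 permit udp any host 192.0.2.114 eq 5060
access-list 150 permit udp any host 192.0.2.114 range 10000 20000
! web server
access-list 150 permit tcp any host 192.0.2.118 eq www
! anti-spoofing: nothing arriving from the WAN may carry an inside source
access-list 150 deny   ip 192.168.1.0 0.0.0.255 any
access-list 150 deny   ip 127.0.0.0 0.255.255.255 any
! explicit catch-all; "log" is optional but shows what is knocking
access-list 150 deny   ip any any log
!
! 3. NAT. The Asterisk box gets a one-to-one static mapping because RTP
!    uses a whole port range; the web server only needs port 80 forwarded.
!    The ACL above, not the NAT entry, decides what is actually reachable.
ip nat inside source static 192.168.1.14 192.0.2.114
ip nat inside source static tcp 192.168.1.18 80 192.0.2.118 80 extendable
!
! 4. Apply on the WAN interface: ACL inbound, inspection outbound
interface Dialer0
 ip access-group 150 in
 ip inspect FWOUT out
!
! 5. Management: SSH only, no plaintext HTTP, sources limited by ACL 23
no ip http server
ip http secure-server
ip domain-name example.invalid
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 access-class 23 in
 transport input ssh
 login local
```

Two things to check after applying this: `show ip inspect sessions` should list outbound LAN connections while they are open (if it is empty, inspection is not on the interface and a deny-all ACL will break outbound browsing), and `show access-lists 150` should show hit counts only on the permit lines you expect, with everything else landing on the final deny. If the ISP does not route the public block to the PPP session, the .114 and .118 mappings will never see traffic and the port-level statics have to point at the Dialer0 address instead.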




Re: Unsecured firewall?

Basically, what you will need to do varies a little depending on your setup, but you will need to set up an access-list to allow ports 5060, 80, 137, 138, and 139 through the PIX. Here is a design guide on it

On your config, I take it is probably your WINS. I'm not sure who is the PDC and who is the WINS. Your ACLs are a little confusing because you have the same network in both parts of the ACL.

Since I cannot open the VSDs that you sent, I am not sure what you are referencing with the addresses.