From technical user, open port 873 on cisco 1921


Published in: Technology

Transcript

From Technical User: Open Port 873 on Cisco 1921

Caskibum's problem of opening port 873 on a Cisco 1921:

I have a Cisco 1921 and need to open ports 22 (SSH) and 873 (rsync) to run an rsync server on my network, and the rest of the network needs standard "internet" access. I am fairly new to Cisco ACLs and so I expect I'm doing something stupid but not sure what.

When I add the ip access-group XXX in / out to the gig0/0 interface, I lose all www functionality at that point.

Here is my current (working) config with the ACLs listed (101 and 102) but not enabled on the gig0/0 interface. I have tried the "established" statement at the start and end of the 101 list, no difference.

Thanks for any help!

Router#show run
Building configuration...

Current configuration : 2675 bytes
!
! Last configuration change at 15:03:45 UTC Sun Dec 18 2011 by
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Sx2k$wiHT8Af585IB/HsSZkwC61
enable password 7 073E325F19190C1D47
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.0.1 10.1.0.149
ip dhcp excluded-address 10.1.0.200 10.1.0.254
!
ip dhcp pool net_dhcp
 import all
 network 10.1.0.0 255.255.255.0
 default-router 10.1.0.1
 lease 0 0 5
!
!
no ip domain lookup
ip domain name treeskier.ca
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FGL15092836
!
!
username blah password blahblah
!
!
ip ssh version 2
!
!
interface GigabitEthernet0/0
 description Internet
 ip dhcp client update dns
 ip address dhcp
 ip nat outside
! ip access-group 101 in
! ip access-group 102 out
! once I turn these on, it all dies.
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1
 description internal
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.1.0.102 873 interface GigabitEthernet0/0 873
ip nat inside source static tcp 10.1.0.102 22 interface GigabitEthernet0/0 22
!
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 remark INSIDE_IF=gig0/1
access-list 101 permit tcp any 10.1.0.0 0.0.0.255 established
access-list 101 permit tcp any host 10.1.0.102 eq 22
access-list 101 permit udp any host 10.1.0.102 eq 22
access-list 101 permit tcp any host 10.1.0.102 eq 873
access-list 101 permit udp any host 10.1.0.102 eq 873
access-list 102 permit tcp 10.1.0.0 0.0.0.255 any
access-list 102 permit udp 10.1.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
banner login ^C**************************^C
!
CON and VTY setup
!
scheduler allocate 20000 1000
end

A bit of really basic troubleshooting:

Router#sh access-lists
Standard IP access list 1
    10 permit 10.1.0.0, wildcard bits 0.0.0.255 (9854736 matches)
Extended IP access list 101
    10 permit tcp any 10.1.0.0 0.0.0.255 established
    20 permit tcp any host 10.1.0.102 eq 22
    30 permit udp any host 10.1.0.102 eq 22
    40 permit tcp any host 10.1.0.102 eq 873
    50 permit udp any host 10.1.0.102 eq 873
Extended IP access list 102
    10 permit tcp 10.1.0.0 0.0.0.255 any
    20 permit udp 10.1.0.0 0.0.0.255 any

Router#sh ip nat translations
Pro Inside global         Inside local          Outside local          Outside global
tcp 192.168.0.10:22       10.1.0.102:22         ---                    ---
tcp 192.168.0.10:873      10.1.0.102:873        ---                    ---
tcp 192.168.0.10:54693    10.1.0.150:54693      208.88.180.96:80       208.88.180.96:80
tcp 192.168.0.10:54695    10.1.0.150:54695      208.88.180.96:80       208.88.180.96:80
tcp 192.168.0.10:54696    10.1.0.150:54696      208.88.180.106:5222    208.88.180.106:5222
tcp 192.168.0.10:54699    10.1.0.150:54699      208.88.181.46:1935     208.88.181.46:1935
tcp 192.168.0.10:54700    10.1.0.150:54700      208.88.180.96:80       208.88.180.96:80
... (more dynamic NAT at work)

Reply to Caskibum from Imbadatthis:

You aren't allowing DNS in.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#allowdns

Also a nice to know:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#debugtraffic

After Imbadatthis's reply, Caskibum solved the problem like this:

Thanks for the response. I actually sorted it out last night: my "new" cable modem was blocking the port forwarding before it got to the router. So once I set up the NAT port forwarding on the cable modem, all good now.

Just FYI, I've ended up with a much simpler ACL and NAT setup:

!
ip nat inside source list nat-acl interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.1.0.101 873 interface GigabitEthernet0/0 873
ip nat inside source static tcp 10.1.0.101 22 interface GigabitEthernet0/0 22
!
ip access-list extended nat-acl
 permit ip 10.1.0.0 0.0.0.255 any
 permit tcp any host 10.1.0.101 eq 22
 permit tcp any host 10.1.0.101 eq 873
!
!

Best Regards

More discussion between the two about opening port 873 on the Cisco 1921:

Imbadatthis: So you've removed both acl 101 and 102?

Caskibum: Yep, the only ACL is the named extended list, which is applied on the outside interface in the overload command. I could have probably left them in place; I found this "alternate" solution with the named extended list as it is now, and then after that didn't work either I went to the cable modem and found the source of the problem. I expect the 101 / 102 ACLs are fine if I were to use them. Then the two static NAT commands to handle the traffic direction. Seems to be working. I'm no security expert, so if this leaves some gaping hole please let me know and I'll rework it. Cheers!

More related discussion on opening port 873 on a Cisco 1921 at tek-tips.com.

More Cisco news and Cisco hardware tips:
http://blog.router-switch.com/
http://www.router-switch.com/
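Two points in the thread above are worth checking on a real 1921 before copying the configuration, and neither depends on the cable modem. First, in Cisco's documented NAT order of operations an inbound ACL on the outside interface is evaluated before NAT rewrites the destination, and an outbound ACL on that interface is evaluated after NAT has rewritten the source. On gig0/0 both lists therefore see the inside-global address (192.168.0.10 in the translation table above, a private address handed out by the cable modem's own NAT, so the 1921 sits behind a second NAT), never 10.1.0.x. Every line of ACL 101 and ACL 102 then fails to match and the implicit deny drops all traffic, which is consistent with the "once I turn these on, it all dies" symptom. Second, as Imbadatthis says, nothing permits DNS replies: the `established` keyword applies to TCP only (it matches segments with ACK or RST set), so UDP 53 answers need a rule of their own. Note also that the final nat-acl is referenced only by `ip nat inside source list`, which selects which inside-local sources are translated; it filters nothing, so the two `permit tcp any host 10.1.0.101 ...` lines in it have no effect, and with ACLs 101 and 102 removed the static NAT entries expose ports 22 and 873 with no filtering on the router itself.

The following Python script is an added example, not code from the original post or from Cisco. It models the subset of IOS extended-ACL semantics that matters here (wildcard masks, first match, implicit deny, TCP-only `established`) and runs the poster's ACL 101 and a hypothetical corrected list over constructed return traffic as the inbound ACL on gig0/0 would actually see it. The addresses 192.168.0.10 and 208.88.180.96 are taken from the page's NAT table; 203.0.113.53 and 198.51.100.7 are constructed from RFC 5737 documentation space.

```python
"""Model of Cisco IOS extended-ACL evaluation for the 1921 thread above.

Added example, not from the original post. Wildcard-mask matching, first
match, implicit deny and the TCP-only 'established' keyword (ACK or RST set)
are modelled; 203.0.113.53 and 198.51.100.7 are constructed addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53}   # IOS keyword shorthand used by the fixed list


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK (or RST) bit set; what 'established' keys on


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str          # "ip", "tcp" or "udp"
    src: tuple          # (network, wildcard) as 32-bit ints
    dst: tuple
    sport: Optional[int]
    dport: Optional[int]
    established: bool


def _addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D W.W.W.W."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _port(tokens):
    """Consume an optional 'eq <port>' operator (only 'eq' is modelled)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_ace(line):
    """Parse one ACE such as 'permit tcp any host 10.1.0.102 eq 22'."""
    t = line.split()
    action, proto = t.pop(0), t.pop(0)
    src, sport = _addr(t), _port(t)
    dst, dport = _addr(t), _port(t)
    return Ace(action, proto, src, dst, sport, dport, bool(t) and t[0] == "established")


def _in(ip, spec):
    """Wildcard match: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    care = (~wild) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(acl, pkt):
    """Return (action, matching line) using first match plus implicit deny."""
    for seq, line in enumerate(acl, start=1):
        ace = parse_ace(line)
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_in(pkt.src, ace.src) and _in(pkt.dst, ace.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return ace.action, f"{seq * 10} {line}"
    return "deny", "implicit deny"


# The poster's ACL 101, as shown in the thread.
ACL_101 = [
    "permit tcp any 10.1.0.0 0.0.0.255 established",
    "permit tcp any host 10.1.0.102 eq 22",
    "permit udp any host 10.1.0.102 eq 22",
    "permit tcp any host 10.1.0.102 eq 873",
    "permit udp any host 10.1.0.102 eq 873",
]
# Hypothetical inbound list for gig0/0: destination 'any' because the
# interface address is DHCP-assigned; DNS replies need their own rule
# because 'established' never matches UDP.
ACL_FIXED = [
    "permit tcp any any established",
    "permit udp any eq domain any",
    "permit tcp any any eq 22",
    "permit tcp any any eq 873",
]
OUTSIDE_GLOBAL = "192.168.0.10"   # inside-global address in the page's NAT table
# Constructed return traffic as the inbound ACL sees it: NAT has not yet
# rewritten the destination, so it is the global address, not 10.1.0.x.
RETURN_TRAFFIC = {
    "dns reply":    Packet("udp", "203.0.113.53", 53, OUTSIDE_GLOBAL, 54701),
    "http syn-ack": Packet("tcp", "208.88.180.96", 80, OUTSIDE_GLOBAL, 54693, ack=True),
    "ssh syn":      Packet("tcp", "198.51.100.7", 40000, OUTSIDE_GLOBAL, 22),
    "smb probe":    Packet("tcp", "198.51.100.7", 40001, OUTSIDE_GLOBAL, 445),
}


def verdicts(acl):
    """Map each constructed packet name to permit/deny under the given ACL."""
    return {name: evaluate(acl, p)[0] for name, p in RETURN_TRAFFIC.items()}


if __name__ == "__main__":
    print("ACL 101 (pre-NAT view):", verdicts(ACL_101))
    print("fixed list:            ", verdicts(ACL_FIXED))
    # Post-NAT view: the addresses ACL 101 was written for, which an inbound
    # ACL on the outside interface never gets to see.
    print("ACL 101 on post-NAT ssh syn:",
          evaluate(ACL_101, Packet("tcp", "198.51.100.7", 40000, "10.1.0.102", 22)))
```

Run with `python3 acl_sim.py`. ACL 101 denies all four packets because their destination is the global address; the same SSH SYN is permitted once the destination is the post-NAT 10.1.0.102, which is why the rules look right on paper. The fixed list is still stateless (`established` and a source-port-53 rule, the approach the linked Cisco document describes), so it admits any TCP segment with ACK set and any UDP datagram from port 53; a reflexive ACL or the zone-based firewall, where the image and license support them, tracks return traffic statefully instead.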
