Opening ports on router

Discussion in 'Networks' started by Chummers, Oct 18, 2007.

  1. Chummers

    Chummers New Member

    Hi all,

    a real noob needs your help.

    I have been running my business on a SAR-110 for a number of years (the only router I know how to open ports on!) well, that was until the weekend when it went bang, no power LEDs on but power out of the AC adaptor :cry:

    Was a lovely little router, but I have since got a Cisco 1700 series router to get running again.. and this is when the problem starts..

    I have tried for a number of days to get ports open - that i need for my webserver/email server, but to no avail.

    to make things easier for the people on here, I have reset the router to factory default, and gone through a simple setup - only enough to get a net connection, and left it at that.

    I would prefer to type/copy/paste into HyperTerminal to make things even easier all round

    when i go to www.grc.com, it states that ALL ports are stealthed..

    Has anyone any idea of what lines to put in the config file??

    I need to open ports, 22,25,80,110,143, and 443

    Please go easy on me, these routers are like the dark arts to me!!


    Any help is appreciated

    Thanks..
     
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Attaching a sanitized copy of your config would be helpful. Opening ports is fairly easy - assuming you have a working basic configuration (with nat) all you need is to statically nat the ports to an internal host.

    For example:

    ip nat inside source static tcp 10.1.1.50 80 A.B.C.D 80 extendable

    The above command maps port 80 on the external (ip nat outside) interface to host 10.1.1.50 on the internal (ip nat inside) interface. A.B.C.D would be your external ip address. You can also replace that with the interface if your ip is dynamic, for example:

    ip nat inside source static tcp 10.1.1.50 80 interface Dialer0 80 extendable

    Any tcp packets arriving at your external interface, to port 80, will be sent to the internal host 10.1.1.50. Thus, a webserver at 10.1.1.50 would be accessible from the Internet.

    Make very sure you only open ports you need. Also, I would highly recommend an access-list on the external interface to filter traffic, or even better use the IOS stateful firewall, if that is available.

    A handy tip: Since you are opening ssh, presumably so that you can remote admin a computer, consider using a random external port, for example:

    ip nat inside source static tcp 10.1.1.50 22 interface Dialer0 26173 extendable

    You would know to point your ssh client to port 26173, but others would not, so at least port scanners looking for common ports won't see ssh as open on your external ip.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  3. BosonMichael

    BosonMichael Yottabyte Poster

    Hm? I've set up quite a few 1700-series routers, and none of them block ports by default... they're all wide open. It's a router, not a firewall. You can certainly block ports on a 1700, but you have to block them manually.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  4. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    While it is true that ports are not blocked by default on a router, the default behaviour of the router effectively blocks them. For example, imagine a router with dynamic nat, internal ip 10.10.10.0/24, external ip 1.1.1.1:

    If a packet arrives from some Internet host (2.2.2.2), destination port tcp 80, the router will discard the packet. Effectively, port 80 is blocked. This occurs because the router has no nat translation that the packet matches, and assuming there is no process on the router itself listening to http, the packet is discarded.

    The same applies to other packets; with no matching nat entry, they are discarded by the router. In effect, all ports are blocked.

    Of course, if the router receives a packet from an Internet host with a destination ip on the internal network, it will be routed to the internal destination. However, since packets with private destination ip addresses will be dropped by some ISP en route you will not typically see such packets arrive.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  5. BosonMichael

    BosonMichael Yottabyte Poster

    You are correct... but in that case, he's not "opening up ports"... he's performing NAT translation. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  6. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    hehe, yes, you are right, he is not opening up ports, rather he is allowing already open ports to be used, by creating a static nat translation. I should have made that clear, instead of saying "Opening ports is fairly easy..." - that made it seem as though the ports were blocked. I was lazy and the coffee run hadn't come back yet :)

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  7. Chummers

    Chummers New Member

    Hi guys,

    Here is my config.

    --------------------------------------
    Building configuration...

    Current configuration : 4948 bytes
    !
    ! Last configuration change at 19:21:10 PCTime Thu Oct 18 2007 by <username>
    ! NVRAM config last updated at 15:51:25 PCTime Thu Oct 18 2007 by <username>
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 <Secretpassword>
    !
    username <username> privilege 15 secret 5 <secretpassword>
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    no ip source-route
    !
    !
    !
    !
    ip tcp synwait-time 10
    ip domain name server1
    ip name-server <DNSSERVER>
    ip name-server <DNSSERVER>
    no ip bootp server
    ip cef
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip ips po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface BRI0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    !
    interface FastEthernet0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-10/100 Ethernet$$ES_LAN$$FW_INSIDE$
    ip address <PRIVATEIP> 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    speed auto
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address <PUBLICIP> 255.255.255.252
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect DEFAULT100 out
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname <ISP username>
    ppp chap password 7 <password>
    ppp pap sent-username <username> password 7 <password>
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    !
    !
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=FastEthernet0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip <PUBLICIP> 0.0.0.3 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit udp host <DNSSERVER> eq domain host <PUBLICIP>
    access-list 101 permit udp host <DNSSERVER> eq domain host <PUBLICIP>
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any
    access-list 101 permit icmp any host <PUBLICIP> echo-reply
    access-list 101 permit icmp any host <PUBLICIP> time-exceeded
    access-list 101 permit icmp any host <PUBLICIP> unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    ----------------------------------

    This is the currently running config.

    I hope this is what you are after, what makes things worse for me is that the Globespan SAR-110 syntax is completely different to Cisco syntax, so the shreds of knowledge I had on the SAR-110 disappear altogether with Cisco routers...:oops:


    If there is anything else you guys need just let me know, and i will supply..

    Thanks for the replies so far!

    Regards,
     
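    Putting Spice_Weasel's static NAT advice together with the config just posted, as an added example (not from the thread, not SDM output, and not anything Chummers has run): the six port forwards, the inbound filter on Dialer0 rebuilt so the forwarded ports are actually reachable, and the router's own management restricted to the LAN. The server addresses 192.168.0.10 (web/mail) and 192.168.0.20 (the ssh host) are assumptions (the LAN is 192.168.0.0/24 per access-list 1); <PUBLICIP> and <DNSSERVER> are the same placeholders as in the posted config, and 26173 is the external ssh port Spice_Weasel used as an example above.

```cisco
! Added example, not from the thread. Assumed hosts: 192.168.0.10 = web/mail
! server, 192.168.0.20 = host administered over ssh. Paste in config mode.
!
! 1. Static translations ("port forwards"). Packets arriving on Dialer0 that
!    match one of these are translated and routed to the LAN host; anything
!    with no matching translation is still discarded, as explained above.
ip nat inside source static tcp 192.168.0.10 25  interface Dialer0 25  extendable
ip nat inside source static tcp 192.168.0.10 80  interface Dialer0 80  extendable
ip nat inside source static tcp 192.168.0.10 110 interface Dialer0 110 extendable
ip nat inside source static tcp 192.168.0.10 143 interface Dialer0 143 extendable
ip nat inside source static tcp 192.168.0.10 443 interface Dialer0 443 extendable
! ssh reachable on a non-standard external port (26173, as in the tip above)
ip nat inside source static tcp 192.168.0.20 22  interface Dialer0 26173 extendable
!
! 2. Inbound filter on Dialer0. The posted ACL 101 ends in "deny ip any any"
!    and IOS checks an inbound ACL before it applies outside-to-inside NAT,
!    so the permits must name the public address and the EXTERNAL port.
!    Numbered ACLs are rebuilt rather than edited; between "no access-list 101"
!    and the re-add the interface is unfiltered, so do this from the console.
no access-list 101
access-list 101 remark inbound filter on Dialer0 (outside) - rebuilt by hand
! anti-spoofing: never accept LAN or bogon source addresses from the Internet
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
! replies to the router's own DNS lookups (one line per ip name-server) and
! the ICMP the LAN needs for traceroute / path MTU
access-list 101 permit udp host <DNSSERVER> eq domain host <PUBLICIP>
access-list 101 permit udp host <DNSSERVER> eq domain host <PUBLICIP>
access-list 101 permit icmp any host <PUBLICIP> echo-reply
access-list 101 permit icmp any host <PUBLICIP> time-exceeded
access-list 101 permit icmp any host <PUBLICIP> unreachable
! the published services: one permit per forwarded port, nothing else
access-list 101 permit tcp any host <PUBLICIP> eq 25
access-list 101 permit tcp any host <PUBLICIP> eq 80
access-list 101 permit tcp any host <PUBLICIP> eq 110
access-list 101 permit tcp any host <PUBLICIP> eq 143
access-list 101 permit tcp any host <PUBLICIP> eq 443
access-list 101 permit tcp any host <PUBLICIP> eq 26173
! return traffic for sessions opened from the LAN is admitted dynamically by
! "ip inspect DEFAULT100 out" on Dialer0; everything else is dropped and logged
access-list 101 deny   ip any any log
!
! 3. Keep the router's own listeners off the Internet. The posted config has
!    ip http server / ip http secure-server and telnet+ssh on the vty lines with
!    no source restriction; ACL 1 (the LAN) is reused to limit them.
ip http access-class 1
line vty 0 15
 access-class 1 in
 transport input ssh
```

    Two things about the posted config explain the "everything stealthed" result: ACL 101 is applied with `ip access-group 101 in` on Dialer0 and ends in `deny ip any any`, and because the inbound ACL is evaluated before outside-to-inside NAT, adding static NAT entries alone changes nothing until the ACL permits the public address and external port. The 23/80/443 that grc.com showed as open before the firewall wizard ran were the router's own telnet and HTTP/HTTPS listeners, not the internal servers, which is why part 3 locks them to the LAN and drops telnet. Check with `show ip nat translations` (the six static entries should be listed) and `show access-lists 101` (the hit counters on the permit lines climb as connections arrive), and test from an outside host, because these static entries only apply to packets arriving on the outside interface. As Spice_Weasel notes, a non-standard ssh port only hides the service from scanners looking for common ports; it does not protect it, so the host behind 26173 still needs key-based or strong-password authentication.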
  8. BosonMichael

    BosonMichael Yottabyte Poster

    I don't think I'd post my public IP addresses on a forum... nor my private ones, for that matter... all it takes is a statically configured internal address and me jacked into a port in your reception area to start hacking your network...
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  9. greenbrucelee

    greenbrucelee Zettabyte Poster

    Yep, as Michael says, that's not very clever to post your IP address on a public forum, all it takes is some person with bad intentions to hack your network and you're screwed.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  10. Chummers

    Chummers New Member

    errr... thanks for that lads :oops: I have amended the config above (I am glad you spotted that!)

    my ignorance is truly shocking :eek:
     
  11. Chummers

    Chummers New Member

    sorry to bump this one guys, but i am really struggling here, here is what i have so far....
    in SDM

    in Tasks go to the NAT button, in there I have original address i.e. 192.168.x.x and translated address is <public ip> and rule type is dynamic

    in firewall and acl tab i have nothing in services.

    now it seems that when it is set like this I run grc.com and it states all common ports are closed with the exception of 23!, 80, and 443 - they are wide open

    but as soon as i run the firewall wizard everything goes to stealth.

    can't seem to suss this, and been on it for three days now :(

    I have read, and reread the comments above, but they just don't seem to gel, I think I get the basic idea, but when I apply what I *think* is right it just doesn't work....


    i need some really idiot proof instructions i think :oops:
     
  12. BosonMichael

    BosonMichael Yottabyte Poster

    Learning the IOS (and why/how you issue those commands) will help you in so many ways... much better than trying to stumble through the SDM and figure out which button to push to make something magically work.

    Cisco's not for idiots... that's why many people have trouble getting through the CCNA. But if you study the topics until you understand them... it's REALLY not that difficult. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
