Help Opening a Port on a Cisco Router
16 years 8 months ago #25259
by tanger
Help Opening a Port on a Cisco Router was created by tanger
Dear All,
This is probably a very simple question to answer for those of you with the knowledge but currently I am awaiting Cisco training and I need to open a port on two Cisco 800 series routers.
Basically, I have a timeclock device that will communicate with a server on another site on port 5005.
So I need to open up port 5005 on both ends (on each router), both routers are the same Cisco 800 series (837 from memory) and only have the telnet console. So I'm assuming it'll be the same command twice (once on each router).
I have been searching through the posts here and on the Cisco website but really it all looks like a foreign language. I'm sure once I have a bit of training all will become clear.
I would greatly appreciate any help anyone can give me - point me to a website, forum post I missed or if you have the time the line of coding required.
Thanks in advance,
Tanger
16 years 8 months ago #25264
by Chojin
CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
Replied by Chojin on topic Re: Help Opening a Port on a Cisco Router
If you want to allow your router to permit port 5005 then you don't have to do anything unless you have access lists configured.
Routers without access lists basically 'route' traffic (that is, of course, if you have your routing working).
16 years 8 months ago #25271
by tanger
Replied by tanger on topic Re: Help Opening a Port on a Cisco Router
Yes, I have access-lists configured, not by me (to be honest I don't know how) but by the consultants who set the system up before I joined the company.
Are the commands to configure the access-list similar to what I see when I do a show access-lists command?
For example, I see:
permit tcp any host (router ip) eq www (assume this is port 80)
Can I do the following command to add port 5005 to the access-list?
permit tcp any host (router ip) eq 5005 (5005 for the port I want open)
16 years 8 months ago #25273
by Elohim
Replied by Elohim on topic Re: Help Opening a Port on a Cisco Router
Actually... let's assume it's using the TCP protocol:
access-list 100 permit tcp host 192.168.1.1 host 192.168.2.2 eq 5005
access-list 100 permit tcp host 192.168.1.1 host 192.168.2.2 eq 23
This creates an access-list 100 which permits host 192.168.1.1 to send traffic to 192.168.2.2 on TCP port 5005. The second line opens up the telnet port.
Now, the last thing to do is apply the access-list to an interface.
There is an implicit deny all at the end of every ACL... unless the traffic is explicitly defined, it won't pass through the ACL.
16 years 8 months ago #25279
by Chojin
CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
Replied by Chojin on topic Re: Help Opening a Port on a Cisco Router
You should add the rules to your current access-list as you said.
Depending on your IOS you can add rules between your current rules.
With the newer versions you have access lists like:
Extended IP access list 101
10 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 23
20 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 23
30 permit tcp 10.0.0.0 0.255.255.255 host xxx.xxx.xxx.xxx eq 80
etc.
Now you add the rules simply by using:
>enable
>conf t
>ip access-list extended 101
>15 permit tcp host 192.168.1.200 host 192.168.2.200 eq 5005
Hope this will help.
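As an added illustration (my own constructed model, not code from the posts above or from Cisco IOS) of the two points in Elohim's and Chojin's replies: rules are evaluated top-down with first match winning, anything unmatched hits the implicit deny at the end, and a numbered rule can be slotted between existing ones. It assumes the sample hosts 192.168.1.1 and 192.168.2.2 from the thread and models only the one direction of traffic a single applied ACL inspects; whether the reverse direction needs its own permit depends on which interface and direction the ACL is bound to, which the thread does not say.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    seq: int                     # sequence number, e.g. the '15' in Chojin's '15 permit ...'
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str                     # "any" or a CIDR such as "192.168.1.1/32" (the 'host' form)
    dst: str
    dport: Optional[int] = None  # 'eq <port>' on the destination; None means any port

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

@dataclass
class ExtendedACL:
    rules: List[Rule] = field(default_factory=list)

    def add(self, rule: Rule) -> None:
        # Rules are kept in sequence order, so a new '15' slots between 10 and 20.
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)

    def evaluate(self, proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
        """Top-down, first match wins; falls through to the implicit deny."""
        for r in self.rules:
            if (r.proto in ("ip", proto) and _addr_match(r.src, src)
                    and _addr_match(r.dst, dst) and r.dport in (None, dport)):
                return r.action, r.seq
        return "deny", None  # implicit 'deny ip any any' at the end of every ACL

def thread_acl() -> ExtendedACL:
    """Constructed copy of Elohim's access-list 100: one direction, two ports."""
    acl = ExtendedACL()
    acl.add(Rule(10, "permit", "tcp", "192.168.1.1/32", "192.168.2.2/32", 5005))
    acl.add(Rule(20, "permit", "tcp", "192.168.1.1/32", "192.168.2.2/32", 23))
    return acl

if __name__ == "__main__":
    acl = thread_acl()
    print(acl.evaluate("tcp", "192.168.1.1", "192.168.2.2", 5005))  # ('permit', 10)
    print(acl.evaluate("tcp", "192.168.1.1", "192.168.2.2", 80))    # ('deny', None): port not listed
    print(acl.evaluate("tcp", "192.168.2.2", "192.168.1.1", 5005))  # ('deny', None): reverse direction not listed
    acl.add(Rule(15, "permit", "tcp", "192.168.1.200/32", "192.168.2.200/32", 5005))  # Chojin's inserted line
    print(acl.evaluate("tcp", "192.168.1.200", "192.168.2.200", 5005))  # ('permit', 15)
```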
16 years 8 months ago #25291
by tanger
Replied by tanger on topic Re: Help Opening a Port on a Cisco Router
Thank you very much Chojin and Elohim for all your help; this has helped me add the necessary port permissions and it seems the device is talking to the server.
I have a couple of questions on a side note.
Do the access list lines enable two-way communication? For your example, Elohim, of
access-list 100 permit tcp host 192.168.1.1 host 192.168.2.2 eq 5005
do I need two lines to enable two-way communication (incoming traffic and outgoing traffic)? In the case of the above example, put the following two lines in the access list:
access-list 100 permit tcp host 192.168.1.1 host 192.168.2.2 eq 5005
access-list 100 permit tcp host 192.168.2.2 host 192.168.1.1 eq 5005
The other question I have was in regards to the names of the access lists themselves and their order. I understand the firewall rule principle (I am versed in Win ISA) but the Cisco coding was the stumbling block for me. If I currently have an access list 150 and for some reason I wanted to create another: firstly, can I do that (have multiple access lists) and secondly, if I can and I created an access list 100, since the number 100 is lower than 150 would its rules take effect first?
Much appreciated,
tanger