Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
From technical user, open port 873 on cisco 1921
1. From Technical User: Open Port 873 on Cisco 1921
Caskibum’s Problem of Opening Port 873 on Cisco 1921
I have a Cisco 1921 and need to open ports 22 (SSH) and 873 (rsync) to run an rsync
server on my network and the rest of the network needs standard "internet"
access. I am fairly new to Cisco ACLs and so I expect I'm doing something stupid but
not sure what.When I add the ip access-group XXX in / out to the gig0/0 interface, I
lose all www functionality at that point.Here is my current (working) config with the
ACLs listed (101 and 102) but not enabled on the gig0/0 interface.I have tried the
"established" statement at the start and end of the 101 list, no difference.Thanks for
any help!
Router#show run
Building configuration...
Current configuration : 2675 bytes
!
! Last configuration change at 15:03:45 UTC Sun Dec 18 2011 by
!
version 15.0
service timestamps debug datetimemsec
service timestamps log datetimemsec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Sx2k$wiHT8Af585IB/HsSZkwC61
enable password 7 073E325F19190C1D47
!
noaaa new-model
!
no ipv6 cef
ip source-route
ipcef
!
!
noipdhcp use vrf connected
ipdhcp excluded-address 10.1.0.1 10.1.0.149
ipdhcp excluded-address 10.1.0.200 10.1.0.254
!
ipdhcp pool net_dhcp
import all
network 10.1.0.0 255.255.255.0
http://www.router-switch.com/
2. default-router 10.1.0.1
lease 0 0 5
!
!
noipdomain lookup
ipdomain name treeskier.ca
multilink bundle-name authenticated
!
!
!
licenseudipid CISCO1921/K9 sn FGL15092836
!
!
username blah password blahblah
!
!
ipssh version 2
!
!
!
!
interface GigabitEthernet0/0
description Internet
ipdhcp client update dns
ip address dhcp
ipnat outside
! ip access-group 101 in
! ip access-group 102 out
! once I turn these on, it all dies.
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description internal
ip address 10.1.0.1 255.255.255.0
ipnat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
http://www.router-switch.com/
3. ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ipnat inside source list 1 interface GigabitEthernet0/0 overload
ipnat inside source static tcp 10.1.0.102 873 interface GigabitEthernet0/0 873
ipnat inside source static tcp 10.1.0.102 22 interface GigabitEthernet0/0 22
!
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 remark INSIDE_IF=gig0/1
access-list 101 permit tcp any 10.1.0.0 0.0.0.255 established
access-list 101 permit tcp any host 10.1.0.102 eq 22
access-list 101 permit udp any host 10.1.0.102 eq 22
access-list 101 permit tcp any host 10.1.0.102 eq 873
access-list 101 permit udp any host 10.1.0.102 eq 873
access-list 102 permit tcp 10.1.0.0 0.0.0.255 any
access-list 102 permit udp 10.1.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
banner login ^C**************************^C
!
CON and VTY setup
!
scheduler allocate 20000 1000
end
A bit of really basic troubleshooting:
Router#sh access-lists
Standard IP access list 1
10 permit 10.1.0.0, wildcard bits 0.0.0.255 (9854736 matches)
Extended IP access list 101
10 permit tcp any 10.1.0.0 0.0.0.255 established
20 permit tcp any host 10.1.0.102 eq 22
30 permit udp any host 10.1.0.102 eq 22
40 permit tcp any host 10.1.0.102 eq 873
50 permit udp any host 10.1.0.102 eq 873
Extended IP access list 102
10 permit tcp 10.1.0.0 0.0.0.255 any
20 permit udp 10.1.0.0 0.0.0.255 any
http://www.router-switch.com/
4. Router#shipnat translations
Pro Inside global Inside local Outside local Outside global
tcp 192.168.0.10:22 10.1.0.102:22 --- ---
tcp 192.168.0.10:873 10.1.0.102:873 --- ---
tcp 192.168.0.10:54693 10.1.0.150:54693 208.88.180.96:80 208.88.180.96:80
tcp 192.168.0.10:54695 10.1.0.150:54695 208.88.180.96:80 208.88.180.96:80
tcp
192.168.0.10:54696 10.1.0.150:54696 208.88.180.106:5222 208.88.180.106:52
22
tcp
192.168.0.10:54699 10.1.0.150:54699 208.88.181.46:1935 208.88.181.46:193
5
tcp 192.168.0.10:54700 10.1.0.150:54700 208.88.180.96:80 208.88.180.96:80
... (more dynamic NAT at work)
Reply to Caskibum from Imbadatthis
You aren't allowing DNS in .
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_exampl
e09186a0080100548.shtml#allowdns
also a nice to know:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_exampl
e09186a0080100548.shtml#debugtraffic
After Imbadatthis‘s Reply
Caskibumsolved problems like this:
Thanks for the response.
I actually sorted it out last night, my "new" cable modem was blocking the port
forwarding before it got to the router. So once I set up the NAT port forwarding on
the cable modem, all good now.
Just FYI, I've ended up with a much simpler ACL and NAT setup:
!
ipnat inside source list nat-acl interface GigabitEthernet0/0 overload
ipnat inside source static tcp 10.1.0.101 873 interface GigabitEthernet0/0 873
ipnat inside source static tcp 10.1.0.101 22 interface GigabitEthernet0/0 22
!
ip access-list extended nat-acl
permitip 10.1.0.0 0.0.0.255 any
permittcp any host 10.1.0.101 eq 22
permittcp any host 10.1.0.101 eq 873
!
!
Best Regards
http://www.router-switch.com/
5. More discussion between these two buddies to talk about Opening port 873 on
Cisco 1921
Imbadatthis: So you've removed both acl 101 and 102?
Caskibum:
Yep, the only ACL is the named extended list, which is applied on the outside
interface in the overload command.I could have probably left them in place, I found
this "alternate" solution with the named extended list as it is now, and then after
that didn't work either I went to the cable modem and found the source of the
problem. I expect the 101 / 102 acls are fine if I were to use them.Then the two
static NAT commands to handle the traffic direction.Seems to be working.I'm no
security expert so if this leaves some gaping hole please let me know and I'll rework
it.
Cheers!
More Related Discussion on Open port 873 on Cisco 1921at tek-tips.com
More Cisco News and Cisco Hardware Tips you can visit:
http://blog.router-switch.com/
http://www.router-switch.com/