
2514 access list (help needed)

rwallac

Technical User
Mar 23, 2004
8
US
I have a cisco 2514 router that I'm using for NAT off a cable modem.

Up until now I had the access list set up to deny all unsolicited inbound traffic; however, I'd like to open a port so that I can host a multiplayer game occasionally w/o having to unplug the router and plug the game peecee directly into the cable modem.

I don't have access to my script atm, but I can supply it.

Basically I need to know what command to use to open this port.


 
I'd rather not modify too much, I just want to open port 3453 so that I can host multi-player games. thanks.


Here is my config file (Cisco IOS 12.2):
---------------------------------------

internet#show config
Using 1848 out of 32762 bytes
!
version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname internet
!
enable secret 5 $1$Yx56$uS5F0ZsZ9nWQ4RFJB2bu6.
!
username ###### password 7 01300E05550C032224
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
ip dhcp excluded-address 192.168.0.1 192.168.0.128
!
ip dhcp pool 0
network 192.168.0.0 255.255.255.0
dns-server 68.1.208.30 68.12.16.30 68.12.15.30
netbios-node-type h-node
default-router 192.168.0.1
lease 30
!
ip dhcp pool hplaser
host 192.168.0.254 255.255.255.0
hardware-address 0800.09a4.c168
client-name hplaser
lease 30
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
!
interface Ethernet1
ip address dhcp
ip nat outside
no ip route-cache
no ip mroute-cache
!
interface Serial0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
ip nat inside source list 10 interface Ethernet1 overload
ip classless
no ip http server
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 20 permit 192.168.0.0 0.0.255.255
access-list 20 deny any
!
banner motd ^C
You are now connected to an internet router. All connections are logged and moni
tored. Unauthorized connections will be dealt with severely!^C
!
line con 0
password 7 14341A0A02032F0621
logging synchronous
login local
line aux 0
password 7 00271B070A5C0E2B0A
login local
transport input all
line vty 0 4
access-class 20 in
exec-timeout 0 0
password 7 0307530A080824614B
login local
!
ntp clock-period 17179757
ntp server 199.165.76.11
ntp server 192.5.5.250 prefer
end
 
ip nat inside source static tcp 192.168.0.200 3453 interface ethernet 1 3453

Where 192.168.0.200 is your internal server IP.
3453 is of course the (TCP) port.
Also make sure your ACLs allow this traffic.

And you should never post the password part of your configs online.
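The advice above about not posting the password part of a config is worth automating. The following is an added example, not code from the thread or from Cisco: a small Python redactor that masks the `enable secret`, `username ... password`, line `password` and DHCP `hardware-address` values in an IOS config before it is shared, and a checker that reports any line that still carries a secret. The config text it runs on is constructed for the example and only mirrors the shape of the config posted above; `password 7` strings are masked too, since that encoding is a reversible obfuscation, not a hash.

```python
import re

# Constructed sample in the shape of the config posted in the thread (not the real one).
SAMPLE_CONFIG = """\
hostname internet
service password-encryption
enable secret 5 $1$abcd$EXAMPLEHASHEXAMPLEHASHxx
username admin password 7 0123456789ABCDEF
ip dhcp pool hplaser
 hardware-address 0000.1111.2222
line vty 0 4
 password 7 FEDCBA9876543210
 login local
ntp server 192.0.2.10
"""

# Each rule keeps the command keyword(s) and replaces only the sensitive value.
REDACT_RULES = [
    (re.compile(r"^(\s*enable secret \d+ )\S+"), r"\1<REDACTED>"),
    (re.compile(r"^(\s*username \S+ (?:password|secret) \d+ )\S+"), r"\1<REDACTED>"),
    (re.compile(r"^(\s*password \d+ )\S+"), r"\1<REDACTED>"),
    (re.compile(r"^(\s*hardware-address )\S+"), r"\1<REDACTED>"),
]

# Lines that still look like "secret N value" / "password N value" with a real value.
SECRET_PATTERN = re.compile(r"(?:secret|password)\s+\d+\s+(?!<REDACTED>)\S+")


def redact_config(text: str) -> str:
    """Return the config with secret values replaced by <REDACTED>, line structure intact."""
    out = []
    for line in text.splitlines():
        for pattern, replacement in REDACT_RULES:
            line, count = pattern.subn(replacement, line)
            if count:
                break  # one rule per line is enough
        out.append(line)
    return "\n".join(out) + "\n"


def leaked_secrets(text: str) -> list:
    """Return the lines that still carry an unmasked secret (empty list means safe to post)."""
    return [line for line in text.splitlines() if SECRET_PATTERN.search(line)]


if __name__ == "__main__":
    cleaned = redact_config(SAMPLE_CONFIG)
    print(cleaned)
    print("still leaking:", leaked_secrets(cleaned))
```

Run the checker on the redacted output before pasting a config anywhere public; an empty list from `leaked_secrets` is the condition to look for. Note that `service password-encryption` is left untouched because it is a setting, not a value.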
 
ior,

thanks for the response. How would I incorporate this line in the config file?

Also I'm at a bit of a loss. I was trying to work on access lists and I did a write erase, and now this script doesn't work any more. I'm totally baffled...

Basically what I need is that line incorporated into this script and any modifications necessary to get it installed again using the config/write command.

I had someone write it for me a year back, but I can't see what has changed from what they loaded to this show config printout :(


PS, I'll change the PWs.

 
You need to do the following:
find out what ports your game uses (TCP # and/or UDP #)
then redirect all traffic hitting your Internet Interface on the ports associated with the game to the Internal Game Server


ip nat inside source static tcp/udp 192.168.0.X GAMEPORT# ethernet 1 GAMEPORT# extendable
**multiple ports may need to be opened depending on the behavior of the game

[If you do not use the EXTENDABLE option, it will not work]

- then allow players on the net access to your Game Server
- this allows anyone to hit your router at the ports that the game is running on (src = any players, dst = any because you have a DHCP addy)

access-list 101 permit tcp/udp any any eq GAMEPORT#
**all traffic that hits the allowed ports will be redirected to the gameserver via the static nat statements above
***multiple lines may be needed in this acl depending on the nature of the game

Bind the acl to the outside/Internet interface

interface ethernet1
ip access-group 101 in


copy and paste this into notepad, then change it to suit the game (ports). Then copy and paste this into your router using a terminal emulation program.

configure terminal
ip nat inside source static tcp/udp 192.168.0.X GAMEPORT# ethernet 1 GAMEPORT# extendable
access-list 101 permit tcp/udp any any eq GAMEPORT#
interface ethernet1
ip access-group 101 in
 
gconect,

thanks. Do you see what might be making my current script not work? I wiped router, and reinstalled it (from a show config, not the original config--make a difference?)?
 
Well I reinstalled the old show config and I can ping out to the internet from the router, but it's not serving DHCP to the machines on the subnet (or printer) still. Any ideas?

Is this what you meant re: incorporating those lines:

----------------------
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname internet
!
enable secret 5 $1$Yx56$uS5F0ZsZ9nWQ4RFJB2bu6.
!
username ###### password 7 01300E05550C032224
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
ip dhcp excluded-address 192.168.0.1 192.168.0.128
!
ip dhcp pool 0
network 192.168.0.0 255.255.255.0
dns-server 68.1.208.30 68.12.16.30 68.12.15.30
netbios-node-type h-node
default-router 192.168.0.1
lease 30
!
ip dhcp pool hplaser
host 192.168.0.254 255.255.255.0
hardware-address 0800.09a4.c168
client-name hplaser
lease 30
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
!
interface Ethernet1
ip address dhcp
ip nat outside
no ip route-cache
no ip mroute-cache
!
interface Serial0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
ip nat inside source list 10 interface Ethernet1 overload
ip classless
no ip http server
!
ip nat inside source static tcp/udp 192.168.0.2 3453 ethernet 1 3453 extendable
access-list 101 permit tcp/udp any any eq 3453
interface ethernet1
ip access-group 101 in
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 20 permit 192.168.0.0 0.0.255.255
access-list 20 deny any
!
banner motd ^C
You are now connected to an internet router. All connections are logged and moni
tored. Unauthorized connections will be dealt with severely!^C
!
line con 0
password 7 14341A0A02032F0621
logging synchronous
login local
line aux 0
password 7 00271B070A5C0E2B0A
login local
transport input all
line vty 0 4
access-class 20 in
exec-timeout 0 0
password 7 0307530A080824614B
login local
!
ntp clock-period 17179757
ntp server 199.165.76.11
ntp server 192.5.5.250 prefer
end
 
ok, I restored the old config file and it's working again. had to:

config t
interface ethernet 0
no shutdown
write

anyhow. after this i ran config t again and pasted in:

ip nat inside source static tcp 192.168.0.xxx 3453 interface ethernet 1 3453 extendable

access-list 101 permit tcp any any eq 3453

interface ethernet1

ip access-group 101 in

and here's what I got for the first line:

dev.null#config t
Enter configuration commands, one per line. End with CNTL/Z.
dev.null(config)#$ 192.168.0.xxx 3453 interface ethernet 1 3453 extendable
ip nat inside source static tcp 192.168.0.xxx 3453 interface ethernet 1 3453 ext^endable

% Invalid input detected at '^' marker.

dev.null(config)#


so I went ahead and took out extendable and put in the other lines and lost the ability to access the internet, though strangely I was able to ping the other computers in the 192.168.0.xxx range. so for some reason these lines are conflicting w/ my config--and both ethernet 0 and ethernet 1 were still up.
 
Try entering the command without the extendable keyword. Most of the time I have seen Cisco routers add this keyword by default.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing."
 
Well, I figured out what I did wrong with config rejecting extendable. This was fixed by putting the IP address in place of "ethernet 1":

ip nat inside source static tcp 192.168.0.130 3453 <IPaddyfor eth1> 3453 extendable

I also successfully entered (w/o killing my connect):

access-list 101 permit tcp any any eq 3453

However,

when I try to bind the acl to the outside/Internet interface:

interface ethernet1
ip access-group 101 in

it freezes my connect to the internet, can't ping out, nothing... I can still ping the subnet.

So I feel I'm almost there, just need to bind the ACL w/o killing my internet connection (and hopefully get this port open!)
 
rwallac, at the end of each ACL is an implicit deny statement. So your ACL 101 is only allowing traffic into the network on port 3453 (no HTTP or ICMP). Your ACL 20 was never applied or bound to the interface, so it was doing nothing. The ping needs to go in and out. I imagine it is going out but just cannot get back in.
 
Of course you have lost your connection. With acl defined as:

access-list 101 permit tcp any any eq 3453

you are permitting only incoming traffic on that interface from any address to any address with destination port 3453. Everything else is denied by default with the statement "deny ip any any", even if it is not shown. You can add the following statement to keep your connection up:

access-list 101 permit tcp any any le 5000 established

this way you are permitting any connections that were previously established from inside and denying anyone from outside trying to establish a connection to the inside before it was already established from inside. Also, with "le 5000" you are permitting packets trying to reach inside only if their destination ports (that is, on your inside computers) are lower than or equal to 5000 (most rootkits work on ports higher than 5000, like NetBus, etc...). If you also need ping, add:

access-list 101 permit icmp any any eq echo-reply

I also noticed you are setting up static NAT, but your IP address for Eth1 is assigned by DHCP. This way, if you get your address reassigned by DHCP, you need to change your static NAT too.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing."
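The two replies above (the implicit deny explanation and the `established` / `echo-reply` additions) can be checked with a tiny ACL evaluator. The following is an added example written for this thread, not code from the thread, from Cisco or from any real IOS implementation: it parses the `access-list 101 ...` lines in the form the replies use, applies first-match semantics with the implicit `deny ip any any` at the end, and runs both versions of ACL 101 over a handful of constructed inbound packets. Only the `any any` address form is supported, `established` is modelled as "TCP ACK or RST bit set", and the ICMP line accepts the `eq echo-reply` spelling used in the reply as well as the plain `echo-reply` form.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed inbound packet as seen on the Internet-facing interface."""
    proto: str           # "tcp", "udp" or "icmp"
    dst_port: int = 0    # destination port (tcp/udp only)
    ack: bool = False    # TCP ACK or RST bit set: what the "established" keyword keys on
    icmp_type: str = ""  # e.g. "echo-reply"


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp" or "icmp"
    port_op: str = ""    # "eq", "le" or "gt" applied to the destination port
    port: int = 0
    established: bool = False
    icmp_type: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.port_op == "eq" and pkt.dst_port != self.port:
            return False
        if self.port_op == "le" and pkt.dst_port > self.port:
            return False
        if self.port_op == "gt" and pkt.dst_port <= self.port:
            return False
        if self.established and not pkt.ack:
            return False
        if self.icmp_type and pkt.icmp_type != self.icmp_type:
            return False
        return True


def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO any any [eq|le|gt PORT] [established]' lines."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        rule = Rule(action=tok[2], proto=tok[3])
        rest = tok[6:]  # tok[4] and tok[5] are the "any any" source/destination
        if rule.proto == "icmp":
            # accept both "echo-reply" and the thread's "eq echo-reply"
            rule.icmp_type = rest[-1] if rest else ""
        else:
            if rest and rest[0] in ("eq", "le", "gt"):
                rule.port_op, rule.port = rest[0], int(rest[1])
                rest = rest[2:]
            rule.established = "established" in rest
        rules.append(rule)
    return rules


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; no match means the implicit 'deny ip any any'."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The first attempt from the thread: only the game port is permitted inbound.
ACL_FIRST_ATTEMPT = ["access-list 101 permit tcp any any eq 3453"]

# The version with the two additions suggested in the reply.
ACL_WITH_RETURN_TRAFFIC = ACL_FIRST_ATTEMPT + [
    "access-list 101 permit tcp any any le 5000 established",
    "access-list 101 permit icmp any any eq echo-reply",
]

# Constructed traffic: a game client connecting, the reply half of an outbound
# web request, a ping reply, an unsolicited SYN to another port, and a reply
# arriving on an ephemeral port above 5000 (the "le 5000" caveat).
SAMPLE_PACKETS = {
    "game_connect": Packet("tcp", dst_port=3453),
    "web_reply": Packet("tcp", dst_port=1034, ack=True),
    "ping_reply": Packet("icmp", icmp_type="echo-reply"),
    "unsolicited_syn": Packet("tcp", dst_port=445),
    "high_port_reply": Packet("tcp", dst_port=6200, ack=True),
}


def classify(acl_lines):
    """Return {packet name: action} for every constructed packet under the given ACL."""
    rules = parse_acl(acl_lines)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("first attempt", ACL_FIRST_ATTEMPT),
                       ("with return traffic", ACL_WITH_RETURN_TRAFFIC)):
        print(label, classify(acl))
```

Under the first attempt everything except the game port is dropped by the implicit deny, including the reply half of the router's own outbound connections and ping replies, which is exactly the "frozen" connection reported above. The second ACL lets replies back in, but only onto destination ports up to 5000 and only with the ACK/RST bit set, so the `high_port_reply` case stays blocked: that is the trade-off the reply describes, and a host whose ephemeral port range goes above 5000 would need the bound raised or the limit dropped.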
 