
Cisco Newbie Please help.....


golson

I have absolutely no experience with routers and my company switched ISPs and decided to purchase a Cisco router, have the new ISP set it up and then it would be up to me to manage it. I need to know how to open a port on the router so my internal clients can use a Citrix ICA client app. I believe the ports are TCP 1494 and UDP 1604. I have the enable password and can get in to configure but I have no idea where to go from here. Can someone walk me through this process?

Thanks in advance,

Golson
 
My knowledge of configuring Cisco devices isn't that extensive.
What you should do is look into setting up access lists to permit that particular port on your interface. The Cisco website has lots of information on how to set up access lists.

Ryan

 
Still new on Cisco.
Try this one...

Hope this will help.

access-list 100 permit tcp any any eq 1494
access-list 100 permit udp any any eq 1604

 
Are you doing any NAT'ing (Network Address Translation) to an IP address on your ISP's network?
 
Supply a "show access-list". Log onto router and access enable mode. The router sounds as though it is being used as a firewall device as well as gateway.
PS ensure you remove any outside IP addresses from any posts to prevent spotty kids hacking your system!
 
Access-lists have an implicit deny at the end of a line of statements. For example, what marlon posted will only allow that specific traffic and all else will be denied. So whatever else is on the router can be important.
 
Here is what I get when I enter a show access-list from enable mode:

Standard IP access list 1
permit 192.168.X.X, wildcard bits 0.0.0.255

We are using NAT and do have some ports forwarded for incoming traffic, e-mail etc. This app needs to go outside. Should I try the commands that marlon posted? Or do I need to do something else?
 
The reason I asked about NAT is that Citrix embeds the server's IP address in the packet payload. This can cause issues with NAT since the router only translates the IP headers.

There is a server patch and some documentation on it at (just type in NAT in the search field.)

You'll also need to apply the ACL to an interface. But if you're trying to filter at the port level you'll need to create an extended access list. Here's an example from one of the routers we have:

ip access-list extended COMCAST
permit icmp any any echo
permit icmp any any echo-reply
permit tcp host 4.3.2.1 eq 80 1.2.3.0 0.0.3.255 gt 1023
...
permit tcp host 4.3.2.1 eq 443 1.2.3.0 0.0.3.255 gt 1023
.....
....
...

This ACL is allowing a specific address 4.3.2.1 on TCP port 80 and 443 to talk to the 1.2.3.0 255.255.252.0 network on any port greater than 1023. Notice that the subnet mask for network 1.2.3.0 is inverted. ACLs use inverse masks to match subnets. There's a good IP Calc at -> Products and under Free Utilities. That will figure inverse masks. Also note that this ACL will deny all other traffic that is not listed. This is done by default.

You'll also need to apply the ACL to an interface. Example:

interface Serial0/0
ip access-group COMCAST in

There are two options for applying the ACL to an interface: in and out. Inbound (most common) is filtering traffic coming in on that interface. Out, of course, filters outbound traffic. You'll have to be careful of the order in which you write the ACL, since how you apply the ACL dictates the function of the ACL. (The ACL above would have to be written in reverse if applied as an outbound ACL.)

To see if you are getting "hits" on the ACL issue the show ip access command. You should notice hit counters incrementing.

Hope this helps you out.
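
The first-match and implicit-deny behaviour discussed in this thread, as an added example that is not code from any of the posters: a small Python model of extended ACL evaluation. It handles only the `any`, `host`, address-plus-wildcard, `eq` and `gt` forms that appear in the entries above, and its function names are hypothetical.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def inverse_mask(netmask):
    """Subnet mask -> ACL wildcard mask, e.g. 255.255.252.0 -> 0.0.3.255."""
    return str(ipaddress.IPv4Address(to_int(netmask) ^ 0xFFFFFFFF))

def _addr(t):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = t.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(t.pop(0)), 0
    return to_int(first), to_int(t.pop(0))

def _port(t):  # optional 'eq N' or 'gt N' after an address
    return (t.pop(0), int(t.pop(0))) if t and t[0] in ("eq", "gt") else None

def parse_ace(line):
    t = line.split()
    t = t[2:] if t[0] == "access-list" else t  # drop "access-list 100"
    action, proto = t.pop(0), t.pop(0)
    src, sport = _addr(t), _port(t)
    dst, dport = _addr(t), _port(t)
    return action, proto, src, sport, dst, dport

def _ip_ok(ip, rule):
    base, wild = rule
    # Wildcard bits set to 1 are "don't care"; all other bits must match.
    return (to_int(ip) | wild) == (base | wild)

def _port_ok(port, rule):
    return rule is None or (port == rule[1] if rule[0] == "eq" else port > rule[1])

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; no match means the implicit deny applies."""
    for line in acl:
        action, p, s, sp, d, dp = parse_ace(line)
        if (p in (proto, "ip") and _ip_ok(src, s) and _port_ok(sport, sp)
                and _ip_ok(dst, d) and _port_ok(dport, dp)):
            return action
    return "deny"

ACL_100 = ["access-list 100 permit tcp any any eq 1494",  # as posted in the thread
           "access-list 100 permit udp any any eq 1604"]
COMCAST = ["permit tcp host 4.3.2.1 eq 443 1.2.3.0 0.0.3.255 gt 1023"]
```

With a constructed packet, `evaluate(ACL_100, "tcp", "192.168.1.10", 40000, "203.0.113.5", 80)` returns `"deny"`: applying access list 100 on its own would let the Citrix ports through and drop everything else.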
 