
question on opening a port on my cisco router

Status
Not open for further replies.

lance70

Technical User
Jan 21, 2009
33
US
Hi, our company has a vpn connection and we just received an e-mail from our customer who we must use a vpn connection with. We need to add the following and I'm not sure if I do this under my general access-list or if it has to be done under our vpn access-list? If it's under the VPN list how would I enter the following? Thank you.

For 135.113.4.30 and 135.113.4.22, open TCP ports 80, 8080 and 443

135.113.119.199 & 135.113.119.200
ports 23 and 6000-6063
 
post a scrubbed config of your router

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BCI
!
boot-start-marker
boot-end-marker

!
username privilege 15 secret 5 $1.
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254
!
ip dhcp pool pool-dhcp
network 192.168.1.0 255.255.255.0
dns-server 151.164.14.201 151.164.1.8
default-router 192.168.1.1
lease infinite
!
ip dhcp pool POOL-DHCP
dns-server 151.164.14.201 151.164.1.8
default-router 192.168.1.1
!
!
ip domain name yourdomain.com
ip name-server 0.0.0.0
ip name-server 0.0.0.0
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 18
encr 3des
authentication pre-share
group 2
crypto isakmp key !B3ck3r13! address 0.0.0.0!
crypto ipsec transform-set Alternative esp-3des esp-sha-hmac
!
crypto map mymap 11 ipsec-isakmp
set peer 0.0.0.0
set transform-set Alternative
set pfs group2
match address 148
!
!
!
interface Ethernet0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Ethernet1
no ip address
duplex auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address 0.0.0.0 255.255.255.248
ip access-group 120 in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxx
ppp chap password 0 xxxxxxx
ppp pap sent-username xxxxxxx password 0 xxxxxxxx
crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.1.126 3389 interface Dialer1 3390
ip nat inside source static tcp 192.168.1.125 3389 interface Dialer1 3389
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 192.168.1.123 3389 interface Dialer1 3391
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 permit tcp any any established
access-list 120 permit udp any any eq domain
access-list 120 permit udp any eq domain any
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq pop3
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any gt 1023 any eq ftp-data
access-list 120 permit tcp any any gt 1023
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 69
access-list 120 permit tcp any any eq finger
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 161
access-list 120 permit tcp any any eq 144
access-list 120 permit tcp any any eq 115
access-list 120 permit tcp any any eq ident
access-list 120 permit icmp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit udp any any eq non500-isakmp
access-list 120 permit esp any any
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 1521
access-list 120 permit tcp any any eq 15000
access-list 120 permit tcp any any eq 139
access-list 120 permit tcp any any eq 812
access-list 120 permit tcp any any eq 813
access-list 120 permit tcp any any eq 814
access-list 120 permit tcp any any eq 815
access-list 120 permit tcp any any eq 816
access-list 120 permit tcp any any eq 817
access-list 120 permit tcp any any eq 818
access-list 120 permit tcp any any eq 819
access-list 120 permit tcp any any eq 820
access-list 120 permit tcp any any eq 821
access-list 120 permit tcp any any eq 1701
access-list 120 permit tcp any any eq 1702
access-list 120 permit tcp any any eq 1703
access-list 120 permit tcp any any eq 1704
access-list 120 permit tcp any any eq 1705
access-list 120 permit tcp any any eq 1706
access-list 120 permit tcp any any eq 1707
access-list 120 permit tcp any any eq 32771
access-list 120 permit tcp any any eq ftp-data
access-list 120 permit tcp any any eq 9443
access-list 120 permit tcp any any eq 563
access-list 120 permit tcp any any eq 448
access-list 120 permit udp any any eq snmp
access-list 120 permit tcp any any eq 30
access-list 120 permit tcp any any eq 8443
access-list 120 permit tcp any any eq 10010
access-list 120 permit tcp any any eq 9906
access-list 120 permit tcp any any eq 5900
access-list 129 permit ip 192.168.1.0 0.0.0.255 any
access-list 148 permit ip host 0.0.0.0 150.235.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 129.245.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 132.201.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 144.155.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 144.148.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 135.37.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 135.38.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 135.155.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 135.188.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 155.179.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 135.38.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 135.40.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 135.51.0.0 0.0.255.255
access-list 148 permit ip host 0.0.0.0 135.113.0.0 0.0.255.255
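
Added example, not from the thread or the poster's router: a small Python checker that parses extended numbered ACL lines like the ones above and applies IOS first-match semantics, so you can see which list a given flow hits (120 is the inbound filter on Dialer1; 148 is only the crypto map's match list that selects traffic for encryption, and its 135.113.0.0/16 entry already covers the customer's 135.113.x hosts). The sample lines are copied from the posted config, 0.0.0.0 is the poster's scrubbed tunnel source, and the 203.0.113.x test address is constructed.

```python
import ipaddress

# IOS service keywords used in the posted config, mapped to port numbers (subset).
PORTS = {"telnet": 23, "www": 80, "domain": 53, "smtp": 25, "pop3": 110, "ftp": 21,
         "ftp-data": 20, "finger": 79, "ident": 113, "isakmp": 500,
         "non500-isakmp": 4500, "snmp": 161}

def _addr(t):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'; return (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    mask = ".".join(str(255 - int(o)) for o in t[1].split("."))  # wildcard -> netmask
    return ipaddress.ip_network(f"{t[0]}/{mask}", strict=False), t[2:]

def _port(t):
    """Consume an optional 'eq|gt|lt PORT' operator; return (predicate, rest)."""
    if t and t[0] in ("eq", "gt", "lt"):
        n = int(t[1]) if t[1].isdigit() else PORTS[t[1]]
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[t[0]], t[2:]
    return (lambda p: True), t

def parse_entry(line):
    """Parse one extended (100-199) numbered ACL line; None for any other line."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
        return None
    src, rest = _addr(t[4:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return {"acl": t[1], "action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in rest}

def evaluate(config, acl, proto, src, dst, sport=0, dport=0, established=False):
    """First matching entry wins, as on IOS; no match means the implicit deny."""
    for e in filter(None, map(parse_entry, config.splitlines())):
        if e["acl"] != acl or e["proto"] not in ("ip", proto):
            continue
        if e["established"] and not established:  # only matches ACK/RST segments
            continue
        if (ipaddress.ip_address(src) in e["src"] and e["sport"](sport)
                and ipaddress.ip_address(dst) in e["dst"] and e["dport"](dport)):
            return e["action"]
    return "deny"

# Constructed sample: a few lines copied verbatim from the config posted in the thread.
SAMPLE = """access-list 120 permit tcp any any established
access-list 120 permit tcp any any gt 1023
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq www
access-list 148 permit ip host 0.0.0.0 135.113.0.0 0.0.255.255
"""
```

Run against the full config, the checker makes it visible that the "gt 1023" entry in ACL 120 already admits any inbound TCP port above 1023 (including 8080) from anywhere, so the customer's request is mostly a question for the crypto side, not the interface filter.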
 
What you are describing is not a vpn, just opening ports for a certain host out in No Man's Land.

Also, I would NEVER open telnet over the internet...you may as well put your private data on an anonymous FTP server...

/
 
Thanks. Well, one of the firewall addresses shows that it uses port 23; it's on the sheet our customer gave us. We are confused on all this anyway, thanks.
 
I actually don't understand your config...why the public addresses? What lies between the machines with the public IP addresses and the router???

I have never seen an IPSEC tunnel built like this...

/
 
Honestly I don't know, someone from Cisco actually set this up when I first bought the router for our company. We are supposed to have a B2B VPN circuit. I may have to contract someone to program this, thanks.
 