Ports not open

Posted Jun 2, 2013 8:41:59 AM

I have the 3801HGV router... and a Cisco 2600 router behind it.

I have 5 static IPs that are currently assigned to a WWW, FTP and Exchange server.

I followed the instructions in the forums to properly set up my Cisco router.

When I do a port scan from the web I do NOT see ports 80, 443, 21, or 25 open.

What is next?

Solved
Jun 2, 2013 10:05:48 AM
Expert

Again, as I stated in the last post, you cannot use multiple static IP addresses on the outside interface of the Cisco. You cannot use:

107.219.166.18 and 19 and 20

You must configure the outside IP address to only ONE static IP address, and use NAT/PAT to direct the internal services to different servers.

Also, I think there are some things in your firewall/access list that are not correct.

See here for a representative Cisco configuration. This uses DHCP on the outside IP address instead of a static, but the NAT and access list configuration is almost identical.

https://forums.att.com/t5/Residential-Gateway/U-verse-for-BUSINESS-2Wire-3600HGV-bridge-mode-or-another-AT-amp/m-p/2719759#M259

Replies (9)

Jun 2, 2013 8:55:42 AM
Expert
You cannot assign multiple static IP addresses to the same device (same MAC address), as this will confuse the 2Wire router. If you have all of the static IP addresses pointed to your Cisco, that will not work.

You need to choose one static IP address to use on the WAN port of the Cisco, and then use NAT to put all of your servers behind it on private IP addresses. Configure the Cisco to port-forward with NAT, and allow the inbound traffic on the WAN port access list.

Jun 2, 2013 9:05:49 AM
Tutor
Edited by DAVE66-1 on Jun 2, 2013 at 9:11:04 AM

OK... The WWW, FTP and Exchange point to different private IPs internally.

107.219.166.xxx is pointed to the Cisco router
107.219.166.xx is pointed to the web server
107.219.166.xx is pointed to the Serv-U FTP server
107.219.166.xx is pointed to the Exchange server


ip nat inside source static tcp 192.168.0.1 80 107.219.166.18 80 extendable
ip nat inside source static tcp 192.168.0.10 25 107.219.166.19 25 extendable
ip nat inside source static tcp 192.168.0.1 21 107.219.166.20 21 extendable
ip nat inside source static tcp 192.168.0.1 990 107.219.166.20 990 extendable
!
logging trap debugging
logging 192.168.0.1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark DNS PROTOCOL
access-list 101 permit tcp host 192.168.0.1 eq domain host 107.219.166.17
access-list 101 permit udp host 192.168.0.1 eq domain host 107.219.166.17
access-list 101 permit tcp host 192.168.0.10 eq domain host 107.219.166.17
access-list 101 permit udp host 192.168.0.10 eq domain host 107.219.166.17
access-list 101 permit udp host 4.2.2.4 eq domain host 107.219.166.17
access-list 101 permit udp host 4.2.2.3 eq domain host 107.219.166.17
access-list 101 permit udp host 4.2.2.2 eq domain host 107.219.166.17
access-list 101 remark FTP PROTOCOL
access-list 101 permit tcp any host 107.219.166.20 eq ftp
access-list 101 permit tcp any host 107.219.166.20 eq ftp-data range 1075 1085
access-list 101 permit tcp any host 107.219.166.20 eq 990
access-list 101 remark WWW PROTOCOL
access-list 101 permit tcp any host 107.219.166.18 eq www
access-list 101 remark SMTP PROTOCOL
access-list 101 permit tcp any host 107.219.166.19 eq smtp
access-list 101 remark uTORRENT
access-list 101 permit tcp any any eq 55368
access-list 101 permit tcp any any eq 60817
access-list 101 remark ICMP PROTOCOL
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any source-quench
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.0.0 0.0.0.255 any

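What the single-address layout the Expert describes looks like on the Cisco, written against the NAT and access-list lines posted above. This is an added example, not a configuration from the thread or from AT&T. It keeps the page's own inside hosts (192.168.0.1 for web and FTP, 192.168.0.10 for Exchange) and keeps 107.219.166.17 on the Cisco, the address the posted DNS entries already reply to, with the /29 mask a five-address block implies; 443 comes from the first post's scan list. The interface names FastEthernet0/0 and 0/1, the LAN address 192.168.0.254, the list name OUTSIDE-IN and the inspect rule LAN-OUT are assumptions, as is an IOS image with the firewall feature set (CBAC), which the SDM firewall wizard that produced the posted lists relies on; without it, `permit tcp any any established` is the weaker fallback for return traffic. Compared with the posted list: every service is published on the one address, the anti-spoofing denies come before any permit (as posted, `permit ip 192.168.0.0 0.0.0.255 any` matches before the later denies of the same range, so those never fire), the entry that combines `eq ftp-data` with `range 1075 1085` is dropped because an IOS entry takes one port operator per address, and the `any any` uTorrent permits are left out.

```cisco
! Added example: one outside address, per-port static NAT (PAT) for each published service,
! and a tight inbound list on the outside interface. Interface names, 192.168.0.254,
! OUTSIDE-IN and LAN-OUT are assumptions; the inside hosts are the ones the thread posted.
!
! Return traffic for sessions the LAN opens (web, DNS, ...) is admitted by stateful
! inspection rather than by static permits, so the inbound list below stays short.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
!
! Published services. Every one rides the same outside address, told apart by port.
! 192.168.0.1 = web/FTP host, 192.168.0.10 = Exchange, as in the posted NAT lines.
ip nat inside source static tcp 192.168.0.1 80 107.219.166.17 80 extendable
ip nat inside source static tcp 192.168.0.1 443 107.219.166.17 443 extendable
ip nat inside source static tcp 192.168.0.10 25 107.219.166.17 25 extendable
ip nat inside source static tcp 192.168.0.1 21 107.219.166.17 21 extendable
ip nat inside source static tcp 192.168.0.1 990 107.219.166.17 990 extendable
!
! Everything else the LAN sends out is overloaded onto that same address.
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Inbound on the outside interface. The list is checked before NAT, so destinations are
! the outside address. Order matters: spoofed sources are dropped before any permit.
ip access-list extended OUTSIDE-IN
 remark anti-spoofing: these sources never legitimately arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 remark published services, one entry per static NAT line above
 permit tcp any host 107.219.166.17 eq www
 permit tcp any host 107.219.166.17 eq 443
 permit tcp any host 107.219.166.17 eq smtp
 permit tcp any host 107.219.166.17 eq ftp
 permit tcp any host 107.219.166.17 eq 990
 remark ICMP a router needs for path MTU discovery and traceroute; inbound echo is not needed
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside: the one static address kept on the Cisco, facing the 2Wire
 ip address 107.219.166.17 255.255.255.248
 ip access-group OUTSIDE-IN in
 ip inspect LAN-OUT out
 ip nat outside
!
interface FastEthernet0/1
 description Inside LAN
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
!
! The default route toward the 2Wire is not shown; keep the existing one.
```

After pasting, `show ip nat translations` should list the five static entries with 107.219.166.17 as the inside global address, and `show access-lists OUTSIDE-IN` shows hit counts climbing on the service permits as an outside scan reaches 80, 443, 25, 21 and 990; anything the 2Wire still sends to .18, .19 or .20 never arrives at the Cisco at all, which is why those ports looked closed.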
Jun 2, 2013 2:45:57 PM
Tutor

Thanks, I found the problem...

I changed everything to a single IP address and made some changes to my ACLs.

Jun 2, 2013 5:20:02 PM
Expert

Cool, glad you got it working. :)

Jun 2, 2013 11:33:06 PM
Tutor

Well, Serv-U FTP is the only thing not working right.

I have a PASV range of 50000-50015... both on the server and in my ACL.

When I connect it grabs the PASV port range, but then it cannot connect to the server... times out.

Does AT&T block ports 20 & 21?

Jun 3, 2013 6:02:36 PM
Expert
No, ports 20 and 21 are not blocked.

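The passive-FTP symptom in the exchange above (the client receives the PASV reply and then times out) is what a per-port static NAT layout produces when only the control ports are translated: the statics for 21 and 990 carry the control connection, and the data connection to 50000-50015 arrives for a port the router has no translation for, whatever the ACL says. The fragment below is an added example, not configuration from the thread; it assumes 107.219.166.17 is the address kept on the Cisco, that Serv-U stays at 192.168.0.1 as in the posted NAT lines, and that the inbound list on the outside interface is a named extended list called OUTSIDE-IN (an assumed name; the posted config used numbered list 101).

```cisco
! Added example: give every passive data port its own static translation. IOS static PAT
! has no range form, so it is one line per port. 50000-50015 is the range set on Serv-U.
ip nat inside source static tcp 192.168.0.1 50000 107.219.166.17 50000 extendable
ip nat inside source static tcp 192.168.0.1 50001 107.219.166.17 50001 extendable
ip nat inside source static tcp 192.168.0.1 50002 107.219.166.17 50002 extendable
ip nat inside source static tcp 192.168.0.1 50003 107.219.166.17 50003 extendable
ip nat inside source static tcp 192.168.0.1 50004 107.219.166.17 50004 extendable
ip nat inside source static tcp 192.168.0.1 50005 107.219.166.17 50005 extendable
ip nat inside source static tcp 192.168.0.1 50006 107.219.166.17 50006 extendable
ip nat inside source static tcp 192.168.0.1 50007 107.219.166.17 50007 extendable
ip nat inside source static tcp 192.168.0.1 50008 107.219.166.17 50008 extendable
ip nat inside source static tcp 192.168.0.1 50009 107.219.166.17 50009 extendable
ip nat inside source static tcp 192.168.0.1 50010 107.219.166.17 50010 extendable
ip nat inside source static tcp 192.168.0.1 50011 107.219.166.17 50011 extendable
ip nat inside source static tcp 192.168.0.1 50012 107.219.166.17 50012 extendable
ip nat inside source static tcp 192.168.0.1 50013 107.219.166.17 50013 extendable
ip nat inside source static tcp 192.168.0.1 50014 107.219.166.17 50014 extendable
ip nat inside source static tcp 192.168.0.1 50015 107.219.166.17 50015 extendable
!
! The inbound list needs the same range; one 'range' entry covers all sixteen ports.
! Appending to a named list puts the new entry AFTER the final deny, where it never
! matches, so pull the deny, add the permit, and put the deny back last.
! (OUTSIDE-IN is an assumed list name.)
ip access-list extended OUTSIDE-IN
 no deny ip any any log
 permit tcp any host 107.219.166.17 range 50000 50015
 deny   ip any any log
!
! Serv-U must announce the public address, 107.219.166.17, in its PASV reply. On plain FTP
! (port 21) the IOS NAT FTP ALG rewrites the 192.168.0.1 in that reply on the way out; on
! implicit FTPS (port 990) the control channel is encrypted from the first byte, nothing on
! the router can read or rewrite it, so the external address has to be set on the server.
```

`show ip nat translations | include :5000` lists the sixteen static entries, and `show access-lists OUTSIDE-IN` should show the range permit ahead of the logged deny; a passive listing over port 990 then completes only once Serv-U has the public address configured, because the router cannot fix up the encrypted PASV reply for it.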
Jun 4, 2013 4:24:59 AM
Tutor

I got everything working now except for port 25... and I believe I have to PAY to get that open.

Jun 4, 2013 6:32:14 AM
Expert
Yes, that's correct. AT&T blocks outbound port 25 on residential accounts for spam control.

AT&T's paid technical support service (ConnectTech) will unblock outbound port 25 on request for a fee. The fee is charged so that only those with a legitimate need to run their own mail server will have the port opened.
