Ports not open
I have the 3801HVG router... and a Cisco 2600 router behind it.
I have 5 static IPs that are currently assigned to a WWW, FTP and Exchange server.
I followed the instructions in the forums to properly set up my Cisco router.
When I do a port scan from the web I do NOT see ports 80, 443, 21, or 25 open.
What is next??
Accepted Solution
SomeJoe7777
11 years ago
Again, as I stated in the last post, you cannot use multiple static IP addresses on the outside interface of the Cisco. You cannot use:
107.219.166.18 and 19 and 20
You must configure the outside IP address to only ONE static IP address, and use NAT/PAT to direct the internal services to different servers.
Also, I think there are some things in your firewall/access list that are not correct.
See here for a representative Cisco configuration. This uses DHCP on the outside IP address instead of a static, but the NAT and access list configuration is almost identical.
https://forums.att.com/t5/Residential-Gateway/U-verse-for-BUSINESS-2Wire-3600HGV-bridge-mode-or-another-AT-amp/m-p/2719759#M259
SomeJoe7777
11 years ago
You need to choose one static IP address to use on the WAN port of the Cisco, and then use NAT to put all of your servers behind it on private IP addresses. Configure the Cisco to port-forward with NAT, and allow the inbound traffic on the WAN port access list.
DAVE66-1
11 years ago
OK... The WWW, FTP and Exchange point to different private IPs internally.
107.219.166.xxx is pointed to the Cisco router
107.219.166.xx is pointed to the web server
107.219.166.xx is pointed to the Serv-U FTP server
107.219.166.xx is pointed to the Exchange server
ip nat inside source static tcp 192.168.0.1 80 107.219.166.18 80 extendable
ip nat inside source static tcp 192.168.0.10 25 107.219.166.19 25 extendable
ip nat inside source static tcp 192.168.0.1 21 107.219.166.20 21 extendable
ip nat inside source static tcp 192.168.0.1 990 107.219.166.20 990 extendable
!
logging trap debugging
logging 192.168.0.1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark DNS PROTOCOL
access-list 101 permit tcp host 192.168.0.1 eq domain host 107.219.166.17
access-list 101 permit udp host 192.168.0.1 eq domain host 107.219.166.17
access-list 101 permit tcp host 192.168.0.10 eq domain host 107.219.166.17
access-list 101 permit udp host 192.168.0.10 eq domain host 107.219.166.17
access-list 101 permit udp host 4.2.2.4 eq domain host 107.219.166.17
access-list 101 permit udp host 4.2.2.3 eq domain host 107.219.166.17
access-list 101 permit udp host 4.2.2.2 eq domain host 107.219.166.17
access-list 101 remark FTP PROTOCOL
access-list 101 permit tcp any host 107.219.166.20 eq ftp
access-list 101 permit tcp any host 107.219.166.20 eq ftp-data range 1075 1085
access-list 101 permit tcp any host 107.219.166.20 eq 990
access-list 101 remark WWW PROTOCOL
access-list 101 permit tcp any host 107.219.166.18 eq www
access-list 101 remark SMTP PROTOCOL
access-list 101 permit tcp any host 107.219.166.19 eq smtp
access-list 101 remark uTORRENT
access-list 101 permit tcp any any eq 55368
access-list 101 permit tcp any any eq 60817
access-list 101 remark ICMP PROTOCOL
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any source-quench
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
DAVE66-1
11 years ago
Thanks, I found the problem...
I changed everything to a single IP address and made some changes to my ACLs.
SomeJoe7777
11 years ago
Cool, glad you got it working.
DAVE66-1
11 years ago
Well, Serv-U FTP is the only thing not working right.
I have a PASV range of 50000-50015... both on the server and in my ACL.
When I connect it grabs the PASV port range but then it cannot connect to the server... times out.
Does AT&T block ports 20 & 21??
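The following Cisco IOS configuration is an added example, not the poster's config and not one SomeJoe7777 supplied. It puts into one place the advice earlier in the thread (one public address on the WAN port, static port NAT to select the server, an inbound WAN access list that permits only the published ports) and the passive-FTP detail raised in the post above: the server's PASV data range has to be both translated and permitted, not only permitted. Assumptions: 107.219.166.18 is the single public address chosen from the poster's block, the WAN and LAN interfaces are FastEthernet0/0 and FastEthernet0/1, 192.168.0.1 hosts web and FTP and 192.168.0.10 hosts Exchange (as in the posted config), and the PASV range is 50000-50015.

```cisco
! Added example configuration (interface names and the LAN gateway address are assumptions)
interface FastEthernet0/0
 description WAN toward the 3801HVG; ONE public address, never one per server
 ip address 107.219.166.18 255.255.255.248
 ip access-group 101 in
 ip nat outside
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
!
! Static port NAT: all servers share the one public address, the destination port picks the server
ip nat inside source static tcp 192.168.0.1 80 107.219.166.18 80 extendable
ip nat inside source static tcp 192.168.0.1 443 107.219.166.18 443 extendable
ip nat inside source static tcp 192.168.0.10 25 107.219.166.18 25 extendable
ip nat inside source static tcp 192.168.0.1 21 107.219.166.18 21 extendable
ip nat inside source static tcp 192.168.0.1 990 107.219.166.18 990 extendable
! Passive FTP: the client opens a NEW inbound connection to a port in the server's PASV range,
! so every port in that range needs its own static entry (IOS static TCP NAT has no range form)
ip nat inside source static tcp 192.168.0.1 50000 107.219.166.18 50000 extendable
ip nat inside source static tcp 192.168.0.1 50001 107.219.166.18 50001 extendable
ip nat inside source static tcp 192.168.0.1 50002 107.219.166.18 50002 extendable
ip nat inside source static tcp 192.168.0.1 50003 107.219.166.18 50003 extendable
ip nat inside source static tcp 192.168.0.1 50004 107.219.166.18 50004 extendable
ip nat inside source static tcp 192.168.0.1 50005 107.219.166.18 50005 extendable
ip nat inside source static tcp 192.168.0.1 50006 107.219.166.18 50006 extendable
ip nat inside source static tcp 192.168.0.1 50007 107.219.166.18 50007 extendable
ip nat inside source static tcp 192.168.0.1 50008 107.219.166.18 50008 extendable
ip nat inside source static tcp 192.168.0.1 50009 107.219.166.18 50009 extendable
ip nat inside source static tcp 192.168.0.1 50010 107.219.166.18 50010 extendable
ip nat inside source static tcp 192.168.0.1 50011 107.219.166.18 50011 extendable
ip nat inside source static tcp 192.168.0.1 50012 107.219.166.18 50012 extendable
ip nat inside source static tcp 192.168.0.1 50013 107.219.166.18 50013 extendable
ip nat inside source static tcp 192.168.0.1 50014 107.219.166.18 50014 extendable
ip nat inside source static tcp 192.168.0.1 50015 107.219.166.18 50015 extendable
! Everything else on the LAN goes out through the same public address (PAT)
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
!
! Inbound WAN filter. It is evaluated before NAT, so it matches the PUBLIC address,
! and it permits exactly the ports that have a static NAT entry above.
access-list 101 remark published services on the single public IP
access-list 101 permit tcp any host 107.219.166.18 eq www
access-list 101 permit tcp any host 107.219.166.18 eq 443
access-list 101 permit tcp any host 107.219.166.18 eq smtp
access-list 101 permit tcp any host 107.219.166.18 eq ftp
access-list 101 permit tcp any host 107.219.166.18 eq 990
access-list 101 permit tcp any host 107.219.166.18 range 50000 50015
access-list 101 remark replies to sessions the LAN opened (crude; ip inspect is the better tool)
access-list 101 permit tcp any host 107.219.166.18 established
access-list 101 permit udp any eq domain host 107.219.166.18
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 remark anti-spoofing and catch-all; the log entries show what an outside scan hit
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip any any log
```

The two lists are meant to be read side by side: a port that appears in the access list but has no NAT entry is accepted by the filter and then dropped by the router with nothing to translate it to, which from an outside port scanner looks exactly like "closed", and is the symptom the passive data range produces when only the ACL is updated. `show ip nat translations` and `show access-lists 101` (hit counters per line) are the two commands that tell those cases apart.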
SomeJoe7777
11 years ago
DAVE66-1
11 years ago
I got everything working now except for port 25... and I believe I have to PAY to get that open.
SomeJoe7777
11 years ago
AT&T's paid technical support service (ConnectTech) will unblock outbound port 25 on request for a fee. The fee is charged so that only those with a legitimate need to run their own mail server will have the port opened.