DAVE66-1's profile

Tutor

 • 

5 Messages

Sunday, June 2nd, 2013 3:41 PM

Ports not open

I have the 3801hvg router...and a Cisco 2600 router behind it

I have 5 static IPs that are currently assigned to a WWW, FTP and Exchange server.

I followed the instructions in the forums to properly set-up my Cisco router.

 

When I do a port scan from the WEB I do NOT see the ports 80, 443, 21, or 25 open

 

What is next??

Accepted Solution

Official Solution

Expert

 • 

9.4K Messages

11 years ago

Again, as I stated in the last post, you cannot use multiple static IP addresses on the outside interface of the Cisco.  You cannot use:

 

107.219.166.18 and 19 and 20

 

You must configure the outside IP address to only ONE static IP address, and use NAT/PAT to direct the internal services to different servers.

 

Also, I think there are some things in your firewall/access list that are not correct.

 

See here for a representative Cisco configuration.  This uses DHCP on the outside IP address instead of a static, but the NAT and access list configuration is almost identical.

 

https://forums.att.com/t5/Residential-Gateway/U-verse-for-BUSINESS-2Wire-3600HGV-bridge-mode-or-another-AT-amp/m-p/2719759#M259

 

 

Expert

 • 

9.4K Messages

11 years ago

You cannot assign multiple static IP addresses to the same device (same MAC) address, as this will confuse the 2Wire router. If you have all of the static IP addresses pointed to your Cisco, that will not work.

You need to choose one static IP address to use on the WAN port of the Cisco, and then use NAT to put all of your servers behind it on private IP addresses. Configure the Cisco to port-forward with NAT, and allow the inbound traffic on the WAN port access list.

Tutor

 • 

5 Messages

11 years ago

OK.....The WWW, FTP and Exchange point to different private ip's internally

 

107.219.166.xxx is pointed to the cisco router

 

107.219.166.xx is pointed to the web server

 

107.219.166.xx is pointed to the Serv-U FTP server

 

107.219.166.xx is pointed to the exchange server

ip nat inside source static tcp 192.168.0.1 80 107.219.166.18 80 extendable
ip nat inside source static tcp 192.168.0.10 25 107.219.166.19 25 extendable
ip nat inside source static tcp 192.168.0.1 21 107.219.166.20 21 extendable
ip nat inside source static tcp 192.168.0.1 990 107.219.166.20 990 extendable
!
logging trap debugging
logging 192.168.0.1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark DNS PROTOCOL
access-list 101 permit tcp host 192.168.0.1 eq domain host 107.219.166.17
access-list 101 permit udp host 192.168.0.1 eq domain host 107.219.166.17
access-list 101 permit tcp host 192.168.0.10 eq domain host 107.219.166.17
access-list 101 permit udp host 192.168.0.10 eq domain host 107.219.166.17
access-list 101 permit udp host 4.2.2.4 eq domain host 107.219.166.17
access-list 101 permit udp host 4.2.2.3 eq domain host 107.219.166.17
access-list 101 permit udp host 4.2.2.2 eq domain host 107.219.166.17
access-list 101 remark FTP PROTOCOL
access-list 101 permit tcp any host 107.219.166.20 eq ftp
access-list 101 permit tcp any host 107.219.166.20 eq ftp-data range 1075 1085
access-list 101 permit tcp any host 107.219.166.20 eq 990
access-list 101 remark WWW PROTOCOL
access-list 101 permit tcp any host 107.219.166.18 eq www
access-list 101 remark SMTP PROTOCOL
access-list 101 permit tcp any host 107.219.166.19 eq smtp
access-list 101 remark uTORRENT
access-list 101 permit tcp any any eq 55368
access-list 101 permit tcp any any eq 60817
access-list 101 remark ICMP PROTOCOL
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any source-quench
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
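
An added example, not part of the original thread: a small Python check that reads the static NAT and ACL 101 lines from the configuration posted above and reports where they depart from the advice given earlier in the thread (one outside address, each forward matched by an inbound permit). The function names and finding wording are this example's own, and the regular expressions cover only the line shapes that appear in this configuration.

```python
import re

# Excerpt of the configuration posted above: static NAT forwards, ACL 101 permits.
CONFIG = """\
ip nat inside source static tcp 192.168.0.1 80 107.219.166.18 80 extendable
ip nat inside source static tcp 192.168.0.10 25 107.219.166.19 25 extendable
ip nat inside source static tcp 192.168.0.1 21 107.219.166.20 21 extendable
ip nat inside source static tcp 192.168.0.1 990 107.219.166.20 990 extendable
access-list 101 permit tcp any host 107.219.166.20 eq ftp
access-list 101 permit tcp any host 107.219.166.20 eq 990
access-list 101 permit tcp any host 107.219.166.18 eq www
access-list 101 permit tcp any host 107.219.166.19 eq smtp
access-list 101 permit tcp any any eq 55368
"""

# Port names as IOS prints them; only the ones this excerpt uses.
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80}
NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"access-list \d+ permit (tcp|udp) any (?:host )?(\S+) eq (\S+)$")

def parse(config):
    forwards, permits = [], []  # both hold (proto, outside address, port) tuples
    for line in map(str.strip, config.splitlines()):
        if m := NAT_RE.match(line):
            proto, _inside, _iport, outside, oport = m.groups()
            forwards.append((proto, outside, int(oport)))
        elif m := ACL_RE.match(line):
            proto, dst, port = m.groups()
            port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
            permits.append((proto, dst, port))
    return forwards, permits

def covers(permit, forward):
    # A permit admits a forward when protocol and port match and the destination fits.
    return permit[0] == forward[0] and permit[2] == forward[2] and permit[1] in ("any", forward[1])

def audit(config):
    """List findings against the one-outside-address, NAT-plus-ACL advice."""
    forwards, permits = parse(config)
    findings = []
    if len(outside := sorted({f[1] for f in forwards})) > 1:
        findings.append("static NAT uses several outside addresses: " + ", ".join(outside))
    for f in forwards:
        if not any(covers(p, f) for p in permits):
            findings.append(f"forward {f[0]}/{f[2]} on {f[1]} has no matching ACL permit")
    for p in permits:
        if not any(covers(p, f) for f in forwards):
            findings.append(f"permit {p[0]}/{p[2]} to {p[1]} has no NAT forward behind it")
    return findings
```

Calling `audit(CONFIG)` on the excerpt returns two findings: the three outside addresses, and the inbound permit for port 55368 that no static forward uses.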


Tutor

 • 

5 Messages

11 years ago

Thanks I found the problem......

I changed everything to a single IP address and made some changes to my ACLs

Expert

 • 

9.4K Messages

11 years ago

Cool, glad you got it working. :)


Tutor

 • 

5 Messages

11 years ago

Well Serv-U FTP is the only thing not working right

 

I have a PASV range of 50000-50015...both on the server and in my ACL

 

When I connect it grabs the PASV port range but then it cannot connect to the server....times out

 

Does AT&T block port 20&21 ??

Expert

 • 

9.4K Messages

11 years ago

No, ports 20 and 21 are not blocked.

Tutor

 • 

5 Messages

11 years ago

I got everything working now except for port 25......and I believe I have to PAY to get that open

Expert

 • 

9.4K Messages

11 years ago

Yes, that's correct. AT&T blocks outbound port 25 on residential accounts for spam control.

AT&T's paid technical support service (ConnectTech) will unblock outbound port 25 on request for a fee. The fee is charged so that only those with a legitimate need to run their own mail server will have the port opened.