Cisco 877 Port Question
  • Cisco 877 Port Question

    Hi There,

    I have had to remove my trusty 837 with an 877 but am having a problem and would be grateful if someone could point me in the right direction please.

    I have set up the unit and my computers inside the network can get out, that's fine, however...

    I have several servers inside my network and an isa server.

    My problem is, or I can't figure out, how to set the following scenarios up:

    1) I have a website held externally which uses one of my internal servers for MS-SQL on port 1433. My thought was to use Permit<any Source IP><Port 1433><Destination Internal IP><Port 1433>; however, I then saw in the traffic logs that the site doesn't send the request on the same port all the time, but because it is coming from a fixed IP address I set a rule using the Firewall and ACL rules window of the 877 as Permit<Source Site IP><Port - any><Destination Internal IP><Port 1433>, but that does not work. Also, when I visit the site I see all content minus the SQL content, and looking at the traffic running through the router it is denying packets from the site?

    2) Am I correct in assuming that when setting up the rules you can just type in the port reference instead of choosing from the list available? That might sound like a silly question really, but I am just trying to make sure I am doing it correctly. The 837 was so simple in that you just said any traffic on this port, send it to this internal machine, so I don't see why it doesn't work as easily with the 877.

    I do have a few more questions but will wait to resolve this one first, and I would like to thank anyone in advance for any help given.

    Kind Regards

    Ray

  • #2
    Re: Cisco 877 Port Question

    Hi Ray,

    I have the 877 and I find it highly configurable and not too complex. These are the appropriate snippets from my config, using object groups for clarity:

    Code:

    !
    object-group network L1_JimHome 
     description Jim Willsher Home IP
     host 109.224.xxx.xx
    !
    object-group network L1_Mermaid 
     description Mermaid Site 1
     host 86.22.xx.xxx
    !
    object-group network L2_Allow_MSSQL 
     description Allow MS SQL from these hosts
     group-object L1_JimHome
     group-object L1_Mermaid
    !
    ...
    ...
    !
    interface Dialer0
     bandwidth inherit
     ip address negotiated
     ip access-group EXT-IN in
     ip access-group EXT-OUT out
     ip nat outside
     ip inspect fw out
    ...
    ...
    ip nat inside source static tcp 192.168.3.2 1433 interface Dialer0 1433
    ...
    ...
    ip access-list extended EXT-IN
     remark Inbound external interface
     remark The below set the rfc1918 private exclusions
     deny   ip 192.168.0.0 0.0.255.255 any
     deny   ip 172.16.0.0 0.15.255.255 any
     deny   ip 10.0.0.0 0.255.255.255 any
     remark Allow established sessions back in
     permit tcp any any established
     permit tcp object-group L2_Allow_MSSQL any eq 1433
     permit gre any any
     permit udp any eq domain any
     remark Standard acceptable icmp rules
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any source-quench
     permit icmp any any packet-too-big
     permit icmp any any time-exceeded
     deny   ip any any log-input
    ip access-list extended EXT-OUT
     remark Allow all outbound IP
     permit ip any any

    In other words, don't worry about the source port, just the destination port (1433). IMO it's very rare to want to specify a source port in a firewall when in a NAT world.


    Jim
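    An added illustration of the source-port point, not code from the thread or from Cisco: a small evaluator for the subset of IOS extended-ACL syntax used in the answer above (permit/deny, any/host/object-group/wildcard addresses, optional "eq" ports, implicit deny at the end). Assumptions are labelled in the comments: the object-group members are constructed placeholder addresses, since the post masks the real ones, and the two ACLs are reconstructions of the answer's rule and of the question's first attempt.

```python
import ipaddress

# Added example, not from the thread: evaluate the subset of IOS extended-ACL
# syntax used in the answer against sample packets. Object-group members are
# constructed placeholder addresses (the post masks its real ones).
OBJECT_GROUPS = {"L2_Allow_MSSQL": ["198.51.100.10", "203.0.113.20"]}

def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (networks, next index)."""
    t = tokens[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if t == "object-group":
        return [ipaddress.ip_network(h) for h in OBJECT_GROUPS[tokens[i + 1]]], i + 2
    # "<network> <wildcard>": ipaddress accepts the IOS wildcard as a host mask
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False)], i + 2

def _port(tokens, i):
    """Optional 'eq N' after an address; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """'permit|deny <proto> <src> [eq N] <dst> [eq N]' -> tuple of fields."""
    tokens = line.split()
    src, i = _addr(tokens, 2)
    sport, i = _port(tokens, i)
    dst, i = _addr(tokens, i)
    dport, _ = _port(tokens, i)
    return tokens[0], tokens[1], src, sport, dst, dport

def acl_decision(acl_lines, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, sport, dst, dport in map(parse_ace, acl_lines):
        if (p in ("ip", proto) and any(s in n for n in src) and any(d in n for n in dst)
                and sport in (None, src_port) and dport in (None, dst_port)):
            return action
    return "deny"

# The answer's approach: match the destination port only, restrict the source by address.
ANSWER_ACL = ["deny ip 192.168.0.0 0.0.255.255 any",
              "permit tcp object-group L2_Allow_MSSQL any eq 1433",
              "deny ip any any"]
# The question's first attempt also pins the client's (ephemeral) source port.
QUESTION_ACL = ["permit tcp any eq 1433 any eq 1433", "deny ip any any"]
```

    A SQL connection from the allowed web host arrives with a random high source port, so it matches the answer's rule but falls through to the implicit deny under the question's rule; the same evaluator also shows the rfc1918 entry dropping a spoofed private source.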

    • #3
      Re: Cisco 877 Port Question

      Hi Jimwillsher

      Thank you for your reply, sorry it took so long to see it, but work gets in the way sometimes.

      Many thanks for the help and advice. Is there a way to rate replies? I can't seem to see anything.

      Regards

      Ray
      (Hankypark)

      • #4
        Re: Cisco 877 Port Question

        No worries, hope you managed to get it sorted.


        Jim
