[c-nsp] closing ports
Michael K. Smith
mksmith at adhost.com
Thu Sep 24 13:01:03 EDT 2009
Hello:
On 9/23/09 11:58 PM, "abs" <abhishake00 at yahoo.com> wrote:
> Hello all,
> I am new to this so please excuse my ignorance.
>
> I am running the following version of IOS: Cisco IOS Software, 2800 Software
> (C2800NM-ADVENTERPRISEK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)
>
> I recently made some changes to the config at which point a port scan on the
> router is showing all ports to be open. I only want 80, 8080, and 22 to be
> open. I know this is something very basic but I cannot seem to figure it
> out. Here is my partial config. Please let me know if additional information
> is required. Thank you in advance.
>
> ==============================
>
> ip nat inside source list 2 interface Cable-Modem0/0/0 overload
> ip nat inside source list 4 interface Cable-Modem0/0/0 overload
> ip nat inside source static tcp 192.168.2.210 8080 interface Cable-Modem0/0/0 8080
> ip nat inside source static tcp 192.168.2.208 22 interface Cable-Modem0/0/0 22
> ip nat inside source static tcp 192.168.2.208 80 interface Cable-Modem0/0/0 80
>
> access-list 2 permit 192.168.2.0 0.0.0.255
> access-list 2 deny any
> access-list 4 permit 192.168.54.0 0.0.0.255
> access-list 4 deny any
>
> ================ end config ================
>
You will need to add an access-list for that traffic and apply it to the
appropriate interface. First off, do you want 80/8080/22 allowed in from
the outside, or in from your cable modems, or both? The answer to that
determines which interface(s) to apply the ACL to.
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 8080
access-list 100 permit tcp any any eq 22
! explicit deny for everything else (IOS ends every ACL with an implicit deny anyway)
access-list 100 deny ip any any
!
interface <whichever you want>
 ip access-group 100 in
Regards,
Mike
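As an added illustration of how an ACL like the one above is evaluated (this is my own example, not Mike's config, the poster's config, or a Cisco tool), here is a small Python model of IOS extended-ACL matching: first matching entry wins, an implicit deny sits at the end, "eq N" matches one destination port, and the optional "established" keyword matches only ACK/RST segments. The outside addresses, the port list and the extra "established" line are constructed assumptions for the demonstration; an interface with no access-group is modelled as passing everything, which is the state the original port scan was seeing.

```python
"""Model of Cisco IOS extended-ACL matching, written as an added example
for the thread above (not a Cisco tool and not the poster's config).
Semantics modelled: first matching entry wins, every ACL ends in an
implicit deny, 'eq N' matches one destination port, and 'established'
matches only TCP segments with ACK or RST set (reply traffic)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]  # (address, wildcard); wildcard bit 1 = don't care
ANY: AddrSpec = (0, 0xFFFFFFFF)


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip" (matches every protocol), "tcp", "udp", "icmp"
    src: AddrSpec
    dst: AddrSpec
    dst_port: Optional[int]   # from "eq N"; None means any port
    established: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    ack: bool = False         # True for ACK/RST segments (reply traffic)


def _parse_addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse numbered extended ACL lines in IOS syntax; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        t = line.lower().split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(Rule(t[2], t[3], src, dst, port, "established" in t[i:]))
    return rules


def _match_addr(spec: AddrSpec, addr: str) -> bool:
    net, wild = spec
    return (int(IPv4Address(addr)) | wild) == (net | wild)


def evaluate(rules: Optional[List[Rule]], pkt: Packet) -> str:
    """Return 'permit' or 'deny'. rules=None models an interface with no
    access-group applied, i.e. everything is forwarded."""
    if rules is None:
        return "permit"
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_match_addr(r.src, pkt.src) and _match_addr(r.dst, pkt.dst)):
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        if r.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return r.action
    return "deny"  # implicit deny at the end of every IOS ACL


def reachable_ports(rules: Optional[List[Rule]], dst: str, ports: List[int]) -> List[int]:
    """TCP ports a fresh connection (no ACK) from a constructed outside host reaches."""
    return [p for p in ports
            if evaluate(rules, Packet("tcp", "203.0.113.9", dst, p)) == "permit"]


# The ACL from the reply above (port 22, as the question asks).
ACL_TEXT = """
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 8080
access-list 100 permit tcp any any eq 22
access-list 100 deny ip any any
"""
# Same ACL plus a line for reply traffic of the NAT'd inside clients (assumed
# addition). Without it, an inbound ACL on the outside interface also drops
# the replies to connections the inside hosts opened: IOS ACLs are stateless.
ACL_WITH_ESTABLISHED = ACL_TEXT.replace(
    "access-list 100 deny ip any any",
    "access-list 100 permit tcp any any established\naccess-list 100 deny ip any any")

if __name__ == "__main__":
    # 198.51.100.1 stands in for the router's cable-modem address (constructed).
    scan = [22, 23, 80, 443, 8080]
    print("no ACL:  ", reachable_ports(None, "198.51.100.1", scan))
    print("ACL 100: ", reachable_ports(parse_acl(ACL_TEXT), "198.51.100.1", scan))
```

Running it prints every scanned port as reachable with no ACL applied and only 22, 80 and 8080 once ACL 100 is in place; the second ACL text shows the one extra line that keeps reply traffic for the inside clients working when the list is applied inbound on the outside interface.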