[c-nsp] closing ports

Michael K. Smith mksmith at adhost.com
Thu Sep 24 13:01:03 EDT 2009


Hello:


On 9/23/09 11:58 PM, "abs" <abhishake00 at yahoo.com> wrote:

> Hello all, 
> I am new to this so please excuse my ignorance.
> 
> I am running the following version of IOS: Cisco IOS Software, 2800 Software
> (C2800NM-ADVENTERPRISEK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)
> 
> I recently made some changes to the config at which point a port scan on the
> router is showing all ports to be open.  I only want 80, 8080, and 22 to be
> open.  I know this is something very basic but I cannot seem to figure it
> out.  Here is my partial config.  Please let me know if additional information
> is required.  Thank you in advance.
> 
> ==============================
> 
> ip nat inside source list 2 interface Cable-Modem0/0/0 overload
> ip nat inside source list 4 interface Cable-Modem0/0/0 overload
> ip nat inside source static tcp 192.168.2.210 8080 interface Cable-Modem0/0/0 8080
> ip nat inside source static tcp 192.168.2.208 22 interface Cable-Modem0/0/0 22
> ip nat inside source static tcp 192.168.2.208 80 interface Cable-Modem0/0/0 80
> 
> access-list 2 permit 192.168.2.0 0.0.0.255
> access-list 2 deny   any
> access-list 4 permit 192.168.54.0 0.0.0.255
> access-list 4 deny   any
> 
> ================ end config ================
> 
You will need to add an access-list for that traffic and apply it to the
appropriate interface.  First off, do you want 80/8080/22 allowed in from
the outside, or in from your cable modems, or both?  The answer to that
determines which interface(s) to apply the ACL to.

access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 8080
access-list 100 permit tcp any any eq 22
access-list 100 deny ip any any

interface <whichever you want>
 ip access-group 100 in

Regards,

Mike
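An added example, not code from this thread: a small Python model of how IOS walks a numbered extended access list (top-down, first match wins, implicit deny at the end), parsing the reply's list with ssh on 22. It also shows a caveat of applying that list inbound on the outside interface: the final deny also drops replies to TCP sessions the inside hosts opened through the NAT, unless a "permit tcp any any established" line (or stateful inspection) sits above it. Addresses used are documentation ranges, not the poster's.

```python
import ipaddress

def _addr(tokens):
    """Consume 'any' or 'A.B.C.D WILDCARD' and return (base, wildcard) as ints."""
    if tokens[0] == "any":
        return tokens[1:], (0, 0xFFFFFFFF)
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return tokens[2:], (base, wild)

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established]'."""
    aces = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # skip blank lines and unrelated config
        rest, src = _addr(t[4:])
        rest, dst = _addr(rest)
        port = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
        aces.append((t[2], t[3], src, dst, port, "established" in rest))
    return aces

def _match(spec, addr):
    base, wild = spec  # wildcard bits set to 1 are "don't care", as in IOS
    return (int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF == 0

def evaluate(aces, proto, src, dst, dport=None, ack=False):
    """Top-down, first match wins; 'ack' models the TCP ACK/RST bit 'established' tests."""
    for action, aproto, asrc, adst, port, established in aces:
        if aproto not in ("ip", proto) or not (_match(asrc, src) and _match(adst, dst)):
            continue
        if (port is not None and port != dport) or (established and not ack):
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS access list

# The reply's list with ssh on 22 (constructed sample input for this example).
ACL_100 = parse_acl([
    "access-list 100 permit tcp any any eq 80",
    "access-list 100 permit tcp any any eq 8080",
    "access-list 100 permit tcp any any eq 22",
    "access-list 100 deny ip any any",
])
# Same list with 'established' first, so replies to sessions that inside hosts
# opened through the NAT (SYN/ACK and later ACK-bearing segments) survive the deny.
ACL_100_RETURN = parse_acl(["access-list 100 permit tcp any any established"]) + ACL_100

if __name__ == "__main__":
    for name, acl in (("strict", ACL_100), ("with established", ACL_100_RETURN)):
        print(name, evaluate(acl, "tcp", "203.0.113.5", "198.51.100.1", dport=51000, ack=True))
```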


