
Open up P2P ports on a 2811 Router 1

Status
Not open for further replies.

drew1701d

Technical User
May 15, 2002
295
US
We have a Cisco 2811 (IOS 12.4) series router which also serves as our firewall to the outside world. One of our PCs internally needs the ports to work both ways for a P2P application we use to move and retrieve large amounts of data on the internet; this app is only partially working and indicates the firewall is still the issue.
Using external sites such as auditmypc.com and a couple of others to test whether the ports are open indicates they are not open: TCP 42087 and UDP 41976. If the ports are open, then everything should work fine.

The internal private IP is 10.10.10.30

Below is the entry in the router config which should work, according to what we've researched. Are we missing anything here? We are not tying it to a specific public IP address, as that changes since we only have a business cable internet ISP service and will not be purchasing a static IP.


ip nat inside source static tcp 10.10.10.30 42087 int FA0/1 42087
ip nat inside source static udp 10.10.10.30 41976 int FA0/1 41976

Thanks In Advance


"I'm certifiable, not certified. It just means my answers are from experience...not a book"
 
Those statements look good...
I would look to your Windows Firewall (or any other firewall on that PC)... make sure those ports are open there...
 
I have also downloaded eMule as another P2P app to test the functionality, and it too fails on those ports. The Windows Firewall is disabled, and I have disabled McAfee during tests to eliminate it from the equation. Would there be a setting on the Cisco switch that the PC is connected to that might also be a factor? I can't imagine one, but the switch (a 2950) is in its default out-of-the-box configuration with no weird VLANs or anything else.
Are there any settings I'm maybe missing on the router that I need to have enabled to make the statements work in the router config?

TIA
 
Do you have an inbound ACL applied on your router?

The switch wouldn't be blocking this type of traffic.


On your WAN interface, do you have an
ip access-group XXX in

statement?
It will need to allow those ports in.
 
Yes, we have an inbound ACL applied on the router; shown below is the WAN interface.

Interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 10.XXX.XXX.XXX 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed 100
no cdp enable

What should the inbound permit statement be?

TIA!
 
OK, well, you'll need to allow those two ports through that access-list as well.


So you're going to need

to add

permit tcp any host XXX eq 42087
permit udp any host XXX eq 41976

If your ACL ends with deny ip any any,

then you need to make sure those statements are applied ahead of that statement.
 
Below is my sanitized configuration. Yes, our WAN interface (FA0/0) is a private IP, as it is assigned by the cable modem, which has no firewall whatsoever and is just a plain cable modem. Any other ideas on what to add or change to get this to work?


vtel_r1#show config
Using 4444 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname vtel_r1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name vtel_r1.net
ip inspect max-incomplete high 20000000
ip inspect one-minute high 100000000
ip inspect tcp max-incomplete host 100000 block-time 0
ip inspect name DMZin tcp
ip inspect name DMZin udp
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1921375053
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1921375053
revocation-check none
rsakeypair TP-self-signed-1921377053
!
!
crypto pki certificate chain TP-self-signed-1921375053
certificate self-signed 01 nvram:IOS-Self-Sig#3301.cer
username vteladmin privilege 15 secret 5 $1$3WKI$seF393nxHIrEZVFD8n9TZ0
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 10.252.4.2 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed 100
no cdp enable
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
ip access-group 103 in
ip access-group 104 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect DMZin in
ip virtual-reassembly
duplex full
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.252.4.1
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat translation timeout 300
ip nat pool poolsp10 netmask 255.255.255.248
address 19X.XX.XX.XX
ip nat inside source list 10 pool poolsp10
ip nat inside source static udp 10.10.10.30 41976 interface FastEthernet0/1 41976
ip nat inside source static tcp 10.10.10.30 42087 interface FastEthernet0/1 42087
!
access-list 2 deny any log
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 101 permit icmp any any
access-list 101 permit ip any any
access-list 101 permit tcp any host 10.252.4.2 eq 42087
access-list 101 permit udp any host 10.252.4.2 eq 41976
access-list 101 deny ip any host 10.252.3.2 log
access-list 103 permit icmp 10.10.10.0 0.0.0.255 any
access-list 103 permit tcp 10.10.10.0 0.0.0.255 any
access-list 103 permit udp 10.10.10.0 0.0.0.255 any
access-list 103 deny ip any any log
access-list 104 permit icmp any 10.10.10.0 0.0.0.255
access-list 104 deny ip any any log
snmp-server community public RO
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CC
This is a private computer system. Unauthorized access is prohibited.
^C
!
line con 0
exec-timeout 15 0
logging synchronous
login local
line aux 0
access-class 2 in
no exec
line vty 0 4
access-class 2 in
privilege level 15
login local
no exec
transport input none
line vty 5 15
access-class 2 in
privilege level 15
login local
no exec
transport input none
!
scheduler allocate 20000 1000
!
end
 
I would assume your IP access-list 104 is blocking it..
Since these connections originate from outside, you need to allow them all the way in.

Is there a reason you have an inbound ACL on your WAN and LAN?

 
No reason that I know of. I inherited this setup and never really understood it; I assumed it was part of the firewall functionality in the config. Which ACL are you suggesting I remove, and which should I modify?
TIA
 
Well, you have the required statements in your ACL 101,
but 104, if you want to leave it on, will require


conf t
no access-list 104
access-list 104 permit icmp any 10.10.10.0 0.0.0.255
access-list 104 permit tcp any host 10.10.10.30 eq 42087
access-list 104 permit udp any host 10.10.10.30 eq 41976
access-list 104 deny ip any any log
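The fix above works because IOS evaluates an ACL top to bottom and stops at the first matching entry, with an implicit "deny ip any any" at the end. The following is an added example, not code from the thread: a small Python evaluator for the numbered extended ACL syntax posted above. It replays the two P2P flows through ACL 101 (inbound on Fa0/0, which sees the untranslated address 10.252.4.2) and through ACL 104 before and after the change (outbound on Fa0/1, which sees the translated inside host 10.10.10.30), and it also flags entries that can never match because an earlier, broader entry covers them, which is the case for the port permits in ACL 101 sitting below "permit ip any any". The remote peer address 198.51.100.7 is constructed for the example; the ACL text is copied from the posts.

```python
"""Added example (not from the thread): first-match evaluation of the
numbered extended ACLs posted above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL text copied from the posted config; ACL 104 "after" is the accepted fix.
ACL_101 = """
access-list 101 permit icmp any any
access-list 101 permit ip any any
access-list 101 permit tcp any host 10.252.4.2 eq 42087
access-list 101 permit udp any host 10.252.4.2 eq 41976
access-list 101 deny ip any host 10.252.3.2 log
"""
ACL_104_BEFORE = """
access-list 104 permit icmp any 10.10.10.0 0.0.0.255
access-list 104 deny ip any any log
"""
ACL_104_AFTER = """
access-list 104 permit icmp any 10.10.10.0 0.0.0.255
access-list 104 permit tcp any host 10.10.10.30 eq 42087
access-list 104 permit udp any host 10.10.10.30 eq 41976
access-list 104 deny ip any any log
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # ip, icmp, tcp or udp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq", else None
    log: bool
    text: str


def _addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume one address term: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)


def parse_extended_acl(config: str) -> list:
    """Parse 'access-list <100-199> permit|deny PROTO SRC DST [eq PORT] [log]'.
    Only the numbered extended syntax used on this page is handled."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or not tok[1].isdigit():
            continue
        if not 100 <= int(tok[1]) <= 199:
            continue                      # standard ACLs (1-99) use other syntax
        action, proto, rest = tok[2], tok[3], tok[4:]
        src = _addr(rest)
        dst = _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport, rest = int(rest[1]), rest[2:]
        aces.append(Ace(action, proto, src, dst, dport, "log" in rest, line.strip()))
    return aces


def evaluate(aces: list, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """IOS first-match: the first ACE covering the packet decides; a packet
    matching nothing hits the implicit 'deny ip any any' (returned as None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace
    return "deny", None


def shadowed(aces: list) -> list:
    """ACEs that can never match because an earlier, broader ACE already
    covers every packet they describe (the 'permit ip any any' trap)."""
    dead = []
    for i, ace in enumerate(aces):
        for prev in aces[:i]:
            if (prev.proto in ("ip", ace.proto)
                    and ace.src.subnet_of(prev.src) and ace.dst.subnet_of(prev.dst)
                    and (prev.dport is None or prev.dport == ace.dport)):
                dead.append(ace)
                break
    return dead


def run_checks() -> dict:
    """Trace both P2P flows in the order the router applies the ACLs to
    outside-originated traffic: ACL 101 in on Fa0/0 (pre-NAT address),
    then ACL 104 out on Fa0/1 (post-NAT inside host)."""
    acl101 = parse_extended_acl(ACL_101)
    before = parse_extended_acl(ACL_104_BEFORE)
    after = parse_extended_acl(ACL_104_AFTER)
    peer = "198.51.100.7"  # constructed remote peer (documentation range)
    return {
        "101_tcp": evaluate(acl101, "tcp", peer, "10.252.4.2", 42087),
        "101_shadowed": shadowed(acl101),
        "104_before_tcp": evaluate(before, "tcp", peer, "10.10.10.30", 42087),
        "104_before_udp": evaluate(before, "udp", peer, "10.10.10.30", 41976),
        "104_after_tcp": evaluate(after, "tcp", peer, "10.10.10.30", 42087),
        "104_after_udp": evaluate(after, "udp", peer, "10.10.10.30", 41976),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        if name.endswith("shadowed"):
            print(name, [a.text for a in result])
        else:
            action, ace = result
            print(name, action, "<-", ace.text if ace else "implicit deny")
```

Run as-is it shows the "before" ACL 104 dropping (and logging) both flows on its "deny ip any any log" line, the "after" ACL permitting them, and three entries of ACL 101 reported as unreachable: in the posted config everything inbound on Fa0/0 is already accepted by "permit ip any any", so the two port permits and the final deny below it never fire, and the router's only effective filter for this traffic is ACL 104. One further thing worth verifying in the posted config, which this script does not model: in "ip nat inside source static tcp ... interface <name> <port>" the named interface supplies the global address of the translation, so it is normally the interface configured with "ip nat outside" (FastEthernet0/0 here), whereas the posted entries name FastEthernet0/1.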
 
Thanks for your response, that was the issue! :)
 