I've received a request from an equipment provider to access their equipment for troubleshooting purposes. I'm required to set up a "port forward" and need some assistance. They've requested the following ports be forwarded: 21, 23, 80. I can make this work properly by moving the policy above the admin access; however, if I need to access the NetVanta from the public network, I can no longer do so. Is there a way I can access both?
Thanks for any ideas
- Thanks for posting your question on the forum!
There is a conflict as to which ports will access which device. Whichever rule is on top will be the one that is used, while the other will not. There are a couple of options to allow access for your equipment provider while maintaining remote admin access to the NetVanta. However, it depends on your public static IP address situation.
1. If you have multiple public static IPs available, then you can use one static IP address to configure your port forward while using the other to access the NetVanta.
2. If you have a single public IP address to use, then you will need to either:
A. Change the ports you are using to access the NetVanta. This can be changed in the "IP Services" page on the GUI. However, once this change is made, you will need to modify your Admin Access rule so that traffic to the new ports is allowed. The change will not be automatic.
OR
B. Configure port translation for the equipment provider. You can give them the static IP and port to use to access each service and then simply translate the destination IP address and destination port to the correct port. The thread below shows a customer setting up something similar:
Please do not hesitate to let us know if you have any further questions.
Thanks,
Noor
Follow-up question.... NetVanta 3448
Customer has added a policy for https to an exchange server above my https for admin.
They only have 1 static public IP address.
I still have ssh to the box and now must config via the CLI.
I will need to change services I guess and then do a port forward
I was wondering if there were any how to's on this
- First, you will need to change the port that HTTPS access uses on the NetVanta. As mentioned above, this can be changed on the "IP Services" page under the 'System' section of the navigation panel on the left.
Second, you will need to create an "allow" rule on the security zone assigned to the WAN interface. This "allow" rule should have the destination security zone set to "self" and destination port set to whatever port you specified in the "IP Services" page.
It is important to remember that the rule must be moved above any other rules which may match the traffic you are trying to allow.
Please do not hesitate to let us know if you have any further questions.
Thanks,
Noor
Thank you Noor,
so I am doing this from the CLI (since I no longer have web access).....
I need to delete the https
As a side note I am not the only one programming this....
I have 2 access-lists that contain https rules:
ip access-list extended web-acl-4
remark Admin Access
permit tcp any any eq ssh log
permit icmp any any echo log
ip access-list extended wizard-remote-access
remark Admin Access
permit tcp any any eq ssh log
permit tcp any any eq ssh log
permit icmp any any echo log
ip access-list extended web-acl-24
remark "Exchange Server"
permit tcp any any eq https log
other permit rules...
The only references I see to these are (in order of appearance in the show run):
ip policy-class "public WAN"
allow list web-acl-4 self
ip policy-class Public
some nat rules
nat destination list web-acl-24 address X.X.X.X
more nat rules
allow list wizard-remote-access self
interface eth 0/1
ip access-policy Public
So it looks as though I can safely delete the "public WAN" policy class since it isn't assigned to a port.
I can then delete ip access-list web-acl-4 since it appears only in the "public WAN" policy class.
(I hate clutter)
I don't know how to change the IP Services via the CLI (haven't found that branch yet) to change the port number the web GUI will use.
So once I figure out how to do that...(Google Fu is failing me)
add to the existing
ip access-list extended wizard-remote-access
permit tcp any self <new_port_number> log (I am not sure of the self destination here)
Since this is an exclusive rule, I don't think I will need to move it up, but if I did, then how would I move it up the list via the CLI?
- You are correct that you can delete "public WAN" as long as you do not already have it assigned to an interface.
The command to change the HTTPS port is "ip http secure-server <TCP port>". This command must be issued from config mode in the CLI.
Based on your firewall configuration, I would probably just add an entry to the ACL 'wizard-remote-access' that looked like this:
permit tcp any any eq <TCP port> self log
You should be okay with leaving the rule in its place as long as none of the above rules will match what you have set the new TCP port to be.
I hope that answers your questions but let us know if you have any further ones.
Thanks,
Noor
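The first-match behaviour Noor describes (the rule on top wins, so a forward placed above Admin Access silently hides the NetVanta's own management ports while SSH on a port the forward does not cover keeps working), together with the three ways out given in this thread (a second public IP, moving the admin port, or port translation for the provider), modelled as an added Python illustration. This is not part of the thread and not ADTRAN code; it models only destination-IP/port matching, not the full AOS policy-class semantics, and the public IPs, LAN addresses, ports and rule names are constructed.

```python
"""First-match policy evaluation, modelled after the NetVanta conflict in this thread.

Added illustration, not ADTRAN code: a policy is an ordered list of rules, the first
rule whose destination IP and port match decides where the packet goes, and a rule
placed below one that already covers its traffic is silently shadowed.
All addresses, ports and rule names below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    dst_ip: str                          # public IP the rule matches, or ANY
    dst_ports: frozenset                 # destination TCP ports the rule matches
    target: str                          # "self" = the firewall itself, else a LAN host
    translate_to: Optional[int] = None   # rewrite the destination port (port translation)


def matches(rule: Rule, dst_ip: str, dst_port: int) -> bool:
    return (rule.dst_ip == ANY or rule.dst_ip == dst_ip) and dst_port in rule.dst_ports


def evaluate(policy: List[Rule], dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Top-down first match: return (target, port delivered) or None for implicit deny."""
    for rule in policy:
        if matches(rule, dst_ip, dst_port):
            return rule.target, rule.translate_to or dst_port
    return None


def shadowed(policy: List[Rule], public_ips: List[str]) -> List[Tuple[str, str, int]]:
    """(rule, ip, port) combinations a rule would serve but a rule above it takes first.
    Run this before adding or moving rules: an empty list means nothing is hidden."""
    hidden = []
    for i, rule in enumerate(policy):
        ips = public_ips if rule.dst_ip == ANY else [rule.dst_ip]
        for ip in ips:
            for port in sorted(rule.dst_ports):
                if any(matches(above, ip, port) for above in policy[:i]):
                    hidden.append((rule.name, ip, port))
    return hidden


WAN = "203.0.113.10"         # constructed: the single public static IP
WAN2 = "203.0.113.11"        # constructed: a second public IP (option 1)
EQUIPMENT = "192.168.1.50"   # constructed: LAN address of the provider's equipment

# As posted: forward 21/23/80 to the equipment, placed above Admin Access.
# Port 80 (web GUI) is now taken by the forward; 443 and SSH still reach the NetVanta.
BROKEN = [
    Rule("Provider forward", ANY, frozenset({21, 23, 80}), EQUIPMENT),
    Rule("Admin Access", ANY, frozenset({80, 443, 22}), "self"),
]

# Option 1: two public IPs, one per purpose. Rule order no longer matters.
TWO_IPS = [
    Rule("Provider forward", WAN, frozenset({21, 23, 80}), EQUIPMENT),
    Rule("Admin Access", WAN2, frozenset({80, 443, 22}), "self"),
]

# Option 2A: move the GUI to a port the forward does not use and update Admin Access.
NEW_ADMIN_PORT = [
    Rule("Provider forward", ANY, frozenset({21, 23, 80}), EQUIPMENT),
    Rule("Admin Access", ANY, frozenset({8080, 443, 22}), "self"),
]

# Option 2B: give the provider alternate public ports and translate them on the way in,
# so the NetVanta keeps its own ports.
PORT_TRANSLATION = [
    Rule("Provider FTP", ANY, frozenset({2121}), EQUIPMENT, translate_to=21),
    Rule("Provider Telnet", ANY, frozenset({2323}), EQUIPMENT, translate_to=23),
    Rule("Provider HTTP", ANY, frozenset({8080}), EQUIPMENT, translate_to=80),
    Rule("Admin Access", ANY, frozenset({80, 443, 22}), "self"),
]

if __name__ == "__main__":
    for label, policy, ips in [("as posted", BROKEN, [WAN]),
                               ("two IPs", TWO_IPS, [WAN, WAN2]),
                               ("new admin port", NEW_ADMIN_PORT, [WAN]),
                               ("port translation", PORT_TRANSLATION, [WAN])]:
        print(f"{label}: port 80 -> {evaluate(policy, WAN, 80)}, hidden = {shadowed(policy, ips)}")
```

The `shadowed` check is the part worth keeping around: it reports exactly the ports an admin rule has lost (here only 80), which matches the symptom in the thread where SSH still worked after the HTTPS forward was added.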
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor