mikerips
asked on
Access-Control List question regarding two networks
I have two networks divided by two Ethernet connections in my 1720 router. I know how to config the basics in my router and I know the command line but I am having a hard time understanding what i need to do to let my 10.0.0.0 network access only a few ip's on my 192.169.0.0 network. I have an access-list that consists of this:
_____
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.0.255.255
access-list 10 permit any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
no cdp run
_____
This access-list is not allowing the 10. network and 192 network to access each other which I want. But what I do need to do is allow a few ip's to talk across each network. So say I have a webserver and email server at address' 192.168.0.47 and 192.168.0.48 and a couple others. What would the rules be that I need to add to keep the wall there but just allow access to those two specific IP's? 192.168.0.47 & 48.
Thanks in advance!
Mike.
_____
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.0.255.255
access-list 10 permit any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
no cdp run
_____
This access-list is not allowing the 10. network and 192 network to access each other which I want. But what I do need to do is allow a few ip's to talk across each network. So say I have a webserver and email server at address' 192.168.0.47 and 192.168.0.48 and a couple others. What would the rules be that I need to add to keep the wall there but just allow access to those two specific IP's? 192.168.0.47 & 48.
Thanks in advance!
Mike.
I belive you are on the right track, what I would do is use extended access for the control of traffic for the last part, it will allow you to provide the source AND destination in the access list.
Just remember to allow after you deny or your list will be worthless, and pay attention to what interface you are putting the lists on :-)
Let me know if you need more help!
Just remember to allow after you deny or your list will be worthless, and pay attention to what interface you are putting the lists on :-)
Let me know if you need more help!
Nice answer S3T, maybe he will be cool and split the points :-) Great minds think alike :-)
Here are some General access list rules:
- A packet is compared with each line of the access list sequentially.
- Once there is a match, there is no further checking down the access list.
- There is an implicit "deny" at the end of each access list.
- Types of access lists:
- Standard -- source IP only (TCP/IP), or source and destination IPX address (IPX). There is no port or protocol information.
- Extended -- source and destination IP, protocol field (Network Layer), port number (Transport Layer). IPX uses sockets instead of ports.
- Access lists can be inbound or outbound.
- You can only assign one access list per interface, per protocol, or per direction. Example -- only 1 inbound and 1 outbound IP access lists per interface.
- Keep more specific rules on top, and more general rules towards the bottom. Also, keep "deny" on top and "permit" towards the bottom.
- Any time a new entry is added, it will be placed at the end of the access list.
- You CANNOT remove a single line from an access list (unless it is named). Doing so will remove the whole access list. Copy the access list to a text editor and make changes there.
- You can disable the implied "deny" at the end of an access list with "permit any".
- Create access lists first and then apply them to an interface.
- Access lists filter traffic passing through the router. They will NOT filter traffic originating from the router.
- Place IP standard access lists as close to the destination as possible.
- Place IP extended access lists as close to the source as possible.
- Standard IP access lists -- (1-99) -- "config t", "access-list 10 deny host 172.16.30.2".
- Block a particular host -- "access-list 10 deny 172.16.30.5 0.0.0.0". Block a range of hosts (mask the last field) -- "access-list 10 deny 172.16.30.0 0.0.0.255".
- Block all IPs belonging to networks from "172.16.8.0" to "172.16.15.0" -- "access-list 10 deny 172.16.8.0 0.0.7.255" -- "7" is the wildcard -- always 1 less than the block size, which in this case is "8".
- Each block size must start at "0". Example -- for block size "8", we have "0-7", "8-15", "16-23", etc.
- "any" = "0.0.0.0 255.255.255.255".
- Standard IP access list example -- "config t", "access-list 10 deny 172.16.40.0 0.0.0.255", "access-list 10 permit any", "int e0" (closest to destination), "ip access-group 10 out".
- Controlling VTY (telnet) access -- "config t", "access-list 50 permit 172.16.10.3", "line vty 0 4", "access-class 50 in" -- ONLY allow "172.16.10.3" to telnet in.
- Extended IP access lists -- (100-199) -- "config t", "access-list 110 deny tcp any host 172.16.30.2 eq 23 log", "access-list 110 permit ip any any", "int e0", "ip access-group 110 out".
- Monitoring IP access lists:
- "sh access-lists" -- display all access lists. No interface information is shown.
- "sh access-list 110" -- only display a single access list.
- "sh ip access-list" -- display only the IP access lists.
- "sh ip interface" -- display which interfaces have access lists set.
- "sh run" -- displays access lists and also which interfaces have access lists set.
- IPX access lists:
- IPX standard -- (800-899) -- source and destination IPX address -- "config t", "access-list 810 permit 20 40", "int e0", "ipx access-group 810 out".
- IPX extended -- (900-999) -- "config t", "access-list 910 deny -1 10 0 20 0", "access-list 910 permit -1 -1 0 -1 0", "int e0", "ipx access-group 910 in" -- "-1" always means "all" in IPX.
- IPX SAP filters -- (1000-1099) -- "config t", "access-list 1010 permit -1 4 Sales" -- "-1" means "all source addresses", "4" is the destination, "Sales" is a description.
! There are two ways to finish setting up this SAP access list:
- "int e0", "ipx input-sap-filter" -- stops SAP entries from being added to the SAP table of the router.
- "int e1", "ipx output-sap-filter" -- stops SAP entries from being propagated out of the router.
- Verifying IPX access lists:
- "sh ipx interface" -- displays interface information and access list association.
- "sh ipx access-list" -- displays access list contents -- "FFFFFFFF" in the output means "any".
- A packet is compared with each line of the access list sequentially.
- Once there is a match, there is no further checking down the access list.
- There is an implicit "deny" at the end of each access list.
- Types of access lists:
- Standard -- source IP only (TCP/IP), or source and destination IPX address (IPX). There is no port or protocol information.
- Extended -- source and destination IP, protocol field (Network Layer), port number (Transport Layer). IPX uses sockets instead of ports.
- Access lists can be inbound or outbound.
- You can only assign one access list per interface, per protocol, or per direction. Example -- only 1 inbound and 1 outbound IP access lists per interface.
- Keep more specific rules on top, and more general rules towards the bottom. Also, keep "deny" on top and "permit" towards the bottom.
- Any time a new entry is added, it will be placed at the end of the access list.
- You CANNOT remove a single line from an access list (unless it is named). Doing so will remove the whole access list. Copy the access list to a text editor and make changes there.
- You can disable the implied "deny" at the end of an access list with "permit any".
- Create access lists first and then apply them to an interface.
- Access lists filter traffic passing through the router. They will NOT filter traffic originating from the router.
- Place IP standard access lists as close to the destination as possible.
- Place IP extended access lists as close to the source as possible.
- Standard IP access lists -- (1-99) -- "config t", "access-list 10 deny host 172.16.30.2".
- Block a particular host -- "access-list 10 deny 172.16.30.5 0.0.0.0". Block a range of hosts (mask the last field) -- "access-list 10 deny 172.16.30.0 0.0.0.255".
- Block all IPs belonging to networks from "172.16.8.0" to "172.16.15.0" -- "access-list 10 deny 172.16.8.0 0.0.7.255" -- "7" is the wildcard -- always 1 less than the block size, which in this case is "8".
- Each block size must start at "0". Example -- for block size "8", we have "0-7", "8-15", "16-23", etc.
- "any" = "0.0.0.0 255.255.255.255".
- Standard IP access list example -- "config t", "access-list 10 deny 172.16.40.0 0.0.0.255", "access-list 10 permit any", "int e0" (closest to destination), "ip access-group 10 out".
- Controlling VTY (telnet) access -- "config t", "access-list 50 permit 172.16.10.3", "line vty 0 4", "access-class 50 in" -- ONLY allow "172.16.10.3" to telnet in.
- Extended IP access lists -- (100-199) -- "config t", "access-list 110 deny tcp any host 172.16.30.2 eq 23 log", "access-list 110 permit ip any any", "int e0", "ip access-group 110 out".
- Monitoring IP access lists:
- "sh access-lists" -- display all access lists. No interface information is shown.
- "sh access-list 110" -- only display a single access list.
- "sh ip access-list" -- display only the IP access lists.
- "sh ip interface" -- display which interfaces have access lists set.
- "sh run" -- displays access lists and also which interfaces have access lists set.
- IPX access lists:
- IPX standard -- (800-899) -- source and destination IPX address -- "config t", "access-list 810 permit 20 40", "int e0", "ipx access-group 810 out".
- IPX extended -- (900-999) -- "config t", "access-list 910 deny -1 10 0 20 0", "access-list 910 permit -1 -1 0 -1 0", "int e0", "ipx access-group 910 in" -- "-1" always means "all" in IPX.
- IPX SAP filters -- (1000-1099) -- "config t", "access-list 1010 permit -1 4 Sales" -- "-1" means "all source addresses", "4" is the destination, "Sales" is a description.
! There are two ways to finish setting up this SAP access list:
- "int e0", "ipx input-sap-filter" -- stops SAP entries from being added to the SAP table of the router.
- "int e1", "ipx output-sap-filter" -- stops SAP entries from being propagated out of the router.
- Verifying IPX access lists:
- "sh ipx interface" -- displays interface information and access list association.
- "sh ipx access-list" -- displays access list contents -- "FFFFFFFF" in the output means "any".
ASKER
I did what S3T suggested and i get no reply from the 192.168.0.47 host.
Here is what I get:
Pinging 192.168.0.47 with 32 bytes of data:
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Here is my access list config:
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.0.255.255
access-list 10 permit any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
access-list 111 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.47
access-list 111 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.48
access-list 111 deny ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 111 permit ip any any
no cdp run
Whats up?
Thanks for all the help!
M.
Here is what I get:
Pinging 192.168.0.47 with 32 bytes of data:
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Here is my access list config:
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.0.255.255
access-list 10 permit any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
access-list 111 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.47
access-list 111 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.48
access-list 111 deny ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 111 permit ip any any
no cdp run
Whats up?
Thanks for all the help!
M.
Mike,
Where do you have the access lists applied? on which interface and in or out? This is why I said in my previous post that you could IMPLEMENT an ACCESS LIST SOMETHING LIKE THIS. It is hard not knowing exatly where all of your other lists are applied. Looking at access list 10 it will deny all traffic from the 10.0.0.0 network.
Can you post a sh run. Thanks
S3T
Where do you have the access lists applied? on which interface and in or out? This is why I said in my previous post that you could IMPLEMENT an ACCESS LIST SOMETHING LIKE THIS. It is hard not knowing exatly where all of your other lists are applied. Looking at access list 10 it will deny all traffic from the 10.0.0.0 network.
Can you post a sh run. Thanks
S3T
ASKER
Sorry bout the lack of info.
Here ya go:
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable password
!
memory-size iomem 25
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip finger
ip name-server 216.146.70.3
ip name-server 216.146.72.3
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool dhcp-pool
network 192.168.0.0 255.255.255.0
dns-server 216.146.70.3 216.146.72.3
default-router 192.168.0.1
domain-name leestreet.com
lease infinite
!
ip dhcp-server 192.168.0.1
!
!
!
interface Ethernet0
description Tenant Subnet
ip address 10.0.0.1 255.255.0.0
ip nat inside
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.0.1 255.255.0.0
ip access-group 10 out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Serial0
ip address 216.146.76.129 255.255.255.224
ip nat outside
encapsulation ppp
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl att
no cdp enable
!
ip nat pool nat-pool 216.146.76.131 216.146.76.135 netmask 255.255.255.224
ip nat inside source list 1 pool nat-pool overload
ip nat inside source static tcp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static tcp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static udp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static udp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static udp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static tcp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static udp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static tcp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static udp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static tcp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static udp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static tcp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static tcp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static tcp 192.168.0.47 443 216.146.76.147 443 extendable
ip nat inside source static udp 192.168.0.47 25 216.146.76.147 25 extendable
ip nat inside source static tcp 192.168.0.47 3389 216.146.76.147 3389 extendable
ip nat inside source static tcp 192.168.0.48 25 216.146.76.148 25 extendable
ip nat inside source static tcp 192.168.0.48 110 216.146.76.148 110 extendable
ip nat inside source static udp 192.168.0.48 21 216.146.76.148 21 extendable
ip nat inside source static udp 192.168.0.48 53 216.146.76.148 53 extendable
ip nat inside source static udp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static tcp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static tcp 192.168.0.48 220 216.146.76.148 220 extendable
ip nat inside source static tcp 192.168.0.47 80 216.146.76.147 80 extendable
ip nat inside source static udp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static udp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static udp 192.168.0.4 80 216.146.76.138 80 extendable
ip nat inside source static udp 192.168.0.5 80 216.146.76.139 80 extendable
ip nat inside source static udp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static udp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static tcp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static tcp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static udp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static udp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static udp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static udp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static udp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static tcp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static tcp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static tcp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static tcp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static tcp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static tcp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static tcp 192.168.0.47 25 216.146.76.147 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.146.76.130
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.0.255.255
access-list 10 permit any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
no cdp run
Here ya go:
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable password
!
memory-size iomem 25
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip finger
ip name-server 216.146.70.3
ip name-server 216.146.72.3
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool dhcp-pool
network 192.168.0.0 255.255.255.0
dns-server 216.146.70.3 216.146.72.3
default-router 192.168.0.1
domain-name leestreet.com
lease infinite
!
ip dhcp-server 192.168.0.1
!
!
!
interface Ethernet0
description Tenant Subnet
ip address 10.0.0.1 255.255.0.0
ip nat inside
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.0.1 255.255.0.0
ip access-group 10 out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Serial0
ip address 216.146.76.129 255.255.255.224
ip nat outside
encapsulation ppp
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl att
no cdp enable
!
ip nat pool nat-pool 216.146.76.131 216.146.76.135 netmask 255.255.255.224
ip nat inside source list 1 pool nat-pool overload
ip nat inside source static tcp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static tcp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static udp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static udp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static udp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static tcp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static udp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static tcp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static udp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static tcp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static udp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static tcp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static tcp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static tcp 192.168.0.47 443 216.146.76.147 443 extendable
ip nat inside source static udp 192.168.0.47 25 216.146.76.147 25 extendable
ip nat inside source static tcp 192.168.0.47 3389 216.146.76.147 3389 extendable
ip nat inside source static tcp 192.168.0.48 25 216.146.76.148 25 extendable
ip nat inside source static tcp 192.168.0.48 110 216.146.76.148 110 extendable
ip nat inside source static udp 192.168.0.48 21 216.146.76.148 21 extendable
ip nat inside source static udp 192.168.0.48 53 216.146.76.148 53 extendable
ip nat inside source static udp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static tcp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static tcp 192.168.0.48 220 216.146.76.148 220 extendable
ip nat inside source static tcp 192.168.0.47 80 216.146.76.147 80 extendable
ip nat inside source static udp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static udp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static udp 192.168.0.4 80 216.146.76.138 80 extendable
ip nat inside source static udp 192.168.0.5 80 216.146.76.139 80 extendable
ip nat inside source static udp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static udp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static tcp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static tcp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static udp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static udp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static udp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static udp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static udp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static tcp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static tcp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static tcp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static tcp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static tcp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static tcp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static tcp 192.168.0.47 25 216.146.76.147 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.146.76.130
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.0.255.255
access-list 10 permit any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
no cdp run
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks so much but I have another question.... what is the command line to apply those access list to int fa 1/0.
Sorry I am a rookie...
M.
Sorry I am a rookie...
M.
Mike,
No problem.
once you are in the interface config mode.= router(config-if)#
you will need to issue the following command.= ip access-group 102 out
I hope that this helps out. If there is anything else that you need help with just post up and someone will always help you out.
Thanks.
S3T
No problem.
once you are in the interface config mode.= router(config-if)#
you will need to issue the following command.= ip access-group 102 out
I hope that this helps out. If there is anything else that you need help with just post up and someone will always help you out.
Thanks.
S3T
ASKER
Did what you said and it still didn't let me ping nor get to the web server via 192.168.0.47
Here is what we got:
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.0.255.255
access-list 10 permit any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.47
access-list 102 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.48
access-list 102 permit icmp 10.0.0.0 0.0.255.255 host 192.168.0.47
access-list 102 permit icmp 10.0.0.0 0.0.255.255 host 192.168.0.48
access-list 102 deny ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 permit ip any any
no cdp run
!
Here is what we got:
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.0.255.255
access-list 10 permit any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.47
access-list 102 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.48
access-list 102 permit icmp 10.0.0.0 0.0.255.255 host 192.168.0.47
access-list 102 permit icmp 10.0.0.0 0.0.255.255 host 192.168.0.48
access-list 102 deny ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 permit ip any any
no cdp run
!
ASKER
Pinging 192.168.0.47 with 32 bytes of data:
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
There are to many access-lists.
Do the following
conf t
! remove the current access-lists
no access-list 1
no access-list 10
no access-list 101
no access-list 102
! Allow network 10.0.0.0 access to the two hosts 192.168.1.0.0
ip access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
ip access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
! Deny network 10.0.0.0 access to any other hosts on 192.168.0.0
ip access-list 100 deny tcp 10.0.0.0 0.255.255.255 any
! Allow other networks access to network 192.168.0.0
ip access-list 100 permit any any
! Allow the two hosts on network 192.168.0.0 acess to 10.0.0.0
ip access-list 101 permit tcp host 192.168.0.47 any
ip access-list 101 permit tcp host 192.168.0.48 any
! Deny other hosts on 192.168.0.0 access to 10.0.0.0
ip access-list 101 deny tcp 192.168.0.0 any
! Permit other network access to 10.0.0.0
ip access-list 101 permit any any
! Apply the access lists to the interfaces
int f0
no ip access-group 10 out
ip access-group 100 out
int e0
access-group 101 out
ip access-group 101 out
Do the following
conf t
! remove the current access-lists
no access-list 1
no access-list 10
no access-list 101
no access-list 102
! Allow network 10.0.0.0 access to the two hosts 192.168.1.0.0
ip access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
ip access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
! Deny network 10.0.0.0 access to any other hosts on 192.168.0.0
ip access-list 100 deny tcp 10.0.0.0 0.255.255.255 any
! Allow other networks access to network 192.168.0.0
ip access-list 100 permit any any
! Allow the two hosts on network 192.168.0.0 acess to 10.0.0.0
ip access-list 101 permit tcp host 192.168.0.47 any
ip access-list 101 permit tcp host 192.168.0.48 any
! Deny other hosts on 192.168.0.0 access to 10.0.0.0
ip access-list 101 deny tcp 192.168.0.0 any
! Permit other network access to 10.0.0.0
ip access-list 101 permit any any
! Apply the access lists to the interfaces
int f0
no ip access-group 10 out
ip access-group 100 out
int e0
access-group 101 out
ip access-group 101 out
ASKER
When entering the commands I get this:
Enter configuration commands, one per line. End with CNTL/Z.
LEE_ST.(config)#no access-list 1
LEE_ST.(config)#no access-list 10
LEE_ST.(config)#no access-list 101
LEE_ST.(config)#no access-list 102
LEE_ST.(config)#$ist 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
ip access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
^
% Invalid input detected at '^' marker.
Enter configuration commands, one per line. End with CNTL/Z.
LEE_ST.(config)#no access-list 1
LEE_ST.(config)#no access-list 10
LEE_ST.(config)#no access-list 101
LEE_ST.(config)#no access-list 102
LEE_ST.(config)#$ist 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
ip access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
^
% Invalid input detected at '^' marker.
Sorry, my mistake. Remove the ip infront of the access-list.
Should read:
! Allow network 10.0.0.0 access to the two hosts 192.168.1.0.0
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
! Deny network 10.0.0.0 access to any other hosts on 192.168.0.0
access-list 100 deny tcp 10.0.0.0 0.255.255.255 any
! Allow other networks access to network 192.168.0.0
access-list 100 permit any any
! Allow the two hosts on network 192.168.0.0 acess to 10.0.0.0
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
! Deny other hosts on 192.168.0.0 access to 10.0.0.0
access-list 101 deny tcp 192.168.0.0 any
! Permit other network access to 10.0.0.0
access-list 101 permit any any
! Apply the access lists to the interfaces
int f0
no ip access-group 10 out
ip access-group 100 out
int e0
ip access-group 101 out
Should read:
! Allow network 10.0.0.0 access to the two hosts 192.168.1.0.0
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
! Deny network 10.0.0.0 access to any other hosts on 192.168.0.0
access-list 100 deny tcp 10.0.0.0 0.255.255.255 any
! Allow other networks access to network 192.168.0.0
access-list 100 permit any any
! Allow the two hosts on network 192.168.0.0 acess to 10.0.0.0
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
! Deny other hosts on 192.168.0.0 access to 10.0.0.0
access-list 101 deny tcp 192.168.0.0 any
! Permit other network access to 10.0.0.0
access-list 101 permit any any
! Apply the access lists to the interfaces
int f0
no ip access-group 10 out
ip access-group 100 out
int e0
ip access-group 101 out
ASKER
More errors: Plus I couldn't get on the internet with either interface after doing this:.....
LEE_ST.#config t
Enter configuration commands, one per line. End with CNTL/Z.
LEE_ST.(config)#no access-list 1
LEE_ST.(config)#no access-list 10
LEE_ST.(config)#no access-list 101
LEE_ST.(config)#no access-list 102
LEE_ST.(config)#$work 10.0.0.0 access to the two hosts 192.168.1.0.0
LEE_ST.(config)#$ 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
LEE_ST.(config)#$ 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
LEE_ST.(config)#$ork 10.0.0.0 access to any other hosts on 192.168.0.0
LEE_ST.(config)#access-lis
LEE_ST.(config)#! Allow other networks access to network 192.168.0.0
LEE_ST.(config)#access-lis
^
% Invalid input detected at '^' marker.
LEE_ST.(config)#$ two hosts on network 192.168.0.0 acess to 10.0.0.0
LEE_ST.(config)#access-lis
LEE_ST.(config)#access-lis
LEE_ST.(config)#! Deny other hosts on 192.168.0.0 access to 10.0.0.0
LEE_ST.(config)#access-lis
^
% Invalid input detected at '^' marker.
LEE_ST.(config)#! Permit other network access to 10.0.0.0
LEE_ST.(config)#access-lis
^
% Invalid input detected at '^' marker.
LEE_ST.(config)#int f0
LEE_ST.(config-if)#no ip access-group 10 out
LEE_ST.(config-if)#ip access-group 100 out
LEE_ST.(config-if)#int e0
LEE_ST.(config-if)#ip access-group 101 out
LEE_ST.#config t
Enter configuration commands, one per line. End with CNTL/Z.
LEE_ST.(config)#no access-list 1
LEE_ST.(config)#no access-list 10
LEE_ST.(config)#no access-list 101
LEE_ST.(config)#no access-list 102
LEE_ST.(config)#$work 10.0.0.0 access to the two hosts 192.168.1.0.0
LEE_ST.(config)#$ 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
LEE_ST.(config)#$ 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
LEE_ST.(config)#$ork 10.0.0.0 access to any other hosts on 192.168.0.0
LEE_ST.(config)#access-lis
LEE_ST.(config)#! Allow other networks access to network 192.168.0.0
LEE_ST.(config)#access-lis
^
% Invalid input detected at '^' marker.
LEE_ST.(config)#$ two hosts on network 192.168.0.0 acess to 10.0.0.0
LEE_ST.(config)#access-lis
LEE_ST.(config)#access-lis
LEE_ST.(config)#! Deny other hosts on 192.168.0.0 access to 10.0.0.0
LEE_ST.(config)#access-lis
^
% Invalid input detected at '^' marker.
LEE_ST.(config)#! Permit other network access to 10.0.0.0
LEE_ST.(config)#access-lis
^
% Invalid input detected at '^' marker.
LEE_ST.(config)#int f0
LEE_ST.(config-if)#no ip access-group 10 out
LEE_ST.(config-if)#ip access-group 100 out
LEE_ST.(config-if)#int e0
LEE_ST.(config-if)#ip access-group 101 out
Forgive my typematic errors.
Sorry. Also The other guys didn't point this out.
First error. tcp is missing.
should be:
access-list 100 permit tcp any any
second error. 0.0.0.255 is missing
should be access-list 101 deny tcp 192.168.0.0 0.0.0.255 any
Third error. tcp missing
should be access-list 101 permit tcp any any.
To correct these error you will need to clear these access-lists
by entering the following then start over as follows:
Config t
!Clear Access-lists
no access-list 100
no access-list 101
!Allow network 10.0.0.0 access to the two hosts 192.168.1.0.0
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
! Deny network 10.0.0.0 access to any other hosts on 192.168.0.0
access-list 100 deny tcp 10.0.0.0 0.255.255.255 any
! Allow other networks access to network 192.168.0.0
access-list 100 permit tcp any any
! Allow the two hosts on network 192.168.0.0 acess to 10.0.0.0
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
! Deny other hosts on 192.168.0.0 access to 10.0.0.0
access-list 101 deny tcp 192.168.0.0 0.0.0.255 any
! Permit other network access to 10.0.0.0
access-list 101 permit tcp any any
Nb: There is no need to apply the above access-lists to the interface as they have been already applied.
Please also post the final configuration entered by typing: show run
Sorry. Also The other guys didn't point this out.
First error. tcp is missing.
should be:
access-list 100 permit tcp any any
second error. 0.0.0.255 is missing
should be access-list 101 deny tcp 192.168.0.0 0.0.0.255 any
Third error. tcp missing
should be access-list 101 permit tcp any any.
To correct these error you will need to clear these access-lists
by entering the following then start over as follows:
Config t
!Clear Access-lists
no access-list 100
no access-list 101
!Allow network 10.0.0.0 access to the two hosts 192.168.1.0.0
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
! Deny network 10.0.0.0 access to any other hosts on 192.168.0.0
access-list 100 deny tcp 10.0.0.0 0.255.255.255 any
! Allow other networks access to network 192.168.0.0
access-list 100 permit tcp any any
! Allow the two hosts on network 192.168.0.0 acess to 10.0.0.0
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
! Deny other hosts on 192.168.0.0 access to 10.0.0.0
access-list 101 deny tcp 192.168.0.0 0.0.0.255 any
! Permit other network access to 10.0.0.0
access-list 101 permit tcp any any
Nb: There is no need to apply the above access-lists to the interface as they have been already applied.
Please also post the final configuration entered by typing: show run
ASKER
Okay so i did what you said and it took all the commands without any errors. But the problem was this: I could ping other machines on the 192.x.x.x network other than the two I want to be able to ping. which is .47 and .48. I also noticed that the internet wasn't working. Please help.
ASKER
LEE_ST.#show run
Building configuration...
Current configuration : 5664 bytes
!
version 12.1
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
!
hostname LEE_ST.
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable password
!
memory-size iomem 25
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip finger
ip name-server 216.146.70.3
ip name-server 216.146.72.3
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool dhcp-pool
network 192.168.0.0 255.255.255.0
dns-server 216.146.70.3 216.146.72.3
default-router 192.168.0.1
domain-name leestreet.com
lease infinite
!
ip dhcp-server 192.168.0.1
!
!
!
interface Ethernet0
description Tenant Subnet
ip address 10.0.0.1 255.255.0.0
ip nat inside
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.0.1 255.255.0.0
ip access-group 10 out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Serial0
ip address 216.146.76.129 255.255.255.224
ip nat outside
encapsulation ppp
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl att
no cdp enable
!
ip nat pool nat-pool 216.146.76.131 216.146.76.135 netmask 255.255.255.224
ip nat inside source list 1 pool nat-pool overload
ip nat inside source static tcp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static tcp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static udp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static udp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static udp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static tcp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static udp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static tcp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static udp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static tcp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static udp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static tcp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static tcp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static tcp 192.168.0.47 443 216.146.76.147 443 extendable
ip nat inside source static udp 192.168.0.47 25 216.146.76.147 25 extendable
ip nat inside source static tcp 192.168.0.47 3389 216.146.76.147 3389 extendable
ip nat inside source static tcp 192.168.0.48 25 216.146.76.148 25 extendable
ip nat inside source static tcp 192.168.0.48 110 216.146.76.148 110 extendable
ip nat inside source static udp 192.168.0.48 21 216.146.76.148 21 extendable
ip nat inside source static udp 192.168.0.48 53 216.146.76.148 53 extendable
ip nat inside source static udp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static tcp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static tcp 192.168.0.48 220 216.146.76.148 220 extendable
ip nat inside source static tcp 192.168.0.47 80 216.146.76.147 80 extendable
ip nat inside source static udp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static udp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static udp 192.168.0.4 80 216.146.76.138 80 extendable
ip nat inside source static udp 192.168.0.5 80 216.146.76.139 80 extendable
ip nat inside source static udp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static udp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static tcp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static tcp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static udp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static udp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static udp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static udp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static udp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static tcp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static tcp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static tcp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static tcp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static tcp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static tcp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static tcp 192.168.0.47 25 216.146.76.147 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.146.76.130
no ip http server
!
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny tcp 10.0.0.0 0.255.255.255 any
access-list 100 permit tcp any any
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny tcp 192.168.0.0 0.0.0.255 any
access-list 101 permit tcp any any
no cdp run
!
!
end
Building configuration...
Current configuration : 5664 bytes
!
version 12.1
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
!
hostname LEE_ST.
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable password
!
memory-size iomem 25
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip finger
ip name-server 216.146.70.3
ip name-server 216.146.72.3
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool dhcp-pool
network 192.168.0.0 255.255.255.0
dns-server 216.146.70.3 216.146.72.3
default-router 192.168.0.1
domain-name leestreet.com
lease infinite
!
ip dhcp-server 192.168.0.1
!
!
!
interface Ethernet0
description Tenant Subnet
ip address 10.0.0.1 255.255.0.0
ip nat inside
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.0.1 255.255.0.0
ip access-group 10 out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Serial0
ip address 216.146.76.129 255.255.255.224
ip nat outside
encapsulation ppp
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl att
no cdp enable
!
ip nat pool nat-pool 216.146.76.131 216.146.76.135 netmask 255.255.255.224
ip nat inside source list 1 pool nat-pool overload
ip nat inside source static tcp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static tcp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static udp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static udp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static udp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static tcp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static udp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static tcp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static udp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static tcp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static udp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static tcp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static tcp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static tcp 192.168.0.47 443 216.146.76.147 443 extendable
ip nat inside source static udp 192.168.0.47 25 216.146.76.147 25 extendable
ip nat inside source static tcp 192.168.0.47 3389 216.146.76.147 3389 extendable
ip nat inside source static tcp 192.168.0.48 25 216.146.76.148 25 extendable
ip nat inside source static tcp 192.168.0.48 110 216.146.76.148 110 extendable
ip nat inside source static udp 192.168.0.48 21 216.146.76.148 21 extendable
ip nat inside source static udp 192.168.0.48 53 216.146.76.148 53 extendable
ip nat inside source static udp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static tcp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static tcp 192.168.0.48 220 216.146.76.148 220 extendable
ip nat inside source static tcp 192.168.0.47 80 216.146.76.147 80 extendable
ip nat inside source static udp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static udp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static udp 192.168.0.4 80 216.146.76.138 80 extendable
ip nat inside source static udp 192.168.0.5 80 216.146.76.139 80 extendable
ip nat inside source static udp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static udp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static tcp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static tcp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static udp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static udp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static udp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static udp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static udp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static tcp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static tcp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static tcp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static tcp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static tcp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static tcp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static tcp 192.168.0.47 25 216.146.76.147 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.146.76.130
no ip http server
!
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny tcp 10.0.0.0 0.255.255.255 any
access-list 100 permit tcp any any
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny tcp 192.168.0.0 0.0.0.255 any
access-list 101 permit tcp any any
no cdp run
!
!
end
dont you have oto put the Deny first in tho order, and then the permits?
If i am correct, it is reading from the top down, so you are permitting 2 ip addresses first, then you are denying all on the subnet....that will negate the first 2 that you permitted...i could be wrong, but i think that may be part of the problem.
ASKER
Still don't know how to implement it.
The problem is that traffic from both networks to the internet is being denied.
So we modify the access-lists be specific to which networks we deny traffic to
no access-list 100
no access-list 101
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
access-list 100 permit tcp any any
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any any
So we modify the access-lists be specific to which networks we deny traffic to
no access-list 100
no access-list 101
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
access-list 100 permit tcp any any
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any any
ASKER
I went ahead and did that and this is what happened: I could talk to any computer from the 10.x network to any computer on the 192.x network. which is what i didn't want. I could also talk to the internet from the 10.x network but not from the 192.x network. This seems to be a touch access list. Any more suggestions? If it makes it any easier I wouldn't care if the 10.x network could talk to any computer ranging from 192.168.0.2 through 192.168.0.89. But we cannot talk above 89.
Thanks again!!
Mike.
Thanks again!!
Mike.
ASKER
Help!! I will raise the points if needed.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
That didn't work. I am able to ping any node on the 192 network from the 10 network. I am also unable to get out to the internet from the 10 network. Here is the config:
interface Ethernet0
description Tenant Subnet
ip address 10.0.0.1 255.255.0.0
ip nat inside
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.0.1 255.255.0.0
ip access-group 10 out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Serial0
ip address 216.146.76.129 255.255.255.224
ip nat outside
encapsulation ppp
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl att
no cdp enable
!
ip nat pool nat-pool 216.146.76.131 216.146.76.135 netmask 255.255.255.224
ip nat inside source list 1 pool nat-pool overload
ip nat inside source static tcp 192.168.0.46 3389 216.146.76.146 3389 extendable
ip nat inside source static tcp 192.168.0.47 25 216.146.76.147 25 extendable
ip nat inside source static tcp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static tcp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static tcp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static tcp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static tcp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static tcp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static udp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static udp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static udp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static udp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static udp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static tcp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static tcp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static udp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static udp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static udp 192.168.0.5 80 216.146.76.139 80 extendable
ip nat inside source static udp 192.168.0.4 80 216.146.76.138 80 extendable
ip nat inside source static udp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static udp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static tcp 192.168.0.47 80 216.146.76.147 80 extendable
ip nat inside source static tcp 192.168.0.48 220 216.146.76.148 220 extendable
ip nat inside source static tcp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static udp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static udp 192.168.0.48 53 216.146.76.148 53 extendable
ip nat inside source static udp 192.168.0.48 21 216.146.76.148 21 extendable
ip nat inside source static tcp 192.168.0.48 110 216.146.76.148 110 extendable
ip nat inside source static tcp 192.168.0.48 25 216.146.76.148 25 extendable
ip nat inside source static tcp 192.168.0.47 3389 216.146.76.147 3389 extendable
ip nat inside source static udp 192.168.0.47 25 216.146.76.147 25 extendable
ip nat inside source static tcp 192.168.0.47 443 216.146.76.147 443 extendable
ip nat inside source static tcp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static udp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static udp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static tcp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static tcp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static udp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static tcp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static udp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static tcp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static udp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static tcp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static udp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static udp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static tcp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static tcp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static tcp 192.168.0.48 80 216.146.76.148 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.146.76.130
no ip http server
!
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
access-list 100 permit tcp any 192.168.0.0 0.0.0.255
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any 10.0.0.0 0.255.255.255
___________
Here is the tracert's:
Tracing route to 192.168.0.47 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 10.0.0.1
2 <1 ms <1 ms <1 ms 192.168.0.47
-------
C:\>tracert 10.0.0.37
Tracing route to 10.0.0.37 over a maximum of 30 hops
1 * * * Request timed out.
2 * *
interface Ethernet0
description Tenant Subnet
ip address 10.0.0.1 255.255.0.0
ip nat inside
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.0.1 255.255.0.0
ip access-group 10 out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Serial0
ip address 216.146.76.129 255.255.255.224
ip nat outside
encapsulation ppp
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl att
no cdp enable
!
ip nat pool nat-pool 216.146.76.131 216.146.76.135 netmask 255.255.255.224
ip nat inside source list 1 pool nat-pool overload
ip nat inside source static tcp 192.168.0.46 3389 216.146.76.146 3389 extendable
ip nat inside source static tcp 192.168.0.47 25 216.146.76.147 25 extendable
ip nat inside source static tcp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static tcp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static tcp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static tcp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static tcp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static tcp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static udp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static udp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static udp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static udp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static udp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static tcp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static tcp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static udp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static udp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static udp 192.168.0.5 80 216.146.76.139 80 extendable
ip nat inside source static udp 192.168.0.4 80 216.146.76.138 80 extendable
ip nat inside source static udp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static udp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static tcp 192.168.0.47 80 216.146.76.147 80 extendable
ip nat inside source static tcp 192.168.0.48 220 216.146.76.148 220 extendable
ip nat inside source static tcp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static udp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static udp 192.168.0.48 53 216.146.76.148 53 extendable
ip nat inside source static udp 192.168.0.48 21 216.146.76.148 21 extendable
ip nat inside source static tcp 192.168.0.48 110 216.146.76.148 110 extendable
ip nat inside source static tcp 192.168.0.48 25 216.146.76.148 25 extendable
ip nat inside source static tcp 192.168.0.47 3389 216.146.76.147 3389 extendable
ip nat inside source static udp 192.168.0.47 25 216.146.76.147 25 extendable
ip nat inside source static tcp 192.168.0.47 443 216.146.76.147 443 extendable
ip nat inside source static tcp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static udp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static udp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static tcp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static tcp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static udp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static tcp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static udp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static tcp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static udp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static tcp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static udp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static udp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static tcp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static tcp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static tcp 192.168.0.48 80 216.146.76.148 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.146.76.130
no ip http server
!
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
access-list 100 permit tcp any 192.168.0.0 0.0.0.255
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any 10.0.0.0 0.255.255.255
___________
Here is the tracert's:
Tracing route to 192.168.0.47 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 10.0.0.1
2 <1 ms <1 ms <1 ms 192.168.0.47
-------
C:\>tracert 10.0.0.37
Tracing route to 10.0.0.37 over a maximum of 30 hops
1 * * * Request timed out.
2 * *
The Ethernet interface seems to be down.
Check the ethernet cable connection.
Then type the following:
show int e0
Conf t
int e0
no shutdown
ctl+z
show int e0
post the results of the above command.
Also remove the access group 10 on interface e0
Also you have not applied the access-lists to the interfaces
conf t
int f0
no ip access-group 10 out
ip access-group 100 out
int e0
ip access-group 101 out
Check the ethernet cable connection.
Then type the following:
show int e0
Conf t
int e0
no shutdown
ctl+z
show int e0
post the results of the above command.
Also remove the access group 10 on interface e0
Also you have not applied the access-lists to the interfaces
conf t
int f0
no ip access-group 10 out
ip access-group 100 out
int e0
ip access-group 101 out
ASKER
I did what you said again and still not working. I am unable to connect to the internet and i am able to ping the 192.x network from the 10.x network.
.#show int e0
Ethernet0 is up, line protocol is up
Hardware is PQUICC Ethernet, address is 0004.dc0c.eaa5 (bia 0004.dc0c.eaa5)
Description: Tenant Subnet
Internet address is 10.0.0.1/16
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 14/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10BaseT
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 13000 bits/sec, 32 packets/sec
5 minute output rate 586000 bits/sec, 45 packets/sec
236375 packets input, 24477252 bytes, 0 no buffer
Received 7641 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
283129 packets output, 267808745 bytes, 0 underruns(0/0/0)
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
___________Here is the running config-----
interface Ethernet0
description Tenant Subnet
ip address 10.0.0.1 255.255.0.0
ip access-group 101 out
ip nat inside
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.0.1 255.255.0.0
ip access-group 100 out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Serial0
ip address 216.146.76.129 255.255.255.224
ip nat outside
encapsulation ppp
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl att
no cdp enable
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
access-list 100 permit tcp any 192.168.0.0 0.0.0.255
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any 10.0.0.0 0.255.255.255
.#show int e0
Ethernet0 is up, line protocol is up
Hardware is PQUICC Ethernet, address is 0004.dc0c.eaa5 (bia 0004.dc0c.eaa5)
Description: Tenant Subnet
Internet address is 10.0.0.1/16
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 14/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10BaseT
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 13000 bits/sec, 32 packets/sec
5 minute output rate 586000 bits/sec, 45 packets/sec
236375 packets input, 24477252 bytes, 0 no buffer
Received 7641 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
283129 packets output, 267808745 bytes, 0 underruns(0/0/0)
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
___________Here is the running config-----
interface Ethernet0
description Tenant Subnet
ip address 10.0.0.1 255.255.0.0
ip access-group 101 out
ip nat inside
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.0.1 255.255.0.0
ip access-group 100 out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Serial0
ip address 216.146.76.129 255.255.255.224
ip nat outside
encapsulation ppp
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl att
no cdp enable
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
access-list 100 permit tcp any 192.168.0.0 0.0.0.255
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any 10.0.0.0 0.255.255.255
okay
The access-list look okay.
I am not sure about your default root.
conf t
no ip route 0.0.0.0 0.0.0.0 216.146.76.130
ip route 0.0.0.0 0.0.0.0 Serial0
Try a tracert to microsoft.com
post results
The access-list look okay.
I am not sure about your default root.
conf t
no ip route 0.0.0.0 0.0.0.0 216.146.76.130
ip route 0.0.0.0 0.0.0.0 Serial0
Try a tracert to microsoft.com
post results
ASKER
Okay,
I did what you said and here is what I get:
I cannot connect to the internet via my browser from the 10.x network. Here is what I get:
C:\Documents and Settings\admin>ping google.com
Ping request could not find host google.com. Please check the name and try agai
.
I did a traceroute within the router to microsoft.com and here is what I get:
LEE_ST.#traceroute microsoft.com
Translating "microsoft.com"...domain server (216.146.70.3) [OK]
Type escape sequence to abort.
Tracing the route to microsoft.com (207.46.245.214)
1 216.146.76.130 4 msec 4 msec 4 msec
2 chi-core2-a6-0.networkgci.
3 chi-core1-fa5-0.networkgci
4 f5.ba01.b002332-1.ord01.at
ec
5 g3-4.core02.ord01.atlas.co
6 p15-0.core01.ord01.atlas.c
7 p5-0.core01.sfo01.atlas.co
8 p4-0.core01.sjc01.atlas.co
9 p15-1.core01.sjc03.atlas.c
10 ge9-0.edge1.sjc1.us.msn.ne
11 po1.sjc-76cb-1a.ntwk.msn.n
12 pos4-2.core1.pao1.ntwk.msn
13 pos15-0.core1.sea1.ntwk.ms
14 pos1-0.iusnixcpxc1201.ntwk
15 pos1-0.iustixcpdc1201.ntwk
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
I cannot ping the 192.x network to any node that I want... Here is what I get:
Pinging 192.168.0.47 with 32 bytes of data:
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Both networks are not connecting to the internet. Here is my config:
interface Ethernet0
description Tenant Subnet
ip address 10.0.0.1 255.255.0.0
ip access-group 101 out
ip nat inside
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.0.1 255.255.0.0
ip access-group 100 out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Serial0
ip address 216.146.76.129 255.255.255.224
ip nat outside
encapsulation ppp
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl att
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
access-list 100 permit tcp any 192.168.0.0 0.0.0.255
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any 10.0.0.0 0.255.255.255
no cdp run
I did what you said and here is what I get:
I cannot connect to the internet via my browser from the 10.x network. Here is what I get:
C:\Documents and Settings\admin>ping google.com
Ping request could not find host google.com. Please check the name and try agai
.
I did a traceroute within the router to microsoft.com and here is what I get:
LEE_ST.#traceroute microsoft.com
Translating "microsoft.com"...domain server (216.146.70.3) [OK]
Type escape sequence to abort.
Tracing the route to microsoft.com (207.46.245.214)
1 216.146.76.130 4 msec 4 msec 4 msec
2 chi-core2-a6-0.networkgci.
3 chi-core1-fa5-0.networkgci
4 f5.ba01.b002332-1.ord01.at
ec
5 g3-4.core02.ord01.atlas.co
6 p15-0.core01.ord01.atlas.c
7 p5-0.core01.sfo01.atlas.co
8 p4-0.core01.sjc01.atlas.co
9 p15-1.core01.sjc03.atlas.c
10 ge9-0.edge1.sjc1.us.msn.ne
11 po1.sjc-76cb-1a.ntwk.msn.n
12 pos4-2.core1.pao1.ntwk.msn
13 pos15-0.core1.sea1.ntwk.ms
14 pos1-0.iusnixcpxc1201.ntwk
15 pos1-0.iustixcpdc1201.ntwk
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
I cannot ping the 192.x network to any node that I want... Here is what I get:
Pinging 192.168.0.47 with 32 bytes of data:
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Both networks are not connecting to the internet. Here is my config:
interface Ethernet0
description Tenant Subnet
ip address 10.0.0.1 255.255.0.0
ip access-group 101 out
ip nat inside
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.0.1 255.255.0.0
ip access-group 100 out
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Serial0
ip address 216.146.76.129 255.255.255.224
ip nat outside
encapsulation ppp
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl att
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
access-list 100 permit tcp any 192.168.0.0 0.0.0.255
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any 10.0.0.0 0.255.255.255
no cdp run
When you do:
conf t
int f0
no access-group 100
int e0
no access-group 101
Ctl+z
Are you able to access the internet?
conf t
int f0
no access-group 100
int e0
no access-group 101
Ctl+z
Are you able to access the internet?
Alright, even if there no feedback if the final given solution is working, I still think, there is enough support provided,so the answers can be accepted.
Tolomir
Tolomir
BSP:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:
Split: S3T{http:#10776633} & Nyaema{http:#10928292}
Any objections should be posted here in the next 4 days. After that time, the question will be closed.
Tolomir
EE Cleanup Volunteer
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:
Split: S3T{http:#10776633} & Nyaema{http:#10928292}
Any objections should be posted here in the next 4 days. After that time, the question will be closed.
Tolomir
EE Cleanup Volunteer
From what you have written above there are 3 access lists on this router. 1, 10, 101.
you could implement an access-list somthing like the following.
access-list 111 permit ip 10.0.0.0 0.0.255.255 192.168.0.47 0.0.0.0
access-list 111 permit ip 10.0.0.0 0.0.255.255 192.168.0.48 0.0.0.0
access-list 111 deny ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 111 permit ip any any
This list would allow the 10.0.0.0 network to access only the two specified ip addresses on the 192.168.0.0 network. It will also not allow any other traffic to cross over from the 10.0.0.0 network into the 192.168.0.0 network but allow the 10.0.0.0 network to reach other networks. I hope that this helps you out a little. If there are any other specifications or circumstances please let me know. Thanks
S3T