Solved

Access-Control List question regarding two networks

Posted on 2004-04-06
35
407 Views
Last Modified: 2010-04-11
I have two networks divided by two Ethernet connections in my 1720 router.  I know how to config the basics in my router and I know the command line but I am having a hard time understanding what i need to do to let my 10.0.0.0 network access only a few ip's on my 192.169.0.0 network.  I have an access-list that consists of this:
_____
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 10 deny   10.0.0.0 0.0.255.255
access-list 10 permit any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
no cdp run
_____

This access-list is not allowing the 10. network and 192 network to access each other which I want.  But what I do need to do is allow a few ip's to talk across each network.  So say I have a webserver and email server at address' 192.168.0.47 and 192.168.0.48 and a couple others.  What would the rules be that I need to add to keep the wall there but just allow access to those two specific IP's? 192.168.0.47 & 48.

Thanks in advance!

Mike.
0
Comment
Question by:mikerips
  • 15
  • 8
  • 4
  • +3
35 Comments
 

Expert Comment

by:S3T
ID: 10769801
Mike,

From what you have written above there are 3 access lists on this router. 1, 10, 101.
you could implement an access-list somthing like the following.

access-list 111 permit ip 10.0.0.0 0.0.255.255 192.168.0.47 0.0.0.0
access-list 111 permit ip 10.0.0.0 0.0.255.255 192.168.0.48 0.0.0.0
access-list 111 deny ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 111 permit ip any any


This list would allow the 10.0.0.0 network to access only the two specified ip addresses on the 192.168.0.0 network. It will also not allow any other traffic to cross over from the 10.0.0.0 network into the 192.168.0.0 network but allow the 10.0.0.0 network to reach  other networks. I hope that this helps you out a little. If there are any other specifications or circumstances please let me know. Thanks

S3T
0
 
LVL 4

Expert Comment

by:kruptos
ID: 10769822
I belive you are on the right track, what I would do is use extended access for the control of traffic for the last part, it will allow you to provide the source AND destination in the access list.

Just remember to allow after you deny or your list will be worthless, and pay attention to what interface you are putting the lists on :-)

Let me know if you need more help!

0
 
LVL 4

Expert Comment

by:kruptos
ID: 10769866
Nice answer S3T, maybe he will be cool and split the points :-) Great minds think alike :-)
0
 
LVL 8

Expert Comment

by:anil_u
ID: 10770063
Here are some General access list rules:
- A packet is compared with each line of the access list sequentially.
- Once there is a match, there is no further checking down the access list.
- There is an implicit "deny" at the end of each access list.
- Types of access lists:
- Standard -- source IP only (TCP/IP), or source and destination IPX address (IPX). There is no port or protocol information.
- Extended -- source and destination IP, protocol field (Network Layer), port number (Transport Layer). IPX uses sockets instead of ports.
- Access lists can be inbound or outbound.
- You can only assign one access list per interface, per protocol, or per direction. Example -- only 1 inbound and 1 outbound IP access lists per interface.
- Keep more specific rules on top, and more general rules towards the bottom. Also, keep "deny" on top and "permit" towards the bottom.
- Any time a new entry is added, it will be placed at the end of the access list.
- You CANNOT remove a single line from an access list (unless it is named). Doing so will remove the whole access list. Copy the access list to a text editor and make changes there.
- You can disable the implied "deny" at the end of an access list with "permit any".
- Create access lists first and then apply them to an interface.
- Access lists filter traffic passing through the router. They will NOT filter traffic originating from the router.
- Place IP standard access lists as close to the destination as possible.
- Place IP extended access lists as close to the source as possible.
- Standard IP access lists -- (1-99) -- "config t", "access-list 10 deny host 172.16.30.2".
- Block a particular host -- "access-list 10 deny 172.16.30.5 0.0.0.0". Block a range of hosts (mask the last field) -- "access-list 10 deny 172.16.30.0 0.0.0.255".
- Block all IPs belonging to networks from "172.16.8.0" to "172.16.15.0" -- "access-list 10 deny 172.16.8.0 0.0.7.255" -- "7" is the wildcard -- always 1 less than the block size, which in this case is "8".
- Each block size must start at "0". Example -- for block size "8", we have "0-7", "8-15", "16-23", etc.
- "any" = "0.0.0.0 255.255.255.255".
- Standard IP access list example -- "config t", "access-list 10 deny 172.16.40.0 0.0.0.255", "access-list 10 permit any", "int e0" (closest to destination), "ip access-group 10 out".
- Controlling VTY (telnet) access -- "config t", "access-list 50 permit 172.16.10.3", "line vty 0 4", "access-class 50 in" -- ONLY allow "172.16.10.3" to telnet in.
- Extended IP access lists -- (100-199) -- "config t", "access-list 110 deny tcp any host 172.16.30.2 eq 23 log", "access-list 110 permit ip any any", "int e0", "ip access-group 110 out".
- Monitoring IP access lists:
- "sh access-lists" -- display all access lists. No interface information is shown.
- "sh access-list 110" -- only display a single access list.
- "sh ip access-list" -- display only the IP access lists.
- "sh ip interface" -- display which interfaces have access lists set.
- "sh run" -- displays access lists and also which interfaces have access lists set.
- IPX access lists:
- IPX standard -- (800-899) -- source and destination IPX address -- "config t", "access-list 810 permit 20 40", "int e0", "ipx access-group 810 out".
- IPX extended -- (900-999) -- "config t", "access-list 910 deny -1 10 0 20 0", "access-list 910 permit -1 -1 0 -1 0", "int e0", "ipx access-group 910 in" -- "-1" always means "all" in IPX.
- IPX SAP filters -- (1000-1099) -- "config t", "access-list 1010 permit -1 4 Sales" -- "-1" means "all source addresses", "4" is the destination, "Sales" is a description.
! There are two ways to finish setting up this SAP access list:
- "int e0", "ipx input-sap-filter" -- stops SAP entries from being added to the SAP table of the router.
- "int e1", "ipx output-sap-filter" -- stops SAP entries from being propagated out of the router.
- Verifying IPX access lists:
- "sh ipx interface" -- displays interface information and access list association.
- "sh ipx access-list" -- displays access list contents -- "FFFFFFFF" in the output means "any".
0
 

Author Comment

by:mikerips
ID: 10775543
I did what S3T suggested and i get no reply from the 192.168.0.47 host.

Here is what I get:

Pinging 192.168.0.47 with 32 bytes of data:

Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.

Here is my access list config:

access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 10 deny   10.0.0.0 0.0.255.255
access-list 10 permit any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
access-list 111 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.47
access-list 111 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.48
access-list 111 deny   ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 111 permit ip any any
no cdp run

Whats up?

Thanks for all the help!

M.
0
 

Expert Comment

by:S3T
ID: 10775712
Mike,

 Where do you have the access lists applied? on which interface and in or out? This is why I said in my previous post that you could IMPLEMENT an ACCESS LIST SOMETHING LIKE THIS. It is hard not knowing exatly where all of your other lists are applied. Looking at access list 10 it will deny all traffic from the 10.0.0.0 network.
Can you post a sh run.  Thanks


S3T
0
 

Author Comment

by:mikerips
ID: 10775886
Sorry bout the lack of info.

Here ya go:

no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable password
!
memory-size iomem 25
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip finger
ip name-server 216.146.70.3
ip name-server 216.146.72.3
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool dhcp-pool
   network 192.168.0.0 255.255.255.0
   dns-server 216.146.70.3 216.146.72.3
   default-router 192.168.0.1
   domain-name leestreet.com
   lease infinite
!
ip dhcp-server 192.168.0.1
!
!
!
interface Ethernet0
 description Tenant Subnet
 ip address 10.0.0.1 255.255.0.0
 ip nat inside
 half-duplex
 no cdp enable
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.0.0
 ip access-group 10 out
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0
 ip address 216.146.76.129 255.255.255.224
 ip nat outside
 encapsulation ppp
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 service-module t1 fdl att
 no cdp enable
!
ip nat pool nat-pool 216.146.76.131 216.146.76.135 netmask 255.255.255.224
ip nat inside source list 1 pool nat-pool overload
ip nat inside source static tcp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static tcp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static udp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static udp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static udp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static tcp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static udp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static tcp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static udp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static tcp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static udp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static tcp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static tcp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static tcp 192.168.0.47 443 216.146.76.147 443 extendable
ip nat inside source static udp 192.168.0.47 25 216.146.76.147 25 extendable
ip nat inside source static tcp 192.168.0.47 3389 216.146.76.147 3389 extendable
ip nat inside source static tcp 192.168.0.48 25 216.146.76.148 25 extendable
ip nat inside source static tcp 192.168.0.48 110 216.146.76.148 110 extendable
ip nat inside source static udp 192.168.0.48 21 216.146.76.148 21 extendable
ip nat inside source static udp 192.168.0.48 53 216.146.76.148 53 extendable
ip nat inside source static udp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static tcp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static tcp 192.168.0.48 220 216.146.76.148 220 extendable
ip nat inside source static tcp 192.168.0.47 80 216.146.76.147 80 extendable
ip nat inside source static udp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static udp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static udp 192.168.0.4 80 216.146.76.138 80 extendable
ip nat inside source static udp 192.168.0.5 80 216.146.76.139 80 extendable
ip nat inside source static udp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static udp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static tcp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static tcp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static udp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static udp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static udp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static udp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static udp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static tcp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static tcp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static tcp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static tcp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static tcp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static tcp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static tcp 192.168.0.47 25 216.146.76.147 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.146.76.130
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 10 deny   10.0.0.0 0.0.255.255
access-list 10 permit any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
no cdp run
0
 

Accepted Solution

by:
S3T earned 200 total points
ID: 10776633
Mike,

If you are trying to ping 192.168.0.47 then you will also need to permit icmp from the 10.0.0.0 network. You have access list 10 applied to fastethernet out. This is where you should have applied the other access list. If you are trying it out and need to ping through then this should work. I just configured it in one of my training labs and it worked out fine.

access-list 102 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.47
access-list 102 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.48
access-list 102 permit icmp 10.0.0.0 0.0.255.255 host 192.168.0.47
access-list 102 permit icmp 10.0.0.0 0.0.255.255 host 192.168.0.48
access-list 102 deny ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 permit ip any any

Try this on int fa 1/0 out bound. Let me know if this helps you out. Sorry about the miscommunication earlier. Thanks.


S3T
0
 

Author Comment

by:mikerips
ID: 10776652
thanks so much but I have another question....  what is the command line to apply those access list to int fa 1/0.

Sorry I am a rookie...

M.
0
 

Expert Comment

by:S3T
ID: 10776705
Mike,

No problem.
once you are in the interface config mode.=  router(config-if)#
you will need to issue the following command.= ip access-group 102 out


I hope that this helps out. If there is anything else that you need help with just post up and someone will always help you out.
Thanks.


S3T
0
 

Author Comment

by:mikerips
ID: 10776805
Did what you said and it still didn't let me ping nor get to the web server via 192.168.0.47

Here is what we got:
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 10 deny   10.0.0.0 0.0.255.255
access-list 10 permit any
access-list 101 permit tcp 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.47
access-list 102 permit ip 10.0.0.0 0.0.255.255 host 192.168.0.48
access-list 102 permit icmp 10.0.0.0 0.0.255.255 host 192.168.0.47
access-list 102 permit icmp 10.0.0.0 0.0.255.255 host 192.168.0.48
access-list 102 deny   ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 permit ip any any
no cdp run
!
0
 

Author Comment

by:mikerips
ID: 10776821
Pinging 192.168.0.47 with 32 bytes of data:

Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 10791397
There are to many access-lists.
Do the following

conf t
! remove the current access-lists
no access-list 1
no access-list 10
no access-list 101
no access-list 102

! Allow network 10.0.0.0 access to the two hosts 192.168.1.0.0
ip access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
ip access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
! Deny network 10.0.0.0 access to any other hosts on 192.168.0.0
ip access-list 100 deny tcp 10.0.0.0 0.255.255.255 any
! Allow other networks access to network 192.168.0.0
ip access-list 100 permit any any

! Allow the two hosts on network 192.168.0.0 acess to 10.0.0.0
ip access-list 101 permit tcp host 192.168.0.47 any
ip access-list 101 permit tcp host 192.168.0.48 any
! Deny other hosts on 192.168.0.0 access to 10.0.0.0
ip access-list 101 deny tcp 192.168.0.0 any
! Permit other network access to 10.0.0.0
ip access-list 101 permit any any
 
! Apply the access lists to the interfaces
int f0
no ip access-group 10 out
ip access-group 100 out

int e0
access-group 101 out
ip access-group 101 out
0
 

Author Comment

by:mikerips
ID: 10825620
When entering the commands I get this:

Enter configuration commands, one per line.  End with CNTL/Z.
LEE_ST.(config)#no access-list 1
LEE_ST.(config)#no access-list 10
LEE_ST.(config)#no access-list 101
LEE_ST.(config)#no access-list 102
LEE_ST.(config)#$ist 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
ip access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
               ^
% Invalid input detected at '^' marker.
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 10832130
Sorry, my mistake.  Remove the ip infront of the access-list.
Should read:

! Allow network 10.0.0.0 access to the two hosts 192.168.1.0.0
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
! Deny network 10.0.0.0 access to any other hosts on 192.168.0.0
access-list 100 deny tcp 10.0.0.0 0.255.255.255 any
! Allow other networks access to network 192.168.0.0
access-list 100 permit any any

! Allow the two hosts on network 192.168.0.0 acess to 10.0.0.0
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
! Deny other hosts on 192.168.0.0 access to 10.0.0.0
access-list 101 deny tcp 192.168.0.0 any
! Permit other network access to 10.0.0.0
access-list 101 permit any any
 
! Apply the access lists to the interfaces
int f0
no ip access-group 10 out
ip access-group 100 out

int e0
ip access-group 101 out
0
 

Author Comment

by:mikerips
ID: 10869449
More errors:  Plus I couldn't get on the internet with either interface after doing this:.....  

LEE_ST.#config t
Enter configuration commands, one per line.  End with CNTL/Z.
LEE_ST.(config)#no access-list 1
LEE_ST.(config)#no access-list 10
LEE_ST.(config)#no access-list 101
LEE_ST.(config)#no access-list 102
LEE_ST.(config)#$work 10.0.0.0 access to the two hosts 192.168.1.0.0
LEE_ST.(config)#$ 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
LEE_ST.(config)#$ 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
LEE_ST.(config)#$ork 10.0.0.0 access to any other hosts on 192.168.0.0
LEE_ST.(config)#access-list 100 deny tcp 10.0.0.0 0.255.255.255 any
LEE_ST.(config)#! Allow other networks access to network 192.168.0.0
LEE_ST.(config)#access-list 100 permit any any
                                        ^
% Invalid input detected at '^' marker.

LEE_ST.(config)#$ two hosts on network 192.168.0.0 acess to 10.0.0.0
LEE_ST.(config)#access-list 101 permit tcp host 192.168.0.47 any
LEE_ST.(config)#access-list 101 permit tcp host 192.168.0.48 any
LEE_ST.(config)#! Deny other hosts on 192.168.0.0 access to 10.0.0.0
LEE_ST.(config)#access-list 101 deny tcp 192.168.0.0 any
                                                     ^
% Invalid input detected at '^' marker.

LEE_ST.(config)#! Permit other network access to 10.0.0.0
LEE_ST.(config)#access-list 101 permit any any
                                        ^
% Invalid input detected at '^' marker.

LEE_ST.(config)#int f0
LEE_ST.(config-if)#no ip access-group 10 out
LEE_ST.(config-if)#ip access-group 100 out
LEE_ST.(config-if)#int e0
LEE_ST.(config-if)#ip access-group 101 out
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 10869646
Forgive my typematic errors.
Sorry.  Also The other guys didn't point this out.

First error. tcp is missing.
should be:
access-list 100 permit tcp any any

second error. 0.0.0.255 is missing
should be access-list 101 deny tcp 192.168.0.0 0.0.0.255 any

Third error. tcp missing
should be access-list 101 permit tcp any any.

To correct these error you will need to clear these access-lists
by entering the following then start over as follows:

Config t

!Clear Access-lists
no access-list 100
no access-list 101

!Allow network 10.0.0.0 access to the two hosts 192.168.1.0.0
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
! Deny network 10.0.0.0 access to any other hosts on 192.168.0.0
access-list 100 deny tcp 10.0.0.0 0.255.255.255 any
! Allow other networks access to network 192.168.0.0
access-list 100 permit tcp  any any

! Allow the two hosts on network 192.168.0.0 acess to 10.0.0.0
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
! Deny other hosts on 192.168.0.0 access to 10.0.0.0
access-list 101 deny tcp 192.168.0.0 0.0.0.255 any
! Permit other network access to 10.0.0.0
access-list 101 permit tcp any any




Nb: There is no need to apply the above access-lists to the interface as they have been already applied.

Please also post the final configuration entered by typing: show run
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:mikerips
ID: 10870169
Okay so i did what you said and it took all the commands without any errors.  But the problem was this:  I could ping other machines on the 192.x.x.x network other than the two I want to be able to ping.  which is .47 and .48.  I also noticed that the internet wasn't working.  Please help.  
0
 

Author Comment

by:mikerips
ID: 10870176
LEE_ST.#show run
Building configuration...

Current configuration : 5664 bytes
!
version 12.1
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime

!
hostname LEE_ST.
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable password
!
memory-size iomem 25
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip finger
ip name-server 216.146.70.3
ip name-server 216.146.72.3
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool dhcp-pool
   network 192.168.0.0 255.255.255.0
   dns-server 216.146.70.3 216.146.72.3
   default-router 192.168.0.1
   domain-name leestreet.com
   lease infinite
!
ip dhcp-server 192.168.0.1
!
!
!
interface Ethernet0
 description Tenant Subnet
 ip address 10.0.0.1 255.255.0.0
 ip nat inside
 half-duplex
 no cdp enable
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.0.0
 ip access-group 10 out
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0
 ip address 216.146.76.129 255.255.255.224
 ip nat outside
 encapsulation ppp
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 service-module t1 fdl att
 no cdp enable
!
ip nat pool nat-pool 216.146.76.131 216.146.76.135 netmask 255.255.255.224
ip nat inside source list 1 pool nat-pool overload
ip nat inside source static tcp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static tcp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static udp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static udp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static udp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static tcp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static udp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static tcp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static udp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static tcp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static udp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static tcp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static tcp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static tcp 192.168.0.47 443 216.146.76.147 443 extendable
ip nat inside source static udp 192.168.0.47 25 216.146.76.147 25 extendable
ip nat inside source static tcp 192.168.0.47 3389 216.146.76.147 3389 extendable
ip nat inside source static tcp 192.168.0.48 25 216.146.76.148 25 extendable
ip nat inside source static tcp 192.168.0.48 110 216.146.76.148 110 extendable
ip nat inside source static udp 192.168.0.48 21 216.146.76.148 21 extendable
ip nat inside source static udp 192.168.0.48 53 216.146.76.148 53 extendable
ip nat inside source static udp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static tcp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static tcp 192.168.0.48 220 216.146.76.148 220 extendable
ip nat inside source static tcp 192.168.0.47 80 216.146.76.147 80 extendable
ip nat inside source static udp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static udp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static udp 192.168.0.4 80 216.146.76.138 80 extendable
ip nat inside source static udp 192.168.0.5 80 216.146.76.139 80 extendable
ip nat inside source static udp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static udp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static tcp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static tcp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static udp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static udp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static udp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static udp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static udp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static tcp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static tcp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static tcp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static tcp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static tcp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static tcp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static tcp 192.168.0.47 25 216.146.76.147 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.146.76.130
no ip http server
!
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny   tcp 10.0.0.0 0.255.255.255 any
access-list 100 permit tcp any any
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny   tcp 192.168.0.0 0.0.0.255 any
access-list 101 permit tcp any any
no cdp run
!

!
end
0
 
LVL 4

Expert Comment

by:kruptos
ID: 10870218
dont you have oto put the Deny first in tho order, and then the permits?
0
 
LVL 4

Expert Comment

by:kruptos
ID: 10870233
If i am correct, it is reading from the top down, so you are permitting 2 ip addresses first, then you are denying all on the subnet....that will negate the first 2 that you permitted...i could be wrong, but i think that may be part of the problem.

0
 

Author Comment

by:mikerips
ID: 10870446
Still don't know how to implement it.
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 10875495
The problem is that traffic from both networks to the internet is being denied.

So we modify the access-lists be specific to which networks we deny traffic to

no access-list 100
no access-list 101

access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny   tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
access-list 100 permit tcp any any
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny   tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any any
0
 

Author Comment

by:mikerips
ID: 10881041
I went ahead and did that and this is what happened:  I could talk to any computer from the 10.x network to any computer on the 192.x network.  which is what i didn't want.  I could also talk to the internet from the 10.x network but not from the 192.x network.  This seems to be a touch access list.  Any more suggestions?  If it makes it any easier I wouldn't care if the 10.x network could talk to any computer ranging from 192.168.0.2 through 192.168.0.89.  But we cannot talk above 89.

Thanks again!!

Mike.
0
 

Author Comment

by:mikerips
ID: 10889801
Help!!  I will raise the points if needed.
0
 
LVL 16

Assisted Solution

by:Nyaema
Nyaema earned 200 total points
ID: 10928292
Try this modification and post the final 'show config' to see any other possible problems
Also post tracert from both networks.
ignore the statements starting with !

no access-list 100
no access-list 101

access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
! Deny any other connection from 10.x.x.x to any other host on 192.168.0.x
access-list 100 deny   tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
! Allow internet access to 192.168.0.x
access-list 100 permit tcp any 192.168.0 0.0.0.255


access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
! Deny any other host on 192.168.0.x access to 10.0.0.0
access-list 101 deny   tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
! Allow internet access to 10.0.0.0
access-list 101 permit tcp any 10.0.0.0 0.255.255.255
0
 

Author Comment

by:mikerips
ID: 11053218
That didn't work.  I am able to ping any node on the 192 network from the 10 network.  I am also unable to get out to the internet from the 10 network.  Here is the config:

interface Ethernet0
 description Tenant Subnet
 ip address 10.0.0.1 255.255.0.0
 ip nat inside
 half-duplex
 no cdp enable
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.0.0
 ip access-group 10 out
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0
 ip address 216.146.76.129 255.255.255.224
 ip nat outside
 encapsulation ppp
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 service-module t1 fdl att
 no cdp enable
!
ip nat pool nat-pool 216.146.76.131 216.146.76.135 netmask 255.255.255.224
ip nat inside source list 1 pool nat-pool overload
ip nat inside source static tcp 192.168.0.46 3389 216.146.76.146 3389 extendable
ip nat inside source static tcp 192.168.0.47 25 216.146.76.147 25 extendable
ip nat inside source static tcp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static tcp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static tcp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static tcp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static tcp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static tcp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static udp 192.168.0.12 80 216.146.76.146 80 extendable
ip nat inside source static udp 192.168.0.11 80 216.146.76.145 80 extendable
ip nat inside source static udp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static udp 192.168.0.7 80 216.146.76.141 80 extendable
ip nat inside source static udp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static tcp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static tcp 192.168.0.10 80 216.146.76.144 80 extendable
ip nat inside source static udp 192.168.0.9 80 216.146.76.143 80 extendable
ip nat inside source static udp 192.168.0.8 80 216.146.76.142 80 extendable
ip nat inside source static udp 192.168.0.5 80 216.146.76.139 80 extendable
ip nat inside source static udp 192.168.0.4 80 216.146.76.138 80 extendable
ip nat inside source static udp 192.168.0.3 80 216.146.76.137 80 extendable
ip nat inside source static udp 192.168.0.2 80 216.146.76.136 80 extendable
ip nat inside source static tcp 192.168.0.47 80 216.146.76.147 80 extendable
ip nat inside source static tcp 192.168.0.48 220 216.146.76.148 220 extendable
ip nat inside source static tcp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static udp 192.168.0.48 143 216.146.76.148 143 extendable
ip nat inside source static udp 192.168.0.48 53 216.146.76.148 53 extendable
ip nat inside source static udp 192.168.0.48 21 216.146.76.148 21 extendable
ip nat inside source static tcp 192.168.0.48 110 216.146.76.148 110 extendable
ip nat inside source static tcp 192.168.0.48 25 216.146.76.148 25 extendable
ip nat inside source static tcp 192.168.0.47 3389 216.146.76.147 3389 extendable
ip nat inside source static udp 192.168.0.47 25 216.146.76.147 25 extendable
ip nat inside source static tcp 192.168.0.47 443 216.146.76.147 443 extendable
ip nat inside source static tcp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static udp 192.168.0.47 110 216.146.76.147 110 extendable
ip nat inside source static udp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static tcp 192.168.0.47 20 216.146.76.147 20 extendable
ip nat inside source static udp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static tcp 192.168.0.47 21 216.146.76.147 21 extendable
ip nat inside source static udp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static tcp 192.168.0.47 53 216.146.76.147 53 extendable
ip nat inside source static udp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static tcp 192.168.0.47 143 216.146.76.147 143 extendable
ip nat inside source static udp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static tcp 192.168.0.47 220 216.146.76.147 220 extendable
ip nat inside source static udp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static tcp 192.168.0.47 32000 216.146.76.147 32000 extendab
le
ip nat inside source static udp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static tcp 192.168.0.48 32000 216.146.76.148 32000 extendab
le
ip nat inside source static tcp 192.168.0.6 80 216.146.76.140 80 extendable
ip nat inside source static tcp 192.168.0.48 80 216.146.76.148 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.146.76.130
no ip http server
!
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny   tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
access-list 100 permit tcp any 192.168.0.0 0.0.0.255
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny   tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any 10.0.0.0 0.255.255.255

___________

Here is the tracert's:

Tracing route to 192.168.0.47 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  10.0.0.1
  2    <1 ms    <1 ms    <1 ms  192.168.0.47
-------
C:\>tracert 10.0.0.37

Tracing route to 10.0.0.37 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *        *
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 11057068
The Ethernet interface seems to be down.
Check the ethernet cable connection.
Then type the following:

show int e0

Conf t
int e0
no shutdown
ctl+z

show int e0

post the results of the above command.
Also remove the access group 10 on interface e0



Also you have not applied the access-lists to the interfaces

conf t
int f0
no ip access-group 10 out
ip access-group 100 out

int e0
ip access-group 101 out


0
 

Author Comment

by:mikerips
ID: 11060170
I did what you said again and still not working.  I am unable to connect to the internet and i am able to ping the 192.x network from the 10.x network.

.#show int e0
Ethernet0 is up, line protocol is up
  Hardware is PQUICC Ethernet, address is 0004.dc0c.eaa5 (bia 0004.dc0c.eaa5)
  Description: Tenant Subnet
  Internet address is 10.0.0.1/16
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 14/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10BaseT
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 13000 bits/sec, 32 packets/sec
  5 minute output rate 586000 bits/sec, 45 packets/sec
     236375 packets input, 24477252 bytes, 0 no buffer
     Received 7641 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     283129 packets output, 267808745 bytes, 0 underruns(0/0/0)
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

___________Here is the running config-----

interface Ethernet0
 description Tenant Subnet
 ip address 10.0.0.1 255.255.0.0
 ip access-group 101 out
 ip nat inside
 half-duplex
 no cdp enable
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.0.0
 ip access-group 100 out
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0
 ip address 216.146.76.129 255.255.255.224
 ip nat outside
 encapsulation ppp
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 service-module t1 fdl att
 no cdp enable


access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny   tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
access-list 100 permit tcp any 192.168.0.0 0.0.0.255
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny   tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any 10.0.0.0 0.255.255.255
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 11060613
okay

The access-list look okay.

I am not sure about your default root.

conf t
no ip route 0.0.0.0 0.0.0.0 216.146.76.130
ip route 0.0.0.0 0.0.0.0 Serial0


Try a tracert to microsoft.com
post results

0
 

Author Comment

by:mikerips
ID: 11061660
Okay,

I did what you said and here is what I get:

I cannot connect to the internet via my browser from the 10.x network.  Here is what I get:
C:\Documents and Settings\admin>ping google.com
Ping request could not find host google.com. Please check the name and try agai
.

I did a traceroute within the router to microsoft.com and here is what I get:

LEE_ST.#traceroute microsoft.com
Translating "microsoft.com"...domain server (216.146.70.3) [OK]

Type escape sequence to abort.
Tracing the route to microsoft.com (207.46.245.214)

  1 216.146.76.130 4 msec 4 msec 4 msec
  2 chi-core2-a6-0.networkgci.net (216.146.72.221) 4 msec 4 msec 4 msec
  3 chi-core1-fa5-0.networkgci.net (216.146.72.2) 8 msec 4 msec 4 msec
  4 f5.ba01.b002332-1.ord01.atlas.cogentco.com (66.28.28.153) 8 msec 4 msec 4 ms
ec
  5 g3-4.core02.ord01.atlas.cogentco.com (66.250.9.93) 4 msec 4 msec 4 msec
  6 p15-0.core01.ord01.atlas.cogentco.com (66.28.4.61) 128 msec 140 msec 4 msec
  7 p5-0.core01.sfo01.atlas.cogentco.com (66.28.4.185) 48 msec 52 msec 52 msec
  8 p4-0.core01.sjc01.atlas.cogentco.com (66.28.4.94) 52 msec 52 msec 52 msec
  9 p15-1.core01.sjc03.atlas.cogentco.com (154.54.2.234) 52 msec 52 msec 52 msec
 10 ge9-0.edge1.sjc1.us.msn.net (154.54.10.106) 52 msec 52 msec 52 msec
 11 po1.sjc-76cb-1a.ntwk.msn.net (207.46.34.137) 56 msec 60 msec 56 msec
 12 pos4-2.core1.pao1.ntwk.msn.net (207.46.34.174) 60 msec 60 msec 60 msec
 13 pos15-0.core1.sea1.ntwk.msn.net (207.46.33.29) 76 msec 76 msec 76 msec
 14 pos1-0.iusnixcpxc1201.ntwk.msn.net (207.46.36.210) 80 msec 76 msec 76 msec
 15 pos1-0.iustixcpdc1201.ntwk.msn.net (207.46.155.10) 80 msec 80 msec 80 msec
 16  *  *  *
 17  *  *  *
 18  *  *  *
 19  *  *  *
 20  *  *  *
 21  *  *  *
 22  *  *  *
 23  *  *  *
 24  *  *  *
 25  *  *  *
 26  *  *  *
 27  *  *  *
 28  *  *  *
 29  *  *  *
 30  *  *  *

I cannot ping the 192.x network to any node that I want... Here is what I get:

Pinging 192.168.0.47 with 32 bytes of data:

Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.
Reply from 10.0.0.1: Destination net unreachable.

Both networks are not connecting to the internet.  Here is my config:

interface Ethernet0
 description Tenant Subnet
 ip address 10.0.0.1 255.255.0.0
 ip access-group 101 out
 ip nat inside
 half-duplex
 no cdp enable
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.0.0
 ip access-group 100 out
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0
 ip address 216.146.76.129 255.255.255.224
 ip nat outside
 encapsulation ppp
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 service-module t1 fdl att
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.47
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.48
access-list 100 deny   tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.0.255
access-list 100 permit tcp any 192.168.0.0 0.0.0.255
access-list 101 permit tcp host 192.168.0.47 any
access-list 101 permit tcp host 192.168.0.48 any
access-list 101 deny   tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp any 10.0.0.0 0.255.255.255
no cdp run

0
 
LVL 16

Expert Comment

by:Nyaema
ID: 11090749
When you do:
conf t
int f0
no access-group 100
int e0
no access-group 101
Ctl+z


Are you able to access the internet?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 15718986
Alright, even if there no feedback if the final given solution is working, I still think, there is enough support provided,so the answers can be accepted.

Tolomir
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 15719024
BSP:

No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:
Split: S3T{http:#10776633} & Nyaema{http:#10928292}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Tolomir
EE Cleanup Volunteer




0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now