Solved

Cisco 2610 ACL list

Posted on 2004-10-04
Last Modified: 2006-11-17
Hello,

We have a router with a 2 MB SDSL connection.

Public IP is 217.xxx.xxx.xxx
The router/gateway has the internal IP 192.168.0.200; the server behind it is 192.168.0.201.

Everything coming in should be forwarded to 192.168.0.201.

This is what we want to setup for testing.

Then we want to allow only access from two special incoming IP addresses like 217.122.xxx.xx1, etc.
 

I have added the config from the router.


version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2MBSDSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 cisco
clock timezone cst 0
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
no ip cef
!
!
!
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0/0
 description SDSL
 no ip address
 ip nat outside
 ip tcp adjust-mss 1452
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1/0
 description Internes Lan
 ip address 192.168.0.200 255.255.255.0
 ip nat inside
 full-duplex
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname feste-ip/xxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxxxxxxxxxx
 ppp pap sent-username feste-ip/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp 192.0.168.0 0.0.0.255 any
access-list 102 permit tcp 192.0.168.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

2MBSDSL#

Best regards


Thomas
Question by:Sickgolem
13 Comments
 
LVL 79

Expert Comment

by:lrmoore
>Everything coming in should be forwarded to 192.168.0.201

Change this:
  > ip nat inside source list 1 interface Dialer1 overload
To this
   ip nat inside source static 192.168.0.201 <ip address of Dialer 1>

For access restriction:
 >Then we want to allow only access from two special incoming IP addresses like 217.122.xxx.xx1, etc.

access-list 103 permit ip host 217.122.xxx.xx1 host <ip address of Dialer1>
access-list 103 permit ip host 217.122.xxx.xx2 host <ip address of Dialer1>

interface Dialer1
  ip access-group 103 in

 
 

Author Comment

by:Sickgolem
Hi,

I made the changes.

Change this:
  > ip nat inside source list 1 interface Dialer1 overload
To this
   ip nat inside source static 192.168.0.201 <ip address of Dialer 1>

The problem is that I cannot reach the internal machine 192.168.0.201 from the public side (http, no ftp).

show running


Current configuration : 1495 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2MBSDSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxx

clock timezone cst 0
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
no ip cef
!
!
!
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0/0
 description SDSL
 no ip address
 ip nat outside
 ip tcp adjust-mss 1452
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1/0
 description Internes Lan
 ip address 192.168.0.200 255.255.255.0
 ip nat inside
 full-duplex
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname feste-ip/TBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxxxxxxx
 ppp pap sent-username feste-ip/TBxxxxxxxxxxxxxxxxxxxxxxxxxxxx password 0 xxxxxxxxxxxxxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip nat inside source static 192.168.0.201 217.91.102.2
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp 192.0.168.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end




 
LVL 79

Expert Comment

by:lrmoore
What is the default gateway setting on the system 192.168.0.201?
 

Author Comment

by:Sickgolem
Hi,

The default gateway is 192.168.0.200.
 
LVL 79

Expert Comment

by:lrmoore
Since you have not yet applied any inbound access restrictions, it should be working if your www services are up on the server.

>ip nat inside source static 192.168.0.201 217.91.102.2

are you sure this is the correct IP address to use? Are you in DE?
 

Author Comment

by:Sickgolem
I checked again.
The IP is correct. It is Germany, German T-Com.

Thomas
 
LVL 79

Expert Comment

by:lrmoore
Can you post the result of "show interface" for all interfaces?
 

Author Comment

by:Sickgolem
Sure

Dialer1

2MBSDSL#
2MBSDSL#show interface dialer1
Dialer1 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Internet address is 217.91.102.2/32
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 1 seconds on reset
  Interface is bound to Vi1
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 10:47:43
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/16 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 42 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4054 packets input, 82586 bytes
     3660 packets output, 63575 bytes
Bound to:
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1500 bytes, BW 56 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoE vaccess, cloned from Dialer1
  Vaccess status 0x44, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 5 seconds on reset
  Interface is bound to Di1 (Encapsulation PPP)
  Last input 00:02:48, output never, output hang never
  Last clearing of "show interface" counters 10:47:50
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4076 packets input, 82976 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     3682 packets output, 63960 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
2MBSDSL#

ethernet 0/0

2MBSDSL#show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0005.320b.e8c0 (bia 0005.320b.e8c0)
  Description: SDSL
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 10:50:29, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4094 packets input, 165172 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     7667 packets output, 461980 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
2MBSDSL#

ethernet 1/0

2MBSDSL#show interface ethernet 1/0
Ethernet1/0 is up, line protocol is up
  Hardware is AmdP2, address is 0005.320b.e8d0 (bia 0005.320b.e8d0)
  Description: Internes Lan
  Internet address is 192.168.0.200/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 4 packets/sec
  5 minute output rate 1000 bits/sec, 3 packets/sec
     4008 packets input, 370922 bytes, 0 no buffer
     Received 2071 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     7218 packets output, 653861 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
2MBSDSL#

2MBSDSL#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES NVRAM  up                    up  
Ethernet1/0                192.168.0.200   YES NVRAM  up                    up  
Virtual-Access1            unassigned      YES unset  up                    up  
Dialer1                    217.91.102.2    YES IPCP   up                    up  
2MBSDSL#
 
LVL 79

Expert Comment

by:lrmoore
Can that server, 192.168.0.201, connect to anything using a web browser? i.e. http://www.experts-exchange.com
Can you ping anything from that one server?

OK, first, we must disable the router's own http server:
  >ip http server
   no ip http server

Can you add an access-list, just so that we can see if it gets any "hits"

access-list 103 permit tcp any host 217.91.102.2 eq 80
access-list 103 permit ip any any
interface dialer1
 ip access-group 103 in

Make a few test tries, then post result of "show access-list 103"
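Added example, not part of the thread: a small Python model of how IOS walks a numbered extended ACL (top-down, first match wins, implicit deny at the end, per-line match counters like the ones `show access-list 103` prints), so the restriction discussed in this thread can be checked offline before it is applied inbound on Dialer1. Everything in it is constructed: the ACL text, the two trusted source addresses 217.122.1.1 and 217.122.1.2 standing in for the masked 217.122.xxx.xx1 addresses, and the sample packets. It also shows two things the thread's ACL does not cover. Once only the trusted hosts are permitted inbound, replies to connections opened from the LAN are dropped unless a `permit tcp any host <Dialer1> established` entry is added; and `established` is stateless (it only checks for ACK or RST), so UDP replies such as DNS answers still die and any stray TCP segment carrying ACK gets through.

```python
"""First-match evaluation of Cisco IOS numbered *extended* ACLs (standard ACLs have
no protocol field and are not parsed). Covers permit/deny, ip/tcp/udp/icmp, `any`,
`host A`, `A WILDCARD`, `eq PORT` on the destination, `established`, trailing
`log`, and the implicit deny at the end of every ACL."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Constructed for this example: the ACL the thread is working towards, plus an
# `established` line so replies to TCP sessions opened from the LAN survive.
# 217.122.1.1/.2 stand in for the masked trusted hosts; 217.91.102.2 is the
# Dialer1 address shown in the thread.
ACL_103 = """
access-list 103 permit tcp host 217.122.1.1 host 217.91.102.2 eq 80
access-list 103 permit tcp host 217.122.1.2 host 217.91.102.2 eq 80
access-list 103 permit tcp any host 217.91.102.2 established
access-list 103 deny ip any any
"""

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags set, e.g. {"SYN"} or {"ACK"}

@dataclass
class Entry:
    text: str
    action: str
    proto: str
    src: tuple                 # (network, wildcard) as ints
    dst: tuple
    dport: Optional[int]
    established: bool
    hits: int = 0              # the "(n matches)" counter of `show access-list`

def _addr_spec(t, i):
    """Consume one address spec at t[i]; return ((network, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2

def parse_acl(config: str, number: int) -> list:
    """Collect the entries of `access-list <number>` from config text, in order."""
    entries = []
    for line in config.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)]:
            continue
        src, i = _addr_spec(t, 4)
        dst, i = _addr_spec(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(Entry(line.strip(), t[2], t[3], src, dst, dport, "established" in t[i:]))
    return entries

def _in(ip: str, spec) -> bool:
    net, wild = spec                 # a set wildcard bit means "don't care"
    return (int(IPv4Address(ip)) | wild) == (net | wild)

def evaluate(acl, pkt: Packet):
    """Walk the ACL top-down; return (verdict, matched Entry); Entry None = implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_in(pkt.src, e.src) and _in(pkt.dst, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        # `established` is stateless: it only checks that ACK or RST is set.
        if e.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
            continue
        e.hits += 1
        return e.action, e
    return "deny", None

# Constructed traffic arriving inbound on Dialer1 (the ACL sees it before NAT).
SAMPLES = {
    "trusted_syn_80":  Packet("tcp", "217.122.1.1",   "217.91.102.2", 80, frozenset({"SYN"})),
    "stranger_syn_80": Packet("tcp", "198.51.100.9",  "217.91.102.2", 80, frozenset({"SYN"})),
    "trusted_syn_25":  Packet("tcp", "217.122.1.1",   "217.91.102.2", 25, frozenset({"SYN"})),
    "web_reply":       Packet("tcp", "198.51.100.9",  "217.91.102.2", 51234, frozenset({"ACK"})),
    "dns_reply":       Packet("udp", "198.51.100.53", "217.91.102.2", 51235),
    "stray_ack_23":    Packet("tcp", "198.51.100.9",  "217.91.102.2", 23, frozenset({"ACK"})),
}

def run(config: str = ACL_103, number: int = 103):
    """Return (verdict per sample, parsed ACL with its hit counters filled in)."""
    acl = parse_acl(config, number)
    verdicts = {name: evaluate(acl, p)[0] for name, p in SAMPLES.items()}
    return verdicts, acl

if __name__ == "__main__":
    verdicts, acl = run()
    print(verdicts)
    print([(e.text, e.hits) for e in acl])
```

Running it shows the trusted host reaching port 80, the stranger and the off-port request falling through to the deny line, the web reply passing on the `established` line, and the two failure modes: `dns_reply` is dropped because `established` only applies to TCP, and `stray_ack_23` is let in because nothing checks whether a session exists. On IOS 12.3 the stateful alternatives are reflexive ACLs or CBAC (`ip inspect`); either is what is needed if LAN hosts must keep using DNS and other UDP services once the inbound ACL is in place.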
 
LVL 79

Expert Comment

by:lrmoore
If that does not work, let's change the NAT around a little:
We'll change this:
   >ip nat inside source static 192.168.0.201 217.91.102.2

to this, redirecting specific ports instead of "everything"
    ip nat inside source list 1 interface dialer1 overload
    ip nat inside source static tcp 192.168.0.201 80 217.91.102.2 80
    ip nat inside source static tcp 192.168.0.201 443 217.91.102.2 443
    ip nat inside source static tcp 192.168.0.201 25 217.91.102.2 25
   <etc>
 

Author Comment

by:Sickgolem
Sorry,

I will check later and come back to you.
 

Author Comment

by:Sickgolem
By redirecting the specific ports, it is working.
 
LVL 79

Accepted Solution

by:
lrmoore earned 50 total points
I didn't think we could meet your first requirement without an additional public IP address, but thought it was worth a shot.

>Everything coming in should be forwarded to 192.168.0.201
Unless you can get another public IP, you will have to settle for the specific ports that you need.
