Sickgolem
asked on
Cisco 2610 ACL list
Hello,
we have a router with a 2 MB SDSL connection.
Public IP is 217.xxx.xxx.xxx
The router/gateway has the internal IP 192.168.0.200; the server behind it is 192.168.0.201.
Everything coming in should be forwarded to 192.168.0.201.
This is what we want to set up for testing.
Then we want to allow only access from two special incoming IP addresses like 217.122.xxx.xx1, etc.
I add the config from the router:
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2MBSDSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 cisco
clock timezone cst 0
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
no ip cef
!
!
!
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0/0
description SDSL
no ip address
ip nat outside
ip tcp adjust-mss 1452
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Ethernet1/0
description Internes Lan
ip address 192.168.0.200 255.255.255.0
ip nat inside
full-duplex
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname feste-ip/xxxxxxxxxxxxxxxxx xxxxxxxxxx x
ppp chap password 0 xxxxxxxxxxxxxxxxxxx
ppp pap sent-username feste-ip/xxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxxxx
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip nat inside source list 1 interface Dialer1 overload
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp 192.0.168.0 0.0.0.255 any
access-list 102 permit tcp 192.0.168.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end
2MBSDSL#
Best regards
Thomas
ASKER
Hi,
I did the changes.
Change this:
> ip nat inside source list 1 interface Dialer1 overload !
To this
ip nat inside source static 192.168.0.201 <ip address of Dialer 1>
Problem is I cannot reach the internal machine 192.168.0.201 from the public side (http, no ftp).
show running
Current configuration : 1495 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2MBSDSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxx
enable password xxxxxxxxxxxxxxxxxx
clock timezone cst 0
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
no ip cef
!
!
!
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0/0
description SDSL
no ip address
ip nat outside
ip tcp adjust-mss 1452
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Ethernet1/0
description Internes Lan
ip address 192.168.0.200 255.255.255.0
ip nat inside
full-duplex
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname feste-ip/TBxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxxx
ppp chap password 0 xxxxxxxxxxxxxxxx
ppp pap sent-username feste-ip/TBxxxxxxxxxxxxxxx xxxxxxxxxx xxx password 0 xxxxxxxxxxxxxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip nat inside source static 192.168.0.201 217.91.102.2
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp 192.0.168.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end
What is the default gateway setting on the system 192.0.168.201 ?
ASKER
Hi,
default gateway is 192.168.0.200
Since you have not yet applied any inbound access restrictions, it should be working if your www services are up on the server.
>ip nat inside source static 192.168.0.201 217.91.102.2
are you sure this is the correct IP address to use? Are you in DE?
ASKER
I check again.
IP is correct. It is Germany. German-T-Com.
Thomas
Can you post the result of "show interface" for all interfaces?
ASKER
Sure
Dialer1
2MBSDSL#
2MBSDSL#show interface dialer1
Dialer1 is up, line protocol is up (spoofing)
Hardware is Unknown
Internet address is 217.91.102.2/32
MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 1 seconds on reset
Interface is bound to Vi1
Last input never, output never, output hang never
Last clearing of "show interface" counters 10:47:43
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/16 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 42 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
4054 packets input, 82586 bytes
3660 packets output, 63575 bytes
Bound to:
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1500 bytes, BW 56 Kbit, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP
PPPoE vaccess, cloned from Dialer1
Vaccess status 0x44, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 5 seconds on reset
Interface is bound to Di1 (Encapsulation PPP)
Last input 00:02:48, output never, output hang never
Last clearing of "show interface" counters 10:47:50
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
4076 packets input, 82976 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3682 packets output, 63960 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
2MBSDSL#
ethernet 0/0
2MBSDSL#show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 0005.320b.e8c0 (bia 0005.320b.e8c0)
Description: SDSL
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 10:50:29, output 00:00:03, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
4094 packets input, 165172 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
7667 packets output, 461980 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
2MBSDSL#
ethernet 1/0
2MBSDSL#show interface ethernet 1/0
Ethernet1/0 is up, line protocol is up
Hardware is AmdP2, address is 0005.320b.e8d0 (bia 0005.320b.e8d0)
Description: Internes Lan
Internet address is 192.168.0.200/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2000 bits/sec, 4 packets/sec
5 minute output rate 1000 bits/sec, 3 packets/sec
4008 packets input, 370922 bytes, 0 no buffer
Received 2071 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
7218 packets output, 653861 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
2MBSDSL#
2MBSDSL#show ip interface brief
Interface          IP-Address      OK? Method Status   Protocol
Ethernet0/0        unassigned      YES NVRAM  up       up
Ethernet1/0        192.168.0.200   YES NVRAM  up       up
Virtual-Access1    unassigned      YES unset  up       up
Dialer1            217.91.102.2    YES IPCP   up       up
2MBSDSL#
Can that server, 192.168.0.201, connect to anything using a web browser? i.e. https://www.experts-exchange.com
Can you ping anything from that one server?
OK, first, we must disable the router's own http server:
>ip http server
no ip http server
^^
Can you add an access-list, just so that we can see if it gets any "hits"?
access-list 103 permit tcp any host 217.91.102.2 eq 80
access-list 103 permit ip any any
interface dialer1
ip access-group 103 in
Make a few test tries, then post result of "show access-list 103"
If that does not work, let's change the NAT around a little:
We'll change this:
>ip nat inside source static 192.168.0.201 217.91.102.2
to this, redirecting specific ports instead of "everything":
ip nat inside source list 1 interface dialer1 overload
ip nat inside source static tcp 192.168.0.201 80 217.91.102.2 80
ip nat inside source static tcp 192.168.0.201 443 217.91.102.2 443
ip nat inside source static tcp 192.168.0.201 25 217.91.102.2 25
<etc>
ASKER
Sorry,
I will check later and come back to you.
ASKER
By redirecting the specific ports it is working.
ASKER CERTIFIED SOLUTION
Change this:
> ip nat inside source list 1 interface Dialer1 overload !
To this
ip nat inside source static 192.168.0.201 <ip address of Dialer 1>
For access restriction:
>Then we want to allow only access from two special incoming IP addresses like 217.122.xxx.xx1, etc.
access-list 103 permit ip host 217.122.xxx.xx1 host <ip address of Dialer1>
access-list 103 permit ip host 217.122.xxx.xx2 host <ip address of Dialer1>
Interface Dialer1
ip access-group 103 in
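As an added example (not part of the thread), here is a small Python model of how IOS evaluates a numbered extended ACL applied inbound on Dialer1: wildcard masks, first match wins, implicit deny at the end. It loads the restriction ACL 103 from the accepted solution with constructed addresses 217.122.0.1 and 217.122.0.2 standing in for the two masked sources, and it adds one "established" entry (an assumption, not from the thread) so that replies to connections the LAN opens through the overload NAT are not swallowed by the implicit deny; the same evaluator also checks the hit-counting ACL suggested earlier in the thread.

```python
# Added example (not from the thread): an IOS-style extended ACL evaluator
# with wildcard-mask semantics and the implicit deny at the end of the list.
from ipaddress import IPv4Address

def _addr_spec(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established]'."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _addr_spec(rest), _addr_spec(rest)
        port, established = None, False
        while rest:
            kw = rest.pop(0)
            if kw == "eq":
                port = int(rest.pop(0))
            elif kw == "established":
                established = True
        entries.append((action, proto, src, dst, port, established))
    return entries

def _match(spec, addr):
    base, wild = spec  # wildcard bit 1 = don't care, 0 = must match
    return (int(IPv4Address(addr)) & ~wild) == (base & ~wild)

def evaluate(entries, proto, src, dst, dport=0, ack_or_rst=False):
    """First matching entry wins; no match means the implicit deny."""
    for action, eproto, esrc, edst, port, established in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if not (_match(esrc, src) and _match(edst, dst)):
            continue
        if port is not None and dport != port:
            continue
        if established and not ack_or_rst:  # TCP ACK or RST must be set
            continue
        return action
    return "deny"

# The accepted solution's ACL 103, with constructed addresses 217.122.0.1/.2
# standing in for the two allowed sources, plus an 'established' entry added
# here so replies to connections opened from the LAN are not dropped.
ACL_103 = """
access-list 103 permit ip host 217.122.0.1 host 217.91.102.2
access-list 103 permit ip host 217.122.0.2 host 217.91.102.2
access-list 103 permit tcp any host 217.91.102.2 established
"""
ENTRIES = parse_acl(ACL_103)

def inbound(proto, src, dport=0, ack_or_rst=False):  # packet arriving on Dialer1
    return evaluate(ENTRIES, proto, src, "217.91.102.2", dport, ack_or_rst)
```

Without the "established" entry, an inbound ACL that permits only the two sources would also drop the SYN-ACK replies to every session the LAN opens, which is what "show access-list 103" would reveal as hits falling through to the implicit deny.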