Sickgolem

asked on

Cisco 2610 ACL list

Hello,

We have a router with a 2 MB SDSL connection.

Public IP is 217.xxx.xxx.xxx.
The router/gateway has the internal IP 192.168.0.200; the server behind it is 192.168.0.201.

Everything coming in should be forwarded to 192.168.0.201.

This is what we want to set up for testing.

Then we want to allow access only from two specific incoming IP addresses, like 217.122.xxx.xx1, etc.

I am adding the config from the router.


version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2MBSDSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 cisco
clock timezone cst 0
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
no ip cef
!
!
!
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0/0
 description SDSL
 no ip address
 ip nat outside
 ip tcp adjust-mss 1452
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1/0
 description Internes Lan
 ip address 192.168.0.200 255.255.255.0
 ip nat inside
 full-duplex
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname feste-ip/xxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxxxxxxxxxx
 ppp pap sent-username feste-ip/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip nat inside source list 1 interface Dialer1 overload
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp 192.0.168.0 0.0.0.255 any
access-list 102 permit tcp 192.0.168.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

2MBSDSL#

Best regards


Thomas
Les Moore

>Everything coming in should be forwarded to 192.168.0.201

Change this:
  > ip nat inside source list 1 interface Dialer1 overload !
To this
   ip nat inside source static 192.168.0.201 <ip address of Dialer 1>

For access restriction:
 >Then we want to allow only access from two special incoming IP addresses like 217.122.xxx.xx1, etc.

access-list 103 permit ip host 217.122.xxx.xx1 host <ip address of Dialer1>
access-list 103 permit ip host 217.122.xxx.xx2 host <ip address of Dialer1>

interface Dialer1
  ip access-group 103 in

Sickgolem

ASKER

Hi,

I did the changes.

Change this:
  > ip nat inside source list 1 interface Dialer1 overload !
To this
   ip nat inside source static 192.168.0.201 <ip address of Dialer 1>

The problem is that I cannot reach the internal machine 192.168.0.201 from the public side (http, no ftp).

show running


Current configuration : 1495 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2MBSDSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxx

clock timezone cst 0
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
no ip cef
!
!
!
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0/0
 description SDSL
 no ip address
 ip nat outside
 ip tcp adjust-mss 1452
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1/0
 description Internes Lan
 ip address 192.168.0.200 255.255.255.0
 ip nat inside
 full-duplex
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname feste-ip/TBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxxxxxxx
 ppp pap sent-username feste-ip/TBxxxxxxxxxxxxxxxxxxxxxxxxxxxx password 0 xxxxxxxxxxxxxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip nat inside source static 192.168.0.201 217.91.102.2
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp 192.0.168.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

What is the default gateway setting on the system 192.0.168.201?
Hi,

default gateway is 192.168.0.200
Since you have not yet applied any inbound access restrictions, it should be working if your www services are up on the server.

>ip nat inside source static 192.168.0.201 217.91.102.2

Are you sure this is the correct IP address to use? Are you in DE?
I will check again.
IP is correct. It is Germany. German-T-Com.

Thomas
Can you post the result of "show interface" for all interfaces?
Sure

Dialer1

2MBSDSL#
2MBSDSL#show interface dialer1
Dialer1 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Internet address is 217.91.102.2/32
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 1 seconds on reset
  Interface is bound to Vi1
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 10:47:43
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/16 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 42 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4054 packets input, 82586 bytes
     3660 packets output, 63575 bytes
Bound to:
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1500 bytes, BW 56 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoE vaccess, cloned from Dialer1
  Vaccess status 0x44, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 5 seconds on reset
  Interface is bound to Di1 (Encapsulation PPP)
  Last input 00:02:48, output never, output hang never
  Last clearing of "show interface" counters 10:47:50
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4076 packets input, 82976 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     3682 packets output, 63960 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
2MBSDSL#

ethernet 0/0

2MBSDSL#show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0005.320b.e8c0 (bia 0005.320b.e8c0)
  Description: SDSL
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 10:50:29, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4094 packets input, 165172 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     7667 packets output, 461980 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
2MBSDSL#

ethernet 1/0

2MBSDSL#show interface ethernet 1/0
Ethernet1/0 is up, line protocol is up
  Hardware is AmdP2, address is 0005.320b.e8d0 (bia 0005.320b.e8d0)
  Description: Internes Lan
  Internet address is 192.168.0.200/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 4 packets/sec
  5 minute output rate 1000 bits/sec, 3 packets/sec
     4008 packets input, 370922 bytes, 0 no buffer
     Received 2071 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     7218 packets output, 653861 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
2MBSDSL#

2MBSDSL#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES NVRAM  up                    up  
Ethernet1/0                192.168.0.200   YES NVRAM  up                    up  
Virtual-Access1            unassigned      YES unset  up                    up  
Dialer1                    217.91.102.2    YES IPCP   up                    up  
2MBSDSL#
Can that server, 192.168.0.201, connect to anything using a web browser? i.e. https://www.experts-exchange.com
Can you ping anything from that one server?

OK, first, we must disable the router's own http server:
  >ip http server
   no ip http server
  ^^
Can you add an access-list, just so that we can see if it gets any "hits"

access-list 103 permit tcp any host 217.91.102.2 eq 80
access-list 103 permit ip any any
interface dialer1
 ip access-group 103 in

Make a few test tries, then post result of "show access-list 103"
If that does not work, let's change the NAT around a little:
We'll change this:
   >ip nat inside source static 192.168.0.201 217.91.102.2

to this, redirecting specific ports instead of "everything"
    ip nat inside source list 1 interface dialer1 overload
    ip nat inside source static tcp 192.168.0.201 80 217.91.102.2 80
    ip nat inside source static tcp 192.168.0.201 443 217.91.102.2 443
    ip nat inside source static tcp 192.168.0.201 25 217.91.102.2 25
   <etc>
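Both access-lists suggested in the answers above (the two-host lockdown list and the hit-counting list), run through a small Python model of how IOS evaluates an extended access-list. This is an added example, not code from the thread or from Cisco; it assumes the constructed addresses 217.122.0.1 and 217.122.0.2 in place of the masked 217.122.xxx.xx1/xx2, and it uses `tcp` in the hit-counting entry because IOS only accepts `eq` after tcp or udp.

```python
import ipaddress

# Added illustration, not Cisco code: a minimal model of IOS extended-ACL
# evaluation (top-down, first match wins, implicit deny, per-entry hit counters
# as in "show access-list"). 217.122.0.1/.2 are constructed stand-ins for the
# poster's masked 217.122.xxx.xx1/xx2; 217.91.102.2 is the Dialer1 address.

def ip2int(s): return int(ipaddress.ip_address(s))

def parse_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' -> (address, wildcard) as ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    return (ip2int(tok.pop(0)), 0) if t == "host" else (ip2int(t), ip2int(tok.pop(0)))

def parse_port(tok):
    if tok and tok[0] == "eq":  # optional 'eq PORT' operator
        tok.pop(0)
        return int(tok.pop(0))
    return None

def parse_ace(line):
    """'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' -> entry dict."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, sport = parse_addr(rest), parse_port(rest)
    dst, dport = parse_addr(rest), parse_port(rest)
    if (sport or dport) and proto not in ("tcp", "udp"):  # IOS rejects 'ip ... eq'
        raise ValueError("'eq' is only valid after tcp or udp, not " + proto)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, hits=0)

def matches(spec, ip):
    addr, wild = spec  # wildcard bit set to 1 means "don't care", as in IOS
    return (ip2int(ip) ^ addr) & ~wild & 0xFFFFFFFF == 0

def evaluate(acl, proto, src, dst, dport=None, sport=None):
    """True if permitted; the first matching entry takes the hit, no match = deny."""
    for ace in acl:
        if (ace["proto"] in ("ip", proto) and matches(ace["src"], src) and matches(ace["dst"], dst)
                and ace["sport"] in (None, sport) and ace["dport"] in (None, dport)):
            ace["hits"] += 1
            return ace["action"] == "permit"
    return False

LOCKDOWN = [parse_ace(l) for l in (  # first answer: only two source hosts may reach the router
    "access-list 103 permit ip host 217.122.0.1 host 217.91.102.2",
    "access-list 103 permit ip host 217.122.0.2 host 217.91.102.2")]
COUNTING = [parse_ace(l) for l in (  # follow-up: count web hits, then permit everything
    "access-list 103 permit tcp any host 217.91.102.2 eq 80",
    "access-list 103 permit ip any any")]
```

With the two-entry lockdown list applied inbound on Dialer1, every packet not sourced from those two hosts hits the implicit deny, including the replies to sessions the LAN opens outbound, because nothing like an `established` entry lets them back in; the counting list permits everything and only separates the port-80 hits for `show access-list 103`.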
Sorry,

I will check later and come back to you.
By redirecting the specific ports, it is working.
ASKER CERTIFIED SOLUTION
Les Moore