Solved

Cisco 2610 ACL list

Posted on 2004-10-04
Last Modified: 2006-11-17
Hello,

we have a router with a 2 MB SDSL connection.

Public IP is 217.xxx.xxx.xxx.
The router/gateway has the internal IP 192.168.0.200; the server behind it is 192.168.0.201.

Everything coming in should be forwarded to 192.168.0.201.

This is what we want to set up for testing.

Then we want to allow access only from two special incoming IP addresses, like 217.122.xxx.xx1, etc.

I am adding the config from the router below.


version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2MBSDSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 cisco
clock timezone cst 0
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
no ip cef
!
!
!
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0/0
 description SDSL
 no ip address
 ip nat outside
 ip tcp adjust-mss 1452
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1/0
 description Internes Lan
 ip address 192.168.0.200 255.255.255.0
 ip nat inside
 full-duplex
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname feste-ip/xxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxxxxxxxxxx
 ppp pap sent-username feste-ip/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip nat inside source list 1 interface Dialer1 overload
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp 192.0.168.0 0.0.0.255 any
access-list 102 permit tcp 192.0.168.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

2MBSDSL#

Best regards


Thomas
Question by: Sickgolem

13 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 12220582
>Every thing coming in should be forwarded to 192.168.0.201

Change this:
  > ip nat inside source list 1 interface Dialer1 overload !
To this
   ip nat inside source static 192.168.0.201 <ip address of Dialer 1>

For access restriction:
 >Then we want to allow only access from two special incoming IP addresses like 217.122.xxx.xx1, etc.

access-list 103 permit ip host 217.122.xxx.xx1 host <ip address of Dialer1>
access-list 103 permit ip host 217.122.xxx.xx2 host <ip address of Dialer1>

Interface Dialer1
  ip access-group 103 in

 

Author Comment

by:Sickgolem
ID: 12224302
Hi,

I made the changes.

Change this:
  > ip nat inside source list 1 interface Dialer1 overload !
To this
   ip nat inside source static 192.168.0.201 <ip address of Dialer 1>

The problem is that I cannot reach the internal machine 192.168.0.201 from the public side (http, no ftp).

show running


Current configuration : 1495 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2MBSDSL
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxx

clock timezone cst 0
clock summer-time EDT recurring
no aaa new-model
ip subnet-zero
no ip cef
!
!
!
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
interface Ethernet0/0
 description SDSL
 no ip address
 ip nat outside
 ip tcp adjust-mss 1452
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1/0
 description Internes Lan
 ip address 192.168.0.200 255.255.255.0
 ip nat inside
 full-duplex
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname feste-ip/TBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxxxxxxx
 ppp pap sent-username feste-ip/TBxxxxxxxxxxxxxxxxxxxxxxxxxxxx password 0 xxxxxxxxxxxxxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip nat inside source static 192.168.0.201 217.91.102.2
!
!
access-list 1 permit any
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp 192.0.168.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end




LVL 79

Expert Comment

by:lrmoore
ID: 12225960
What is the default gateway setting on the system 192.0.168.201 ?

Author Comment

by:Sickgolem
ID: 12226821
Hi,

default gateway is 192.168.0.200
LVL 79

Expert Comment

by:lrmoore
ID: 12226870
Since you have not yet applied any inbound access restrictions, it should be working if your www services are up on the server.

>ip nat inside source static 192.168.0.201 217.91.102.2

are you sure this is the correct IP address to use? Are you in DE?

Author Comment

by:Sickgolem
ID: 12227521
I checked again.
IP is correct. It is Germany. German-T-Com.

Thomas
LVL 79

Expert Comment

by:lrmoore
ID: 12228775
Can you post the result of "show interface" for all interfaces?

Author Comment

by:Sickgolem
ID: 12228879
Sure

Dialer1

2MBSDSL#
2MBSDSL#show interface dialer1
Dialer1 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Internet address is 217.91.102.2/32
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 1 seconds on reset
  Interface is bound to Vi1
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 10:47:43
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/16 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 42 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4054 packets input, 82586 bytes
     3660 packets output, 63575 bytes
Bound to:
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1500 bytes, BW 56 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoE vaccess, cloned from Dialer1
  Vaccess status 0x44, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 5 seconds on reset
  Interface is bound to Di1 (Encapsulation PPP)
  Last input 00:02:48, output never, output hang never
  Last clearing of "show interface" counters 10:47:50
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4076 packets input, 82976 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     3682 packets output, 63960 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
2MBSDSL#

ethernet 0/0

2MBSDSL#show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0005.320b.e8c0 (bia 0005.320b.e8c0)
  Description: SDSL
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 10:50:29, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4094 packets input, 165172 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     7667 packets output, 461980 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
2MBSDSL#

ethernet 1/0

2MBSDSL#show interface ethernet 1/0
Ethernet1/0 is up, line protocol is up
  Hardware is AmdP2, address is 0005.320b.e8d0 (bia 0005.320b.e8d0)
  Description: Internes Lan
  Internet address is 192.168.0.200/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 4 packets/sec
  5 minute output rate 1000 bits/sec, 3 packets/sec
     4008 packets input, 370922 bytes, 0 no buffer
     Received 2071 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     7218 packets output, 653861 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
2MBSDSL#

MBSDSL#show ip  interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES NVRAM  up                    up  
Ethernet1/0                192.168.0.200   YES NVRAM  up                    up  
Virtual-Access1            unassigned      YES unset  up                    up  
Dialer1                    217.91.102.2    YES IPCP   up                    up  
2MBSDSL#
LVL 79

Expert Comment

by:lrmoore
ID: 12229004
Can that server, 192.168.0.201, connect to anything using a web browser? e.g. http://www.experts-exchange.com
Can you ping anything from that one server?

OK, first, we must disable the router's own http server:
  >ip http server
   no ip http server
  ^^
Can you add an access-list, just so that we can see if it gets any "hits"

access-list 103 permit tcp any host 217.91.102.2 eq 80
access-list 103 permit ip any any
interface dialer1
 ip access-group 103 in

Make a few test tries, then post result of "show access-list 103"
LVL 79

Expert Comment

by:lrmoore
ID: 12229055
If that does not work, let's change the NAT around a little:
We'll change this:
   >ip nat inside source static 192.168.0.201 217.91.102.2

to this, redirecting specific ports instead of "everything"
    ip nat inside source list 1 interface dialer1 overload
    ip nat inside source static tcp 192.168.0.201 80 217.91.102.2 80
    ip nat inside source static tcp 192.168.0.201 443 217.91.102.2 443
    ip nat inside source static tcp 192.168.0.201 25 217.91.102.2 25
   <etc>

Author Comment

by:Sickgolem
ID: 12229827
Sorry,

I will check later and come back to you.

Author Comment

by:Sickgolem
ID: 12238287
By redirecting the specific ports, it is working.
LVL 79

Accepted Solution

by: lrmoore (earned 50 total points)
ID: 12238329
I didn't think we could meet your first requirement without an additional public IP address, but thought it was worth a shot..

>Every thing coming in should be forwarded to 192.168.0.201
Unless you can get another public IP, you will have to settle on the specific ports that you need.
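
Putting the thread's pieces together, here is an added example configuration (written for this page, not lrmoore's or Thomas's running config) of what the finished state looks like: overload NAT for the LAN, per-port static translations for the server, and an inbound filter on Dialer1 that admits only the two permitted sources to the forwarded ports while still letting return traffic in for sessions the LAN opened. 217.91.102.2 is the Dialer1 address from the thread; the two source hosts 217.122.0.1 and 217.122.0.2 are placeholders for the masked 217.122.xxx.xx1/.xx2, and ports 80 and 443 are an assumption standing in for whatever the server actually exposes.

```cisco
! Added example, not the poster's config. 217.91.102.2 is the Dialer1 address
! from the thread. 217.122.0.1 / 217.122.0.2 are PLACEHOLDERS for the two
! permitted source hosts (masked as 217.122.xxx.xx1 / .xx2 in the question).
!
! Outbound NAT for the whole LAN behind the single public address.
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
!
! Port-level static translations to the server: only the services that must be
! reachable, since the public address itself stays with the router.
ip nat inside source static tcp 192.168.0.201 80  217.91.102.2 80
ip nat inside source static tcp 192.168.0.201 443 217.91.102.2 443
!
! Inbound filter on the WAN side. Entries are matched top-down, first match
! wins, and an extended ACL ends with an implicit "deny ip any any".
! Inbound packets are checked against the pre-translation (public) destination.
ip access-list extended WAN-IN
 remark the two permitted hosts may reach the forwarded services only
 permit tcp host 217.122.0.1 host 217.91.102.2 eq 80
 permit tcp host 217.122.0.1 host 217.91.102.2 eq 443
 permit tcp host 217.122.0.2 host 217.91.102.2 eq 80
 permit tcp host 217.122.0.2 host 217.91.102.2 eq 443
 remark replies to TCP sessions the LAN opened (ACK/RST set), plus DNS answers
 permit tcp any host 217.91.102.2 established
 permit udp any eq domain host 217.91.102.2
 remark explicit deny with logging: hit counters and log lines show what is rejected
 deny ip any any log
!
interface Dialer1
 ip access-group WAN-IN in
!
! The router's own web server should not listen on the public address.
no ip http server
```

`show access-list WAN-IN` prints a match count per entry, which is the same "hits" check lrmoore proposed, and the logged denies show who is knocking on other ports. The `established` entry matches on TCP flags alone, so it is a coarse stateless filter: it admits return traffic for LAN-initiated sessions but covers no UDP other than DNS replies, and any further protocol the LAN needs has to be added explicitly.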

