Solved

Access List for Cisco Router 2600

Posted on 2004-10-19
Last Modified: 2010-04-17
Hi there
We have a CISCO 2600 router. Is it necessary to delete the existing ACL to make the newly added changes work? Do I need to copy the whole ACL, i.e. starting from the 'Current Configuration' till the 'end', or can I just copy each command 'access-list permit.........' individually? Can you please tell me the easier way.
1- I tested copying it in the command prompt from a notepad; it keeps on adding the C prompt at the beginning of each command.
2- If I delete the access list completely, does it mean I cannot go back?
Help please
Question by:amanzoor
6 Comments
 

Expert Comment

by:ajablons
ID: 12350035
I'm not sure what you are trying to do, but you should be able to cut/paste from notepad.

copy the ACL from 'show running-config' into notepad or some text editor. You can then manipulate it and paste it into the router (config mode).

You can also do the lines individually.

What is your main goal ?

Author Comment

by:amanzoor
ID: 12351609
I am trying to map three external IP addresses to a single internal IP address, i.e.
redirect 66.207.100.153 to 10.10.10.101:81, 66.207.100.154 to 10.10.10.101:82 and 66.207.100.155 to 10.10.10.101:83.
I am not sure where to write the commands for these, or the easier way to write/amend the access list. Do you want me to paste the running config here?

Expert Comment

by:PennGwyn
ID: 12352516
Those aren't things an access-list does.


Accepted Solution

by:MarkDozier (earned 125 total points)
ID: 12355037
Actually the ACL is only part of the problem. The answer is a combination of an ACL and NAT to accomplish the goal, since the public IPs are being translated to private IPs.
I don't think you can send each IP to a specific port on the 10 network unless it is tied to a specific application.

I can test this tomorrow evening unless you get a specific answer before then.
It would also help if you post your config.


Author Comment

by:amanzoor
ID: 12357439
Thanks MarkDozier
I would also want to fit in this line too:
'access-list 101 permit tcp any host 216.185.84.189 eq 5336'

Here is my config:

clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
ip host accpac.ggw.net 199.243.98.20
ip host switch 10.10.10.253
ip name-server 207.176.128.2
ip name-server 216.185.84.94
ip name-server 206.186.75.138
ip name-server 209.5.210.134
!
ip inspect audit-trail
ip inspect name inter tcp
ip inspect name inter udp
ip inspect name inter ftp
ip inspect name inter http
ip inspect name inter smtp
ip inspect name inter tftp
ip inspect name inter cuseeme
ip inspect name inter h323
ip inspect name inter rcmd
ip inspect name inter realaudio
ip inspect name inter sqlnet
ip inspect name inter streamworks
ip inspect name inter vdolive
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 speed 100
 full-duplex
 fair-queue 64 256 0
!
interface FastEthernet0/0.10
 description CAMPUS VLAN
 encapsulation dot1Q 10
 ip address 10.10.10.254 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 ip nat inside
!
interface FastEthernet0/0.801
 description CONNECTION TO other campus
 encapsulation dot1Q 801
 ip address 10.10.11.254 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 ip nat inside
!
interface FastEthernet0/0.908
 description INTERNET VIA provider
 bandwidth 1000000
 encapsulation dot1Q 908
 ip address 216.185.84.62 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip directed-broadcast
 ip nat outside
 ip inspect inter out
!
ip nat translation timeout 1600
ip nat pool inter 216.185.84.185 216.185.84.185 netmask 255.255.255.248
ip nat inside source list 1 pool inter overload
ip nat inside source static 10.10.10.18 216.185.84.187
ip nat inside source static 10.10.10.20 216.185.84.186
ip nat inside source static 10.10.10.99 216.185.84.190
ip nat inside source static 10.10.10.101 216.185.84.189
ip nat inside source static 10.10.10.3 216.185.84.188
ip nat inside source static tcp 10.10.10.20 8080 216.185.84.186 80 extendable
ip nat inside source static tcp 10.10.10.20 5336 216.185.84.186 5336 extendable
ip nat inside source static udp 10.10.10.20 500 216.185.84.186 500 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.185.84.61
no ip http server
!
!
map-list nat
!
map-list ip
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 98 permit 24.244.193.6
access-list 98 permit 216.94.53.126
access-list 101 permit tcp host 199.243.98.20 any eq 135
access-list 101 remark Inbound Internet Access List
access-list 101 permit tcp host 216.94.53.126 host 216.185.84.62 eq telnet
access-list 101 permit tcp host 24.244.193.6 host 216.185.84.62 eq telnet
access-list 101 permit esp any host 216.185.84.186
access-list 101 permit esp any host 216.185.84.187
access-list 101 permit ahp any host 216.185.84.186
access-list 101 permit ahp any host 216.185.84.187
access-list 101 permit tcp any host 216.185.84.186 eq www
access-list 101 permit tcp any host 216.185.84.186 eq 8080
access-list 101 permit tcp any host 216.185.84.186 eq 5336
access-list 101 permit udp any host 216.185.84.186 eq isakmp
access-list 101 permit udp any host 216.185.84.187 eq isakmp
access-list 101 permit tcp any host 216.185.84.187 eq smtp
access-list 101 permit tcp any host 216.185.84.187 eq www
access-list 101 permit tcp any host 216.185.84.187 eq 443
access-list 101 permit tcp any host 216.185.84.187 eq 8098
access-list 101 permit tcp any host 216.185.84.187 eq 8099
access-list 101 permit tcp any host 216.185.84.187 eq pop3
access-list 101 permit tcp any host 216.185.84.189 eq 1723
access-list 101 permit gre any host 216.185.84.189
access-list 101 permit tcp any host 216.185.84.189 eq www
access-list 101 permit tcp any host 216.185.84.189 eq smtp
access-list 101 permit tcp any host 216.185.84.189 eq pop3
access-list 101 permit tcp any host 216.185.84.189 eq 8080
access-list 101 permit tcp any host 216.185.84.189 eq 8383
access-list 101 permit tcp any host 216.185.84.189 eq 8181
access-list 101 permit tcp any host 216.185.84.189 eq 19815
access-list 101 permit tcp any host 216.185.84.189 eq 81
access-list 101 permit tcp any host 216.185.84.189 eq 82
access-list 101 permit tcp any host 216.185.84.189 eq 8093
access-list 101 permit tcp any host 216.185.84.188 eq ftp
access-list 101 permit tcp any host 216.185.84.190 eq www
access-list 101 permit ip any host 216.185.84.190
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit udp host 199.212.17.35 host 216.185.84.62 eq ntp
access-list 101 permit udp host 199.212.17.34 host 216.185.84.62 eq ntp
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any packet-too-big
access-list 101 deny   ip any any log
banner motd ^CC

*** UNAUTHORIZED ACCESS IS PROHIBITED!  ALL ACTIVITY IS LOGGED! ***

^C
!
line con 0
 exec-timeout 9 0
 password
 logging synchronous
 login
 transport input none
line aux 0
line vty 0 3
 exec-timeout 9 0
 password
 logging synchronous
 login
line vty 4
 exec-timeout 9 0
 password
 logging synchronous
 login
 transport input pad v120 telnet rlogin udptn
!
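The first question in the thread, whether the existing ACL has to be removed for new lines to take effect, comes down to ordering: IOS appends a line entered as `access-list 101 ...` after the last existing entry, which in this config is `deny ip any any log`, so a permit added that way never matches. The following is an added example, not code from the thread or from Cisco: a small parser for the numbered extended ACL format posted above, plus a check that reports the first existing entry that fully covers a new one. It assumes IPv4 only, contiguous wildcard masks, and a constructed subset of the IOS port names.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110, "ftp": 21, "isakmp": 500}  # constructed subset
# qual: ("eq", 80) for tcp/udp, ("echo",) for icmp, () = any port/type
Ace = namedtuple("Ace", "action proto src dst qual")

def _addr(tok):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1]))  # wildcard -> netmask
    return ipaddress.ip_network(f"{tok[0]}/{ipaddress.IPv4Address(mask)}", strict=False), tok[2:]

def parse_ace(line):
    """Parse 'access-list N action proto src dst [eq port | icmp-type] [log]'; None for remarks."""
    tok = line.split()
    if tok[2] == "remark":
        return None
    src, rest = _addr(tok[4:])
    dst, rest = _addr(rest)
    rest = [t for t in rest if t != "log"]
    if rest[:1] == ["eq"]:
        rest = ["eq", PORT_NAMES.get(rest[1]) or int(rest[1])]
    return Ace(tok[2], tok[3], src, dst, tuple(rest))

def covers(old, new):
    """True when every packet that matches `new` is already decided by `old`."""
    return (old.proto in ("ip", new.proto) and new.src.subnet_of(old.src)
            and new.dst.subnet_of(old.dst) and old.qual in ((), new.qual))

def first_shadowing_entry(acl_lines, new_line):
    """Index of the first existing entry that fully covers new_line, else None. Lines typed
    as 'access-list 101 ...' append after the last entry, i.e. after 'deny ip any any log'."""
    new = parse_ace(new_line)
    for i, line in enumerate(acl_lines):
        old = parse_ace(line)
        if old is not None and covers(old, new):
            return i
    return None

ACL_101 = [  # subset of the poster's list, in running-config order
    "access-list 101 remark Inbound Internet Access List",
    "access-list 101 permit tcp any host 216.185.84.189 eq www",
    "access-list 101 deny   ip 10.0.0.0 0.255.255.255 any",
    "access-list 101 deny   ip any any log",
]
NEW = "access-list 101 permit tcp any host 216.185.84.189 eq 5336"  # the line the poster wants to add
```

`first_shadowing_entry(ACL_101, NEW)` returns 3 here (the trailing deny); run against only the lines above `deny ip any any log` it returns None, which is the position a re-pasted list would need to give the new entry.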

Author Comment

by:amanzoor
ID: 12380659
Hello MarkDozier
Have you received my comments dated 10/20?