Solved

Access List for Cisco Router 2600

Posted on 2004-10-19
Last Modified: 2010-04-17
Hi there
We have a CISCO 2600 router.  Is it necessary to delete the existing ACL to make the newly added changes work?  Do I need to copy the whole ACL, i.e. starting from the 'Current Configuration' till the 'end', or can I just copy each command 'access-list permit.........' individually?  Can you please tell me the easier way.
1- I tested copying it in the command prompt from a notepad; it keeps on adding the C prompt at the beginning of each command.
2- If I delete the access list completely, does it mean I cannot go back?
Help please
Question by:amanzoor
6 Comments
 

Expert Comment

by:ajablons
ID: 12350035
I'm not sure what you are trying to do, but you should be able to cut/paste from notepad.

Copy the ACL from 'show running-config' into Notepad or some text editor. You can then manipulate it and paste it into the router (config mode).

You can also do the lines individually.

What is your main goal ?
0
 
LVL 4

Author Comment

by:amanzoor
ID: 12351609
I am trying to map three external IP addresses to a single internal IP address, i.e.
redirect 66.207.100.153 to 10.10.10.101:81, 66.207.100.154 to 10.10.10.101:82 and 66.207.100.155 to 10.10.10.101:83
I am not sure where to write the commands for these, and what the easier way is to write/amend the access list.  Do you want me to paste the running config here?
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 12352516
Those aren't things an access-list does.

0
 
LVL 8

Accepted Solution

by:
MarkDozier earned 125 total points
ID: 12355037
Actually the ACL is only part of the problem. The answer is a combination of an ACL and NAT to accomplish the goal, since the public IPs are being translated to private IPs.
I don't think you can send each IP to a specific port on the 10 network unless it is tied to a specific application.

I can test this tomorrow evening unless you get a specific answer before then.
It would also help if you post your config.

0
 
LVL 4

Author Comment

by:amanzoor
ID: 12357439
Thanks MarkDozier
I would also want to fit in this line too:
'access-list 101 permit tcp any host 216.185.84.189 eq 5336'

Here is my config:

clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
ip host accpac.ggw.net 199.243.98.20
ip host switch 10.10.10.253
ip name-server 207.176.128.2
ip name-server 216.185.84.94
ip name-server 206.186.75.138
ip name-server 209.5.210.134
!
ip inspect audit-trail
ip inspect name inter tcp
ip inspect name inter udp
ip inspect name inter ftp
ip inspect name inter http
ip inspect name inter smtp
ip inspect name inter tftp
ip inspect name inter cuseeme
ip inspect name inter h323
ip inspect name inter rcmd
ip inspect name inter realaudio
ip inspect name inter sqlnet
ip inspect name inter streamworks
ip inspect name inter vdolive
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
 speed 100
 full-duplex
 fair-queue 64 256 0
!
interface FastEthernet0/0.10
 description CAMPUS VLAN
 encapsulation dot1Q 10
 ip address 10.10.10.254 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 ip nat inside
!
interface FastEthernet0/0.801
 description CONNECTION TO other campus
 encapsulation dot1Q 801
 ip address 10.10.11.254 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 ip nat inside
!
interface FastEthernet0/0.908
 description INTERNET VIA provider
 bandwidth 1000000
 encapsulation dot1Q 908
 ip address 216.185.84.62 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip directed-broadcast
 ip nat outside
 ip inspect inter out
!
ip nat translation timeout 1600
ip nat pool inter 216.185.84.185 216.185.84.185 netmask 255.255.255.248
ip nat inside source list 1 pool inter overload
ip nat inside source static 10.10.10.18 216.185.84.187
ip nat inside source static 10.10.10.20 216.185.84.186
ip nat inside source static 10.10.10.99 216.185.84.190
ip nat inside source static 10.10.10.101 216.185.84.189
ip nat inside source static 10.10.10.3 216.185.84.188
ip nat inside source static tcp 10.10.10.20 8080 216.185.84.186 80 extendable
ip nat inside source static tcp 10.10.10.20 5336 216.185.84.186 5336 extendable
ip nat inside source static udp 10.10.10.20 500 216.185.84.186 500 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.185.84.61
no ip http server
!
!
map-list nat
!
map-list ip
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 98 permit 24.244.193.6
access-list 98 permit 216.94.53.126
access-list 101 permit tcp host 199.243.98.20 any eq 135
access-list 101 remark Inbound Internet Access List
access-list 101 permit tcp host 216.94.53.126 host 216.185.84.62 eq telnet
access-list 101 permit tcp host 24.244.193.6 host 216.185.84.62 eq telnet
access-list 101 permit esp any host 216.185.84.186
access-list 101 permit esp any host 216.185.84.187
access-list 101 permit ahp any host 216.185.84.186
access-list 101 permit ahp any host 216.185.84.187
access-list 101 permit tcp any host 216.185.84.186 eq www
access-list 101 permit tcp any host 216.185.84.186 eq 8080
access-list 101 permit tcp any host 216.185.84.186 eq 5336
access-list 101 permit udp any host 216.185.84.186 eq isakmp
access-list 101 permit udp any host 216.185.84.187 eq isakmp
access-list 101 permit tcp any host 216.185.84.187 eq smtp
access-list 101 permit tcp any host 216.185.84.187 eq www
access-list 101 permit tcp any host 216.185.84.187 eq 443
access-list 101 permit tcp any host 216.185.84.187 eq 8098
access-list 101 permit tcp any host 216.185.84.187 eq 8099
access-list 101 permit tcp any host 216.185.84.187 eq pop3
access-list 101 permit tcp any host 216.185.84.189 eq 1723
access-list 101 permit gre any host 216.185.84.189
access-list 101 permit tcp any host 216.185.84.189 eq www
access-list 101 permit tcp any host 216.185.84.189 eq smtp
access-list 101 permit tcp any host 216.185.84.189 eq pop3
access-list 101 permit tcp any host 216.185.84.189 eq 8080
access-list 101 permit tcp any host 216.185.84.189 eq 8383
access-list 101 permit tcp any host 216.185.84.189 eq 8181
access-list 101 permit tcp any host 216.185.84.189 eq 19815
access-list 101 permit tcp any host 216.185.84.189 eq 81
access-list 101 permit tcp any host 216.185.84.189 eq 82
access-list 101 permit tcp any host 216.185.84.189 eq 8093
access-list 101 permit tcp any host 216.185.84.188 eq ftp
access-list 101 permit tcp any host 216.185.84.190 eq www
access-list 101 permit ip any host 216.185.84.190
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit udp host 199.212.17.35 host 216.185.84.62 eq ntp
access-list 101 permit udp host 199.212.17.34 host 216.185.84.62 eq ntp
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any packet-too-big
access-list 101 deny   ip any any log
banner motd ^CC

*** UNAUTHORIZED ACCESS IS PROHIBITED!  ALL ACTIVITY IS LOGGED! ***

^C
!
line con 0
 exec-timeout 9 0
 password
 logging synchronous
 login
 transport input none
line aux 0
line vty 0 3
 exec-timeout 9 0
 password
 logging synchronous
 login
line vty 4
 exec-timeout 9 0
 password
 logging synchronous
 login
 transport input pad v120 telnet rlogin udptn
!
0
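The original question asks whether the existing numbered ACL has to be deleted to add a line, and the comment above wants `access-list 101 permit tcp any host 216.185.84.189 eq 5336` fitted in. On classic IOS a numbered access list cannot have a line inserted in the middle: new lines are appended at the end, where they sit behind the `deny ip any any log` and never match, so the list has to be rebuilt. Deleting `access-list 101` while `ip access-group 101 in` is still on FastEthernet0/0.908 leaves that interface unfiltered until the list is re-entered. The following Python helper is an added example, not code from the thread or from Cisco: it parses the ACL out of a constructed excerpt of the posted config, places the new permit before the trailing deny, and emits the commands to build the list under a new number (102, an assumption), move the interface to it, and only then remove the old one, so there is no window without a filter.

```python
"""Generate a no-gap replacement for a numbered Cisco IOS extended ACL.

Hypothetical helper written for this thread, not a Cisco tool. Numbered
ACLs on classic IOS are rebuilt, never edited in place, and an interface
whose access-group points at a deleted list passes all traffic, so the
swap is: new list under an unused number, re-point the interface, delete
the old list.
"""
import re

# Constructed excerpt of the running-config posted above (not the full config).
SAMPLE_CONFIG = """\
interface FastEthernet0/0.908
 ip address 216.185.84.62 255.255.255.252
 ip access-group 101 in
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 remark Inbound Internet Access List
access-list 101 permit tcp any host 216.185.84.189 eq www
access-list 101 permit tcp any host 216.185.84.189 eq 81
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 deny   ip any any log
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(.*\S)\s*$")


def parse_acl(config: str, number: int) -> list[str]:
    """Return the entries of numbered ACL `number` in their original order.

    Each entry is the text after 'access-list <n> ' with runs of blanks
    collapsed (IOS pads 'deny   ip' in show output).
    """
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and int(m.group(1)) == number:
            entries.append(" ".join(m.group(2).split()))
    return entries


def insert_before_final_deny(entries: list[str], new_entries: list[str]) -> list[str]:
    """Place new lines before the trailing 'deny ip any any' entry.

    First match wins in an ACL, so anything appended after the final deny
    is dead. Refuse to guess if the list does not end with that guard line.
    """
    guard = entries[-1] if entries else ""
    if not guard.startswith("deny ip any any"):
        raise ValueError("ACL does not end with an explicit deny-any; refusing to guess")
    return entries[:-1] + list(new_entries) + [guard]


def replacement_commands(config: str, old_number: int, new_number: int,
                         interface: str, new_entries: list[str]) -> list[str]:
    """Config-mode commands that swap the ACL without an unfiltered window."""
    if parse_acl(config, new_number):
        raise ValueError(f"access-list {new_number} already exists")
    entries = insert_before_final_deny(parse_acl(config, old_number), new_entries)
    cmds = [f"access-list {new_number} {e}" for e in entries]
    cmds += [f"interface {interface}",
             f" ip access-group {new_number} in",
             "exit",
             f"no access-list {old_number}"]
    return cmds


if __name__ == "__main__":
    for cmd in replacement_commands(
            SAMPLE_CONFIG, 101, 102, "FastEthernet0/0.908",
            ["permit tcp any host 216.185.84.189 eq 5336"]):
        print(cmd)
```

The printed block can be pasted into config mode in one go; the prompt echoed in front of each line is just the terminal showing the command being accepted, not part of the configuration. Because the interface is re-pointed before `no access-list 101`, the old list stays in force right up to the moment the new one takes over.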
 
LVL 4

Author Comment

by:amanzoor
ID: 12380659
Hello MarkDozier
Have you received my comments dated 10/20?
0
