Cisco Router Question

I have a subnetwork of my local LAN. It is connected via a Cisco router. I have several PCs on that secluded network. It was set up before I started here. My LAN address is 196.197.198.0 - 196.197.198.255. I know it is ugly. I inherited it.

The secluded LAN is 192.168.254.0 - 192.168.254.255. The router is currently set up to allow any machine on 196.197.198.xxx to access the machine on the secluded LAN with an IP address of 192.168.254.56.

What I want to do is also allow access to the machine on the secluded LAN with an IP address of 192.168.254.51. I want 1 machine on the 196.197.198.xxx LAN to access it. The IP address of that machine is 196.197.198.110.

So in summary, I want all 196.197.198.xxx machines to be able to access 192.168.254.56 (which is working now just fine). I also want only 196.197.198.110 to be able to access 192.168.254.51 along with 192.168.254.56. I have attached my config. I am close. I am able to ping from 196.197.198.110 to 192.168.254.51 but unable to connect to it. Am I missing something simple?

version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!

!
no logging buffered
logging rate-limit console 10 except errors
enable secret 5 $1$9CMG$43UoJ/hJBsDq4NX2bRzSV1
!
memory-size iomem 25
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0
 ip address 192.168.254.5 255.255.255.0
 no ip route-cache
 half-duplex
 no cdp enable
!
interface FastEthernet0
 ip address 196.197.198.240 255.255.255.0
 ip access-group 111 in
 no ip route-cache
 speed auto
 full-duplex
 no cdp enable
!
router eigrp 100
 network 192.168.254.0
 network 196.197.198.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 196.197.198.117    -----  This is another router on my network -----
no ip http server
!        
access-list 100 permit udp host 196.197.198.110 host 192.168.254.51 eq 5450
access-list 100 permit tcp host 196.197.198.110 host 192.168.254.51 eq 5450

access-list 111 permit udp 196.197.198.0 0.0.0.255 host 192.168.254.56 eq 5450
access-list 111 permit tcp 196.197.198.0 0.0.0.255 host 192.168.254.56 eq 5450

access-list 111 permit tcp any 192.168.254.0 0.0.0.255 established

access-list 111 permit eigrp any any
access-list 111 permit udp any host 192.168.254.56 eq netbios-ns
access-list 111 permit tcp any any range 137 138
access-list 111 permit udp any any range netbios-ns netbios-dgm
access-list 111 permit icmp any any
access-list 111 permit udp any eq domain any

no cdp run
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 password 7 08264D54180C000E
 login
!
end
Asked by chadd25

pseudocyber commented:
>>So in summary, I want all 196.197.198.xxx machines to be able to access 192.168.254.56 (which is working now just fine)  I also want only 196.197.198.110 to be able to access 192.168.254.51 along with 192.168.254.56.

I believe you just need to add these two lines.

access-list 111 permit ip host 196.197.198.110 host 192.168.254.51
access-list 111 permit ip host 196.197.198.110 host 192.168.254.56

This line is allowing your pings to succeed:  access-list 111 permit icmp any any

BILJAX commented:
192.168.254.255

That's not a valid host.

Zoidling commented:
I understand that access from 196.197.198.110 to 192.168.254.56 is already working, so you shouldn't need to add the second line that pseudocyber suggests:
access-list 111 permit ip host 196.197.198.110 host 192.168.254.56

Adding the other line pseudocyber suggests should work, but may give you unexpected results:
access-list 111 permit ip host 196.197.198.110 host 192.168.254.51

If you use this, be sure to test from 192.168.254.51 and verify things are working as you intend.

If you're getting unintended results on the above config, you may have better luck omitting the above and adding the following 2 lines:
access-list 111 permit udp host 196.197.198.110 host 192.168.254.51 eq 5450
access-list 111 permit tcp host 196.197.198.110 host 192.168.254.51 eq 5450

Alternatively, if you no longer use or need ACL 100, edit your config text file to just change 'access-list 100' to 'access-list 111' in each of those two lines.

chadd25 (Author) commented:
It turns out I am able to connect from 196.197.198.110 to 192.168.254.51 over port 5450 using my original configuration posted above. I need full access though. It looks like I need to remove the port setting in ACL 100. What is the correct syntax to open up full access?

Replace:

access-list 100 permit udp host 196.197.198.110 host 192.168.254.51 eq 5450
access-list 100 permit tcp host 196.197.198.110 host 192.168.254.51 eq 5450

with

access-list 100 permit udp host 196.197.198.110 host 192.168.254.51 any any
access-list 100 permit tcp host 196.197.198.110 host 192.168.254.51 any any

or

access-list 100 permit udp host 196.197.198.110 host 192.168.254.51
access-list 100 permit tcp host 196.197.198.110 host 192.168.254.51


Thanks

BILJAX commented:
access-list 100 permit udp host 196.197.198.110 host 192.168.254.51 any any
access-list 100 permit tcp host 196.197.198.110 host 192.168.254.51 any any
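The ACL lines in the question and the candidate lines proposed in the answers can be checked offline before anything is typed into the router. What follows is an added example, not code from the thread, from Experts Exchange or from Cisco: a Python model of IOS numbered extended ACLs that implements first-match evaluation with the implicit deny at the end, wildcard masks, `host`/`any`, `eq`/`range` port qualifiers on both source and destination, and the `established` keyword. It goes beyond the thread in that it evaluates an arbitrary packet against any ACL in the posted configuration. It assumes the ACL text exactly as posted in the question, the interface binding `ip access-group 111 in` on FastEthernet0 (the only `ip access-group` line in the posted config, which leaves ACL 100 attached to no interface), and pseudocyber's suggested `permit ip` line as the fix under test. Candidate lines that fall outside the modelled grammar are reported as invalid rather than silently accepted.

```python
# Added example (not code from the thread, Experts Exchange or Cisco): a small model of IOS numbered
# extended ACLs. The grammar, ACL text and interface binding used here are taken from the posted config.
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

NAMED_PORTS = {"domain": 53, "netbios-ns": 137, "netbios-dgm": 138}  # port names used in the posted config
Addr = Tuple[int, int]             # (address, wildcard mask) as 32-bit ints
Ports = Optional[Tuple[int, int]]  # inclusive port range; None = any port
# proto "ip" matches every protocol; established matches only TCP segments with ACK or RST set
Entry = namedtuple("Entry", "number action proto src sport dst dport established")
Packet = namedtuple("Packet", "proto src dst sport dport established", defaults=(0, 0, False))

def _port(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def _parse_addr(toks: List[str], i: int) -> Tuple[Addr, int]:
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(toks[i])), int(ipaddress.IPv4Address(toks[i + 1]))), i + 2

def _parse_ports(toks: List[str], i: int) -> Tuple[Ports, int]:
    if i < len(toks) and toks[i] == "eq":
        p = _port(toks[i + 1])
        return (p, p), i + 2
    if i < len(toks) and toks[i] == "range":
        return (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    return None, i

def parse_acl_line(line: str) -> Entry:
    """access-list N permit|deny PROTO SRC [eq|range ..] DST [eq|range ..] [established]"""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    src, i = _parse_addr(toks, 4)
    sport, i = _parse_ports(toks, i)
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_ports(toks, i)
    established = i < len(toks) and toks[i] == "established"
    i += int(established)
    if i != len(toks):  # leftover tokens are outside the grammar modelled here
        raise ValueError(f"unexpected tokens {toks[i:]} in {line!r}")
    return Entry(int(toks[1]), toks[2], toks[3], src, sport, dst, dport, established)

def is_valid_line(line: str) -> bool:  # sanity-check a candidate line before pasting it into the router
    try:
        parse_acl_line(line)
        return True
    except (ValueError, IndexError):
        return False

def _addr_match(spec: Addr, ip: str) -> bool:
    addr, wild = spec
    keep = ~wild & 0xFFFFFFFF  # wildcard bit 0 = must match, 1 = don't care
    return (int(ipaddress.IPv4Address(ip)) & keep) == (addr & keep)

def _in_range(spec: Ports, port: int) -> bool:
    return spec is None or spec[0] <= port <= spec[1]

def entry_matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and _addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)
            and _in_range(e.sport, p.sport) and _in_range(e.dport, p.dport)
            and (not e.established or p.established))

def evaluate(config: List[str], number: int, p: Packet) -> str:
    """First matching entry of ACL `number` decides; no match hits the implicit deny."""
    for line in config:
        if line.split()[:2] == ["access-list", str(number)]:
            e = parse_acl_line(line)
            if entry_matches(e, p):
                return e.action
    return "deny"

# ACL text copied from the question. The only binding posted is 'ip access-group 111 in' on
# FastEthernet0, so ACL 100 is defined but attached to no interface.
POSTED_ACLS = [
    "access-list 100 permit udp host 196.197.198.110 host 192.168.254.51 eq 5450",
    "access-list 100 permit tcp host 196.197.198.110 host 192.168.254.51 eq 5450",
    "access-list 111 permit udp 196.197.198.0 0.0.0.255 host 192.168.254.56 eq 5450",
    "access-list 111 permit tcp 196.197.198.0 0.0.0.255 host 192.168.254.56 eq 5450",
    "access-list 111 permit tcp any 192.168.254.0 0.0.0.255 established",
    "access-list 111 permit eigrp any any",
    "access-list 111 permit udp any host 192.168.254.56 eq netbios-ns",
    "access-list 111 permit tcp any any range 137 138",
    "access-list 111 permit udp any any range netbios-ns netbios-dgm",
    "access-list 111 permit icmp any any",
    "access-list 111 permit udp any eq domain any",
]
INBOUND_ACL = {"FastEthernet0": 111, "Ethernet0": None}  # from the posted interface stanzas
FIX_LINE = "access-list 111 permit ip host 196.197.198.110 host 192.168.254.51"  # pseudocyber's line

def inbound_decision(config: List[str], iface: str, p: Packet) -> str:
    """An interface with no inbound ACL passes everything."""
    number = INBOUND_ACL.get(iface)
    return "permit" if number is None else evaluate(config, number, p)
```

Evaluating a new TCP connection from 196.197.198.110 to 192.168.254.51 port 5450 (`inbound_decision(POSTED_ACLS, "FastEthernet0", Packet("tcp", "196.197.198.110", "192.168.254.51", 40000, 5450))`) returns `deny` as the posted ACL 111 reads, while an ICMP packet between the same hosts returns `permit` through the `permit icmp any any` entry, which is the ping-works-but-connect-fails picture from the question. ACL 100 permits that connection, but since it is not applied to an interface it decides nothing. With `FIX_LINE` appended to ACL 111 the same hosts are permitted on every protocol and port, whereas the lines carrying `eq 5450` limit them to that one port; `is_valid_line` can be used on any other candidate before it goes into the running config, since a line the grammar does not accept is more likely a typo than a new feature.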