tut404

asked on

how to configure the access list for my cisco 2600 router

Can anyone advise me how I should configure the access list, and which interface to tie it to, based on the case below:

a 2600 with serial0 (connected to the internet) and fastethernet (connected to the local network)

S0 :-  100.100.100.2   /255.255.255.252

F0 :-  192.168.50.154 /255.255.255.0       (NAT-ed)

1.    200.200.200.2    <--->  192.168.50.2    (Web server)

2.    200.200.200.3   <---->  192.168.50.3    (FTP server)

3.    200.200.200.4   <---->  192.168.50.4    (DNS server)

4.   200.200.200.5     (NAT Pool) - Local users access internet using this ip address.

For the above mentioned (1) to (3), how should I configure the access-list such that Internet users can only:
   access the web server, restricted to port 80,
   access the FTP server, restricted to port 21,
   access the DNS server, restricted to port 51.

Other than the 3 ports for the 3 servers mentioned above, the rest of the ports from 1 to 65535 should be closed to internet users.

thank you
Mad_Jasper

static (inside,outside) tcp 200.200.200.2 80 192.168.50.2 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 200.200.200.3 21 192.168.50.3 21 netmask 255.255.255.255 0 0
static (inside,outside) tcp 200.200.200.4 51 192.168.50.4 51 netmask 255.255.255.255 0 0

access-list acl_inbound permit tcp any host 200.200.200.2 eq www
access-list acl_inbound permit tcp any host 200.200.200.3 eq 21
access-list acl_inbound permit tcp any host 200.200.200.4 eq 51

Apply the access lists to the correct interface.

access-group acl_inbound in interface outside

Also, you can try this link.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic2
tut404

ASKER

hi,

I think you are giving me the syntax of the PIX firewall :)

Actually I am using a Cisco router; please advise the correct syntax, thanks.

ASKER

In addition to that,

what about the users in my network?
They are supposed to use 200.200.200.5 (NAT Pool) to access the internet.

The syntax given by you is for the PIX; does it take care of my office users?

Please advise
Sorry. I did not pay close enough attention to your question. I will look that up and get back to you.
DNS is port 53, not 51...

ip nat inside source static tcp 192.168.50.2 80 200.200.200.2 80 extendable
ip nat inside source static tcp 192.168.50.3 21 200.200.200.3 21 extendable
ip nat inside source static tcp 192.168.50.4 53 200.200.200.4 53 extendable
ip nat inside source static udp 192.168.50.4 53 200.200.200.4 53 extendable
ip nat inside source list 1 200.200.200.5 overload

access-list 1 permit 192.168.50.0 0.0.0.255
access-list 101 permit tcp any gt 1023 host 200.200.200.2 eq 80
access-list 101 permit tcp any gt 1023 host 200.200.200.3 eq 21
access-list 101 permit tcp any host 200.200.200.4 eq 53
access-list 101 permit udp any host 200.200.200.4 eq 53
access-list 101 permit tcp any any established

interface s0
 ip nat outside
 ip access-group 101 in
interface f0
 ip nat outside

Note that this config will not allow inbound mail or other services. There is an implicit deny at the end so anything not permitted via access list 101 will be blocked. If you only need to do DNS queries and don't maintain a zone that the internet needs from you then you can eliminate the tcp port 53 NAT and access list lines.
Oops, last config line should be
interface f0
 ip nat inside

ASKER

hi,

Thanks for the fast response. As mentioned in your listing, is there a problem with:
ip nat inside source list 1 200.200.200.5 overload

or should it be:

ip nat inside source list 1 pool nat_name overload

I notice that after the '1' it shouldn't be an IP address.

Can you advise? Thanks.
Yeah, I was typing fast and didn't check that command out  :-)

ip nat pool POOL 200.200.200.5 200.200.200.5 prefix 32
ip nat inside source list 1 pool POOL overload

ASKER


I think there is a problem.

The moment I type in, under int s0:
   "ip access-group 101 in"

trying to ping my S0 IP address and the connected IP address,
both cannot be pinged,
but when I remove "ip access-group 101 in", it works again :)

Therefore going nowhere now too; anyway I am trying out the access list afterwards, based on yours as a base.
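To see concretely how the access-list 101 from the earlier reply decides each packet (first match wins, the `established` entry only admits returning TCP, and anything unmatched, including an ICMP echo to the S0 address, falls to the implicit deny), here is an added Python evaluator. It is not part of the thread and handles only the constructs that list uses; the sample addresses and ports fed to it are constructed.

```python
# Added example (not from the thread): a small first-match evaluator for the
# extended ACL 101 quoted above. It supports only what that list uses: any /
# host addresses, eq / gt port tests, 'established', and the implicit deny.

ACL_101 = """
access-list 101 permit tcp any gt 1023 host 200.200.200.2 eq 80
access-list 101 permit tcp any gt 1023 host 200.200.200.3 eq 21
access-list 101 permit tcp any host 200.200.200.4 eq 53
access-list 101 permit udp any host 200.200.200.4 eq 53
access-list 101 permit tcp any any established
""".strip().splitlines()


def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' and return a predicate on an address."""
    tok = tokens.pop(0)
    if tok == "any":
        return lambda addr: True
    if tok == "host":
        want = tokens.pop(0)
        return lambda addr, want=want: addr == want
    raise ValueError(f"unsupported address form: {tok}")

def _take_port(tokens):
    """Consume an optional 'eq N' / 'gt N' and return a predicate on a port."""
    if tokens and tokens[0] in ("eq", "gt"):
        op, num = tokens.pop(0), int(tokens.pop(0))
        return (lambda p, n=num: p == n) if op == "eq" else (lambda p, n=num: p > n)
    return lambda port: True

def parse_ace(line):
    """Split one 'access-list 101 ...' line into its matching pieces."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, sport = _take_addr(rest), _take_port(rest)
    dst, dport = _take_addr(rest), _take_port(rest)
    return action, proto, src, sport, dst, dport, "established" in rest

def evaluate(acl, proto, src, sport, dst, dport, ack=False):
    """Return 'permit' or 'deny' for one packet. ICMP has no ports: pass 0.
    First matching entry wins; falling off the end is the implicit deny."""
    for action, p, s, sp, d, dp, est in map(parse_ace, acl):
        if p != proto or not (s(src) and sp(sport) and d(dst) and dp(dport)):
            continue
        if est and not ack:  # 'established' matches only ACK/RST-flagged TCP
            continue
        return action
    return "deny"  # nothing matched: implicit deny at the end of every ACL
```

Running `evaluate(ACL_101, "icmp", "203.0.113.9", 0, "100.100.100.2", 0)` returns `"deny"`, which is exactly why pings to S0 stop once the list is applied inbound: no entry permits ICMP.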
ASKER CERTIFIED SOLUTION
mikebernhardt

ASKER

Hi,
Anyway, the whole access-list cannot work at all,
due to the reason that once access-list 101 is tied to the serial 0 interface