Solved

how to configure the access list for my cisco 2600 router

Posted on 2006-04-19
2,824 Views
Last Modified: 2009-07-29
Can anyone advise me how I should configure the access list, and which interface to tie it to, based on the case below:

A 2600 with serial0 (connected to the Internet) and fastethernet (connected to the local network).

S0 :-  100.100.100.2   /255.255.255.252

F0 :-  192.168.50.154 /255.255.255.0       (NAT-ed)

1.    200.200.200.2    <--->  192.168.50.2    (Web server)

2.    200.200.200.3   <---->  192.168.50.3    (FTP server)

3.    200.200.200.4   <---->  192.168.50.4    (DNS server)

4.    200.200.200.5     (NAT Pool) - Local users access the Internet using this IP address.

For the above mentioned (1) to (3), how should I configure the access-list, such that Internet users can only
   access the web server, restricted to port 80,
   access the FTP server, restricted to port 21,
   access the DNS server, restricted to port 51.

Other than the three ports for the three servers mentioned above, the rest of the ports from 1 to 65535 are to be closed to Internet users.

thank you
Question by:tut404
11 Comments
 
LVL 5

Expert Comment

by:Mad_Jasper
ID: 16489330


static (inside,outside) tcp 200.200.200.2 80 192.168.50.2 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 200.200.200.3 21 192.168.50.3 21 netmask 255.255.255.255 0 0
static (inside,outside) tcp 200.200.200.4 51 192.168.50.4 51 netmask 255.255.255.255 0 0

access-list acl_inbound permit tcp any host 200.200.200.2 eq www
access-list acl_inbound permit tcp any host 200.200.200.3 eq 21
access-list acl_inbound permit tcp any host 200.200.200.4 eq 51

Apply the access lists to the correct interface.

access-group acl_inbound in interface outside

Also, you can try this link.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic2

Author Comment

by:tut404
ID: 16489712
Hi,

I think you are giving me the syntax for a PIX firewall :)

Actually I am using a Cisco router; please advise the correct syntax, thanks.

Author Comment

by:tut404
ID: 16489761
In addition to that,

what about the users in my network?
They are supposed to use 200.200.200.5 (NAT Pool) to access the Internet.

The syntax you gave is for PIX; does it take care of my office users?

Please advise.
LVL 5

Expert Comment

by:Mad_Jasper
ID: 16489990
Sorry. I did not pay close enough attention to your question. I will look that up and get back to you.
LVL 28

Expert Comment

by:mikebernhardt
ID: 16491056
DNS is port 53, not 51...

ip nat inside source static tcp 192.168.50.2 80 200.200.200.2 80 extendable
ip nat inside source static tcp 192.168.50.3 21 200.200.200.3 21 extendable
ip nat inside source static tcp 192.168.50.4 53 200.200.200.4 53 extendable
ip nat inside source static udp 192.168.50.4 53 200.200.200.4 53 extendable
ip nat inside source list 1 200.200.200.5 overload

access-list 1 permit 192.168.50.0 0.0.0.255
access-list 101 permit tcp any gt 1023 host 200.200.200.2 eq 80
access-list 101 permit tcp any gt 1023 host 200.200.200.3 eq 21
access-list 101 permit tcp any host 200.200.200.4 eq 53
access-list 101 permit udp any host 200.200.200.4 eq 53
access-list 101 permit tcp any any established

interface s0
 ip nat outside
 ip access-group 101 in
interface f0
 ip nat outside

Note that this config will not allow inbound mail or other services. There is an implicit deny at the end so anything not permitted via access list 101 will be blocked. If you only need to do DNS queries and don't maintain a zone that the internet needs from you then you can eliminate the tcp port 53 NAT and access list lines.
LVL 28

Expert Comment

by:mikebernhardt
ID: 16491064
Oops, last config line should be
interface f0
 ip nat inside

Author Comment

by:tut404
ID: 16494125
Hi,

Thanks for the fast response. As mentioned in your listing, is there a problem with:
ip nat inside source list 1 200.200.200.5 overload

or should it be:

ip nat inside source list 1 pool nat_name overload

I notice that after the '1' it shouldn't be an IP address.

Can you advise? Thanks.
LVL 28

Expert Comment

by:mikebernhardt
ID: 16500714
Yeah, I was typing fast and didn't check that command out  :-)

ip nat pool POOL 200.200.200.5 200.200.200.5 prefix 32
ip nat inside source list 1 pool POOL overload

Author Comment

by:tut404
ID: 16505690

I think there is a problem.

The moment I type in under int s0:
   "ip access-group 101 in"

and try to ping my S0 IP address and the connecting IP address,
neither can be pinged,
but when I remove "ip access-group 101 in", it works again :)

Therefore I am going nowhere now too; anyway, I am trying out an access list based on yours as a base.
LVL 28

Accepted Solution

by:mikebernhardt (earned 1500 total points)
ID: 16508719
Yes, my access list did exactly what you specified but you'll need to add to it to make sure you don't break something else...

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
You should download a copy of ethereal and experiment with things like traceroute so you can see what you need for that, and get a better idea of what needs to be allowed in. The "established" line in my list will allow any inbound tcp if it has the "ack" bit set, which is normally because it's part of a session started from inside.
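The accepted answer's list 101 (the five lines from the earlier post plus the two ICMP lines added here), run through a small first-match evaluator. This is an added example, not code from the thread or from Cisco: the router and server addresses are the ones given in the question, while the remote hosts (203.0.113.x, 198.51.100.x, and 100.100.100.1 standing in for the ISP end of the /30) and the packets are constructed. It reproduces the ping failure the asker hit (echo-replies to the router fall to the implicit deny until the echo-reply line is present), shows that "established" admits only TCP segments with the ACK bit set, that inbound echo requests to S0 are still dropped after the fix, and surfaces a gap the thread does not discuss: UDP replies to the NAT pool address, such as DNS answers to inside clients, match no permit line and are dropped too.

```python
"""Toy evaluator for Cisco IOS extended ACLs (added example, not from the thread):
first-match order, the implicit deny, 'established' (TCP ACK bit set) and the ICMP
lines from the accepted answer. Router and server addresses are the thread's."""
from collections import namedtuple
from ipaddress import IPv4Address
from typing import List, Tuple

WELL_KNOWN = {"www": 80, "ftp": 21, "domain": 53}
ANY = (0, 0xFFFFFFFF)                       # (address, wildcard) pair meaning 'any'
Entry = namedtuple("Entry", "text action proto src sport dst dport established icmp_type")
# ack = TCP ACK bit (what 'established' tests); icmp_type = "echo", "echo-reply", ...
Packet = namedtuple("Packet", "proto src dst sport dport ack icmp_type", defaults=(0, 0, False, ""))

# mikebernhardt's list 101 from the thread, then the two ICMP lines he added later.
ACL_BASE = """
access-list 101 permit tcp any gt 1023 host 200.200.200.2 eq 80
access-list 101 permit tcp any gt 1023 host 200.200.200.3 eq 21
access-list 101 permit tcp any host 200.200.200.4 eq 53
access-list 101 permit udp any host 200.200.200.4 eq 53
access-list 101 permit tcp any any established
"""
ACL_FIXED = ACL_BASE + """
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
"""

def _addr(tok, i):              # -> ((address, wildcard) as ints, next index)
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2

def _port(tok, i):              # -> (("eq"|"gt"|"lt", port) or None, next index)
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        return (tok[i], int(WELL_KNOWN.get(tok[i + 1], tok[i + 1]))), i + 2
    return None, i

def parse_acl(config: str, number: str) -> List[Entry]:
    """Entries of one numbered extended ACL, in configured (= evaluation) order."""
    entries = []
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", number]:
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        icmp_type = tok[i] if tok[3] == "icmp" and i < len(tok) else ""
        entries.append(Entry(line, tok[2], tok[3], src, sport, dst, dport,
                             "established" in tok[i:], icmp_type))
    return entries

def _addr_ok(spec, addr):       # wildcard bits set to 1 are 'don't care'
    return (int(IPv4Address(addr)) | spec[1]) == (spec[0] | spec[1])

def _port_ok(spec, port):
    if spec is None:
        return True
    return port == spec[1] if spec[0] == "eq" else port > spec[1] if spec[0] == "gt" else port < spec[1]

def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_ok(e.src, p.src) and _addr_ok(e.dst, p.dst)):
        return False
    if p.proto != "icmp" and not (_port_ok(e.sport, p.sport) and _port_ok(e.dport, p.dport)):
        return False
    if e.established and not p.ack:        # IOS also accepts RST; ACK suffices here
        return False
    return not e.icmp_type or e.icmp_type == p.icmp_type

def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, str]:
    """First match wins; falling off the end of the list is the implicit deny."""
    for e in entries:
        if _matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny"

# Constructed packets arriving inbound on Serial0. 100.100.100.1 stands in for the ISP
# end of the /30; 203.0.113.x and 198.51.100.x are documentation ranges.
INBOUND = {
    "web_syn":      Packet("tcp", "203.0.113.10", "200.200.200.2", 40000, 80),
    "web_ssh":      Packet("tcp", "203.0.113.10", "200.200.200.2", 40001, 22),
    "web_lowport":  Packet("tcp", "203.0.113.10", "200.200.200.2", 1023, 80),
    "ping_reply":   Packet("icmp", "100.100.100.1", "100.100.100.2", icmp_type="echo-reply"),
    "ping_request": Packet("icmp", "203.0.113.10", "100.100.100.2", icmp_type="echo"),
    "http_return":  Packet("tcp", "198.51.100.7", "200.200.200.5", 80, 45000, ack=True),
    "http_syn_in":  Packet("tcp", "198.51.100.7", "200.200.200.5", 80, 45000),
    "dns_return":   Packet("udp", "198.51.100.53", "200.200.200.5", 53, 45001),
}

def decide(config: str, name: str) -> str:
    """'permit' or 'deny' that list 101 in `config` gives the packet INBOUND[name]."""
    return evaluate(parse_acl(config, "101"), INBOUND[name])[0]

if __name__ == "__main__":
    for label, cfg in (("base", ACL_BASE), ("fixed", ACL_FIXED)):
        for name, pkt in INBOUND.items():
            print("%-5s %-13s %-6s <- %s" % ((label, name) + evaluate(parse_acl(cfg, "101"), pkt)))
```

Running it prints each packet's verdict and the line that decided it. The evaluator is stateless on purpose: a numbered IOS ACL has no connection table, so "established" is a flag check on the segment, not proof that a session exists, which is why the answer suggests capturing traffic to see what else (traceroute, UDP replies) needs an explicit permit.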

Author Comment

by:tut404
ID: 16575150
Hi,
anyway, the whole access-list cannot work at all,
because once the access-list 101 is tied to the serial 0 interface
