how to configure the access list for my cisco 2600 router

Can any one advise me how should I configure the accesslist, and to tie to which interface, based on the case below :-

a 2600 with serial0   (connected to internet),  fastethernet (Connected to local network)

S0 :-   /

F0 :- /       (NAT-ed)

1.    <--->    (Web server)

2.   <---->    (FTP server)

3.   <---->    (DNS server)

4.     (NAT Pool) - Local users access internet using this ip address.

for the above mentioned (1)  to (3),  how should I configure the access-list, such that Internet users can only
   access the web server restricted  via port 80 ,
   access the FTP server restricted via  port 21,
  access the DNS server restricted via port  51.

other then the the 3 ports for the 3 server mentioned above, the rest of the ports of 1- 65535, to be closed from
accessing by intenet users.

thank you
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


static (inside,outside) tcp 80 80 netmask 0 0
static (inside,outside) tcp 21 80 netmask 0 0
static (inside,outside) tcp 51 51 netmask 0 0

access-list acl_inbound permit tcp any host eq www
access-list acl_inbound permit tcp any host eq 21
access-list acl_inbound permit tcp any host eq 51

Apply the access lists to the correct interface.

access-group acl_inbound in interface outside

Also, you can try this link.
tut404Author Commented:

I think you are you giving me the syntax of pix firewall   :)  

actually I am using a cisco route, please advise the correct syntax, thanks
tut404Author Commented:
in additional to that,

what about those users in my network?
they are suppose to use  (NAT Pool) to access internet.

the syntax given by you are of PIX, does it take care of my office users?

Please advise
Need More Insight Into What’s Killing Your Network

Flow data analysis from SolarWinds NetFlow Traffic Analyzer (NTA), along with Network Performance Monitor (NPM), can give you deeper visibility into your network’s traffic.

Sorry. I did not pay close enough attention to your question. I will look that up and get back to you.
DNS is port 53, not 51...

ip nat inside source static tcp 80 80 extendable
ip nat inside source static tcp 21 21 extendable
ip nat inside source static tcp 53 53 extendable
ip nat inside source static udp 53 53 extendable
ip nat inside source list 1 overload

access-list 1 permit
access-list 101 permit tcp any gt 1023 host eq 80
access-list 101 permit tcp any gt 1023 host eq 21
access-list 101 permit tcp any host eq 53
access-list 101 permit udp any host eq 53
access-list 101 permit tcp any any established

interface s0
 ip nat outside
 ip access-group 101 in
interface f0
 ip nat outside

Note that this config will not allow inbound mail or other services. There is an implicit deny at the end so anything not permitted via access list 101 will be blocked. If you only need to do DNS queries and don't maintain a zone that the internet needs from you then you can eliminate the tcp port 53 NAT and access list lines.
Oops, last config line should be
interface f0
 ip nat inside
tut404Author Commented:

thank for the fast reponse, as mentioned in your listing, is that a problem with :-
ip nat inside source list 1 overload

or should it be :-

ip nat inside source list 1 pool nat_name overload .

I notice after the '1'  it shouldn't be ip address .

can you advise, thanks
Yeah, I was typing fast and didn't check that command out  :-)

ip nat pool POOL prefix 32
ip nat inside source list 1 pool POOL overload
tut404Author Commented:

I think there is a problem,

the moment i type in  int s0
   "ip access-group 101 in"

trying to ping my S0 ip address and connecting ip address,
both cannot be ping,
but when I remove "ip access-group 101 in", it works again :)

therfore going nowhere now too, anyway I am trying out after
access list, based on yours as a base
Yes, my access list did exactly what you specified but you'll need to add to it to make sure you don't break something else...

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
You should download a copy of ethereal and experiment with things like traceroute so you can see what you need for that, and get a better idea of what needs to be allowed in. The "established" line in my list will allow any inbound tcp if it has the "ack" bit set, which is normally because it's part of a session started from inside.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tut404Author Commented:
anyway, the whole access-list cannot work at all.
due to the reason once the access-list 101 is tied to the serial 0 interface

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.