how to configure the access list for my cisco 2600 router

Can anyone advise me how I should configure the access list, and which interface to tie it to, based on the case below:

A 2600 with serial0 (connected to the internet) and fastethernet (connected to the local network).

S0: 100.100.100.2 /255.255.255.252

F0: 192.168.50.154 /255.255.255.0 (NAT-ed)

1. 200.200.200.2 <---> 192.168.50.2 (Web server)

2. 200.200.200.3 <---> 192.168.50.3 (FTP server)

3. 200.200.200.4 <---> 192.168.50.4 (DNS server)

4. 200.200.200.5 (NAT pool) - local users access the internet using this IP address.

For the above mentioned (1) to (3), how should I configure the access-list such that internet users can only:
   access the web server, restricted to port 80,
   access the FTP server, restricted to port 21,
   access the DNS server, restricted to port 51.

Other than the 3 ports for the 3 servers mentioned above, the rest of the ports from 1-65535 are to be closed to access by internet users.

thank you
tut404Asked:
mikebernhardtCommented:
Yes, my access list did exactly what you specified but you'll need to add to it to make sure you don't break something else...

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
You should download a copy of ethereal and experiment with things like traceroute so you can see what you need for that, and get a better idea of what needs to be allowed in. The "established" line in my list will allow any inbound tcp if it has the "ack" bit set, which is normally because it's part of a session started from inside.
 
Mad_JasperCommented:


static (inside,outside) tcp 200.200.200.2 80 192.168.50.2 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 200.200.200.3 21 192.168.50.3 21 netmask 255.255.255.255 0 0
static (inside,outside) tcp 200.200.200.4 51 192.168.50.4 51 netmask 255.255.255.255 0 0

access-list acl_inbound permit tcp any host 200.200.200.2 eq www
access-list acl_inbound permit tcp any host 200.200.200.3 eq 21
access-list acl_inbound permit tcp any host 200.200.200.4 eq 51

Apply the access lists to the correct interface.

access-group acl_inbound in interface outside

Also, you can try this link.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic2
 
tut404Author Commented:
hi,

I think you are giving me the syntax of the PIX firewall :)

Actually I am using a Cisco router; please advise the correct syntax, thanks.
 
tut404Author Commented:
In addition to that,

what about the users in my network?
They are supposed to use 200.200.200.5 (NAT pool) to access the internet.

The syntax you gave is for PIX; does it take care of my office users?

Please advise.
 
Mad_JasperCommented:
Sorry. I did not pay close enough attention to your question. I will look that up and get back to you.
 
mikebernhardtCommented:
DNS is port 53, not 51...

ip nat inside source static tcp 192.168.50.2 80 200.200.200.2 80 extendable
ip nat inside source static tcp 192.168.50.3 21 200.200.200.3 21 extendable
ip nat inside source static tcp 192.168.50.4 53 200.200.200.4 53 extendable
ip nat inside source static udp 192.168.50.4 53 200.200.200.4 53 extendable
ip nat inside source list 1 200.200.200.5 overload

access-list 1 permit 192.168.50.0 0.0.0.255
access-list 101 permit tcp any gt 1023 host 200.200.200.2 eq 80
access-list 101 permit tcp any gt 1023 host 200.200.200.3 eq 21
access-list 101 permit tcp any host 200.200.200.4 eq 53
access-list 101 permit udp any host 200.200.200.4 eq 53
access-list 101 permit tcp any any established

interface s0
 ip nat outside
 ip access-group 101 in
interface f0
 ip nat outside

Note that this config will not allow inbound mail or other services. There is an implicit deny at the end so anything not permitted via access list 101 will be blocked. If you only need to do DNS queries and don't maintain a zone that the internet needs from you then you can eliminate the tcp port 53 NAT and access list lines.
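As an added illustration (not code from the thread or from either poster), the following Python evaluates sample packets against access-list 101 as posted above, with the two icmp lines from the accepted answer prepended, to show what the implicit deny blocks, what `gt 1023` and `established` actually match, and why pings from the router fail until echo-reply is permitted. The ACL text is copied from the thread; the parser covers only the syntax subset those lines use, and the packet dicts are constructed test inputs.

```python
# ACL text copied from the thread: the two icmp lines of the accepted answer
# prepended to the access-list 101 lines of the router config.
ACL_101_TEXT = """
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any gt 1023 host 200.200.200.2 eq 80
access-list 101 permit tcp any gt 1023 host 200.200.200.3 eq 21
access-list 101 permit tcp any host 200.200.200.4 eq 53
access-list 101 permit udp any host 200.200.200.4 eq 53
access-list 101 permit tcp any any established
"""

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D'; None matches any address."""
    return None if tok.pop(0) == "any" else tok.pop(0)

def _port(tok):
    """Consume an optional 'eq N' / 'gt N' port operator, else None."""
    return (tok.pop(0), int(tok.pop(0))) if tok and tok[0] in ("eq", "gt") else None

def parse_acl(text):
    """Parse the subset of IOS extended-ACL syntax used in this thread."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, tok = tok[2], tok[3], tok[4:]
        src, sport = _addr(tok), _port(tok)
        dst, dport = _addr(tok), _port(tok)
        extra = tok.pop(0) if tok else None  # 'established' or an icmp type
        entries.append((action, proto, src, sport, dst, dport, extra))
    return entries

def _port_ok(spec, port):
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def evaluate(entries, pkt):
    """First matching entry decides; nothing matching hits the implicit deny."""
    for action, proto, src, sport, dst, dport, extra in entries:
        if proto != pkt["proto"] or (src and src != pkt["src"]) or (dst and dst != pkt["dst"]):
            continue
        if not (_port_ok(sport, pkt.get("sport")) and _port_ok(dport, pkt.get("dport"))):
            continue
        if extra == "established" and not pkt.get("ack"):  # ACK set = reply to an inside-initiated session
            continue
        if proto == "icmp" and extra and extra != pkt.get("icmp_type"):
            continue
        return action
    return "deny"

ACL_101 = parse_acl(ACL_101_TEXT)
ACL_101_NO_ICMP = [e for e in ACL_101 if e[1] != "icmp"]  # the config as first posted
```

Note that even with the icmp lines an inbound echo request to S0 is still denied; only replies to the router's own pings get through, which is what the accepted answer describes.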
 
mikebernhardtCommented:
Oops, last config line should be
interface f0
 ip nat inside
 
tut404Author Commented:
hi,

Thanks for the fast response. As mentioned in your listing, is there a problem with:
ip nat inside source list 1 200.200.200.5 overload

or should it be:

ip nat inside source list 1 pool nat_name overload

I notice that after the '1' it shouldn't be an IP address.

Can you advise, thanks
 
mikebernhardtCommented:
Yeah, I was typing fast and didn't check that command out  :-)

ip nat pool POOL 200.200.200.5 200.200.200.5 prefix 32
ip nat inside source list 1 pool POOL overload
 
tut404Author Commented:

I think there is a problem.

The moment I type in int s0
   "ip access-group 101 in"

and try to ping my S0 IP address and the connecting IP address,
both cannot be pinged,
but when I remove "ip access-group 101 in", it works again :)

Therefore it is going nowhere now too; anyway I am trying out the access list afterwards, based on yours as a base.
 
tut404Author Commented:
Hi,
anyway, the whole access-list cannot work at all,
because once access-list 101 is tied to the serial 0 interface
