[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 872
  • Last Modified:

basic acl help for cisco 1841 router

hi, thanks for taking a look at my question.

i just bought an 1841 router and i have it configured for the network and internet access. next i need to configure it for my webserver. i'm not sure how to go about that. this is my first cisco router and being used to linksys routers, this is a whole new  ballgame. if someone could give me the correct syntax for this, i would appreciate it. the servers internal ip is 10.10.10.58.  i also have to set up port 21 and a few others as well. i'm am including my running config below.

thanks again.

mike


Building configuration...

Current configuration : 2614 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NN29$4LNrKgKxgVqNtGrOvT.r8/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server 24.xxx.2xx.11
ip name-server 24.xx2.2xx.12
ip ddns update method sdm_ddns1
 HTTP
  !
!
username xxxxxxx privilege 15 secret 5 $1$4wnn$8.2XqyZae9xiXTvMylH18.
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 10.xxx.xx.xxx 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 24.xxx.xxx.66 255.255.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xxx.xxx.xxx permanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 3 interface FastEthernet0/1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.7
access-list 3 permit 10.10.10.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 4000 1000
end

0
mmelody22
Asked:
mmelody22
  • 6
  • 4
1 Solution
 
rsivanandanCommented:
For traffic to go outside from your internal network;

int fa0/0
ip nat inside

int fa0/1
ip nat outside

ip nat inside source list 5 interface fa0/1 overload

access-list 5 permit ip 10.xx.xx.0 0.0.0.255

The above will make sure all your internal clients can browse internet using PAT.

To allow webserver to be visible from internet;

ip nat inside source static <InternalWebServerIP> <PublicIPYOUWantForWebServer>

access-list 100 permit tcp any host <PublicIPYOUWantForWebServer> eq www

int fa0/1
ip access-group 100 in

Cheers,
Rajesh
0
 
mmelody22Author Commented:
hi, thanks for your help!

i tried entering that in.. but, it didnt work. i was a little confused about the last 2 entries: int fa0/1
                                                                                                                               ip access-group 100 in

here is the running config:


Building configuration...

Current configuration : 2852 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NN29$4LNrKgKxgVqNtGrOvT.r8/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server 24.xx.xx.xxx
ip name-server 24.xx.xxx.xxx
ip ddns update method sdm_ddns1
 HTTP
 
!
!
usernamexxxxxprivilege 15 secret 5 $1$4wnn$8.2XqyZae9xiXTvMylH18.
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 24.xx.xx.xxx255.255.255.248
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xx.xxx.xxpermanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 3 interface FastEthernet0/1 overload
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.58 24.xxx.xx.xxx
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.7
access-list 3 permit 10.10.10.0 0.0.0.255
access-list 5 permit 10.10.10.0 0.0.0.255
access-list 100 permit tcp any host 24.xxx.xx.xxx eq www
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 4000 1000
end



thanks again
0
 
rsivanandanCommented:
what is not working ?

Your configuration is wrong though, type in these exactly;

no ip nat inside source list 3 interface FastEthernet0/1 overload

no access-list 3 permit 10.10.10.0 0.0.0.255

Then from an internal machine try accessing internet to see if it works.

Then have somebody from internet access your webserver address and see if that works. Post the results.

Cheers,
Rajesh
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
mmelody22Author Commented:
well, that did it! thank you....quick question. if i wanted to set up ftp access to this server..what would be the new entries? would it just be:

access-list 100 permit tcp any host 24.xx.xx.xxx eq ftp
access-list 100 permit tcp any host 24.xx.xxxx.xxeq ftp-data

or is there anything else?

also..if i wanted to open port 6129 and 6132 on a different server, i would have ot make a new static route and basically use the same command for the webserver substituting the ports? or would there be anything else? thanks so much!

if you want me to open another question to give you more points for these 2, i will..no problem.

thanks again.

mike
0
 
rsivanandanCommented:
No problem, the question is related so I'll answer it here itself.

Whatever you have is correct. Just have to proceed the way you mentioned there above.

Cheers,
Rajesh
0
 
mmelody22Author Commented:
ok..thanks again....

i just realized that i'm not getting through to .58 for www. i am, however hitting the router at .1 from my web domain. i thought it was a different problem. so, when i type in my web domain, i am getting the router login screen. what do u think that is? thats why i thought my ftp config might have been wrong.

here is the running config:


Building configuration...

Current configuration : 2685 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NN29$4LNrKgKxgVqNtGrOvT.r8/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server 24.xx.xxx.xxx
ip name-server 24.xx.xxx.xxx
!
username mmelody2 privilege 15 secret 5 $1$4wnn$8.2XqyZae9xiXTvMylH18.
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 24.xx.xxx.xxx 255.xx.xx.xx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xx.xxx.xxx permanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.58 24.xx.xxx.xxx
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.7
access-list 5 remark SDM_ACL Category=16
access-list 5 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=16
access-list 100 permit tcp any host 24.xx.xxx.xxx eq www
access-list 100 permit tcp any host 24.xx.xxx.xxx eq ftp
access-list 100 permit tcp any host 24.xx.xxx.xxx eq ftp-data
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 4000 1000
end

0
 
rsivanandanCommented:
So you're saying, from internet if you type 24.x.x.x in your browser you are getting router login prompt ? Is this address a unique address or the one used on the outside interface of the wan connection ?

Like Wan interface 24.1.1.1

Web 24.1.1.2

Isn't it how it is ? Because since you masked it all, I don't know.

You could do this to turn off the http service on the router and it should work fine though;

no ip http server

Cheers,
Rajesh
0
 
mmelody22Author Commented:
ok...i have a static ip used for the internet....webserver..etc. that ip is 24.xxx.xxx.66 which is also the wan ip. is that where i screwed up? i do have a block of 5 static ip addresses that i can use from my isp.

what do u recommend?

thansk again!

mike
0
 
rsivanandanCommented:
Yes :-) If you use the wan ip address itself, then router's http server will also listen on the same ip right ? So my suggestion would be to use one of the available static IP's for the webserver.

Cheers,
Rajesh
0
 
rsivanandanCommented:
Or continue as it is with http server turned off on the router until the next maintenance window and reconfigure the router.

Cheers,
Rajesh
0

Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now