Solved

basic acl help for cisco 1841 router

Posted on 2006-06-15
Last Modified: 2008-02-01
Hi, thanks for taking a look at my question.

I just bought an 1841 router and I have it configured for the network and internet access. Next I need to configure it for my webserver. I'm not sure how to go about that. This is my first Cisco router and, being used to Linksys routers, this is a whole new ballgame. If someone could give me the correct syntax for this, I would appreciate it. The server's internal IP is 10.10.10.58. I also have to set up port 21 and a few others as well. I am including my running config below.

Thanks again.

Mike


Building configuration...

Current configuration : 2614 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NN29$4LNrKgKxgVqNtGrOvT.r8/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server 24.xxx.2xx.11
ip name-server 24.xx2.2xx.12
ip ddns update method sdm_ddns1
 HTTP
  !
!
username xxxxxxx privilege 15 secret 5 $1$4wnn$8.2XqyZae9xiXTvMylH18.
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 10.xxx.xx.xxx 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 24.xxx.xxx.66 255.255.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xxx.xxx.xxx permanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 3 interface FastEthernet0/1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.7
access-list 3 permit 10.10.10.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 4000 1000
end

Question by:mmelody22
Accepted Solution by: rsivanandan (earned 500 total points)
ID: 16920760
For traffic to go outside from your internal network:

int fa0/0
ip nat inside

int fa0/1
ip nat outside

ip nat inside source list 5 interface fa0/1 overload

access-list 5 permit 10.xx.xx.0 0.0.0.255

The above will make sure all your internal clients can browse the internet using PAT.

To allow the webserver to be visible from the internet:

ip nat inside source static <InternalWebServerIP> <PublicIPYOUWantForWebServer>

access-list 100 permit tcp any host <PublicIPYOUWantForWebServer> eq www

int fa0/1
ip access-group 100 in

Cheers,
Rajesh
Author Comment by: mmelody22
ID: 16922466
Hi, thanks for your help!

I tried entering that in, but it didn't work. I was a little confused about the last 2 entries:

int fa0/1
ip access-group 100 in

Here is the running config:


Building configuration...

Current configuration : 2852 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NN29$4LNrKgKxgVqNtGrOvT.r8/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server 24.xx.xx.xxx
ip name-server 24.xx.xxx.xxx
ip ddns update method sdm_ddns1
 HTTP
 
!
!
username xxxxx privilege 15 secret 5 $1$4wnn$8.2XqyZae9xiXTvMylH18.
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 24.xx.xx.xxx 255.255.255.248
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xx.xxx.xx permanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 3 interface FastEthernet0/1 overload
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.58 24.xxx.xx.xxx
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.7
access-list 3 permit 10.10.10.0 0.0.0.255
access-list 5 permit 10.10.10.0 0.0.0.255
access-list 100 permit tcp any host 24.xxx.xx.xxx eq www
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 4000 1000
end



thanks again
Expert Comment by: rsivanandan
ID: 16923017
What is not working?

Your configuration is wrong though; type in these exactly:

no ip nat inside source list 3 interface FastEthernet0/1 overload

no access-list 3 permit 10.10.10.0 0.0.0.255

Then from an internal machine try accessing the internet to see if it works.

Then have somebody from the internet access your webserver address and see if that works. Post the results.

Cheers,
Rajesh
Author Comment by: mmelody22
ID: 16926975
Well, that did it! Thank you. Quick question: if I wanted to set up FTP access to this server, what would be the new entries? Would it just be:

access-list 100 permit tcp any host 24.xx.xx.xxx eq ftp
access-list 100 permit tcp any host 24.xx.xxxx.xx eq ftp-data

or is there anything else?

Also, if I wanted to open ports 6129 and 6132 on a different server, I would have to make a new static route and basically use the same command for the webserver substituting the ports? Or would there be anything else? Thanks so much!

If you want me to open another question to give you more points for these 2, I will, no problem.

Thanks again.

Mike
Expert Comment by: rsivanandan
ID: 16927137
No problem, the question is related so I'll answer it here itself.

Whatever you have is correct. Just have to proceed the way you mentioned there above.

Cheers,
Rajesh
Author Comment by: mmelody22
ID: 16927155
OK, thanks again.

I just realized that I'm not getting through to .58 for www. I am, however, hitting the router at .1 from my web domain. I thought it was a different problem. So, when I type in my web domain, I am getting the router login screen. What do you think that is? That's why I thought my FTP config might have been wrong.

Here is the running config:


Building configuration...

Current configuration : 2685 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NN29$4LNrKgKxgVqNtGrOvT.r8/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server 24.xx.xxx.xxx
ip name-server 24.xx.xxx.xxx
!
username mmelody2 privilege 15 secret 5 $1$4wnn$8.2XqyZae9xiXTvMylH18.
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 24.xx.xxx.xxx 255.xx.xx.xx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xx.xxx.xxx permanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.58 24.xx.xxx.xxx
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.7
access-list 5 remark SDM_ACL Category=16
access-list 5 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=16
access-list 100 permit tcp any host 24.xx.xxx.xxx eq www
access-list 100 permit tcp any host 24.xx.xxx.xxx eq ftp
access-list 100 permit tcp any host 24.xx.xxx.xxx eq ftp-data
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 4000 1000
end

Expert Comment by: rsivanandan
ID: 16927173
So you're saying, from the internet, if you type 24.x.x.x in your browser you are getting the router login prompt? Is this address a unique address or the one used on the outside interface of the WAN connection?

Like WAN interface 24.1.1.1

Web 24.1.1.2

Isn't that how it is? Because since you masked it all, I don't know.

You could do this to turn off the HTTP service on the router and it should work fine though:

no ip http server

Cheers,
Rajesh
Author Comment by: mmelody22
ID: 16927272
OK, I have a static IP used for the internet, webserver, etc. That IP is 24.xxx.xxx.66, which is also the WAN IP. Is that where I screwed up? I do have a block of 5 static IP addresses that I can use from my ISP.

What do you recommend?

Thanks again!

Mike
Expert Comment by: rsivanandan
ID: 16928456
Yes :-) If you use the WAN IP address itself, then the router's HTTP server will also listen on the same IP, right? So my suggestion would be to use one of the available static IPs for the webserver.

Cheers,
Rajesh
Expert Comment by: rsivanandan
ID: 16928458
Or continue as it is with http server turned off on the router until the next maintenance window and reconfigure the router.

Cheers,
Rajesh
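The three problems this thread works through (two overload NAT rules pointing at the same outside interface, a static NAT that reuses the WAN address while `ip http server` is still on, and an inbound ACL on fa0/1 that decides which ports are actually reachable) can all be spotted mechanically from a running-config. The script below is an added example, not part of the thread and not Cisco tooling; it parses a constructed sample config modelled on the second one posted, with the masked public addresses replaced by the 203.0.113.0/29 documentation range. It also adds one check the thread does not raise: an inbound ACL on the NAT outside interface needs an entry that admits return traffic (an `established` rule here), because IOS evaluates the inbound ACL before outside-to-inside translation, so the ACL's implicit deny otherwise drops replies to the PAT'd inside clients. The function names and the sample config are assumptions; it needs Python 3.8 or newer.

```python
"""Audit a Cisco IOS running-config for the NAT/ACL pitfalls raised in this thread.
SAMPLE_CONFIG is a constructed, trimmed version of the second posted config with
the masked public addresses replaced by the 203.0.113.0/29 documentation range."""
import re

SAMPLE_CONFIG = """\
ip http server
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 203.0.113.66 255.255.255.248
 ip access-group 100 in
 ip nat outside
!
ip nat inside source list 3 interface FastEthernet0/1 overload
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.58 203.0.113.66
access-list 3 permit 10.10.10.0 0.0.0.255
access-list 5 permit 10.10.10.0 0.0.0.255
access-list 100 permit tcp any host 203.0.113.66 eq www
access-list 100 permit tcp any host 203.0.113.66 eq ftp
access-list 100 permit tcp any host 203.0.113.66 eq ftp-data
"""


def parse_config(text):
    """Pull out what the audit needs: interfaces, NAT rules, numbered ACLs, http server state."""
    cfg = {"interfaces": {}, "statics": [], "overloads": [], "acls": {}, "http_server": False}
    current = None  # interface block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg["interfaces"][current] = {"ip": None, "nat": None, "acl_in": None}
            continue
        if line.startswith(" ") and current:  # indented line inside an interface block
            item, iface = line.strip(), cfg["interfaces"][current]
            if m := re.match(r"ip address (\S+) \S+", item):
                iface["ip"] = m.group(1)
            elif item in ("ip nat inside", "ip nat outside"):
                iface["nat"] = item.split()[-1]
            elif m := re.match(r"ip access-group (\S+) in", item):
                iface["acl_in"] = m.group(1)
            continue
        current = None  # back at global configuration level
        if line in ("ip http server", "no ip http server"):
            cfg["http_server"] = not line.startswith("no ")
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
            cfg["statics"].append((m.group(1), m.group(2)))
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+) overload", line):
            cfg["overloads"].append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\S+) (permit|deny) (.*)", line):
            cfg["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return cfg


def audit(cfg):
    """Return readable findings; an empty list means none of the three pitfalls is present."""
    findings = []
    for name, iface in cfg["interfaces"].items():
        if iface["nat"] != "outside":
            continue
        # 1. Static NAT onto the outside interface's own address while the router's HTTP
        #    server is on: port 80 reaches the router login page, not the webserver.
        for inside_ip, public_ip in cfg["statics"]:
            if public_ip == iface["ip"] and cfg["http_server"]:
                findings.append(f"static NAT {inside_ip}->{public_ip} uses {name}'s own address while "
                                "'ip http server' is on; use a spare public IP or 'no ip http server'")
        # 2. More than one overload (PAT) rule pointing at the same outside interface.
        lists = [acl for acl, out in cfg["overloads"] if out == name]
        if len(lists) > 1:
            findings.append(f"{name} has {len(lists)} overload NAT rules (lists {', '.join(lists)}); keep one")
        # 3. Inbound ACL on the outside interface with nothing that admits return traffic.
        #    IOS checks the inbound ACL before outside-to-inside translation, so the ACL's
        #    implicit deny also drops replies to PAT'd inside clients.
        acl = iface["acl_in"]
        if acl and lists:
            entries = cfg["acls"].get(acl, [])
            if not any(a == "permit" and ("established" in r or r.startswith("ip any"))
                       for a, r in entries):
                findings.append(f"ACL {acl} inbound on {name} has no 'established' or permit-any entry; "
                                "return traffic for PAT'd inside clients hits the implicit deny")
    return findings


def exposed_ports(cfg):
    """Map each public host to the ports some ACL permits toward it (what is actually exposed)."""
    exposed = {}
    for entries in cfg["acls"].values():
        for action, rule in entries:
            m = re.match(r"(tcp|udp) .*host (\S+) eq (\S+)$", rule)
            if action == "permit" and m:
                exposed.setdefault(m.group(2), []).append(f"{m.group(1)}/{m.group(3)}")
    return exposed


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for finding in audit(parsed):
        print("FINDING:", finding)
    print("exposed:", exposed_ports(parsed))
```

Run against the sample it reports all three findings and shows that only tcp/www, tcp/ftp and tcp/ftp-data are permitted toward 203.0.113.66. Removing the list 3 overload rule, turning off `ip http server` (or mapping the server to one of the spare addresses in the /29) and adding `access-list 100 permit tcp any any established` makes the audit come back clean, which is a quick regression check to rerun after each change in a maintenance window.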