mmelody22
asked on
basic acl help for cisco 1841 router
hi, thanks for taking a look at my question.
i just bought an 1841 router and i have it configured for the network and internet access. next i need to configure it for my webserver. i'm not sure how to go about that. this is my first cisco router and being used to linksys routers, this is a whole new ballgame. if someone could give me the correct syntax for this, i would appreciate it. the server's internal ip is 10.10.10.58. i also have to set up port 21 and a few others as well. i am including my running config below.
thanks again.
mike
Building configuration...
Current configuration : 2614 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NN29$4LNrKgKxgVqNtGrOvT .r8/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server 24.xxx.2xx.11
ip name-server 24.xx2.2xx.12
ip ddns update method sdm_ddns1
HTTP
!
!
username xxxxxxx privilege 15 secret 5 $1$4wnn$8.2XqyZae9xiXTvMyl H18.
!
!
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 10.xxx.xx.xxx 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 24.xxx.xxx.66 255.255.xxx.xxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xxx.xxx.xxx permanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 3 interface FastEthernet0/1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.7
access-list 3 permit 10.10.10.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 4000 1000
end
ASKER CERTIFIED SOLUTION
what is not working?
Your configuration is wrong though, type in these exactly:
no ip nat inside source list 3 interface FastEthernet0/1 overload
no access-list 3 permit 10.10.10.0 0.0.0.255
Then from an internal machine try accessing internet to see if it works.
Then have somebody from internet access your webserver address and see if that works. Post the results.
Cheers,
Rajesh
ASKER
well, that did it! thank you....quick question. if i wanted to set up ftp access to this server..what would be the new entries? would it just be:
access-list 100 permit tcp any host 24.xx.xx.xxx eq ftp
access-list 100 permit tcp any host 24.xx.xxxx.xx eq ftp-data
or is there anything else?
also..if i wanted to open port 6129 and 6132 on a different server, i would have to make a new static route and basically use the same command for the webserver substituting the ports? or would there be anything else? thanks so much!
if you want me to open another question to give you more points for these 2, i will..no problem.
thanks again.
mike
No problem, the question is related so I'll answer it here itself.
Whatever you have is correct. Just have to proceed the way you mentioned there above.
Cheers,
Rajesh
ASKER
ok..thanks again....
i just realized that i'm not getting through to .58 for www. i am, however, hitting the router at .1 from my web domain. i thought it was a different problem. so, when i type in my web domain, i am getting the router login screen. what do you think that is? that's why i thought my ftp config might have been wrong.
here is the running config:
Building configuration...
Current configuration : 2685 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NN29$4LNrKgKxgVqNtGrOvT .r8/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server 24.xx.xxx.xxx
ip name-server 24.xx.xxx.xxx
!
username mmelody2 privilege 15 secret 5 $1$4wnn$8.2XqyZae9xiXTvMyl H18.
!
!
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 24.xx.xxx.xxx 255.xx.xx.xx
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xx.xxx.xxx permanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.58 24.xx.xxx.xxx
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.7
access-list 5 remark SDM_ACL Category=16
access-list 5 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=16
access-list 100 permit tcp any host 24.xx.xxx.xxx eq www
access-list 100 permit tcp any host 24.xx.xxx.xxx eq ftp
access-list 100 permit tcp any host 24.xx.xxx.xxx eq ftp-data
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 4000 1000
end
So you're saying, from the internet if you type 24.x.x.x in your browser you are getting the router login prompt? Is this address a unique address or the one used on the outside interface of the wan connection?
Like Wan interface 24.1.1.1
Web 24.1.1.2
Isn't it how it is ? Because since you masked it all, I don't know.
You could do this to turn off the http service on the router and it should work fine though;
no ip http server
Cheers,
Rajesh
ASKER
ok...i have a static ip used for the internet....webserver..etc . that ip is 24.xxx.xxx.66 which is also the wan ip. is that where i screwed up? i do have a block of 5 static ip addresses that i can use from my isp.
what do u recommend?
thanks again!
mike
Yes :-) If you use the wan ip address itself, then router's http server will also listen on the same ip right ? So my suggestion would be to use one of the available static IP's for the webserver.
Cheers,
Rajesh
Or continue as it is with http server turned off on the router until the next maintenance window and reconfigure the router.
Cheers,
Rajesh
ASKER
i tried entering that in.. but, it didn't work. i was a little confused about the last 2 entries: int fa0/1
ip access-group 100 in
here is the running config:
Building configuration...
Current configuration : 2852 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NN29$4LNrKgKxgVqNtGrOvT
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server 24.xx.xx.xxx
ip name-server 24.xx.xxx.xxx
ip ddns update method sdm_ddns1
HTTP
!
!
username xxxxx privilege 15 secret 5 $1$4wnn$8.2XqyZae9xiXTvMyl
!
!
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$$ETH-W
ip address 24.xx.xx.xxx 255.255.255.24
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xx.xxx.xx permanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 3 interface FastEthernet0/1 overload
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.58 24.xxx.xx.xxx
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.7
access-list 3 permit 10.10.10.0 0.0.0.255
access-list 5 permit 10.10.10.0 0.0.0.255
access-list 100 permit tcp any host 24.xxx.xx.xxx eq www
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 4000 1000
end
thanks again
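The two problems the thread runs into (the static NAT sharing the WAN interface's own address while `ip http server` is enabled, and access-list 100 applied inbound on fa0/1 permitting only www) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses a trimmed running config in the shape of the last one posted, reports those findings plus the leftover duplicate overload rule (list 3 and list 5), and answers where an inbound TCP connection to the public address ends up. The address 24.0.0.66 is a placeholder for the masked WAN address, and the ingress model (inbound ACL first, then the router's own service if the address is the interface's, then static NAT) is a simplification assumed for the example, not a description of IOS internals.

```python
"""Audit a Cisco IOS running config for the NAT/ACL issues discussed above.

Assumed (simplified) ingress model: a packet arriving on the outside interface is
checked against that interface's inbound ACL first; if permitted and addressed to the
interface's own IP on a port where the router runs a service (here: http), the router
answers it itself; otherwise a static NAT entry forwards it to the inside host.
"""
import re

NAMED_PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23}

# Constructed sample in the shape of the asker's last posted config.
# 24.0.0.66 stands in for the masked WAN address; 10.10.10.58 is the web server.
SAMPLE_CONFIG = """\
ip http server
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 24.0.0.66 255.255.255.248
 ip access-group 100 in
 ip nat outside
ip nat inside source list 3 interface FastEthernet0/1 overload
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.58 24.0.0.66
access-list 100 permit tcp any host 24.0.0.66 eq www
"""


def parse_config(text):
    """Extract interfaces, static NAT, overload rules and 'tcp any host X eq P' ACL lines."""
    cfg = {"interfaces": {}, "static_nat": {}, "overload": [], "acls": {}, "http_server": False}
    iface = None
    for line in text.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
            cfg["interfaces"][iface] = {}
        elif line.startswith(" ") and iface:
            p = line.split()
            if p[:2] == ["ip", "address"]:
                cfg["interfaces"][iface]["ip"] = p[2]
            elif p[:2] == ["ip", "access-group"]:
                cfg["interfaces"][iface]["acl_" + p[3]] = p[2]      # acl_in / acl_out
            elif p[:2] == ["ip", "nat"]:
                cfg["interfaces"][iface]["nat"] = p[2]              # inside / outside
        else:
            iface = None
            if line.strip() == "ip http server":
                cfg["http_server"] = True
            elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
                cfg["static_nat"][m.group(2)] = m.group(1)         # public -> inside
            elif m := re.match(r"ip nat inside source list (\S+) interface (\S+) overload", line):
                cfg["overload"].append((m.group(1), m.group(2)))
            elif m := re.match(r"access-list (\d+) (permit|deny) tcp any host (\S+) eq (\S+)$", line):
                port = NAMED_PORTS.get(m.group(4)) or int(m.group(4))
                cfg["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3), port))
    return cfg


def outside_interface(cfg):
    for name, props in cfg["interfaces"].items():
        if props.get("nat") == "outside":
            return name, props
    return None, {}


def acl_verdict(cfg, acl_id, dst_ip, port):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, host, acl_port in cfg["acls"].get(acl_id, []):
        if host == dst_ip and acl_port == port:
            return action
    return "deny"


def reach(cfg, dst_ip, port):
    """Where does a TCP SYN from the internet to dst_ip:port end up?"""
    _, outside = outside_interface(cfg)
    acl_id = outside.get("acl_in")
    if acl_id and acl_verdict(cfg, acl_id, dst_ip, port) == "deny":
        return f"denied by access-list {acl_id}"
    if dst_ip == outside.get("ip") and port == 80 and cfg["http_server"]:
        return "answered by the router's own http server"
    if dst_ip in cfg["static_nat"]:
        return f"forwarded to {cfg['static_nat'][dst_ip]}"
    return "no translation: dropped or handled by the router itself"


def audit(cfg):
    """Return the configuration problems the thread ran into, as plain strings."""
    findings = []
    _, outside = outside_interface(cfg)
    wan_ip = outside.get("ip")
    for public, inside in cfg["static_nat"].items():
        if public == wan_ip and cfg["http_server"]:
            findings.append(f"static NAT {public} -> {inside} uses the outside interface's own address "
                            f"while 'ip http server' is enabled, so port 80 is claimed by the router")
    if len(cfg["overload"]) > 1:
        lists = ", ".join(f"list {acl}" for acl, _ in cfg["overload"])
        findings.append(f"more than one overload NAT rule on the outside interface ({lists})")
    acl_id = outside.get("acl_in")
    if acl_id:
        ports = sorted({p for _, _, p in cfg["acls"].get(acl_id, [])})
        findings.append(f"access-list {acl_id} inbound on the outside interface permits only TCP ports {ports}; "
                        f"everything else, including return traffic for outbound connections from inside "
                        f"hosts, hits the implicit deny unless an established/inspect rule allows it")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for finding in audit(cfg):
        print("finding:", finding)
    for port in (80, 21):
        print(f"tcp/{port} to 24.0.0.66 ->", reach(cfg, "24.0.0.66", port))
    cfg["http_server"] = False          # the effect of 'no ip http server'
    print("after 'no ip http server', tcp/80 ->", reach(cfg, "24.0.0.66", 80))
```

Run as-is it reproduces what the asker saw: tcp/80 to the WAN address lands on the router's login page, tcp/21 is dropped by access-list 100 because only www is permitted, and only once the router's HTTP server is off does port 80 reach 10.10.10.58. Rajesh's other suggestion, a separate public address from the ISP block for the server, shows up in the model as a `static_nat` key that no longer equals the outside interface IP, which clears the first finding without touching the router's management service.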