Configuring ACLs on Cisco 851W

dubeaukb
Hello again.

I am not too familiar with the command lines for configuring ACLs.

Here is what I am trying to do.

I want to allow everyday traffic and a few others.
I need them to be accessible from the outside in.

Here are the ports I think I would need open.
110 (pop)
143 (imap)
25 (smtp)
80 (www)
3389 (RDP)

running config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EECROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
!
!
ip cef
ip domain name energyelectric.org
ip name-server 64.65.208.6
ip name-server 64.65.223.6
!
!
crypto pki trustpoint TP-self-signed-3751714289
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3751714289
 revocation-check none
 rsakeypair TP-self-signed-3751714289
!
!
crypto pki certificate chain TP-self-signed-3751714289
 certificate self-signed 01
  quit
username Xadmin privilege 15 secret 5 $1$1omP$H4G38NfRe5wBOXqZo3sPG0
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN$ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 72.xxx.xxx.xxx 255.255.255.248
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description LAN$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.10.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 72.xxx.xxx.xxx
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list ACL1 interface FastEthernet4 overload
!
ip access-list standard ACL1
 remark SDM_ACL Category=2
 permit any
!
no cdp run
_____________
I was told my router is currently "wide open" with no ACLs.

So why wouldn't I be able to access these ports?
Specifically 110 & 143, to have mobile devices connect to my Exchange.
I opened SDM (not a fan) just to check the NAT and it is set to 000.000.000.000-255.255.255.255 to 72.xxx.xxx.xxx Dynamic, would this be an issue as well?

Please advise, thank you.
Robert Sutton Jr, Senior Network Manager

Commented:
Your final question: that ip route is routing ALL your internal traffic to what is assumed to be your gateway on FastEthernet4 with the 72.xxx.xxx address (basically from inside to OUT).

Do you have a set of resources on static IPs that your ACLs need to be pointing to, or?
Senior Network Manager
Commented:
Or, if you'd like to read about it on your own, you can follow the link below, which gives a basic tutorial of how ACLs work.
http://www.networkclue.com/routing/Cisco/access-lists/index.aspx

Hope this helps.

Author

Commented:
So would the commands be something along these lines?

! 101: traffic the LAN is allowed to send out
access-list 101 permit tcp 192.10.0.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.10.0.0 0.0.0.255 any eq 25
access-list 101 permit tcp 192.10.0.0 0.0.0.255 any eq 443
access-list 101 permit tcp 192.10.0.0 0.0.0.255 any eq 110
access-list 101 permit tcp 192.10.0.0 0.0.0.255 any eq 143
access-list 101 permit tcp 192.10.0.0 0.0.0.255 any eq 3389
! 102: return traffic for TCP sessions the LAN started (extended ACLs need a destination)
access-list 102 permit tcp any 192.10.0.0 0.0.0.255 established

conf t
interface FastEthernet4
ip access-group 101 out
ip access-group 102 in

are there any default ports that should be open?

Author

Commented:
I have one static IP that all these services point to.

All my services are running off of one box.

Author

Commented:
Thank you for the site reference.
I was able to easily understand the ACLs, however some of the commands are different on the cisco 800 series.
Steps I took:
I configured the ACLs.
I had to configure the NATs.

Thank you.
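One way to do what the thread asks for (publish the five services on the single internal host and permit only those inbound on the WAN interface), written here as an added example that is neither the poster's final configuration nor anything the experts posted. It assumes 192.10.0.10 is the internal server, 198.51.100.10 stands in for the masked 72.xxx.xxx.xxx WAN address, and 203.0.113.0/24 is the only network RDP should be reachable from; the two name servers are the ones in the running config above.

```cisco
! Assumed: the mail/RDP box is 192.10.0.10 (placeholder, not given on the page)
! Assumed: 198.51.100.10 stands in for the masked WAN address 72.xxx.xxx.xxx
! Assumed: 203.0.113.0/24 is the admin network that may reach RDP
!
! 1. Static port forwards on FastEthernet4, one per published service only
ip nat inside source static tcp 192.10.0.10 25 interface FastEthernet4 25
ip nat inside source static tcp 192.10.0.10 80 interface FastEthernet4 80
ip nat inside source static tcp 192.10.0.10 110 interface FastEthernet4 110
ip nat inside source static tcp 192.10.0.10 143 interface FastEthernet4 143
ip nat inside source static tcp 192.10.0.10 3389 interface FastEthernet4 3389
!
! 2. Restrict the existing overload NAT to the LAN instead of "permit any"
ip access-list standard ACL1
 no permit any
 permit 192.10.0.0 0.0.0.255
!
! 3. Inbound ACL on the WAN side. It is evaluated BEFORE NAT rewrites the
!    destination, so it must match the public address, not 192.10.0.10.
ip access-list extended OUTSIDE-IN
 remark published services on the single static host
 permit tcp any host 198.51.100.10 eq smtp
 permit tcp any host 198.51.100.10 eq www
 permit tcp any host 198.51.100.10 eq pop3
 permit tcp any host 198.51.100.10 eq 143
 remark RDP only from the admin network, never from the whole internet
 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq 3389
 remark return traffic for TCP sessions started from inside, plus DNS replies
 permit tcp any host 198.51.100.10 established
 permit udp host 64.65.208.6 eq domain host 198.51.100.10
 permit udp host 64.65.223.6 eq domain host 198.51.100.10
 remark everything else is dropped and logged (implicit deny made visible)
 deny ip any any log
!
! 4. Apply it inbound on the outside interface
interface FastEthernet4
 ip access-group OUTSIDE-IN in
```

Because this ACL replaces the current no-ACL state, any other inbound UDP the site depends on (NTP, VPN) needs its own permit line; `show access-lists OUTSIDE-IN` gives per-entry hit counts for seeing what the final deny is catching.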
