Velocity Reviews - Computer Hardware Reviews

Help c2621 ACL - Inet/Dmz/Lan

Gudjon Bjarnason
      05-18-2004
Hello,

I would really appreciate help configuring my Cisco 2621.

Here is the scenario.

I have a separate internet/dmz which I need to connect to my LAN.

1x Serial ---- INTERNET
1x FastEthernet ---- DMZ
1x FastEthernet ---- LAN



I want INTERNET to have restricted access to DMZ (based on ACL)
I don't want LAN to access INTERNET
I don't want DMZ to access LAN
I don't want INTERNET to access LAN
I want LAN to have unrestricted access to DMZ
I want DMZ to have unrestricted access to INTERNET

Example:
I want to be able to map a drive to my DMZ servers from LAN.
I don't want DMZ servers to map drives or have any other access to LAN.



My LAN uses:
172.16.0.0 255.255.0.0


Here is my current config:
----------------------------------------------
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname c2621
!
logging buffered 65536 debugging
enable secret xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
!
ip subnet-zero
!
isdn voice-call-failure 0
!
!
!
!
controller E1 0/0
framing NO-CRC4
channel-group 0 timeslots 1-31
!
!
!
!
!
interface FastEthernet0/0
description LAN
ip address 172.16.0.1 255.255.255.0
no ip directed-broadcast
duplex auto
speed auto
!
interface Serial0/0:0
description Internet
ip address 195.54.95.250 255.255.255.252
ip access-group 110 in
no ip directed-broadcast
!
interface FastEthernet0/1
description DMZ
ip address 195.54.85.65 255.255.255.192
ip access-group 112 in
ip access-group 113 out
no ip directed-broadcast
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0:0
no ip http server
!
access-list 110 deny udp any any eq 1434
access-list 110 deny ip 195.54.85.0 0.0.0.255 any
access-list 110 deny udp any any range netbios-ns netbios-ss
access-list 110 deny udp any any eq 135
access-list 110 permit ip any 195.54.85.0 0.0.0.255
access-list 110 deny ip any any log-input
!
access-list 112 deny udp any any eq 1434
access-list 112 deny ip 172.16.0.0 0.0.255.255 any
access-list 112 permit ip 195.54.85.64 0.0.0.63 any
access-list 112 deny udp any any eq bootps
access-list 112 deny ip any any log-input
!
access-list 113 deny udp any any eq 1434
access-list 113 permit udp any eq domain 195.54.85.64 0.0.0.63
access-list 113 permit ip 195.54.85.0 0.0.0.255 195.54.85.64 0.0.0.63
access-list 113 permit ip 172.16.0.0 0.0.255.255 any
access-list 113 permit tcp any 195.54.85.64 0.0.0.63 established
access-list 113 permit tcp any host 195.54.85.66 eq pop3
access-list 113 permit tcp any host 195.54.85.66 eq 443
access-list 113 permit tcp any host 195.54.85.67 eq 443
access-list 113 permit tcp any host 195.54.85.68 eq www
access-list 113 permit tcp any host 195.54.85.69 eq www
access-list 113 permit tcp any host 195.54.85.69 eq smtp
access-list 113 permit tcp any host 195.54.85.69 eq 8003
access-list 113 permit tcp any host 195.54.85.71 eq smtp
access-list 113 permit tcp any host 195.54.85.71 eq 8003
access-list 113 permit tcp any host 195.54.85.72 eq domain
access-list 113 permit udp any host 195.54.85.72 eq domain
access-list 113 permit tcp any host 195.54.85.72 eq 3389
access-list 113 permit tcp any host 195.54.85.73 eq www
access-list 113 permit tcp any host 195.54.85.74 eq www
access-list 113 permit tcp any host 195.54.85.76 eq www
access-list 113 permit tcp any host 195.54.85.81 eq www
access-list 113 permit tcp any 195.54.85.80 0.0.0.7 eq www
access-list 113 permit tcp any host 195.54.85.85 eq ftp
access-list 113 permit tcp any host 195.54.85.83 eq 3389
access-list 113 permit tcp any 195.54.85.80 0.0.0.7 eq 3389
access-list 113 permit tcp any host 195.54.85.89 eq www
access-list 113 permit tcp any host 195.54.85.89 eq ftp
access-list 113 permit tcp any host 195.54.85.90 eq www
access-list 113 permit tcp any host 195.54.85.94 eq 443
access-list 113 permit tcp any host 195.54.85.93 eq 3389
access-list 113 permit tcp any host 195.54.85.94 eq www
access-list 113 permit tcp any host 195.54.85.94 eq 3389
access-list 113 permit tcp any host 195.54.85.96 eq www
access-list 113 permit tcp any host 195.54.85.98 eq www
access-list 113 permit udp any host 195.54.85.108 eq isakmp
access-list 113 permit udp any host 195.54.85.108 eq 10000
access-list 113 permit udp any host 195.54.85.108 eq 4500
access-list 113 permit udp any host 195.54.85.108 eq 1701
access-list 113 permit tcp any host 195.54.85.108 eq 11000
access-list 113 permit esp any host 195.54.85.108
access-list 113 permit icmp any 195.54.85.64 0.0.0.63
access-list 113 deny tcp any any eq 17300
access-list 113 deny tcp any any eq 3128
access-list 113 deny tcp any any eq 1080
access-list 113 deny tcp any any eq ident
access-list 113 deny udp any any eq bootps
access-list 113 deny ip any any log-input
!
line con 0
transport input none
line aux 0
line vty 0 4
password 7 xxxxxxxxxxxxxxx
login
!
no scheduler allocate
end

----------------------------------------------

Thanks,
Gudjon Bjarnason
Denmark
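As an added example (not part of the original post, and not a reply from the thread), here is one way to get the posted config to match the six-line policy above. Read against the posted ACLs, the gaps are: Fa0/0 (LAN) has no access-group at all, so nothing stops LAN -> Internet; ACL 112 on Fa0/1 permits `ip 195.54.85.64/26 any`, which includes DMZ -> 172.16.0.0/16, so DMZ hosts can open sessions to the LAN; and ACL 113 permits `ip 172.16.0.0/16 any` toward the DMZ while ACL 110 on the serial never drops Internet packets that claim a 172.16 source. Interface names, addresses and the existing rule lines are taken from the posted config; the ACL numbers 114, 115 and 120 are assumptions chosen so the new lists can be built and then swapped in, rather than deleting 110/112 in place (an `ip access-group` that points at an ACL with no entries permits everything, so rebuilding a live list opens a window).

```cisco
! Added example, not from the original post. Assumed ACL numbers: 114
! (replaces 112 on Fa0/1 in), 115 (replaces 110 on Serial0/0:0 in),
! 120 (new, Fa0/0 in). ACL 113 (Fa0/1 out) is left as posted.
!
! 1. LAN -> DMZ only. Applied inbound on the LAN interface, this also
!    blocks LAN -> Internet, which the posted config never does.
access-list 120 permit ip 172.16.0.0 0.0.255.255 195.54.85.64 0.0.0.63
access-list 120 deny   ip any any log-input
!
! 2. DMZ hosts, inbound on Fa0/1. Order matters: first let replies to
!    LAN-initiated sessions back, then block everything else DMZ -> LAN,
!    then let the DMZ out to the Internet unrestricted. 'established'
!    matches only TCP segments with ACK or RST set, so DMZ hosts cannot
!    open new TCP sessions (SMB, RDP, ...) toward the LAN. The ACL is
!    stateless, so UDP and ICMP replies need their own lines.
access-list 114 deny   udp any any eq 1434
access-list 114 deny   ip 172.16.0.0 0.0.255.255 any
access-list 114 permit tcp 195.54.85.64 0.0.0.63 172.16.0.0 0.0.255.255 established
access-list 114 permit udp 195.54.85.64 0.0.0.63 eq domain 172.16.0.0 0.0.255.255
access-list 114 permit icmp 195.54.85.64 0.0.0.63 172.16.0.0 0.0.255.255 echo-reply
access-list 114 deny   ip 195.54.85.64 0.0.0.63 172.16.0.0 0.0.255.255 log-input
access-list 114 permit ip 195.54.85.64 0.0.0.63 any
access-list 114 deny   udp any any eq bootps
access-list 114 deny   ip any any log-input
!
! 3. Internet, inbound on the serial. Same as the posted ACL 110 plus a
!    drop for packets that arrive from the Internet with a LAN source;
!    without it the 'permit ip 172.16.0.0 0.0.255.255 any' line in ACL 113
!    would pass them into the DMZ.
access-list 115 deny   udp any any eq 1434
access-list 115 deny   ip 195.54.85.0 0.0.0.255 any
access-list 115 deny   ip 172.16.0.0 0.0.255.255 any
access-list 115 deny   udp any any range netbios-ns netbios-ss
access-list 115 deny   udp any any eq 135
access-list 115 permit ip any 195.54.85.0 0.0.0.255
access-list 115 deny   ip any any log-input
!
! 4. Swap the lists in, then retire 110 and 112.
interface FastEthernet0/0
 ip access-group 120 in
!
interface FastEthernet0/1
 ip access-group 114 in
!
interface Serial0/0:0
 ip access-group 115 in
!
no access-list 112
no access-list 110
```

Two checks after pasting this in: `show ip interface FastEthernet0/1` should list 114 inbound and 113 outbound, and `show access-lists` shows per-line hit counters, so mapping a drive from the LAN should increment the `established` line of 114 while a connection attempt from a DMZ server to a LAN address increments the logged deny just below it. Because `established` only covers TCP, anything the DMZ must send to the LAN unsolicited over UDP (for example NetBIOS name-service replies) needs an explicit permit in 114, and the same goes for a LAN-side ping of a DMZ host, which is why the `echo-reply` line is there. Note also that Fa0/0 is addressed 172.16.0.1/24 while the ACLs use the 0.0.255.255 wildcard for the stated /16 LAN; hosts outside 172.16.0.0/24 are only reachable if a route for them exists on the router. If the IOS image supports reflexive access lists, they replace the `established` trick with per-session state and are the cleaner option.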

