Help c2621 ACL - Inet/Dmz/Lan

Discussion in 'Cisco' started by Gudjon Bjarnason, May 18, 2004.

    Hello,

    I would really appreciate help configuring my Cisco 2621.

    Here is the scenario.

    I have a separate internet/dmz which I need to connect to my LAN.

    1x Serial ---- INTERNET
    1x FastEthernet ---- DMZ
    1x FastEthernet ---- LAN



    I want INTERNET to have restricted access to DMZ (based on ACL)
    I don't want LAN to access INTERNET
    I don't want DMZ to access LAN
    I don't want INTERNET to access LAN
    I want LAN to have unrestricted access to DMZ
    I want DMZ to have unrestricted access to INTERNET

    Example:
    I want to be able to map a drive to my DMZ servers from LAN.
    I don't want DMZ servers to map drives or have any access to LAN.



    My LAN uses:
    172.16.0.0 255.255.0.0


    Here is my current config:
    ----------------------------------------------
    !
    version 12.0
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname c2621
    !
    logging buffered 65536 debugging
    enable secret xxxxxxxxxxxxxxxxxxxxxxxxxxx
    !
    !
    !
    !
    !
    ip subnet-zero
    !
    isdn voice-call-failure 0
    !
    !
    !
    !
    controller E1 0/0
    framing NO-CRC4
    channel-group 0 timeslots 1-31
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    description LAN
    ip address 172.16.0.1 255.255.255.0
    no ip directed-broadcast
    duplex auto
    speed auto
    !
    interface Serial0/0:0
    description Internet
    ip address 195.54.95.250 255.255.255.252
    ip access-group 110 in
    no ip directed-broadcast
    !
    interface FastEthernet0/1
    description DMZ
    ip address 195.54.85.65 255.255.255.192
    ip access-group 112 in
    ip access-group 113 out
    no ip directed-broadcast
    duplex auto
    speed auto
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0:0
    no ip http server
    !
    access-list 110 deny udp any any eq 1434
    access-list 110 deny ip 195.54.85.0 0.0.0.255 any
    access-list 110 deny udp any any range netbios-ns netbios-ss
    access-list 110 deny udp any any eq 135
    access-list 110 permit ip any 195.54.85.0 0.0.0.255
    access-list 110 deny ip any any log-input
    !
    access-list 112 deny udp any any eq 1434
    access-list 112 deny ip 172.16.0.0 0.0.255.255 any
    access-list 112 permit ip 195.54.85.64 0.0.0.63 any
    access-list 112 deny udp any any eq bootps
    access-list 112 deny ip any any log-input
    !
    access-list 113 deny udp any any eq 1434
    access-list 113 permit udp any eq domain 195.54.85.64 0.0.0.63
    access-list 113 permit ip 195.54.85.0 0.0.0.255 195.54.85.64 0.0.0.63
    access-list 113 permit ip 172.16.0.0 0.0.255.255 any
    access-list 113 permit tcp any 195.54.85.64 0.0.0.63 established
    access-list 113 permit tcp any host 195.54.85.66 eq pop3
    access-list 113 permit tcp any host 195.54.85.66 eq 443
    access-list 113 permit tcp any host 195.54.85.67 eq 443
    access-list 113 permit tcp any host 195.54.85.68 eq www
    access-list 113 permit tcp any host 195.54.85.69 eq www
    access-list 113 permit tcp any host 195.54.85.69 eq smtp
    access-list 113 permit tcp any host 195.54.85.69 eq 8003
    access-list 113 permit tcp any host 195.54.85.71 eq smtp
    access-list 113 permit tcp any host 195.54.85.71 eq 8003
    access-list 113 permit tcp any host 195.54.85.72 eq domain
    access-list 113 permit udp any host 195.54.85.72 eq domain
    access-list 113 permit tcp any host 195.54.85.72 eq 3389
    access-list 113 permit tcp any host 195.54.85.73 eq www
    access-list 113 permit tcp any host 195.54.85.74 eq www
    access-list 113 permit tcp any host 195.54.85.76 eq www
    access-list 113 permit tcp any host 195.54.85.81 eq www
    access-list 113 permit tcp any 195.54.85.80 0.0.0.7 eq www
    access-list 113 permit tcp any host 195.54.85.85 eq ftp
    access-list 113 permit tcp any host 195.54.85.83 eq 3389
    access-list 113 permit tcp any 195.54.85.80 0.0.0.7 eq 3389
    access-list 113 permit tcp any host 195.54.85.89 eq www
    access-list 113 permit tcp any host 195.54.85.89 eq ftp
    access-list 113 permit tcp any host 195.54.85.90 eq www
    access-list 113 permit tcp any host 195.54.85.94 eq 443
    access-list 113 permit tcp any host 195.54.85.93 eq 3389
    access-list 113 permit tcp any host 195.54.85.94 eq www
    access-list 113 permit tcp any host 195.54.85.94 eq 3389
    access-list 113 permit tcp any host 195.54.85.96 eq www
    access-list 113 permit tcp any host 195.54.85.98 eq www
    access-list 113 permit udp any host 195.54.85.108 eq isakmp
    access-list 113 permit udp any host 195.54.85.108 eq 10000
    access-list 113 permit udp any host 195.54.85.108 eq 4500
    access-list 113 permit udp any host 195.54.85.108 eq 1701
    access-list 113 permit tcp any host 195.54.85.108 eq 11000
    access-list 113 permit esp any host 195.54.85.108
    access-list 113 permit icmp any 195.54.85.64 0.0.0.63
    access-list 113 deny tcp any any eq 17300
    access-list 113 deny tcp any any eq 3128
    access-list 113 deny tcp any any eq 1080
    access-list 113 deny tcp any any eq ident
    access-list 113 deny udp any any eq bootps
    access-list 113 deny ip any any log-input
    !
    line con 0
    transport input none
    line aux 0
    line vty 0 4
    password 7 xxxxxxxxxxxxxxx
    login
    !
    no scheduler allocate
    end

    ----------------------------------------------

    Thanks,
    Gudjon Bjarnason
    Denmark
     
    Gudjon Bjarnason, May 18, 2004
    #1
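One way to check the stated zone policy against the posted ACL text before touching the router, as an added example that is not part of the original post and not a Cisco tool: a small Python evaluator of first-match extended-ACL semantics with wildcard masks. It only models the ACL lookup (routing, NAT and TCP state are not modelled), the service-name table covers just the names used in the post, and the sample DMZ, LAN and Internet hosts are constructed for illustration.

```python
"""Minimal evaluator for Cisco-style numbered extended ACLs (added example)."""
import ipaddress

# Service names appearing in the posted config, resolved to port numbers.
PORT_NAMES = {
    "netbios-ns": 137, "netbios-ss": 139, "bootps": 67, "domain": 53,
    "www": 80, "pop3": 110, "smtp": 25, "ftp": 21, "isakmp": 500, "ident": 113,
}

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns ((network_int, care_mask_int), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    care = 0xFFFFFFFF ^ wildcard          # wildcard bit set = "don't care"
    return (addr & care, care), tokens[2:]

def _parse_ports(tokens):
    """Consume an optional 'eq P' or 'range A B'. Returns ((lo, hi) or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = _port(tokens[1])
        return (p, p), tokens[2:]
    if tokens and tokens[0] == "range":
        return (_port(tokens[1]), _port(tokens[2])), tokens[3:]
    return None, tokens

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [ports] dst [ports] [established] ...'
    lines into {acl_number: [entries]} preserving line order."""
    acls = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list":
            continue
        num, action, proto = toks[1], toks[2], toks[3]
        src, rest = _parse_addr(toks[4:])
        sport, rest = _parse_ports(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_ports(rest)
        acls.setdefault(num, []).append(dict(
            action=action, proto=proto, src=src, sport=sport, dst=dst,
            dport=dport, established="established" in rest))
    return acls

def _addr_match(spec, ip):
    net, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == net

def _port_match(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])

def evaluate(entries, proto, src, dst, sport=None, dport=None, established=False):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_addr_match(e["src"], src) and _addr_match(e["dst"], dst)):
            continue
        if not (_port_match(e["sport"], sport) and _port_match(e["dport"], dport)):
            continue
        if e["established"] and not established:   # needs ACK/RST set
            continue
        return e["action"]
    return "deny"

# ACLs 110 (Internet in) and 112 (DMZ in) exactly as posted.
POSTED_ACLS = """\
access-list 110 deny udp any any eq 1434
access-list 110 deny ip 195.54.85.0 0.0.0.255 any
access-list 110 deny udp any any range netbios-ns netbios-ss
access-list 110 deny udp any any eq 135
access-list 110 permit ip any 195.54.85.0 0.0.0.255
access-list 110 deny ip any any log-input
access-list 112 deny udp any any eq 1434
access-list 112 deny ip 172.16.0.0 0.0.255.255 any
access-list 112 permit ip 195.54.85.64 0.0.0.63 any
access-list 112 deny udp any any eq bootps
access-list 112 deny ip any any log-input
"""

def check_zone_policy():
    """Evaluate the poster's stated intents against the posted ACLs.
    Host addresses below are constructed samples (one DMZ server, one LAN
    client, one Internet client), not values from the post."""
    acls = parse_acl(POSTED_ACLS)
    dmz_host, lan_host, inet_host = "195.54.85.70", "172.16.0.10", "203.0.113.5"
    return {
        # Intent: DMZ must not reach LAN. ACL 112 line 3 permits the whole
        # DMZ /26 to *any* destination, so a DMZ->LAN SMB session is allowed.
        "dmz_to_lan_smb": evaluate(acls["112"], "tcp", dmz_host, lan_host, 40000, 445),
        # Intent: Internet must not reach LAN. ACL 110 only permits destinations
        # in 195.54.85.0/24; LAN falls through to the final deny.
        "inet_to_lan_smb": evaluate(acls["110"], "tcp", inet_host, lan_host, 40000, 445),
        # udp/1434 is dropped by the first line regardless of destination.
        "inet_to_dmz_udp1434": evaluate(acls["110"], "udp", inet_host, dmz_host, 1434, 1434),
        # Internet to a DMZ web server passes ACL 110 (ACL 113 out then applies).
        "inet_to_dmz_www": evaluate(acls["110"], "tcp", inet_host, "195.54.85.68", 40000, 80),
    }
```

Running `check_zone_policy()` shows the one intent the posted ACLs do not meet: because ACL 112 permits the DMZ block to any destination, DMZ hosts can initiate connections into 172.16.0.0/16, while the Internet-to-LAN and udp/1434 cases are denied as intended.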