Problem with cisco ACL

Discussion in 'Cisco' started by fmorelle@gmail.com, Feb 21, 2005.

  1. Guest

    Hello,

    I'm looking for a solution for my config.
    I'm unable to go through my router to access the web server and the FTP
    server. Could someone help me?

    Thanks

    Here is my sh run:

    Current configuration : 3063 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Gateway
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 XXXX
    !
    username Administrator
    memory-size iomem 15
    no aaa new-model
    ip subnet-zero
    ip cef
    !
    !
    !
    ip inspect name fw tcp timeout 3600
    ip inspect name fw http timeout 3600
    ip inspect name fw ftp timeout 3600
    ip inspect name fw smtp timeout 3600
    ip inspect name fw udp timeout 15
    ip audit po max-events 100
    !
    !
    !
    !
    interface Ethernet0/0
    ip address 192.168.123.100 255.255.255.0
    ip nat inside
    ip inspect fw in
    no ip mroute-cache
    full-duplex
    no keepalive
    !
    interface Serial0/0
    no ip address
    shutdown
    !
    interface Ethernet0/1
    no ip address
    half-duplex
    pppoe enable
    pppoe-client dial-pool-number 1
    !
    interface Dialer1
    ip address negotiated
    ip access-group 104 in
    ip mtu 1492
    ip nat outside
    encapsulation ppp
    ip tcp adjust-mss 1452
    no ip mroute-cache
    dialer pool 1
    dialer remote-name redback
    dialer-group 1
    ppp authentication pap chap callin
    ppp chap hostname XXXX
    ppp chap password 0 XXXX
    ppp pap sent-username XXXX password 0 XXXX
    !
    ip nat inside source list 1 interface Dialer1 overload
    ip http server
    ip http port 8080
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    !
    access-list 1 permit 192.168.123.0 0.0.0.255
    access-list 104 remark *** WEB + FTP ***
    access-list 104 permit tcp any host 192.168.123.193 eq www
    access-list 104 permit tcp any host 192.168.123.193 eq ftp
    access-list 104 remark *** Admin ***
    access-list 104 permit tcp any any eq telnet
    access-list 104 permit tcp any any eq 8080
    access-list 104 remark *** Host deny ***
    access-list 104 deny ip 10.0.0.0 0.255.255.255 any
    access-list 104 deny ip 127.0.0.0 0.255.255.255 any
    access-list 104 deny ip host 0.0.0.0 any
    access-list 104 deny ip any host 255.255.255.255
    access-list 104 deny ip host 255.255.255.255 any
    access-list 104 remark *** ICMP ***
    access-list 104 permit icmp any any administratively-prohibited
    access-list 104 permit icmp any any echo
    access-list 104 permit icmp any any echo-reply
    access-list 104 permit icmp any any packet-too-big
    access-list 104 permit icmp any any time-exceeded
    access-list 104 permit icmp any any traceroute
    access-list 104 permit icmp any any unreachable
    access-list 104 deny icmp any any
    access-list 104 deny ip any any
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    !
    banner motd ^C
    Access strictly prohibited
    ^C
    !
    line con 0
    exec-timeout 360 0
    line aux 0
    line vty 0 4
    exec-timeout 120 0
    privilege level 15
    password XXXXXX
    login
    !
    scheduler max-task-time 5000
    !
    !
    end
     
    , Feb 21, 2005
    #1

  2. RobO Guest

    Hi,

    You need to put in static nat statements.
    Something like this
    ip nat inside source static tcp www_server_ip 80 interface dialer 1 80
    ip nat inside source static tcp ftp_server_ip ftp-data interface dialer 1 ftp-data
    ip nat inside source static tcp ftp_server_ip ftp interface dialer 1 ftp

    You will need to pipe ports 20 and 21 for FTP access; make sure they are both
    in your inbound access-list, as you only have port 21.

    That should do the trick.

    Rob
     
    RobO, Feb 21, 2005
    #2
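An added illustration of the other half of the problem (this is not the poster's config or Rob's fix): on IOS the inbound ACL on the outside interface is evaluated before the outside-to-inside NAT translation, so a packet from the Internet still carries the Dialer1 public address as its destination when ACL 104 is checked and never matches the entries for host 192.168.123.193. The small first-match evaluator below walks a constructed excerpt of ACL 104 with made-up addresses (203.0.113.5 for the remote client, 198.51.100.7 standing in for the negotiated Dialer1 address) and shows the web entry only matches once the destination is written for the pre-NAT address, which together with the static NAT statements is what makes the forward work.

```python
import ipaddress

# Constructed excerpt of the thread's ACL 104 (remarks and ICMP lines left out).
ACL_104 = """
access-list 104 permit tcp any host 192.168.123.193 eq www
access-list 104 permit tcp any host 192.168.123.193 eq ftp
access-list 104 permit tcp any any eq 8080
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip any any
"""
# Same list with the web/ftp entries matching the pre-NAT (public) destination;
# the Dialer1 address is negotiated, so "any" is the practical choice there.
ACL_104_FIXED = ACL_104.replace("host 192.168.123.193", "any")

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23}

def parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard masks are hostmasks (0.255.255.255 == /8), which ipaddress accepts.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_rule(line):
    """access-list N {permit|deny} PROTO SRC DST [eq PORT] -> (action, proto, src, dst, dport)."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = parse_addr(rest)          # source-port qualifiers not handled (ACL 104 has none)
    dst, rest = parse_addr(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def evaluate(acl_text, proto, src_ip, dst_ip, dport=None):
    """First-match walk top to bottom, as the router does; returns (action, matching line)."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_text.strip().splitlines():
        action, rproto, src, dst, rdport = parse_rule(line)
        if rproto not in ("ip", proto) or src_ip not in src or dst_ip not in dst:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action, line.strip()
    return "deny", "implicit deny"   # every IOS ACL ends with an implicit deny

if __name__ == "__main__":
    # Inbound on Dialer1 the destination is still the public address, not 192.168.123.193,
    # because the inbound ACL is checked before the outside-to-inside NAT translation.
    print(evaluate(ACL_104, "tcp", "203.0.113.5", "198.51.100.7", 80))        # ('deny', '... deny ip any any')
    print(evaluate(ACL_104_FIXED, "tcp", "203.0.113.5", "198.51.100.7", 80))  # ('permit', '... eq www')
```

The same walk also shows why entry order matters in this list: a packet from a 10.0.0.0/8 source to port 8080 is permitted by the Admin entry before the Host deny entries are ever reached.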

  3. kyle deyniel

    Joined:
    Feb 10, 2011
    Messages:
    1
    How can I deny the first 31 hosts of VLAN 40 (10.16.0.0/20) from pinging the last 2 hosts of VLAN 30, while VLAN 30 (10.16.16.0/24) must still be able to ping VLAN 40?
     
    kyle deyniel, Feb 10, 2011
    #3