01-21-2008 12:21 PM - edited 03-05-2019 08:36 PM
Hi all, I have two domains connected via an 1811 router. I have one FA0 set to 172.17.1.145/16 and FA1 set to 192.168.250.200/24.
I have two NT4.0 domain controllers on the 172.17.x.x subnet.
I am trying to add file permissions to objects that are in the 172.17.x.x subnet. I am attempting to add permissions for users that exist in the 192.168.250.x subnet to files and folders in the 172.17.x.x subnet. I have two domain controllers 172.17.2.80 and 172.17.2.100. I cannot add permissions to 192.168.250.x users for resources in 172.17.x.x subnet.
In addition, I want to stop traffic originating from 172.17.x.x getting to 192.168.250.x unless it is from the two domain controllers 172.17.2.80 and 172.17.2.100.
Here is the access list I am using.
!
interface FastEthernet0
ip address 172.17.1.145 255.255.0.0
ip access-group 199 in
ip helper-address 192.168.250.13
ip helper-address 192.168.250.14
ip directed-broadcast
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
speed auto
half-duplex
!
interface FastEthernet1
ip address 192.168.250.200 255.255.255.0
ip helper-address 172.17.2.60
ip helper-address 172.17.2.30
ip helper-address 172.17.2.255
ip helper-address 172.17.255.255
ip helper-address 172.16.255.255
ip directed-broadcast
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer1
no ip address
no cdp enable
!
ip forward-protocol udp netbios-ss
ip forward-protocol udp 42508
ip route 0.0.0.0 0.0.0.0 192.168.250.1
ip route 172.16.0.0 255.255.0.0 172.17.1.1
ip route 172.17.0.0 255.255.0.0 172.17.1.1
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0 overload
!
logging 172.17.1.31
access-list 3 permit any
access-list 110 deny ip 192.168.250.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny ip 192.168.250.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 192.168.250.0 0.0.0.255 any
access-list 120 permit ip 192.168.250.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 permit ip 192.168.250.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 121 permit ip 192.168.250.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 121 permit ip 192.168.250.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 189 permit icmp any any echo-reply
access-list 189 permit tcp any any established
access-list 189 deny ip 172.16.0.0 0.0.255.255 any
access-list 189 deny ip 172.17.0.0 0.0.255.255 any
access-list 189 permit ip any any
access-list 198 permit ip 172.16.0.0 0.0.255.255 192.168.250.0 0.0.0.255
access-list 198 permit ip 172.17.0.0 0.0.255.255 192.168.250.0 0.0.0.255
access-list 199 permit ip host 172.17.2.80 any
access-list 199 permit ip host 172.17.2.100 any
access-list 199 permit udp any eq netbios-ns any
access-list 199 permit udp any eq netbios-dgm any
access-list 199 permit udp any eq netbios-ss any
access-list 199 permit tcp any any established
access-list 199 permit icmp any any echo-reply
access-list 199 deny ip 172.17.0.0 0.0.255.255 192.168.250.0 0.0.0.255
access-list 199 deny ip 172.16.0.0 0.0.255.255 192.168.250.0 0.0.0.255
access-list 199 permit ip any any
priority-list 1 protocol ip high
Do I need to point my helper addresses to be the same?
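Access-list 199 from the post, traced with a small first-match evaluator so each constructed packet can be checked against the entry that decides it. This is an added example, not the poster's configuration or Cisco code; the workstation 172.17.5.10, the host 203.0.113.7 and the port numbers are assumptions. It shows that the two deny entries do stop new sessions from non-controller 172.17.x.x hosts toward 192.168.250.x, while the established and NetBIOS source-port entries above them still admit traffic from any host.

```python
import ipaddress

# IOS numbered-ACL semantics: entries tested top to bottom, first match wins, implicit deny at the end.
def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' for that bit."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

ANY = ("0.0.0.0", "255.255.255.255")
def entry(action, proto, src=ANY, dst=ANY, **fields):
    # extra fields (sport, ack, icmp_type) must equal the packet's values to match
    return {"action": action, "proto": proto, "src": src, "dst": dst, **fields}

# Transcription of access-list 199 from the post (applied inbound on FastEthernet0).
ACL_199 = [
    entry("permit", "ip", src=("172.17.2.80", "0.0.0.0")),
    entry("permit", "ip", src=("172.17.2.100", "0.0.0.0")),
    entry("permit", "udp", sport=137),                 # eq netbios-ns
    entry("permit", "udp", sport=138),                 # eq netbios-dgm
    entry("permit", "udp", sport=139),                 # eq netbios-ss
    entry("permit", "tcp", ack=True),                  # established (ACK or RST set)
    entry("permit", "icmp", icmp_type="echo-reply"),
    entry("deny", "ip", src=("172.17.0.0", "0.0.255.255"), dst=("192.168.250.0", "0.0.0.255")),
    entry("deny", "ip", src=("172.16.0.0", "0.0.255.255"), dst=("192.168.250.0", "0.0.0.255")),
    entry("permit", "ip"),
]

def evaluate(acl, pkt):
    """Return (action, entry_number) of the first matching entry, or ('deny', 0)."""
    for n, e in enumerate(acl, 1):
        fields = {k: v for k, v in e.items() if k not in ("action", "proto", "src", "dst")}
        if (e["proto"] in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])
                and all(pkt.get(k) == v for k, v in fields.items())):
            return e["action"], n
    return "deny", 0  # implicit deny

def packet(proto, src, dst, **extra):
    return {"proto": proto, "src": src, "dst": dst, **extra}

def trace_post_scenarios():
    # Constructed packets; 172.17.5.10 (workstation) and 203.0.113.7 are hypothetical hosts.
    cases = {
        "dc_to_remote_file_server": packet("tcp", "172.17.2.80", "192.168.250.13", dport=445),
        "workstation_to_remote_file_server": packet("tcp", "172.17.5.10", "192.168.250.13", dport=445),
        "workstation_reply_in_existing_session": packet("tcp", "172.17.5.10", "192.168.250.13", ack=True),
        "workstation_netbios_ns_from_port_137": packet("udp", "172.17.5.10", "192.168.250.13", sport=137),
        "workstation_to_other_network": packet("tcp", "172.17.5.10", "203.0.113.7", dport=80),
    }
    return {name: evaluate(ACL_199, p) for name, p in cases.items()}
```

Entries keyed only on a source port apply to every host, so they are a weaker filter than the host-based permits for the two domain controllers.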
01-25-2008 03:44 PM
Verify your ACL once again.