I provide dial-up access to users in the field through a 2811 router on my network. I need to create an access-list that severely limits access to my LAN but still allows them to get to my firewall and out to the world to access the Internet.
I have 4 internal networks they should not be able to access:
One internal network they should be able to access:
This is the current access-list I have in place (it is applied outbound on the router's f0/0 LAN interface), but it is not working correctly:
permit tcp 192.168.216.0 0.0.0.255 host 192.168.200.210
permit tcp 192.168.216.0 0.0.0.255 192.168.0.0 0.0.0.255
permit tcp 192.168.216.0 0.0.0.255 host 192.168.200.21 eq 53
permit udp 192.168.216.0 0.0.0.255 host 192.168.200.21 eq 53
permit tcp 192.168.216.0 0.0.0.255 host 192.168.200.7 eq 53
permit udp 192.168.216.0 0.0.0.255 host 192.168.200.7 eq 53
permit icmp any any echo-reply
deny tcp 192.168.216.0 0.0.0.255 192.168.200.0 0.0.7.255
deny tcp 192.168.216.0 0.0.0.255 192.168.16.0 0.0.7.255
deny tcp 192.168.216.0 0.0.0.255 192.168.100.0 0.0.0.255
deny tcp 192.168.216.0 0.0.0.255 10.10.0.0 0.0.255.255
permit ip any any
I am not able to access websites that I have in the 192.168.0.0/24 network, but I can hit websites on the Internet. The dial-in users are using my internal DNS servers, and when I do an nslookup for websites in my 192.168.0.0/24 subnet it comes back with the correct IP address, so I know it can see it, but it can't get there.
Any help is appreciated.
I do not know your network setup, but I think you could add an ACL entry permitting all networks to your server on TCP port 80, and place it at the top of the ACL. E.g.:
permit tcp any host 192.168.0.X eq 80
(where 192.168.0.X is the IP address of the web server)
Please rate the solution if it works.
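To make the first-match semantics of the posted access-list and of the suggested extra entry concrete, here is an added Python example; it is not from the original thread or from Cisco, and it evaluates Cisco-style extended ACL entries (wildcard masks, optional `eq` ports, ICMP type keywords, implicit deny at the end) against constructed packets. It assumes the first entry's wildcard was meant to be 0.0.0.255 (the posted 0.0.0.225 reads as a typo), uses 192.168.216.10 as a sample dial-in address from the 192.168.216.0/24 pool, and 192.168.0.50 as a stand-in for the answer's 192.168.0.X web server; all packets and hosts are constructed. Two things it shows: TCP from the pool to 192.168.0.0/24 already hits entry 2 (permit), so the entries themselves are not what blocks those web servers; and, a caveat worth checking before trusting this list, the deny entries match only `tcp`, so UDP and ICMP from the pool to the four "blocked" networks fall through to the final `permit ip any any`.

```python
"""First-match evaluator for Cisco IOS extended-ACL entries (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Keyword ports IOS accepts in place of numbers (subset).
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "smtp": 25, "telnet": 23}


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[str, str]
    sport: Optional[int]
    dst: Tuple[str, str]
    dport: Optional[int]
    icmp_type: Optional[str]


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None
    icmp_type: Optional[str] = None


def parse_ace(line: str) -> Ace:
    """Parse '<permit|deny> <proto> <src> [eq p] <dst> [eq p] [icmp-type]'."""
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2

    def addr() -> Tuple[str, str]:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return ("0.0.0.0", "255.255.255.255")
        if toks[i] == "host":
            i += 2
            return (toks[i - 1], "0.0.0.0")
        i += 2
        return (toks[i - 2], toks[i - 1])

    def port() -> Optional[int]:
        nonlocal i
        if i < len(toks) and toks[i] == "eq":
            p = toks[i + 1]
            i += 2
            return PORT_NAMES.get(p) or int(p)
        return None

    src, sport = addr(), port()
    dst, dport = addr(), port()
    icmp_type = toks[i] if proto == "icmp" and i < len(toks) else None
    return Ace(action, proto, src, sport, dst, dport, icmp_type)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def first_match(acl: List[str], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (1-based entry number, action) of the first hit; no hit is the implicit deny."""
    for n, line in enumerate(acl, start=1):
        ace = parse_ace(line)
        if matches(ace, pkt):
            return n, ace.action
    return None, "deny"


# The posted list, with the first entry's wildcard taken as 0.0.0.255 (assumption).
POSTED_ACL = [
    "permit tcp 192.168.216.0 0.0.0.255 host 192.168.200.210",
    "permit tcp 192.168.216.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "permit tcp 192.168.216.0 0.0.0.255 host 192.168.200.21 eq 53",
    "permit udp 192.168.216.0 0.0.0.255 host 192.168.200.21 eq 53",
    "permit tcp 192.168.216.0 0.0.0.255 host 192.168.200.7 eq 53",
    "permit udp 192.168.216.0 0.0.0.255 host 192.168.200.7 eq 53",
    "permit icmp any any echo-reply",
    "deny tcp 192.168.216.0 0.0.0.255 192.168.200.0 0.0.7.255",
    "deny tcp 192.168.216.0 0.0.0.255 192.168.16.0 0.0.7.255",
    "deny tcp 192.168.216.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "deny tcp 192.168.216.0 0.0.0.255 10.10.0.0 0.0.255.255",
    "permit ip any any",
]

# The answer's suggestion placed at the top; 192.168.0.50 stands in for 192.168.0.X (assumption).
SUGGESTED_ACL = ["permit tcp any host 192.168.0.50 eq 80"] + POSTED_ACL


def permitted_probes(acl: List[str], src: str, dst: str) -> List[Tuple[str, object]]:
    """Which of three constructed probes (TCP/445, UDP/161, ICMP echo) the ACL lets through to dst."""
    probes = [
        Packet("tcp", src, dst, dport=445),
        Packet("udp", src, dst, dport=161),
        Packet("icmp", src, dst, icmp_type="echo"),
    ]
    return [(p.proto, p.dport or p.icmp_type) for p in probes if first_match(acl, p)[1] == "permit"]


if __name__ == "__main__":
    user = "192.168.216.10"  # constructed dial-in address
    print(first_match(POSTED_ACL, Packet("tcp", user, "192.168.0.50", dport=80)))
    print(permitted_probes(POSTED_ACL, user, "192.168.100.5"))
    print(first_match(SUGGESTED_ACL, Packet("tcp", "10.10.3.3", "192.168.0.50", dport=80)))
```

The evaluator models only entry matching; on a real router the list also has to be bound to the interface and direction the traffic actually crosses, and an ACL applied outbound on f0/0 never sees packets the router forwards out a different interface. If the denies are meant to cover more than TCP, `deny ip` rather than `deny tcp` is what closes the UDP and ICMP fall-through the probe function reports.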