OK, I probably have lost my mind, but I cannot get this to work!
SERIAL 0/0 A.A.A.A 255.255.255.252
FastEthernet 0/0 Legitimate Class C B.B.B.0 255.255.255.0
FastEthernet 0/1 Class 10.1.1.0 255.255.255.0
Serial 0/2 10.101.101.105
Serial 0/0 is NAT overloaded for 10.1.1.0
B.B.B.0 remains clear IP addresses
I have an extended access list number 103 which denies the usual hacks
such as 16669 and SQL Server scans 1433, etc. I have applied this to
SER 0/0 (A.A.A.A) as
ip access-group 103 in
This seems to work!
However, I would like to achieve the following, which has not been working.
Behind SER 0/2 is 10.2.2.0 255.255.255.0. I would like complete access from
my B.B.B.0 network as well as the 10.1.1.0 network to 10.2.2.0. On the other hand, the 10.2.2.0 network should only be provided access to www on 1 machine on the B.B.B.0 network. I have used the following:
ip access-list 102 permit tcp 10.1.1.0 0.0.0.255 host B.B.B.1_MACHINE eq www
ip access-list 102 deny ip 10.1.1.0 0.0.0.255 any
Here's the fun part: I have tried the following statements
ip access-group 102 in to SER 0/2
ip access-group 102 out to SER 0/2
ip access-group 102 in to FASTETH 0/0
ip access-group 102 out to FASTETH 0/0
I get a host of bad behaviors but nothing that works as expected.
The weirdest one is when I try to telnet from a machine on
B.B.B.any to the router at 10.2.2.100 and it fails. Yet if I telnet to the
router on B.B.B.100 and telnet to 10.2.2.100 from inside there, it works!
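As an added worked example (my own code, not part of the original post or any vendor tool), here is a small evaluator for Cisco-style extended ACL entries, including the implicit deny at the end of every IOS access list. It runs the ACL 102 exactly as posted (source 10.1.1.0/24) against a few constructed packets, and then an assumed second list written against the stated intent (source 10.2.2.0/24, www to one host, plus an `established` entry so that replies to sessions opened from B.B.B.0 can get back through an inbound filter on SER 0/2). The documentation range 192.0.2.0/24 stands in for B.B.B.0/24, and 192.0.2.1 for B.B.B.1_MACHINE; both are placeholders I chose, and the intent list is an assumption about what the poster wants, not a statement of what the router was configured with.

```python
# Added example, not the poster's configuration: a minimal evaluator for
# Cisco-style numbered extended ACLs.  192.0.2.0/24 is a constructed stand-in
# for B.B.B.0/24; the "intent" ACL is an assumption about the stated goal.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(IPv4Address(addr))
    n = int(IPv4Address(network))
    w = int(IPv4Address(wildcard))
    return (a | w) == (n | w)


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches everything, else "tcp"/"udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # "eq <port>" on the destination, if any
    established: bool = False     # TCP only: match segments with ACK/RST set


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    ack: bool = False             # True for anything but the opening SYN


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; fall through to the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not pkt.ack:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every IOS access list


HOST = "0.0.0.0"                       # wildcard for "host x.x.x.x"
ANY = ("0.0.0.0", "255.255.255.255")   # "any"
WEB_SERVER = "192.0.2.1"               # placeholder for B.B.B.1_MACHINE

# ACL 102 as posted: note that both entries match source 10.1.1.0/24.
ACL_AS_POSTED = [
    Ace("permit", "tcp", "10.1.1.0", "0.0.0.255", WEB_SERVER, HOST, dport=80),
    Ace("deny", "ip", "10.1.1.0", "0.0.0.255", *ANY),
]

# Assumed list written against the stated intent for the 10.2.2.0/24 side.
ACL_INTENT = [
    Ace("permit", "tcp", "10.2.2.0", "0.0.0.255", WEB_SERVER, HOST, dport=80),
    Ace("permit", "tcp", "10.2.2.0", "0.0.0.255", *ANY, established=True),
    Ace("deny", "ip", "10.2.2.0", "0.0.0.255", *ANY),
]

# Constructed sample flows as they would be seen inbound on SER 0/2.
FLOWS: Dict[str, Packet] = {
    "s2_to_www": Packet("tcp", "10.2.2.50", WEB_SERVER, 80),
    "s2_to_other_telnet": Packet("tcp", "10.2.2.50", "192.0.2.7", 23),
    "s2_reply_to_bbb": Packet("tcp", "10.2.2.100", "192.0.2.20", 50000, ack=True),
    "s1_to_www": Packet("tcp", "10.1.1.5", WEB_SERVER, 80),
}


def results(acl: List[Ace]) -> Dict[str, str]:
    """Verdict per sample flow for the given access list."""
    return {name: evaluate(acl, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("intent", ACL_INTENT)):
        print(f"--- ACL 102 ({label}) ---")
        for name, verdict in results(acl).items():
            print(f"{verdict:6s} {name}")
```

Running it shows that the list as posted never matches a 10.2.2.0 source at all, so every packet from that side falls through to the implicit deny, including the replies that a telnet session from B.B.B.x to 10.2.2.100 needs to get back; the assumed intent list permits only www to the one host and, because of the `established` entry, lets replies to sessions opened from the other side through while still denying new connections from 10.2.2.0.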