ACL issue

Hi Amrit,

I have a simple configuration: a DSL line, some users browsing the internet and sending/receiving e-mail, and a public web server.

It all seems to be up and running, but in order to publish the web server I have to open a lot of TCP ports other than 80, because the web server seems to answer through the port owned by the client that started the request.

This is the configuration:

web server 192.168.100.253, public 212.110.x.y; it's also the LAN's proxy server

****************************************

version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
no aaa new-model
ip subnet-zero
no ip source-route
!
!ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
interface Ethernet0
 ip address 192.168.101.254 255.255.255.0 secondary
 ip address 192.168.100.254 255.255.255.0
 ip access-group 101 in
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxx
 ppp chap password yyyyyyyyyyyyyyyyyyyy
!
ip nat inside source list 10 interface Dialer0 overload
ip nat inside source static tcp 192.168.100.253 22 212.110.x.y 22 extendable no-alias
ip nat inside source static tcp 192.168.100.253 80 212.110.x.y 80 extendable no-alias
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
access-list 10 permit 192.168.100.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
access-list 101 permit icmp any any
access-list 101 permit tcp host 192.168.100.253 any eq domain
access-list 101 permit udp host 192.168.100.253 any eq domain
access-list 101 permit tcp host 192.168.100.253 any eq www
access-list 101 permit tcp host 192.168.100.253 any eq smtp
access-list 101 permit tcp host 192.168.100.253 any eq ftp
access-list 101 permit tcp host 192.168.100.253 any eq pop3
access-list 101 permit tcp host 192.168.100.253 any eq 1433
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq pop3
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 1433
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq ftp
access-list 101 permit tcp host 192.168.100.253 any range 0 10000 (without this line the web server is not published)
access-list 101 deny ip any any
!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 30 in
 exec-timeout 120 0
 login local
!
scheduler max-task-time 5000
!
end

Regards

Alberto Brivio

1 REPLY

Re: ACL issue

Hi,

The web connections you are trying to filter are from any (dynamic port) to your web server (port 80).

This behavior is not changeable. I would modify your ACL to filter on the incoming port, not the outgoing one:

access-list 101 permit tcp host 192.168.100.253 eq 80 any range 0 10000

(You might reconsider the range; I think it depends on the client OS, so you are better off with any ports.)
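As an added illustration of the reply's point (this is not from the original thread or from Cisco): a small model of IOS extended-ACL matching, run over the web server's reply packet as ACL 101 sees it inbound on Ethernet0. It also shows why the `range 0 10000` workaround from the question depends on the client's ephemeral port choice, which is what the reply warns about. The client address 203.0.113.10 and the client ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

Port = Optional[Tuple[int, int]]  # inclusive (lo, hi); None means any port

@dataclass(frozen=True)
class Ace:
    """One entry of an extended IOS ACL, TCP only (enough for this thread)."""
    action: str    # "permit" or "deny"
    src: str       # source network in CIDR form; "0.0.0.0/0" stands for "any"
    src_port: Port
    dst: str
    dst_port: Port

def _port_ok(rng: Port, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]

def evaluate(acl, src_ip, src_port, dst_ip, dst_port) -> str:
    """First matching entry wins; the implicit deny applies when none matches."""
    for ace in acl:
        if (ip_address(src_ip) in ip_network(ace.src)
                and ip_address(dst_ip) in ip_network(ace.dst)
                and _port_ok(ace.src_port, src_port)
                and _port_ok(ace.dst_port, dst_port)):
            return ace.action
    return "deny"

WEB, ANY = "192.168.100.253/32", "0.0.0.0/0"
DENY_ALL = Ace("deny", ANY, None, ANY, None)
# "permit tcp host 192.168.100.253 any eq www": matches only packets *to* port 80.
ORIGINAL = [Ace("permit", WEB, None, ANY, (80, 80)), DENY_ALL]
# "permit tcp host 192.168.100.253 any range 0 10000": the workaround from the question.
WORKAROUND = [Ace("permit", WEB, None, ANY, (0, 10000)), DENY_ALL]
# "permit tcp host 192.168.100.253 eq 80 any": the reply's suggestion, keyed on source port.
SUGGESTED = [Ace("permit", WEB, (80, 80), ANY, None), DENY_ALL]

def server_reply(acl, client_port: int) -> str:
    """The web server's reply to a client, as ACL 101 sees it inbound on Ethernet0.
    Client address 203.0.113.10 is a constructed documentation address."""
    return evaluate(acl, "192.168.100.253", 80, "203.0.113.10", client_port)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("workaround", WORKAROUND), ("suggested", SUGGESTED)):
        # 3500 sits inside "range 0 10000"; 51234 is a typical modern ephemeral port.
        print(f"{name:10s} client port 3500 -> {server_reply(acl, 3500):6s}  51234 -> {server_reply(acl, 51234)}")
```

The original `any eq www` entry still has a job: it is what lets the proxy itself make outbound requests to port 80, which is a different flow from the replies it sends to inbound clients.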
