New Member

DMZ Public LAN

I need to set up a public LAN. We currently have a 2651 router running IOS version 12.2(2)T1. We have the dual-port Ethernet card and already have a stable private LAN. I know that I have to create an access list for the F0/1 (public) port and have an IP address defined; when I do the no shutdown on F0/1 I get line up, protocol down. I am not seeing what would cause the protocol to stay down. The access list is defined:

permit icmp 207.228.41.56 0.0.0.7 any
deny ip any any

ON THE INBOUND of F0/1

and then

permit udp any host 207.228.41.62 eq domain
permit tcp any host 207.228.41.62 eq domain
permit tcp any host 207.228.41.62 eq www
permit tcp any host 207.228.41.62 eq ftp
permit tcp any host 207.228.41.62 eq smtp
permit icmp any 207.228.41.56 0.0.0.7 administratively-prohibited
permit icmp any 207.228.41.56 0.0.0.7 echo
permit icmp any 207.228.41.56 0.0.0.7 echo-reply
permit icmp any 207.228.41.56 0.0.0.7 packet-too-big
permit icmp any 207.228.41.56 0.0.0.7 time-exceeded
permit icmp any 207.228.41.56 0.0.0.7 traceroute
permit icmp any 207.228.41.56 0.0.0.7 unreachable
deny ip any any

ON THE INBOUND for S0/0 - line in from Internet

I can't ping anything on the F0/1 port.

Any help would be helpful. I have jumped with both feet into this; there is no one in house with any knowledge of Cisco commands, and since everyone here knows I attended a couple of classes I have been dubbed the holder of the configurations.

Thank you for your time - a newbie. =-)

Accepted Solution
Cisco Employee

Re: DMZ Public LAN

If your line protocol is down then forget about pinging anything on that interface until you get it up. Check your cabling and the speed/duplex settings on both the fa0/1 interface and the switch/hub you're connecting it into.

After that, remove the "permit icmp, deny any" ACL on the fa0/1 interface, because this will stop all return traffic from getting out. Just use the inbound ACL on s0/0 to protect that segment. You might also want to add the following:

permit tcp any host 207.228.41.62 eq ftp-data

to allow the FTP data channel through. Check whether you also need HTTPS access (in addition to www) and POP3 (in addition to SMTP), and allow these in if necessary.
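The point of the accepted answer, that the fa0/1 inbound list only lets ICMP out of the DMZ and its "deny ip any any" then catches every TCP reply from the web server, can be checked by simulating IOS first-match ACL evaluation. This is an added example, not the poster's configuration or anything from IOS; the ACL lines are copied from the question, the outside client address 198.51.100.10 and the sample flow are constructed, and contiguous wildcard masks are assumed.

```python
import ipaddress

PORTS = {"domain": 53, "www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25}

def _addr(tok):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD') from tok."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # A wildcard is an inverted netmask; the contiguous wildcards on this page map to a prefix.
    mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF))
    return ipaddress.ip_network((tok[0], mask), strict=False), tok[2:]

def parse_ace(line):
    """Parse 'permit|deny proto src dst [eq port | icmp-type]' into a dict."""
    tok = line.split()
    src, rest = _addr(tok[2:])
    dst, rest = _addr(rest)
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst,
            "port": PORTS[rest[1]] if rest[:1] == ["eq"] else None,
            "icmp_type": rest[0] if rest and tok[1] == "icmp" else None}

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    if acl is None:  # no ACL applied to the interface: nothing is filtered
        return "permit"
    for ace in map(parse_ace, acl):
        if (ace["proto"] in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ace["src"]
                and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
                and ace["port"] in (None, pkt.get("dport"))
                and ace["icmp_type"] in (None, pkt.get("icmp_type"))):
            return ace["action"]
    return "deny"
# The two inbound ACLs as posted (s0/0 list cut to the entries exercised here).
FA01_IN = ["permit icmp 207.228.41.56 0.0.0.7 any", "deny ip any any"]
S00_IN = ["permit tcp any host 207.228.41.62 eq www",
          "permit icmp any 207.228.41.56 0.0.0.7 echo", "deny ip any any"]
# Constructed sample flow: an outside client (198.51.100.10, a documentation
# address) fetches a page from the DMZ host, and the DMZ host answers.
REQUEST = {"proto": "tcp", "src": "198.51.100.10", "dst": "207.228.41.62", "dport": 80}
REPLY = {"proto": "tcp", "src": "207.228.41.62", "dst": "198.51.100.10", "dport": 49152}

def check_web_flow():
    """Verdict for each leg of the flow, with and without the fa0/1 ACL."""
    return {"request_in_s0/0": evaluate(S00_IN, REQUEST),
            "reply_in_fa0/1": evaluate(FA01_IN, REPLY),
            "reply_in_fa0/1_no_acl": evaluate(None, REPLY)}
```

The request is permitted on s0/0, but the server's reply entering fa0/1 hits "deny ip any any" because its source port is not matched by anything in that list; with the fa0/1 ACL removed the reply passes, which is exactly the change the answer recommends.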

