Cisco Support Community
New Member

Access-list From WEB

Hello Friends,

I have a web server and an Exchange (OWA) server in my internal network, and an internet router (2821) with a leased line and ADSL. I want to classify traffic in a route-map so that traffic for these servers passes through the leased line and other users go through ADSL. How can I do that?

For example:

- Web server IP address: 10.10.10.10
- Exchange IP address: 10.10.10.11
- Users IP addresses: 10.10.0.0

Can anybody help me write access-lists for the web server and Exchange (SMTP) server so that they can initiate traffic to, and receive traffic from, the internet?

WEBSERVER: HTTP/HTTPS

OWA: HTTP/SMTP

Thanks

5 REPLIES
New Member

Re: Access-list From WEB

Hi,

you need policy-based routing with a 'set ip next-hop' statement in your route-map.

ip access-list extended WEBMAIL
 permit ip host 10.10.10.10 any
 permit ip host 10.10.10.11 any
 ...

route-map WEBMAIL
 match ip address WEBMAIL
 set ip next-hop IP_ADDRESS_LEASED_LINE   (or whatever is in your IOS for the same purpose!)
 ...

and finally: ip route 0.0.0.0 0.0.0.0 IP_ADDRESS_ADSL_CONNECTION

on your inside interface (Fa0/0 for example):

int Fa0/0
 ip address ...
 service-policy WEBMAIL in

The route-map will be evaluated before the routing table.

Hope this helps!

New Member

Re: Access-list From WEB

By the way, I just checked the command: it is not a 'service-policy ...' you want under your inside interface, but:

ip policy route-map WEBMAIL

Cheers

New Member

Re: Access-list From WEB

Hello Dear,

I believe there should be an access-list on the outside interface of the internet router for inbound HTTPS, HTTP and SMTP traffic? I also want a specific access-list on the inside interface; I don't want to permit all protocols by specifying only the IP on the internet router. Can you help me with specific inside and outside access-lists?

I think you missed 'route-map WEBMAIL permit 20' for the users' subnet, otherwise they will be blocked? Correct me if I'm wrong.

route-map WEBMAIL permit 10
 match ip address ?????
 set ip next-hop <ISP ADDRESS>

route-map WEBMAIL permit 20
 match ip address 10
 set interface Dialer0

access-list 10 permit 10.10.0.0 0.0.255.255

Thanks

New Member

Re: Access-list From WEB

Hi,

1. The ACL on the outside interface is a security matter, not a routing matter: be my guest!

2. No, the 'permit any' in the route-map is not necessary. The denied traffic will not be routed by any route-map statement and should then be routed by the regular routing table. No traffic is dropped.
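
Putting the whole thread together, here is a complete IOS configuration for the setup discussed above: policy-based routing that sends the two servers' traffic out the leased line while everyone else follows the default route over ADSL, plus the inbound filter on the outside interface that the question asks about. This is an added example, not configuration posted by anyone in the thread. The server addresses 10.10.10.10 and 10.10.10.11 and the 10.10.0.0 0.0.255.255 user range come from the question; the interface names (FastEthernet0/0, Serial0/0/0, Dialer0), the inside router address 10.10.10.1 and the leased-line next hop 203.0.113.1 are assumed placeholders.

```cisco
! Added example (not from the thread). Interface names and the addresses
! 10.10.10.1 / 203.0.113.x are assumptions; replace them with your own.
!
! 1. Which sources get policy-routed: the web server and the Exchange/OWA server.
ip access-list extended WEBMAIL
 permit ip host 10.10.10.10 any
 permit ip host 10.10.10.11 any
!
! 2. The route-map: matching packets are forwarded to the leased-line next hop.
!    No second sequence is needed; anything that does not match sequence 10
!    simply falls through to the normal routing table (the default route below).
route-map WEBMAIL permit 10
 match ip address WEBMAIL
 set ip next-hop 203.0.113.1
!
! 3. Everyone else follows the default route over the ADSL dialer interface.
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! 4. PBR is applied to packets arriving on the inside interface.
interface FastEthernet0/0
 description Inside LAN
 ip address 10.10.10.1 255.255.0.0
 ip policy route-map WEBMAIL
!
! 5. Inbound filter on the leased line: only the published services may reach
!    the two servers (web server: HTTP/HTTPS; OWA server: HTTP/SMTP, as listed
!    in the question). Replies to connections opened from inside are admitted
!    with 'established'; everything else is denied and logged.
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.10.10.10 eq 80
 permit tcp any host 10.10.10.10 eq 443
 permit tcp any host 10.10.10.11 eq 80
 permit tcp any host 10.10.10.11 eq 25
 permit tcp any 10.10.0.0 0.0.255.255 established
 deny   ip any any log
!
interface Serial0/0/0
 description Leased line to ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
```

Two caveats worth checking before relying on this. First, if the servers are reachable from the internet through static NAT on the router, an inbound ACL on the outside interface is evaluated before the outside-to-inside translation, so the `host` entries in OUTSIDE-IN must name the public (pre-translation) addresses, not 10.10.10.x. Second, `established` only inspects TCP flags and admits nothing for UDP or ICMP (DNS replies for inside clients, for instance); a reflexive ACL or the router's stateful inspection feature is the stronger option if outbound client traffic also leaves over this interface. `show route-map WEBMAIL` and `show ip access-lists OUTSIDE-IN` show the per-clause hit counters, which is the quickest way to confirm that server traffic is being policy-routed and that the deny line is only catching what you expect.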

New Member

Re: Access-list From WEB

thanks !!!!
