
access-list implementation

mcx-india
Level 1

Hi

Could anybody help me to implement an access list for traffic coming from the internet to a particular server with specific ports, say 443, 25, etc., and also allow telnet from the internet to that router and deny other access?

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Mcx,

You need to use an IP extended ACL.

Let's suppose that A.B.C.D is your public IP address associated with the router WAN interface.

You need to configure static NAT in order to map services to the internal server:

ip nat inside source static tcp 10.10.10.20 25 A.B.C.D 25

ip nat inside source static tcp 10.10.10.20 80 A.B.C.D 80

ip nat inside source static tcp 10.10.10.20 443 A.B.C.D 443

int s0/0

ip nat outside

int e0/0

ip nat inside

access-list 121 permit tcp any host A.B.C.D eq 25

access-list 121 permit tcp any host A.B.C.D eq 80

access-list 121 permit tcp any host A.B.C.D eq 443

access-list 121 permit tcp any host A.B.C.D eq 23 (*)

int ser0/0

ip access-group 121 in

(*) Allowing telnet access from the internet has to be carefully considered. I would suggest using SSH and restricting access with another ACL that is applied under line vty 0 4:

access-list 25 permit host x.y.z.k

line vty 0 4

access-class 25 in

Hope to help

Giuseppe
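An added example, not part of the original reply: a small Python model of IOS first-match ACL evaluation with the implicit deny, run over the two ACLs above to check what they actually let through. 203.0.113.10 and 198.51.100.7 are assumed stand-ins for A.B.C.D and x.y.z.k, and only the `any` and `host` address forms are parsed.

```python
import ipaddress

# Constructed sample: the ACLs from the answer, with 203.0.113.10 standing in
# for A.B.C.D and 198.51.100.7 for x.y.z.k (documentation addresses).
CONFIG = """\
access-list 121 permit tcp any host 203.0.113.10 eq 25
access-list 121 permit tcp any host 203.0.113.10 eq 80
access-list 121 permit tcp any host 203.0.113.10 eq 443
access-list 121 permit tcp any host 203.0.113.10 eq 23
access-list 25 permit host 198.51.100.7
"""

def parse_addr(tok):
    """Consume one address spec ('any' or 'host X'); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    raise ValueError(f"unsupported address spec: {tok}")

def parse_acls(text):
    """Return {acl_number: [(action, proto, src_net, dst_net, dst_port)]}."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        num, action, rest = int(tok[1]), tok[2], tok[3:]
        if 100 <= num <= 199:                 # extended: proto src dst [eq port]
            proto, rest = rest[0], rest[1:]
            src, rest = parse_addr(rest)
            dst, rest = parse_addr(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
        else:                                 # standard: source address only
            proto, port = "ip", None
            src, rest = parse_addr(rest)
            dst = ipaddress.ip_network("0.0.0.0/0")
        acls.setdefault(num, []).append((action, proto, src, dst, port))
    return acls

def evaluate(acl, src, dst="0.0.0.0", proto="tcp", port=None):
    """First matching entry wins; no match hits the implicit 'deny any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, dport in acl:
        if (p in ("ip", proto) and s in src_net and d in dst_net
                and dport in (None, port)):
            return action
    return "deny"

ACLS = parse_acls(CONFIG)
```

With this input, TCP 22 to the public address falls through to the implicit deny, while TCP 23 is permitted from any source at the interface; only ACL 25 on the vty lines narrows who can actually log in.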
