alt.certification.cisco, July 2002: Access Lists

merner

2002-07-31, 12:44 pm

I have a 2621 that I would like to set up as a firewall

fa0/0 216.191.x.x 255.255.255.0
fa0/1 10.0.0.0 255.255.255.0

There is a host on the 10.0.0.0 network at 10.0.0.16 that hosts a mail and web server. I want to port forward any SMTP or HTTP packet to this host. How can this be done?

Thanks in advance.
siliconjock

2002-07-31, 2:25 pm

You'd need to provide more information. Is that ALL you want forwarded onto
that network? The access-list parameters depend on a lot of things. To do
ONLY what you've stated, it could be done by:

router#config t
router(config)#access-list 101 permit tcp any host 10.0.0.16 eq www
router(config)#access-list 101 permit tcp any host 10.0.0.16 eq smtp
router(config)#int f0/1
router(config-if)#ip access-group 101 out

Keep in mind the implicit deny any at the end of an access list: NO traffic
other than that which matches these two statements would be forwarded
out of fa0/1.

for more information check out www.cisco.com

Hope this helps some,
Levii


Robert Smales

2002-07-31, 4:25 pm

merner wrote:

>
> I have a 2621 that I would like to set up as a firewall
>
> fa0/0 216.191.x.x 255.255.255.0
> fa0/1 10.0.0.0 255.255.255.0
>
> There is a host on the 10.0.0.0 network at 10.0.0.16 that hosts a mail and
> web server. I want to port forward any SMTP or HTTP packet to this
> host. How can this be done?


You'd need to do a bit of NAT, I would think:

! static port translations: TCP 80 and 25 arriving on the public address go to 10.0.0.16
ip nat inside source static tcp 10.0.0.16 80 216.191.x.x 80 extendable
ip nat inside source static tcp 10.0.0.16 25 216.191.x.x 25 extendable

int fa0/0
ip nat outside
!
int fa0/1
ip nat inside

Then you'd need to set up an access-list, something like

access-list 101 permit tcp any any established
access-list 101 permit tcp any host 10.0.0.16 eq 80
access-list 101 permit tcp any host 10.0.0.16 eq 25
(you'll probably want to let at least some icmp traffic through as well)

then do

int fa0/1
 ! outbound on the inside interface: the packet has already been translated,
 ! so the list can match the inside address 10.0.0.16
 ip access-group 101 out


Robert Smales

2002-07-31, 4:25 pm

I wrote:


>
> Then you'd need to set up an access-list, something like
>
> access-list 101 permit tcp any any established
> access-list 101 permit tcp any host 10.0.0.16 eq 80
> access-list 101 permit tcp any host 10.0.0.16 eq 25
> (you'll probably want to let at least some icmp traffic through as well)
>
>


Oops! (a common gotcha) You'll also want to let in UDP 53 to your
mail server as well; otherwise it won't be able to look up MX records in
order to forward outgoing mail to joe.blow@somewhere.com.

Robert
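The three lists in this thread (siliconjock's two-line list, Robert's list with the established entry, and the UDP 53 line from his follow-up) differ in what they let back into the LAN, and the differences are easiest to see by running packets through them. The script below is an added example, not code from any of the posters: it parses the access-list lines exactly as they were posted and evaluates constructed packets against them with first-match semantics and the implicit deny. Assumptions: the addresses other than 10.0.0.16 and 10.0.0.50 are from the documentation ranges and are made up; the port-keyword table is a subset of what IOS accepts; and the list is evaluated at a point where the inside address is visible, i.e. after the static NAT has run, as it would be outbound on fa0/1.

```python
"""Evaluate the extended access-lists posted in this thread against sample packets.
Added example; 'established' matches only TCP segments with ACK or RST set, as in IOS."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Port keywords IOS accepts in place of numbers (subset, enough for this thread)
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "ftp": 21, "telnet": 23, "pop3": 110}


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags set on the segment


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]                  # None means any port
    dport: Optional[int]
    established: bool
    text: str                             # original line, reported on match


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)              # IOS wildcard masks are inverted netmasks
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)


def _parse_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
        return int(port) if port.isdigit() else PORT_NAMES[port]
    return None


def parse_acl(config: str, number: int) -> List[Rule]:
    """Pull the 'access-list <number> ...' lines out of a config snippet, in order."""
    rules = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto, *rest = tokens[2:]
        src, sport = _parse_addr(rest), _parse_port(rest)
        dst, dport = _parse_addr(rest), _parse_port(rest)
        rules.append(Rule(action, proto, src, dst, sport, dport,
                          "established" in rest, line.strip()))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; falling off the end is the implicit deny."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in r.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in r.dst:
            continue
        if r.sport is not None and pkt.sport != r.sport:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        # 'established' is stateless: it only looks for the ACK or RST bit, so any
        # segment with ACK set matches, not just replies to sessions the LAN opened.
        if r.established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return r.action, r.text
    return "deny", "implicit deny at end of access-list"


def decide(config: str, pkt: Packet) -> str:
    """The action a numbered list 101 in `config` takes on one packet."""
    return evaluate(parse_acl(config, 101), pkt)[0]


# The lists as posted in the thread.
ACL_SILICONJOCK = """
access-list 101 permit tcp any host 10.0.0.16 eq www
access-list 101 permit tcp any host 10.0.0.16 eq smtp
"""
ACL_ROBERT = """
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 10.0.0.16 eq 80
access-list 101 permit tcp any host 10.0.0.16 eq 25
"""
ACL_ROBERT_DNS = ACL_ROBERT + "access-list 101 permit udp any eq 53 host 10.0.0.16\n"

# Constructed packets, all as seen on the inside (post-NAT) side. 10.0.0.50 is an
# assumed ordinary LAN workstation; the outside addresses are documentation ranges.
WEB_SYN = Packet("tcp", "203.0.113.7", "10.0.0.16", 51000, 80, frozenset({"SYN"}))
OTHER_HOST_SYN = Packet("tcp", "203.0.113.7", "10.0.0.50", 51001, 80, frozenset({"SYN"}))
BROWSE_REPLY = Packet("tcp", "198.51.100.9", "10.0.0.50", 80, 40000, frozenset({"SYN", "ACK"}))
DNS_REPLY = Packet("udp", "198.51.100.53", "10.0.0.16", 53, 40001)
ACK_PROBE = Packet("tcp", "203.0.113.7", "10.0.0.50", 51002, 22, frozenset({"ACK"}))

if __name__ == "__main__":
    for name, acl in (("siliconjock", ACL_SILICONJOCK), ("Robert", ACL_ROBERT),
                      ("Robert+udp53", ACL_ROBERT_DNS)):
        rules = parse_acl(acl, 101)
        for pkt in (WEB_SYN, OTHER_HOST_SYN, BROWSE_REPLY, DNS_REPLY, ACK_PROBE):
            action, why = evaluate(rules, pkt)
            print(f"{name:13} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                  f"{action:6} ({why})")
```

Running it shows the points made in the posts: siliconjock's list permits the two published services and nothing else, so the SYN/ACK coming back to a workstation that browsed out is dropped; Robert's established entry lets that reply through; the UDP DNS reply to the mail server is dropped until the udp 53 line is added. The last packet is the caveat on established: a segment with only ACK set, sent to port 22 on a host that is not published at all, is permitted, because the keyword inspects flag bits rather than state, which is what ACK scans rely on. The script also assumes the list sees 10.0.0.16; a list applied inbound on fa0/0 is checked before the outside-to-inside translation and would have to match 216.191.x.x instead.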



Copyright 2003 - 2008 examnotes.net