ACL to have outside traffic hit inside web server

Sniffer2112 (IS/IT--Management)
12 Jun 12 20:33
I thought I understood ACLs but when I tried to implement an ACL for port forwarding, I'd lose internet connection and could not reach the website from the outside. Could someone take a look at my config and see if I set it up right?

I thought the "permit tcp any host 10.1.1.200 eq www" would be the right command.


interface FastEthernet0/0 (to outside internet)
ip address dhcp
ip access-group 100 in
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1 (to inside LAN)
ip address 10.1.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
router eigrp 123
network 10.1.1.0 0.0.0.255
auto-summary
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 10 interface FastEthernet0/0 overload
!
ip access-list extended PREVENT_IP_SPOOFING (I know this is not yet set on any interface)
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
!
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any host 10.1.1.200 eq www (10.1.1.200 is the web server IP)
access-list 100 permit ip any any


Any help would be greatly appreciated. Just when you think you understand something... leave it to real life to tell you differently. But that's how we learn best.

-Todd-
CCNA
MCTS: Server 2008 AD Configuration
CompTIA: A+, Security+

**There are 10 types of people. Those that understand binary, and those that don't**

cisconooblet (TechnicalUser)
12 Jun 12 21:22
You need NAT to port forward to your internal server. ACL permit any matches everything....except maybe icmp. I've never tried with a DHCP client enabled interface (your outside) but I don't see how that would work. Always used static addresses. Anyway config below might help you get an idea.

interface Ethernet0
ip address 192.168.1.xxx 255.255.255.0
ip nat inside
interface FastEthernet0
ip address xxx.xxx.xxx.xxx 255.255.252.0
ip nat outside

ip nat inside source list 7 interface FastEthernet0 overload
ip nat inside source static 192.168.1.YYY xxx.xxx.xxx.xxx
ip nat inside source static 192.168.1.ZZZ xxx.xxx.xxx.xxx
ip nat inside source static tcp 192.168.1.UUU 5080 xxx.xxx.xxx.xxx 5080
ip nat inside source static tcp 192.168.1.UUU 8088 xxx.xxx.xxx.xxx 8088

access-list 7 deny 192.168.1.YYY
access-list 7 deny 192.168.1.ZZZ
access-list 7 permit 192.168.1.0 0.0.0.255

CCNA, BCNE, Security+, Network +

Sniffer2112 (IS/IT--Management)
27 Jun 12 21:18
Thanks Cisconooblet for pointing me in the right direction.


Keeping the same config for ip nat inside (FA0/1) and ip nat outside (FA0/0)

I entered in the following commands and now when we type in our web address, it does hit our web server.....
# ip nat inside source list 101 int fa0/1 overload
# access-list 101 permit ip any any
# ip nat inside source static tcp 10.1.1.1 80 int fa0/1 80

-Todd-
CCNA
MCTS: Server 2008 AD Configuration
CompTIA: A+, Security+

**There are 10 types of people. Those that understand binary, and those that don't**
