
Limit Internet Access by IP or Port 1

Status
Not open for further replies.

backpedal

Technical User
Sep 5, 2007
GB
Hi, I'm learning CISCO at the moment and was wondering if you can help me. My 877W Router is configured with DHCP from 10.10.10.2 to 10.10.10.254 and any PC which is connected to the router can get internet access. 10.10.10.1 is the router.

My question is can someone tell me :

a. How I limit internet access so say only IP addresses 10.10.10.2, 10.10.10.3 can get internet access and no-one else can but the other clients 10.10.10.4 etc can still talk to the other PC's on the LAN.

b. How I limit internet access by fastethernet port so say ports 1,2 and 3 can get internet access but port 4 cannot.

I've posted my config below if it helps. I very much appreciate help with my learning curve.


!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$6xU0$mx0hYL/cwv7Gp6fTsowG.1
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2763833099
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2763833099
revocation-check none
rsakeypair TP-self-signed-2763833099
!
!
crypto pki certificate chain TP-self-signed-2763833099
certificate self-signed 01
30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32373633 38333330 3939301E 170D3037 30393035 30393333
34325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37363338
33333039 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100F2D9 630E469B 870E4D13 C3B805DA A96E8D7C 07FEDC4E 0640C883 7AEBC832
7D2B133A B6F60BD1 96C59D47 D968E2A6 1F702199 5C6C0DED A27D1859 235C1C4C
53AF017E F33CD3FC 8E9F8512 764625B4 B67B4040 C846874F 6DD90784 1F7E24FB
8DF7AC89 B41FD39D E9920BBC A1EAA55E 8D2F4E35 49977DA1 7C19836B 8B74E746
C6D30203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
551D1104 1C301A82 18526F75 7465722E 74686566 616D696C 796E6573 732E636F
6D301F06 03551D23 04183016 801474B3 BF6A504C 6CA1E6E6 92917EAA C9983B1A
762D301D 0603551D 0E041604 1474B3BF 6A504C6C A1E6E692 917EAAC9 983B1A76
2D300D06 092A8648 86F70D01 01040500 03818100 22DA971F FBF3F2A2 BCB1CF2A
DB66FF1D 3CB83D25 8E6E477B F1048494 A87FEF51 4E58B2BB EC35826A E4089D58
71694061 F753DA03 B3780930 72ECC721 32EAE9BA 2DA59FC1 92356DDD DA01C2B7
FE25BC08 69E48932 E1BD535A 92459E17 4650432E 94B33212 0864580B 2F8F2557
DB513372 0033174B 2618BDCB 54A21DE9 5016F221
quit
!
!
!
dot11 ssid thefamilyness
authentication open
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
!
!
no ip bootp server
no ip domain lookup
ip domain name thefamilyness.com
ip name-server 62.241.163.200
ip name-server 62.241.162.201
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
multilink bundle-name authenticated
!
!
username backpedal privilege 15 secret 5 $1$JJfw$N5mybaPKR/lruGFu9Ju8x.
username helen.chandler privilege 15 secret 5 $1$5yU/$hHdYNrK1xVwFRmN/ALX6h/
username michael.chandler privilege 15 secret 5 $1$LSdT$4NWr3I633S//re23HoKra1
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no snmp trap link-status
pvc 0/38
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
ssid thefamilyness
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname axrh56@xtreme5.pipex.net
ppp chap password 7 030052190900244E4F
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.10.10.10 80 interface Dialer0 80
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 62.241.162.201 eq domain any
access-list 101 permit udp host 62.241.163.200 eq domain any
access-list 101 permit tcp any any eq www
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec 
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------

banner login Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500

!
webvpn cef
end
 
a) This is what controls who has access to the Internet
Code:
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255

Change
Code:
access-list 1 permit 10.10.10.0 0.0.0.255
to
Code:
access-list 1 permit host 10.10.10.2

That will allow only 10.10.10.2 to get access to the Internet. There is always an implicit deny at the end of an Access list so all others will be denied.

b) Change the VLAN assignment (assuming the router supports vlans) on Fast ethernet port 4. Depending on what you want to do, you can just use the router to route between the two vlans. Shouldn't be a big deal but the other vlan will have to have a different IP structure. Unless you add that IP structure to access list 1, they will not have Internet access.

It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
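Putting the first answer's two suggestions into configuration form, as an added example that is not part of either post: access-list 1 is rewritten so that only 10.10.10.2 and 10.10.10.3 are ever translated by the "ip nat inside source list 1" statement, and the fourth switch port is moved into a second VLAN with its own subnet that access-list 1 never matches. VLAN 2, the 10.10.20.0/24 subnet, the pool name, and the reading of "port 4" as FastEthernet3 (the 877's switch ports are numbered 0 to 3) are my choices, not from the thread.

```cisco
! Added example, not from the thread. Applies to the posted 877W config.
!
! (a) Only .2 and .3 are translated to the Internet.
!     An access list is evaluated top to bottom, first match wins, and a
!     packet that matches nothing hits the implicit "deny any" at the end.
!     A LAN host that is not permitted here is never translated, so its
!     packets leave Dialer0 with a private source (or are dropped) and no
!     reply ever comes back. LAN-to-LAN traffic never touches NAT, so it
!     keeps working for every host.
no access-list 1
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark Hosts allowed to use the Internet (all others: implicit deny)
access-list 1 permit host 10.10.10.2
access-list 1 permit host 10.10.10.3
!
! Translations already built for other hosts survive until they time out.
! From privileged EXEC, drop them so the change bites immediately:
!   clear ip nat translation *
!
! (b) Per-port: isolate the 4th switch port (FastEthernet3, assumed) in
!     its own VLAN and subnet. VLAN 2 and 10.10.20.0/24 are assumed values.
!     VLAN creation on the 87x switch ports is done from privileged EXEC,
!     not configuration mode:
!   vlan database
!   vlan 2 name no-internet
!   exit
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan2
 description LAN segment with no Internet access
 ip address 10.10.20.1 255.255.255.0
 ! "ip nat inside" is set so the segment can be granted Internet access
 ! later just by adding it to access-list 1; until then nothing matches
 ! and nothing is translated.
 ip nat inside
!
ip dhcp excluded-address 10.10.20.1
ip dhcp pool no-internet
 import all
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
!
! Result: hosts on 10.10.20.0/24 are routed by the router and can reach
! 10.10.10.0/24 ("bridge 1 route ip" and "ip cef" are already on), but
! they never match access-list 1, so they are never translated and cannot
! reach the Internet. Check with:
!   show access-lists 1          (match counters per line)
!   show ip nat translations     (only 10.10.10.2 and .3 should appear)
```

Note that the two segments are separate broadcast domains, so NetBIOS name browsing between them will not work without WINS or DNS; file sharing by IP address does.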
 
Your 2 questions are different...you only want 2 hosts to access the internet, yet there are 4 ports---you say that you only want fa4 to have internet access...which is it?
Also,
access-list 10 permit host 10.10.10.2
will only allow 10.10.10.2, and not 10.10.10.3
Instead of reconfiguring NAT, just add an extended acl, like this...

access-list 110 permit tcp host 10.10.10.2 any eq 80
access-list 110 permit tcp host 10.10.10.3 any eq 80
access-list 110 deny tcp any any eq 80
access-list 110 permit ip any any
Then apply it outbound to vlan 1...
int vlan1
ip access-group 110 out

Burt
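Burt's extended-ACL approach, rewritten against the posted configuration as an added example (not Burt's or the original poster's code). Two details of this particular router matter: the LAN's layer-3 interface is BVI1 (Vlan1 is only a bridge-group member and has no IP address), and BVI1 already carries access-list 100 inbound, and an interface takes one access list per direction, so the host filter is merged into access-list 100 instead of being applied as a second list. Applied inbound on BVI1 the list sees the hosts' real 10.10.10.x addresses before NAT, and the deny covers all Internet-bound traffic from the other hosts (DNS, HTTPS, mail, and so on), not only TCP port 80 as in the four-line version above. The explicit DHCP permit and the "log" keyword on the final deny are my additions.

```cisco
! Added example, not from the thread. Replaces SDM's access-list 100 on
! BVI1 with one that keeps its anti-spoofing lines, lets .2 and .3 go
! anywhere, and confines every other LAN host to the LAN and the router.
no access-list 100
access-list 100 remark Kept from the SDM-generated list
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 remark DHCP requests (source 0.0.0.0, broadcast destination)
access-list 100 permit udp any eq bootpc any eq bootps
access-list 100 remark Hosts allowed to reach anything, including the Internet
access-list 100 permit ip host 10.10.10.2 any
access-list 100 permit ip host 10.10.10.3 any
access-list 100 remark Everyone else: LAN addresses and the router only
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 remark Explicit end-of-list deny; "log" shows who is being blocked
access-list 100 deny ip any any log
!
interface BVI1
 ip access-group 100 in
!
! Why inbound on BVI1 and not outbound on Dialer0: for inside-to-outside
! traffic IOS applies the inbound ACL, then routes, then NATs, then applies
! the outbound ACL, so on Dialer0 out every packet already carries the
! Dialer0 address and the hosts cannot be told apart.
!
! Verification from privileged EXEC:
!   show access-lists 100        per-line match counters
!   show logging                 the "deny ... log" hits for blocked hosts
!   clear ip nat translation *   drop translations other hosts built earlier
```

Traffic between two PCs on the same bridged LAN is switched and never reaches BVI1, so the list does not affect file sharing between them; it only governs what leaves the LAN segment, which is exactly what the question asks for.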
 
Burt, 10.0.0.2 is plugged into fe2 and 10.0.0.3 is plugged into fe3
 