Tek-Tips is the largest IT community on the Internet today!

Probably simple, please help


shaneh0

Programmer
Nov 4, 2002
27
US
Hi,

I'm a C programmer and know nothing about routers. I work for a small company and we have a 3-man IT dept: me, a Network Admin and a Server Admin.

Three days ago our network admin was arrested by the FBI for computer fraud.

So we have this issue where I installed a new workstation yesterday. We only allow some users access to the internet. I'm sure this access is controlled by the router and I'm guessing it's something as simple as adding a MAC address to an access list, but I really have no clue.

I was hoping someone could give me a little info on how I would go about doing this with a cisco 1605 router.

Thanks!!!
 
Why don't you show the config in this post (minus the passwords and community strings of course) and we'll take a look at it.
 
Not to be a dolt, but how would I go about getting the config?

Thanks for your help!!!!!
 
Log into the router; from the user exec mode, type "enable", enter the password, and then type "sho run". This will give you the output. Copy this into a text file, omit any sensitive information, and paste the rest to this forum.
 
Ok, here it is.

I replaced the password and the IP address with x's.

Thanks for your help!

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname lockreyrouter1
!
no logging console
enable secret 5 $1$Bnmo$SXbPd7LXIsXRlClIsCJQF/
enable password xxxxxx
!
ip subnet-zero
ip name-server 209.45.202.1
ip name-server 216.111.65.217
ip inspect name fwout tcp
ip inspect name fwout udp
ip inspect name fwout tftp
ip inspect name fwout cuseeme
ip inspect name fwout realaudio
ip inspect name fwout streamworks
ip inspect name fwout sqlnet
ip inspect name fwout rcmd
ip inspect name fwout ftp
ip inspect name fwin udp
ip inspect name fwin tcp
clock timezone Eastern -5
!
!
!
interface Ethernet0
description Connection to Totalink
ip address xxx.xx.xxx.xxx 255.255.255.192
ip access-group 101 in
no ip directed-broadcast
ip nat outside
ip inspect fwin in
ip inspect fwout out
!
interface Ethernet1
description Connection to LAN
ip address 10.1.1.1 255.255.255.0
ip access-group 102 in
no ip directed-broadcast
ip nat inside
no ip route-cache
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 10.1.1.3 21 xxx.xxx.xxx.xxx 21 extendable
ip nat inside source static tcp 10.1.1.5 3389 xxx.xxx.xxx.xxx 3389 extendable
ip nat inside source static udp 10.1.1.3 5632 xxx.xxx.xxx.xxx 5632 extendable
ip nat inside source static tcp 10.1.1.3 5631 xxx.xxx.xxx.xxx 5631 extendable
ip nat inside source static tcp 10.1.1.3 80 xxx.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 10.1.1.3 110 xxx.xxx.xxx.xxx 110 extendable
ip nat inside source static tcp 10.1.1.3 25 xxx.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 10.1.1.5 1494 xxx.xxx.xxx.xxx 1494 extendable
ip nat inside source static tcp 10.1.1.90 1680 xxx.xxx.xxx.xxx 1680 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 209.45.202.195
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq 1680
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq 1494
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq telnet
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq pop3
access-list 101 permit tcp 209.45.202.0 0.0.0.255 host xxx.xxx.xxx.xxx eq 5631
access-list 101 permit udp 209.45.202.0 0.0.0.255 host xxx.xxx.xxx.xxx eq 5632
access-list 101 permit tcp 208.4.8.0 0.0.0.255 host xxx.xxx.xxx.xxx eq 5631
access-list 101 permit udp 208.4.8.0 0.0.0.255 host xxx.xxx.xxx.xxx eq 5632
access-list 101 permit tcp 209.45.202.0 0.0.0.255 host xxx.xxx.xxx.xxx eq 3389
access-list 101 permit tcp 208.4.8.0 0.0.0.255 host xxx.xxx.xxx.xxx eq 3389
access-list 102 permit ip 0.0.0.1 255.255.255.0 any
access-list 102 permit ip 0.0.0.2 255.255.255.0 any
access-list 102 permit ip 0.0.0.3 255.255.255.0 any
access-list 102 permit ip 0.0.0.4 255.255.255.0 any
access-list 102 permit ip 0.0.0.5 255.255.255.0 any
access-list 102 permit ip 0.0.0.6 255.255.255.0 any
access-list 102 permit ip 0.0.0.50 255.255.255.0 any
access-list 102 permit ip 0.0.0.51 255.255.255.0 any
access-list 102 permit ip 0.0.0.52 255.255.255.0 any
access-list 102 permit ip 0.0.0.53 255.255.255.0 any
access-list 102 permit ip 0.0.0.54 255.255.255.0 any
access-list 102 permit ip 0.0.0.55 255.255.255.0 any
access-list 102 permit ip 0.0.0.56 255.255.255.0 any
access-list 102 permit ip 0.0.0.57 255.255.255.0 any
access-list 102 permit ip 0.0.0.58 255.255.255.0 any
access-list 102 permit ip 0.0.0.59 255.255.255.0 any
access-list 102 permit ip 0.0.0.60 255.255.255.0 any
access-list 102 permit ip 0.0.0.61 255.255.255.0 any
access-list 102 permit ip 0.0.0.62 255.255.255.0 any
access-list 102 permit ip 0.0.0.63 255.255.255.0 any
access-list 102 permit ip 0.0.0.64 255.255.255.0 any
access-list 102 permit ip 0.0.0.65 255.255.255.0 any
access-list 102 permit ip 0.0.0.72 255.255.255.0 any
access-list 102 deny tcp any any eq www
access-list 102 permit ip any any
!
line con 0
exec-timeout 0 0
password xxxxxx
transport input none
line vty 0 4
password xxxxxx
login
!
end
 
Ok, what is the IP address of the workstation you just hooked up? And what do you want it to do? Web traffic?

 
try this

config t
access-list 102 permit ip 0.0.0.113 255.255.255.0 any
end
wr
 
IPKONFIG wrote:
>try this
>
>config t
>access-list 102 permit ip 0.0.0.113 255.255.255.0 any
>end
>wr

The access-list should be:
access-list 102 permit ip 10.1.1.113 0.0.0.0 any

But if it's JUST web traffic (TCP port 80) ONLY:
access-list 102 permit tcp 10.1.1.113 0.0.0.0 any eq www

You will need to re-write all of access-list 102. Just copy all access-list 102 statements into notepad and insert the above command in such a way that it should be the 3rd line before the last, like so:

.
.
.
access-list 102 permit ip 0.0.0.65 255.255.255.0 any
access-list 102 permit ip 0.0.0.72 255.255.255.0 any
access-list 102 permit ip 10.1.1.113 0.0.0.0 any <-- insert here
access-list 102 deny tcp any any eq www
access-list 102 permit ip any any

Now, go to the router and enter "config t" while in the "#" prompt (enable mode).

Then type "no access-list 102" then press enter. Go to your notepad and copy everything. Then go back to the router and paste the notepad's contents in there.

Once copying is done, type "end" and press enter.

Verify that everything is in there by typing "sh ip access-list 102".

If everything is in there (as compared to the notepad), type "write" and press enter to save the config.

Piece of cake, huh? :D



Orlando Palomar Jr
CCIE# 11206, CCNP
CIPT Operations Specialist
Phil-Data Business Systems, Inc.
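Why the placement matters, as an added example (my own code, not anything posted in this thread): a small Python model of IOS numbered-ACL evaluation, run over a constructed copy of access-list 102. It encodes three things the config above relies on. Statements are tried top to bottom and the first match wins. A 1 bit in the wildcard mask means "don't care", so `0.0.0.1 255.255.255.0` matches any address whose last octet is 1, which on the 10.1.1.0/24 LAN is exactly 10.1.1.1; that is why the existing entries work even though they look odd. And a statement entered as `access-list 102 ...` in config mode is appended after `permit ip any any`, where it can never be reached, which is what the rewrite fixes. It also shows a caveat the thread does not mention: `deny tcp any any eq www` covers port 80 only, so a factory PC that is not in the list can still reach HTTPS on 443. The destination address 198.51.100.7, the three-host list and the parser's limits (only the statement forms used in this thread) are assumptions of the example.

```python
import ipaddress

# Constructed sample input (not a capture from the poster's router): the shape of
# access-list 102 from the config above, abbreviated to three host entries.
ACL_102 = """\
access-list 102 permit ip 0.0.0.1 255.255.255.0 any
access-list 102 permit ip 0.0.0.2 255.255.255.0 any
access-list 102 permit ip 0.0.0.50 255.255.255.0 any
access-list 102 deny tcp any any eq www
access-list 102 permit ip any any
"""

# What typing "access-list 102 ..." in config mode actually produces: IOS appends
# the new statement to the END of a numbered ACL.
ACL_102_APPENDED = ACL_102 + "access-list 102 permit ip 10.1.1.113 0.0.0.0 any\n"

# The rewrite from the post above: the host entry sits before the deny.
ACL_102_REWRITTEN = ACL_102.replace(
    "access-list 102 deny tcp any any eq www",
    "access-list 102 permit ip 10.1.1.113 0.0.0.0 any\n"
    "access-list 102 deny tcp any any eq www",
)

NAMED_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "pop3": 110}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok, i):
    """Return ((address, wildcard), next_index) for 'any', 'host X' or 'X WILDCARD'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines, in order.

    Only the statement forms used in this thread are handled; 'eq' after the
    destination is the destination port, as in 'deny tcp any any eq www'.
    """
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
        rules.append({"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "dport": dport})
    return rules


def _wild_match(spec, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (ip & care)


def evaluate(rules, proto, src, dst, dport=None):
    """First matching statement wins; an unmatched packet hits the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if not (_wild_match(r["src"], s) and _wild_match(r["dst"], d)):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"


def web_verdict(acl_text, src, dport=80):
    """Verdict for an outbound web connection from src to an arbitrary Internet host."""
    return evaluate(parse_acl(acl_text), "tcp", src, "198.51.100.7", dport)


if __name__ == "__main__":
    for label, acl in (("original", ACL_102), ("appended", ACL_102_APPENDED), ("rewritten", ACL_102_REWRITTEN)):
        print(f"{label:9s} 10.1.1.113 -> tcp/80 : {web_verdict(acl, '10.1.1.113')}")
    # The 0.0.0.1 255.255.255.0 entry matches any address ending in .1, i.e. 10.1.1.1 here.
    print("10.1.1.1   -> tcp/80 :", web_verdict(ACL_102, "10.1.1.1"))
    # The deny names port 80 only, so an unlisted host still reaches HTTPS.
    print("10.1.1.200 -> tcp/443:", web_verdict(ACL_102, "10.1.1.200", 443))
```

Run it and the appended list gives the same "deny" for 10.1.1.113 as the untouched one, while the rewritten list permits it; the 443 case is the one to keep in mind if "no internet" is meant literally, since the deny would need a second statement for HTTPS (or a deny of `tcp any any` after the permitted hosts).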
 
Orlando is right, you have to put that statement in your access list by re-doing the whole access list. I apologize if this caused any issues. Although, I don't understand why access list 102 even exists in the first place. Just wondering is all.
 
"Although, I don't understand why access list 102 even exists in the first place. Just wondering is all."

why is that?
 
I'm just assuming that all your users are listed in access list 102. If that's not the case, then I understand the access list. If I'm correct, then the access list is worthless.
 
No, we are a manufacturing company and we have about 25 computers throughout the factory. None of the factory PCs have access to the internet, only the offices.
 
Thank you!!! I will rewrite this list today. Hopefully all hell doesn't break loose :)
 
If you're going to rewrite it, I'd suggest you add this command.

service password-encryption

This way, it will encrypt all your passwords. FYI
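On the `service password-encryption` advice, an added example (my own code, not from the thread or from Cisco) that audits a constructed running-config excerpt and shows what that command actually does. It turns type 0 (plaintext) passwords into type 7 strings, which are a two-digit seed followed by the password XORed against a fixed, publicly known key stream; anyone who can read the config can recover them, and the decoder below needs no secret. The `enable secret` line already in the config above (type 5, salted MD5-crypt) is the one-way form, and it is what IOS checks when both it and `enable password` are present. The config excerpt, the dummy type 5 hash and the type 7 value 094F471A1A0A (which decodes to "cisco") are constructed sample data; the 0-15 seed range is the one IOS uses.

```python
# Constructed sample (not the poster's config): the password-bearing lines that a
# "sho run" shows, with a dummy type 5 hash and one type 7 string.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$salt$placeholder0000000000000
enable password letmein
line con 0
 password letmein
line vty 0 4
 password 7 094F471A1A0A
 login
"""

# The fixed key stream IOS uses for type 7 strings; it is the same on every box.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext, seed=9):
    """Produce what 'service password-encryption' stores: a two-digit seed
    followed by each byte XORed with the key stream starting at that seed."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS seeds are 0-15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plaintext.encode()):
        out.append(f"{ch ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]:02X}")
    return "".join(out)


def type7_decode(encoded):
    """Invert type7_encode. No secret is needed, which is the whole point."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body)).decode()


def audit_passwords(config_text):
    """Classify every password line in a running-config by storage type.

    Returns (command, type, verdict, recovered) tuples in config order.
    Type 0 is plaintext, type 7 is the reversible service-password-encryption
    form, type 5 is salted MD5-crypt (one-way, so nothing is recovered).
    """
    verdicts = {"0": "plaintext", "7": "reversible", "5": "hashed"}
    findings = []
    for raw in config_text.splitlines():
        tok = raw.split()
        if tok[:2] in (["enable", "secret"], ["enable", "password"]):
            cmd, rest = " ".join(tok[:2]), tok[2:]
        elif tok[:1] == ["password"]:
            cmd, rest = "password", tok[1:]
        else:
            continue
        # An explicit type digit precedes the value; a bare value is type 0.
        if len(rest) > 1 and rest[0] in verdicts:
            ptype, value = rest[0], rest[1]
        else:
            ptype, value = "0", rest[0]
        recovered = value if ptype == "0" else type7_decode(value) if ptype == "7" else None
        findings.append((cmd, ptype, verdicts[ptype], recovered))
    return findings


def password_encryption_enabled(config_text):
    """True unless the config carries the explicit 'no service password-encryption'."""
    return "no service password-encryption" not in config_text.splitlines()


if __name__ == "__main__":
    print("service password-encryption:", password_encryption_enabled(SAMPLE_CONFIG))
    for cmd, ptype, verdict, recovered in audit_passwords(SAMPLE_CONFIG):
        print(f"{cmd:16s} type {ptype}  {verdict:10s} {recovered or ''}")
```

The takeaway for this router: `service password-encryption` is worth adding so the line and enable passwords are not readable at a glance when the config is pasted somewhere, but the protection that actually counts is the `enable secret` line, and the posted config would also be improved by dropping the separate `enable password`, since IOS ignores it once a secret is set but it still sits in the config as a second, weaker copy.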
 