From: John Kim (albugkim@xxxxxxxxxxx)
Date: Thu Sep 06 2001 - 18:08:09 GMT-3
David,
If you want to put an ACL on the incoming traffic on your router, you should
change your access-list 100 as follows:
access-list 100 permit ip host 63.161.251.7 any
access-list 100 permit ip host 63.161.251.1 any
access-list 100 permit tcp host 63.161.251.2 eq 443 any
access-list 100 permit tcp host 63.161.251.2 eq 80 any
access-list 100 permit tcp host 63.161.251.2 eq 25 any
access-list 100 permit tcp host 63.161.251.4 eq 53 any
access-list 100 permit tcp host 63.161.251.5 eq 53 any
access-list 100 permit udp host 63.161.251.4 eq 53 any
access-list 100 permit udp host 63.161.251.5 eq 53 any
access-list 100 permit udp host 63.161.251.4 eq 123 any
access-list 100 permit icmp any any echo
access-list 100 permit icmp host 63.161.251.2 any echo-reply
access-list 100 deny ip any any log
Or you can change your access-list for outgoing traffic without changing
your access-list by changing ip access-group 100 in to ip access-group 100
out.
John Kim
>From: Jerry Toomey <jetoomey@yahoo.com>
>Reply-To: Jerry Toomey <jetoomey@yahoo.com>
>To: "Davis, David" <DDavis@foxgal.com>, ccielab@groupstudy.com
>Subject: Re: Internet Firewall Router IOS Config
>Date: Thu, 6 Sep 2001 13:40:16 -0700 (PDT)
>
>David,
>Shouldn't your access-list use the Outside Global IP address instead of
>the Inside Local IP?
>
>Why don't you add these to your access list (before any deny):
>access-list 100 permit tcp any host 17.0.17.254 eq 53
>access-list 100 permit tcp any host 17.0.19.254 eq 53
>access-list 100 permit udp any host 17.0.17.254 eq 53
>access-list 100 permit udp any host 17.0.19.254 eq 53
>
>Then, do a "sho access-list 100" and see where the hits are coming from.
>Look for "(xxx matches)".
>
>Jerry
>--- "Davis, David" <DDavis@foxgal.com> wrote:
> > I have been using all my CCIE-candidate access-list & NAT
> > troubleshooting skills to figure out the config on our new
> > firewall/router but with no luck. When this access-list is put in place,
> > DNS inquiries from the servers that the access-list permits on port 53
> > (for DNS) stop working.
> >
> > Is this access-list configured correctly for DNS?
> >
> > Any help is appreciated!
> >
> > Thanks,
> > David
> >
> > The servers on 63.161.251.4 and .5 are our two DNS servers that do not
> > function once the access-list is put in place.
> >
> >
> >
> > !
> > ! Last configuration change at 03:11:43 CST Wed Mar 3 1993 by root
> > ! NVRAM config last updated at 03:23:44 CST Wed Mar 3 1993 by root
> > !
> > version 12.0
> > service timestamps debug uptime
> > service timestamps log uptime
> > service password-encryption
> > !
> > hostname inetrouter
> > !
> > logging buffered 4096 notifications
> > enable secret 5 $1$xZE9$KX4QfCbWvk.x1zFXLGHHg.
> > !
> > username root privilege 15 password 7 05070F1924455A1C09
> > memory-size iomem 20
> > clock timezone CST -6
> > clock summer-time CDT recurring
> > ip subnet-zero
> > no ip source-route
> > ip rcmd rsh-enable
> > ip rcmd remote-host root 17.0.26.1 root enable
> > ip rcmd remote-username root
> > no ip domain-lookup
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Ethernet0/0
> > ip address 192.168.0.1 255.255.255.252 secondary
> > ip address 192.168.1.1 255.255.255.252 secondary
> > ip address 17.0.21.21 255.0.0.0
> > no ip directed-broadcast
> > no ip proxy-arp
> > ip nat inside
> > no cdp enable
> > !
> > interface Serial0/0
> > description Internet T1
> > ip address 144.232.221.38 255.255.255.252
> > ip access-group 100 in
> > no ip directed-broadcast
> > no ip proxy-arp
> > ip nat outside
> > encapsulation ppp
> > no cdp enable
> > !
> > ip nat inside source static 17.0.27.254 63.161.251.9
> > ip nat inside source static 17.0.18.254 63.161.251.8
> > ip nat inside source static 17.0.26.1 63.161.251.6
> > ip nat inside source static 17.0.17.254 63.161.251.4
> > ip nat inside source static 17.0.39.254 63.161.251.3
> > ip nat inside source static 17.0.19.254 63.161.251.5
> > ip nat inside source static 192.168.0.2 63.161.251.1
> > ip nat inside source static 192.168.1.2 63.161.251.7
> > ip nat inside source static 17.0.22.254 63.161.251.2
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Serial0/0 2
> > no ip http server
> > !
> > logging 17.0.19.254
> > access-list 100 permit ip any host 63.161.251.7
> > access-list 100 permit ip any host 63.161.251.1
> > access-list 100 permit tcp any host 63.161.251.2 eq 443
> > access-list 100 permit tcp any host 63.161.251.2 eq 80
> > access-list 100 permit tcp any host 63.161.251.2 eq 25
> > access-list 100 permit tcp any host 63.161.251.4 eq 53
> > access-list 100 permit tcp any host 63.161.251.5 eq 53
> > access-list 100 permit udp any host 63.161.251.4 eq 53
> > access-list 100 permit udp any host 63.161.251.5 eq 53
> > access-list 100 permit udp any host 63.161.251.4 eq 123
> > access-list 100 permit icmp any any echo-reply
> > access-list 100 permit icmp any host 63.161.251.2 echo
> > access-list 100 deny ip any any log
> > no cdp run
> > !
> > line con 0
> > exec-timeout 0 0
> > login local
> > transport input none
> > line aux 0
> > password 7 14141B180F0B
> > line vty 0 4
> > login local
> > !
> > ntp clock-period 17208398
> > ntp server 17.253.100.1
> > no scheduler allocate
> > end
>=====
>Jerry Toomey of http://www.wansend.com can be reached at 877-690-2578
>
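The thread turns on how IOS evaluates an extended ACL packet by packet: first match wins, there is an implicit deny at the end, and a `permit ... eq 53` entry written with the port on the destination side admits queries *to* a server but says nothing about replies *from* an external resolver, which arrive with source port 53 and an ephemeral destination port. The following is an added example, not code from the thread or from Cisco. It parses the `access-list 100` lines exactly as David posted them, evaluates constructed sample packets against them, and then evaluates a hypothetical variant (`RETURN_TRAFFIC_ACL`, an assumption of mine, not something anyone in the thread proposed) that adds return-traffic entries for the two DNS servers. Supported syntax is the subset used here: `any`, `host A`, `A WILDCARD`, `eq`/`gt`/`lt` port operators, `established`, ICMP type names and a trailing `log`.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copied from the posted config (applied "ip access-group 100 in" on Serial0/0).
POSTED_ACL = """
access-list 100 permit ip any host 63.161.251.7
access-list 100 permit ip any host 63.161.251.1
access-list 100 permit tcp any host 63.161.251.2 eq 443
access-list 100 permit tcp any host 63.161.251.2 eq 80
access-list 100 permit tcp any host 63.161.251.2 eq 25
access-list 100 permit tcp any host 63.161.251.4 eq 53
access-list 100 permit tcp any host 63.161.251.5 eq 53
access-list 100 permit udp any host 63.161.251.4 eq 53
access-list 100 permit udp any host 63.161.251.5 eq 53
access-list 100 permit udp any host 63.161.251.4 eq 123
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any host 63.161.251.2 echo
access-list 100 deny ip any any log
"""

# Hypothetical variant (my assumption, not from the thread): same entries plus
# lines that admit the reply half of the servers' own outbound lookups, i.e.
# packets *from* port 53 to a high port on the server.
RETURN_TRAFFIC_ACL = POSTED_ACL.replace(
    "access-list 100 deny ip any any log",
    "access-list 100 permit udp any eq 53 host 63.161.251.4 gt 1023\n"
    "access-list 100 permit udp any eq 53 host 63.161.251.5 gt 1023\n"
    "access-list 100 permit tcp any eq 53 host 63.161.251.4 gt 1023 established\n"
    "access-list 100 permit tcp any eq 53 host 63.161.251.5 gt 1023 established\n"
    "access-list 100 deny ip any any log",
)

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # "echo" / "echo-reply" for ICMP
    ack: bool = False     # TCP ACK/RST set, i.e. what "established" matches

@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[int, int]                 # (address, wildcard mask) as integers
    sport: Optional[Tuple[str, int]]     # (operator, port) or None
    dst: Tuple[int, int]
    dport: Optional[Tuple[str, int]]
    icmp_type: Optional[str]
    established: bool
    text: str

def _addr(t: List[str], i: int):
    """Consume an IOS address spec (any | host A | A WILDCARD) at t[i]."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def _port(t: List[str], i: int):
    """Consume an optional port operator (eq | gt | lt N) at t[i]."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], int(t[i + 1])), i + 2
    return None, i

def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rest = t[i:]
        icmp_type = rest[0] if proto == "icmp" and rest and rest[0] != "log" else None
        entries.append(Entry(action, proto, src, sport, dst, dport, icmp_type,
                             "established" in rest, line.strip()))
    return entries

def _match_addr(spec, ip: str) -> bool:
    addr, wild = spec   # wildcard bit set = "don't care", as in IOS
    return (int(ipaddress.IPv4Address(ip)) & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF)

def _match_port(spec, port: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]

def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First-match evaluation with the implicit deny at the end, as IOS does it."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_match_addr(e.src, pkt.src) and _match_addr(e.dst, pkt.dst)):
            continue
        if e.proto in ("tcp", "udp"):
            if not (_match_port(e.sport, pkt.sport) and _match_port(e.dport, pkt.dport)):
                continue
            if e.established and not pkt.ack:
                continue
        if e.proto == "icmp" and e.icmp_type and e.icmp_type != pkt.icmp_type:
            continue
        return e.action, e.text
    return "deny", None   # implicit deny

# Constructed sample traffic arriving on Serial0/0 from the Internet.
INBOUND_QUERY = Packet("udp", "198.51.100.10", "63.161.251.4", sport=40000, dport=53)
REPLY_TO_SERVER = Packet("udp", "198.51.100.53", "63.161.251.4", sport=53, dport=51234)
PING_REPLY = Packet("icmp", "198.51.100.10", "63.161.251.4", icmp_type="echo-reply")

def demo() -> dict:
    posted, fixed = parse_acl(POSTED_ACL), parse_acl(RETURN_TRAFFIC_ACL)
    return {
        "query_posted": evaluate(posted, INBOUND_QUERY)[0],    # "permit"
        "reply_posted": evaluate(posted, REPLY_TO_SERVER)[0],  # "deny"
        "reply_fixed": evaluate(fixed, REPLY_TO_SERVER)[0],    # "permit"
    }

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("with return entries", RETURN_TRAFFIC_ACL)):
        for pkt in (INBOUND_QUERY, REPLY_TO_SERVER, PING_REPLY):
            action, line = evaluate(parse_acl(acl), pkt)
            print(f"{name:20} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
                  f" => {action} ({line})")
```

Two points the run makes visible. First, the posted list uses the 63.161.251.x global addresses, and that is what an inbound ACL on the outside interface actually sees: IOS checks the input access list before it performs the outside-to-inside NAT translation, so the global address is the right one to match on for this direction. Second, the constructed reply packet (source port 53, destination port 51234) falls through to `deny ip any any log`, which is where the `(xxx matches)` counters Jerry mentions would accumulate. The static `gt 1023` and `established` entries in the variant let that reply through, but they also accept any packet sourced from port 53 toward a high port on those servers, so they are a diagnostic illustration rather than a recommended end state; a stateful mechanism that tracks the server's own outbound lookups is the tighter fix.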