05-05-2018 04:00 AM - edited 02-21-2020 07:42 AM
Hello
I want to create an access control list on a router that does the following:
1) Deny all inbound traffic with network addresses matching internal-registered IP addresses
2) Deny all ICMP echo request traffic
3) Deny all inbound Microsoft Active Directory traffic
4) Deny all inbound Microsoft SQL Server ports
5) Deny all Microsoft domain local broadcast traffic
6) Allow traffic to the SMTP server
7) Allow traffic to the internal IMAP server
I also have to remove this from my start-up configuration:
ip nat inside source list 100 interface Serial1/0 overload
My Router0 configuration is as follows:
Router#show run
Router#show running-config
Building configuration...
Current configuration : 1344 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 10.1.11.10 255.255.255.0
ip nat inside
duplex auto
speed auto
standby 1 ip 10.1.11.12
standby 1 priority 110
standby 1 preempt
!
interface Serial1/0
ip address 203.1.1.2 255.255.255.0
ip nat outside
!
interface Serial1/1
no ip address
clock rate 2000000
shutdown
!
interface Serial1/2
no ip address
clock rate 2000000
shutdown
!
interface Serial1/3
no ip address
clock rate 2000000
shutdown
!
interface Serial1/4
no ip address
clock rate 2000000
shutdown
!
interface Serial1/5
no ip address
clock rate 2000000
shutdown
!
interface Serial1/6
no ip address
clock rate 2000000
shutdown
!
interface Serial1/7
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 100 interface Serial1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 203.1.1.1
ip route 10.1.20.0 255.255.255.0 10.1.11.1
!
ip flow-export version 9
!
!
!
no cdp run
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Labels: NGFW Firewalls
05-05-2018 09:02 AM
05-05-2018 09:07 AM
Can 8.8.8.8 ping 203.1.1.1?
Which router is your traffic routed out of? Can you see if the traffic is being NATted? Ping from one of the PCs and run "show ip nat translations" on the router that the traffic is routed through.
05-05-2018 09:10 AM
05-05-2018 09:17 AM
What is the output?
05-05-2018 09:23 AM
05-05-2018 09:31 AM
Which router is the primary? Please show the output of "show standby".
05-05-2018 09:40 AM
FastEthernet0/1 - Group 1
State is Active
5 state changes, last state change 00:00:27
Virtual IP address is 10.1.11.12
Active virtual MAC address is 0000.0C07.AC01
Local virtual MAC address is 0000.0C07.AC01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.993 secs
Preemption enabled
Active router is local
Standby router is 10.1.11.11, priority 100 (expires in 6 sec)
Priority 110 (configured 110)
Group name is hsrp-Fa0/1-1 (default)
05-05-2018 09:47 AM
Please upload the running-config.
05-05-2018 09:51 AM
Building configuration...
Current configuration : 2205 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname Router
!
!
!
enable secret 5 $1$mERr$Hx2QiWoH8y5il7TEorRvk/
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 10.1.11.10 255.255.255.0
ip nat inside
duplex auto
speed auto
standby 1 ip 10.1.11.12
standby 1 priority 110
standby 1 preempt
!
interface Serial1/0
ip address 203.1.1.2 255.255.255.0
ip access-group WAN_ACL in
ip nat outside
!
interface Serial1/1
no ip address
clock rate 2000000
shutdown
!
interface Serial1/2
no ip address
clock rate 2000000
shutdown
!
interface Serial1/3
no ip address
clock rate 2000000
shutdown
!
interface Serial1/4
no ip address
clock rate 2000000
shutdown
!
interface Serial1/5
no ip address
clock rate 2000000
shutdown
!
interface Serial1/6
no ip address
clock rate 2000000
shutdown
!
interface Serial1/7
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 100 interface Serial1/0 overload
ip nat inside source static tcp 10.1.11.20 25 203.1.1.2 25
ip nat inside source static tcp 10.1.11.20 143 203.1.1.2 143
ip nat inside source static tcp 10.1.11.20 993 203.1.1.2 993
ip classless
ip route 0.0.0.0 0.0.0.0 203.1.1.1
ip route 10.1.20.0 255.255.255.0 10.1.11.1
!
ip flow-export version 9
!
!
ip access-list extended WAN_ACL
permit tcp any host 203.1.1.2 eq smtp
permit tcp any host 203.1.1.2 eq 993
permit tcp any host 203.1.1.2 eq 443
permit tcp any host 203.1.1.2 eq 143
permit udp any host 203.1.1.2 eq 443
permit tcp any host 203.1.1.2 eq domain
permit udp any host 203.1.1.2 eq domain
permit icmp any any echo-reply
permit icmp any any unreachable
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.0.15.255 any
deny ip any any
!
no cdp run
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
05-05-2018 10:00 AM
Add (above the deny ip any any rule):
ip access-list extended WAN_ACL
permit tcp any eq 80 host 203.1.1.2
A stateful firewall in this instance would be better (in the real world); it allows return traffic without having to explicitly permit the return traffic.
05-05-2018 10:05 AM
05-05-2018 10:13 AM
If you run the command "show ip access-list WAN_ACL":
BRANCH-1-RTR(config)#do sh ip access-list WAN_ACL
Extended IP access list WAN_ACL
10 permit tcp any host 2.2.2.1 eq www (6 matches)
20 deny ip any any log (299 matches)
Have a look at the sequence numbers; you would then add a sequence number lower than 20, e.g.:
BRANCH-1-RTR(config)#15 permit icmp any host 2.2.2.1
BRANCH-1-RTR#show ip access-lists WAN_ACL
Extended IP access list WAN_ACL
10 permit tcp any host 2.2.2.1 eq www (6 matches)
15 permit icmp any host 2.2.2.1 (4 matches)
20 deny ip any any log-input (327 matches)
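The ordering the two replies above depend on, as an added example (Python, not part of the thread or any Cisco code): a small first-match simulator loaded with the posted WAN_ACL, in which a permit added without a sequence number lands at 170 below `deny ip any any`, while `155 permit ...` lands above it; it also shows that the anti-spoofing denies, sitting below the service permits, do not stop a packet with a 10.0.0.0/8 source from matching the SMTP permit. Packet tuples and addresses such as 198.51.100.7 are constructed test input, and the parser covers only the ACE forms used in this thread.

```python
import functools
import ipaddress

def _addr(t, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at t[i] -> (matcher, next index)
    if t[i] == "any":
        return (lambda ip: True), i + 1
    net = ipaddress.ip_network(t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}")  # wildcard = hostmask
    return (lambda ip: ipaddress.ip_address(ip) in net), i + 2

def _port(t, i):  # optional 'eq <port>' at t[i] -> (port number or None, next index)
    p = t[i + 1] if i < len(t) and t[i] == "eq" else None
    return (None, i) if p is None else ({"smtp": 25, "domain": 53, "www": 80}.get(p) or int(p), i + 2)

def parse_ace(line):  # '15 permit tcp any eq 80 host 203.1.1.2' -> dict; seq is None when omitted
    t = line.split()
    seq = int(t.pop(0)) if t[0].isdigit() else None
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    if t[1] == "icmp" and i < len(t) and t[i] != "log":
        dport = t[i]  # ICMP type keyword such as echo-reply
    return dict(seq=seq, action=t[0], proto=t[1], src=src, sport=sport, dst=dst, dport=dport)

def add_ace(acl, line):
    """IOS behaviour: no sequence number -> appended at last+10 (below 'deny ip any any'); with one -> inserted in order."""
    ace = parse_ace(line)
    ace["seq"] = ace["seq"] or (acl[-1]["seq"] + 10 if acl else 10)
    acl.append(ace)
    acl.sort(key=lambda a: a["seq"])
    return acl

def build_acl(lines):  # e.g. build_acl(WAN_ACL_LINES) -> list of ACEs ordered by sequence number
    return functools.reduce(add_ace, lines, [])

def evaluate(acl, pkt):
    """pkt = (proto, src, dst, sport, dport); for icmp, dport is the type keyword. First match wins."""
    proto, src, dst, sport, dport = pkt
    for a in acl:
        if (a["proto"] in ("ip", proto) and a["src"](src) and a["dst"](dst)
                and a["sport"] in (None, sport) and a["dport"] in (None, dport)):
            return a["action"], a["seq"]
    return "deny", None  # the implicit deny at the end of every IOS ACL

WAN_ACL_LINES = [  # the WAN_ACL exactly as posted in the thread; IOS numbers these 10, 20, ... 160
    "permit tcp any host 203.1.1.2 eq smtp", "permit tcp any host 203.1.1.2 eq 993", "permit tcp any host 203.1.1.2 eq 443",
    "permit tcp any host 203.1.1.2 eq 143", "permit udp any host 203.1.1.2 eq 443", "permit tcp any host 203.1.1.2 eq domain",
    "permit udp any host 203.1.1.2 eq domain", "permit icmp any any echo-reply", "permit icmp any any unreachable",
    "deny ip 127.0.0.0 0.255.255.255 any", "deny ip 192.0.2.0 0.0.0.255 any", "deny ip 224.0.0.0 31.255.255.255 any",
    "deny ip 10.0.0.0 0.255.255.255 any", "deny ip 192.168.0.0 0.0.255.255 any", "deny ip 172.16.0.0 0.0.15.255 any",
    "deny ip any any"]
```

Evaluating a web reply `("tcp", "198.51.100.80", "203.1.1.2", 80, 51000)` against `build_acl(WAN_ACL_LINES)` hits the final deny, stays denied after `add_ace(acl, "permit tcp any eq 80 host 203.1.1.2")` (sequence 170), and is permitted only after `add_ace(acl, "155 permit tcp any eq 80 host 203.1.1.2")`.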
05-05-2018 10:27 AM
Router(config)#do sh ip access-list WAN_ACL
Extended IP access list WAN_ACL
permit tcp any host 203.1.1.2 eq smtp
permit tcp any host 203.1.1.2 eq 993
permit tcp any host 203.1.1.2 eq 443
permit tcp any host 203.1.1.2 eq 143
permit udp any host 203.1.1.2 eq 443
permit tcp any host 203.1.1.2 eq domain
permit udp any host 203.1.1.2 eq domain
permit icmp any any echo-reply
permit icmp any any unreachable
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.0.15.255 any
deny ip any any
05-05-2018 10:29 AM
05-05-2018 10:40 AM
Hello RJI, I know this topic is different from this one, but I shall be grateful if you kindly give me an idea.
Attached is the image file showing a server with two different NICs connected to two different Layer 2 switches. Now my query:
1) How can we use NIC teaming on a server in Packet Tracer?
2) Suppose one link goes down; how can it transfer to the other link, as shown in the image file?
