03-19-2004 04:12 PM - edited 02-20-2020 11:18 PM
I need to set up a public LAN. We currently have a 2651 router running version 12.2(2)T1 of the IOS. We have the dual-port Ethernet and already have a stable private LAN. I know that I have to create an access list for the F0/1 (public) port and have an IP address defined; when I do the no shutdown on the F0/1 I get line up, protocol down. I am not seeing what would cause the protocol to stay down. The access list is defined:
permit icmp 207.228.41.56 0.0.0.7 any
deny ip any any
ON THE INBOUND of F0/1
and then
permit udp any host 207.228.41.62 eq domain
permit tcp any host 207.228.41.62 eq domain
permit tcp any host 207.228.41.62 eq www
permit tcp any host 207.228.41.62 eq ftp
permit tcp any host 207.228.41.62 eq smtp
permit icmp any 207.228.41.56 0.0.0.7 administratively-prohibited
permit icmp any 207.228.41.56 0.0.0.7 echo
permit icmp any 207.228.41.56 0.0.0.7 echo-reply
permit icmp any 207.228.41.56 0.0.0.7 packet-too-big
permit icmp any 207.228.41.56 0.0.0.7 time-exceeded
permit icmp any 207.228.41.56 0.0.0.7 traceroute
permit icmp any 207.228.41.56 0.0.0.7 unreachable
deny ip any any
ON THE INBOUND for S0/0 - line in from Internet
I can't ping anything on the F0/1 port.
Any help would be helpful. I have jumped with both feet into this; there is no one in house with any knowledge of Cisco commands, and since everyone here knows I attended a couple of classes I have been dubbed the holder of the configurations.
Thank you for your time - a newbie. =-)
03-22-2004 03:12 PM
If your line protocol is down then forget about pinging anything on that interface until you get it up. Check your cabling and the speed/duplex settings on both the fa0/1 interface and the switch/hub you're connecting it into.
After that, remove the "permit icmp, deny any" ACL on the fa0/1 interface, because this will stop all return traffic from getting out. Just use the inbound ACL on s0/0 to protect that segment. You might also want to add the following:
permit tcp any host 207.228.41.62 eq ftp-data
to allow the FTP data channel through. Check you don't also need HTTPS access (in addition to www) and POP3 (in addition to SMTP), allow these in if necessary.
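To see why the answer says the inbound ACL on fa0/1 blocks return traffic, here is an added example (not from the original thread or from Cisco) that models IOS stateless ACL evaluation in Python: first matching entry wins, and an applied ACL ends with an implicit deny. It parses the two ACLs quoted in the question (plus the ftp-data entry the answer recommends) and runs constructed sample packets through them. The Internet-side address 198.51.100.10 and the client port are made up for the illustration; the 207.228.41.x addresses are the ones in the thread.

```python
"""Stateless ACL evaluation, added as a worked example (not the thread's own code).

Models the two ACLs from the question. "Inbound" on F0/1 means packets arriving
from the public LAN hosts, so the server's own replies are what the F0/1 ACL
sees, and "deny ip any any" drops every non-ICMP reply.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Well-known port names used in the quoted ACL entries.
PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21, "ftp-data": 20,
              "smtp": 25, "https": 443, "pop3": 110}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"


def _match_addr(tokens, idx, addr):
    """Consume one address spec (any | host A | A WILDCARD); return (matched, next_idx)."""
    tok = tokens[idx]
    if tok == "any":
        return True, idx + 1
    if tok == "host":
        return IPv4Address(tokens[idx + 1]) == IPv4Address(addr), idx + 2
    base, wild = int(IPv4Address(tok)), int(IPv4Address(tokens[idx + 1]))
    mask = 0xFFFFFFFF ^ wild          # Cisco wildcard: 1 bits are "don't care"
    return (int(IPv4Address(addr)) & mask) == (base & mask), idx + 2


def _entry_matches(entry, pkt):
    tokens = entry.split()
    proto = tokens[1]
    if proto != "ip" and proto != pkt.proto:
        return False
    ok, i = _match_addr(tokens, 2, pkt.src)
    if not ok:
        return False
    ok, i = _match_addr(tokens, i, pkt.dst)
    if not ok:
        return False
    rest = tokens[i:]
    if not rest:
        return True
    if rest[0] == "eq":
        port = PORT_NAMES.get(rest[1])
        port = int(rest[1]) if port is None else port
        return pkt.dport == port
    # Any remaining keyword is an ICMP message type.
    return pkt.proto == "icmp" and pkt.icmp_type == rest[0]


def evaluate(acl, pkt):
    """Return 'permit' or 'deny'. acl=None means no ACL applied, so everything is forwarded."""
    if acl is None:
        return "permit"
    for entry in acl:
        if _entry_matches(entry, pkt):
            return entry.split()[0]
    return "deny"                     # implicit deny at the end of every IOS ACL


# The ACLs as quoted in the question (F0/1 inbound, S0/0 inbound).
F01_INBOUND = [
    "permit icmp 207.228.41.56 0.0.0.7 any",
    "deny ip any any",
]
S00_INBOUND = [
    "permit udp any host 207.228.41.62 eq domain",
    "permit tcp any host 207.228.41.62 eq domain",
    "permit tcp any host 207.228.41.62 eq www",
    "permit tcp any host 207.228.41.62 eq ftp",
    "permit tcp any host 207.228.41.62 eq smtp",
    "permit tcp any host 207.228.41.62 eq ftp-data",   # entry the answer recommends adding
    "permit icmp any 207.228.41.56 0.0.0.7 echo",
    "permit icmp any 207.228.41.56 0.0.0.7 echo-reply",
    "permit icmp any 207.228.41.56 0.0.0.7 unreachable",
    "deny ip any any",
]

# Constructed sample traffic: a web request from the Internet and the server's reply.
HTTP_REQUEST = Packet("tcp", "198.51.100.10", "207.228.41.62", dport=80)
HTTP_REPLY = Packet("tcp", "207.228.41.62", "198.51.100.10", dport=49152)
ECHO_REPLY = Packet("icmp", "207.228.41.62", "198.51.100.10", icmp_type="echo-reply")


def demo():
    """Evaluate each sample packet on the interface where it arrives."""
    return {
        "http_request_in_s0/0": evaluate(S00_INBOUND, HTTP_REQUEST),
        "http_reply_in_f0/1_with_acl": evaluate(F01_INBOUND, HTTP_REPLY),   # dropped
        "http_reply_in_f0/1_no_acl": evaluate(None, HTTP_REPLY),            # the fix
        "echo_reply_in_f0/1_with_acl": evaluate(F01_INBOUND, ECHO_REPLY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The request is permitted by the S0/0 ACL, but the server's TCP reply arriving inbound on F0/1 matches only "deny ip any any", which is the breakage the answer describes; removing that ACL (modelled as `None`) lets the reply through, and the S0/0 inbound ACL still limits what the Internet can initiate toward the segment.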