06-23-2003 01:18 PM - edited 03-02-2019 08:21 AM
Hello,
I'm a beginner on Cisco so I have a stupid question maybe.
Can I use access-lists to redirect certain traffic (for example www) to a computer in my internal LAN? I have a 1605 router as connection to the Internet. I want to set up a webserver, how do I access it from the outside?
Help!
06-23-2003 03:51 PM
You can secure your router and internal network by applying access lists to the internet interface to only allow the traffic you want, e.g. HTTP traffic to your web server.
The following URL describes how to use access lists and other ways of securing the router from unauthorised access:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd2016.htm
06-24-2003 12:28 AM
You don't have any example of how to direct HTTP traffic to my webserver on the inside (192.168.1.5)? The router has IP 192.168.1.1 on the LAN.
Can't find any good example on Cisco's page.
06-24-2003 04:34 AM
You can use PAT (port address translation). Here is an example:
http://www.cisco.com/warp/public/794/827spat.html
I recommend using the access-list to block unwanted traffic, not to redirect traffic to your web server.
Greetings,
Mathijs Versteeg
LEMONTREE
06-24-2003 06:01 AM
Sorry, I can't use NAT and PAT because I have only IOS 11.3. Must have at least 12.1 for that, isn't it? I can't upgrade it either.
But is it possible to use access-lists to redirect traffic?
06-25-2003 04:50 AM
I also use a 1605 router. To support higher IOS versions I load the software from a TFTP server, creating more possibilities on the router.
You can use the boot system tftp command for this and place the right IOS image in the TFTP root. You can use a free TFTP server (e.g. downloadable at www.solarwinds.net).
06-24-2003 12:32 PM
Can an access-list like this work?
"access-list 101 permit tcp any host 192.168.1.5 eq www"
But what do I need more to get it to work?
06-24-2003 10:53 PM
The ACL is right.
All you have to do is to apply to the outside (WAN) interface of the router:
int serial0
ip access-group 101 in
HTH
06-29-2003 09:27 PM
The rest of the posts are fine... use PAT for the HTTP redirects from the outside to the inside and use the ACL to do the blocking & permissioning.
Couple things to be careful of and some suggestions:
1. Be aware that an ACL can be applied to both inbound and outbound on the interface. Just be careful.
2. Even though the "deny all" is implied at the end of the ACL you've created, it is recommended that you actually put one in. The advantage is that you are then able to see the failures when the logging is active. Otherwise they fall into a bit bucket. Helps with your diagnostics.
3. Suggest you use a readily available port sweep device (freeware) directed against your router to be absolutely sure only what you believe is open is open. If you do this, I further suggest that you do it over a cross-over network cable rather than on your ISP connection so as to prevent an inadvertent mis-direct.
Good luck.
06-30-2003 07:16 AM
I believe you will also need a static NAT translation defining what public IP maps to the webserver.
07-21-2003 11:34 AM
What would such a config line look like?
I can't figure it out...
06-30-2003 10:55 AM
In order for you to use a webserver, you must first assign it a public IP address. The private IP address you have assigned to your web server will not allow outside users to access your website. You will need at least one static IP (public) if you want to statically translate your private IP to a public IP. I noticed, however, that your IOS does not support NAT/PAT, so this would not work.
Another option is for you to obtain a public subnet (a 30 bit mask would work perfectly). Assign one of the IP addresses as a secondary IP address on your router's ethernet port and assign the other IP to your server. In that case, the previously posted access-list statement would work just fine, only you would replace the private IP with the public IP you assign the server.
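The pieces discussed in this thread put together, as an added example that is not from any of the posters: a static port translation for the web server, the inbound ACL with an explicit logged deny, and the interface bindings. It assumes an IOS image with NAT support; 203.0.113.10 is a constructed placeholder for the public address, and the interface names follow the 1605 described above.

```cisco
! Added example; addresses other than 192.168.1.1 and 192.168.1.5 are placeholders.
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ! LAN side: traffic from here is "inside" for translation purposes
 ip nat inside
!
interface Serial0
 ! WAN side: translation happens as packets cross between inside and outside
 ip nat outside
 ! Filter what arrives from the Internet
 ip access-group 101 in
!
! Static port translation: TCP/80 on the public address goes to the web server.
! This line does the redirect; the ACL below only filters.
ip nat inside source static tcp 192.168.1.5 80 203.0.113.10 80
!
! The inbound ACL on the outside interface is checked before the translation,
! so it must match the public address, not 192.168.1.5.
access-list 101 permit tcp any host 203.0.113.10 eq www
! Let replies to TCP sessions opened from the LAN back in. Other return
! traffic (for example DNS over UDP) needs its own permit entries.
access-list 101 permit tcp any any established
! Explicit final deny: same effect as the implicit one, but matches are
! counted and logged, so dropped traffic is visible during diagnostics.
access-list 101 deny ip any any log
```

`show access-lists 101` displays the per-entry match counters, and `show ip nat translations` confirms that the static entry is installed.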