Can I use access-lists to redirect certain traffic?

gold78
Level 1

Hello,

I'm a beginner on Cisco, so maybe I have a stupid question.

Can I use access-lists to redirect certain traffic (for example www) to a computer in my internal LAN? I have a 1605 router as my connection to the Internet. I want to set up a web server; how do I access it from the outside?

Help!

11 Replies

rsissons
Level 5

You can secure your router and internal network by applying access lists to the Internet interface to only allow the traffic you want, e.g. HTTP traffic to your web server.

The following URL describes how to use access lists and other ways of securing the router from unauthorised access:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd2016.htm

Don't you have any example of how to direct HTTP traffic to my web server on the inside (192.168.1.5)? The router has IP 192.168.1.1 on the LAN.

I can't find any good example on Cisco's page.

You can use PAT (port address translation); here is an example:

http://www.cisco.com/warp/public/794/827spat.html

I recommend using the access-list to block unwanted traffic, not to redirect traffic to your web server.

Greetings,

Mathijs Versteeg

LEMONTREE

Sorry, I can't use NAT and PAT because I only have IOS 11.3. You must have at least 12.1 for that, isn't it? I can't upgrade it either.

But is it possible to use access-lists to redirect traffic?

I also use a 1605 router. To support higher IOS versions I load the software from a TFTP server, which creates more possibilities on the router.

You can use the boot system tftp command for this and place the right IOS image in the TFTP root. You can use a free TFTP server (e.g. downloadable at www.solarwinds.net).

http://www.cisco.com/en/US/products/sw/iosswrel/ps1826/products_command_summary_chapter09186a00800d9b4b.html#xtocid82864

Can an access-list like this work?

"access-list 101 permit tcp any host 192.168.1.5 eq www"

But what do I need more to get it to work?

The ACL is right.

All you have to do is apply it to the outside (WAN) interface of the router:

int serial0

ip access-group 101 in

HTH

The rest of the posts are fine... use PAT for the HTTP redirects from the outside to the inside and use the ACL to do the blocking & permissioning.

A couple of things to be careful of, and some suggestions:

1. Be aware that an ACL can be applied to both inbound and outbound on the interface. Just be careful.

2. Even though the "deny all" is implied at the end of the ACL you've created, it is recommended that you actually put one in. The advantage is that you are then able to see the failures when logging is active. Otherwise they fall into a bit bucket. This helps with your diagnostics.

3. Suggest you use a readily available port sweep device (freeware) directed against your router to be absolutely sure only what you believe is open is open. If you do this, I further suggest that you do it over a cross-over network cable rather than on your ISP connection so as to prevent an inadvertent mis-direct.

Good luck.

support
Level 1

I believe you will also need a static NAT translation defining which public IP maps to the web server.

What would such a config line look like?

I can't figure it out..

forbesl
Level 1

In order for you to use a webserver, you must first assign it a public IP address. The private IP address you have assigned to your web server will not allow outside users to access your website. You will need at least one static IP (public) if you want to statically translate your private IP to a public IP. I noticed, however, that your IOS does not support NAT/PAT, so this would not work.

Another option is for you to obtain a public subnet (a 30-bit mask would work perfectly). Assign one of the IP addresses as a secondary IP address on your router's Ethernet port and assign the other IP to your server. In that case, the previously posted access-list statement would work just fine, only you would replace the private IP with the public IP you assign to the server.
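Putting forbesl's public-subnet option together with the inbound ACL and the explicit logged deny suggested earlier in the thread, as an added configuration example that is not from any poster. It assumes a constructed /30 from the documentation range (203.0.113.0/30) for the ISP-assigned public subnet, the web server readdressed to 203.0.113.2, and Serial0 as the Internet-facing interface.

```cisco
! Added example, not from the thread. 203.0.113.0/30 is a constructed
! placeholder for the public /30 the ISP would assign.
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip address 203.0.113.1 255.255.255.252 secondary
!
! Permit only HTTP to the server's public address, let replies to TCP
! sessions the LAN opened outbound come back in, and end with an explicit
! logged deny so drops appear in "show access-lists" / "show logging"
! instead of vanishing into the implicit deny.
access-list 101 permit tcp any host 203.0.113.2 eq www
access-list 101 permit tcp any any established
access-list 101 deny ip any any log
!
interface Serial0
 ip access-group 101 in
!
! Alternative on an IOS that does support NAT (the thread says this 11.3
! image does not): keep the server on 192.168.1.5 and map a public address
! to it. The inbound ACL is evaluated before translation, so access-list 101
! above still matches on the public address 203.0.113.2.
! ip nat inside source static 192.168.1.5 203.0.113.2
! interface Ethernet0
!  ip nat inside
! interface Serial0
!  ip nat outside
```

Note that the "established" line only covers TCP; without it the implicit or explicit deny also blocks the replies to the LAN's own outbound connections, and UDP replies such as DNS still need their own permit entries.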