08-17-2002 03:46 AM - edited 03-02-2019 12:44 AM
Hi,
I have an ISDN dial-up configured on the router and I require a simple
configuration to be done, which I am having a small problem with. I
hope you could please suggest a solution to it.
The requirement is that with the command
access-list 110 permit ip any any
all the IPs on the network x.x.x.x are allowed to browse the internet,
download POP3 mail, and everything is fine.
But I would like to restrict only www to a few IP addresses,
and only POP3 for a few IP addresses and no browsing,
and everything for a few IP addresses ....
I know that the only way would be access lists, but I am not able
to understand where exactly the access lists are put, on the interface
or as in the configuration below ...
Access-list 110 permit ip host x.x.x.x any
Access-list 110 permit tcp host x.x.x.1 any eq www
Access-list 110 permit tcp host x.x.x.2 any eq pop3
Access-list 110 deny ip any any
Do I define this as the access list (number 110, the extended access list)
referred to by the 'inside source list 110' command, based on which the
NATing is going to take place? Is this right or not? Because I did not
see this work at all, but if I give the command ...
Access-list 110 permit ip any any
all the computers on the LAN are able to browse the network and mail and
all without any problems.
Please go through the configuration and let me know where changes have
to be made to bring about the above results, insha Allah.
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname Router
!
enable password router
!
no ip name-server
!
isdn switch-type basic-net3
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface Dialer 1
description connected to Internet
ip nat outside
ip address negotiated
no ip split-horizon
encapsulation ppp
dialer in-band
dialer idle-timeout 120
dialer string 4004444
dialer hold-queue 10
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname alco
ppp chap password 123123dafasd
ppp pap sent-username alco password 121232asdsad
no ppp multilink
no cdp enable
!
interface Ethernet 0
no shutdown
ip nat inside
description connected to EthernetLAN
ip address 192.168.0.100 255.255.255.0
keepalive 10
!
interface BRI 0
no shutdown
ip nat outside
description connected to Internet
no ip address
dialer rotary-group 1
!
! Dialer Control List 1
!
access-list 110 permit ip any any
no dialer-list 1
dialer-list 1 protocol ip permit
!
ip classless
!
! IP Static Routes
ip nat inside source list 110 interface dialer 1 overload
ip route 0.0.0.0 0.0.0.0 Dialer 1
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
exec-timeout 0 0
password router
login
!
line vty 0 4
password router
login
!
end
08-18-2002 06:59 AM
It seems a little confusing to me. The list you specify in the ip nat inside source list command is the range of IP addresses on which the NAT operation will be performed; I don't think it is a good idea to use detailed extended ACLs there.
Better to leave it as it is, then put a second list (100, for example) for your filtering needs, and apply it inbound to the Ethernet interface (so as to control source IPs before they are NATted).
Hope this helps
Cagri
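The layout the reply above describes, as an added example that is not part of the original thread: list 110 keeps selecting traffic for NAT, and a separate list 100 filters inbound on Ethernet 0. The host addresses 192.168.0.10, .11 and .12 and the DNS line are assumptions made for illustration; the interface names and the 192.168.0.0/24 LAN come from the posted configuration.

```cisco
! Added example; hosts .10/.11/.12 are assumed, not taken from the thread.
!
! NAT selection stays broad. This list only decides which inside
! sources are translated, it is not the place for per-host policy.
access-list 110 permit ip any any
ip nat inside source list 110 interface Dialer 1 overload
!
! Filtering list. Entries are evaluated top down, first match wins,
! and anything not matched is dropped by the final deny.
access-list 100 remark host allowed everything
access-list 100 permit ip host 192.168.0.10 any
access-list 100 remark host allowed web browsing only
access-list 100 permit tcp host 192.168.0.11 any eq www
access-list 100 remark host allowed POP3 only
access-list 100 permit tcp host 192.168.0.12 any eq pop3
! Assumption: clients resolve names through a DNS server beyond the
! router, so lookups must pass or browsing by hostname fails.
access-list 100 permit udp 192.168.0.0 0.0.0.255 any eq domain
! Explicit deny with logging so blocked hosts show up in the log.
access-list 100 deny ip any any log
!
! Applied inbound on the LAN side, so the list sees the real
! 192.168.0.x source addresses before NAT rewrites them.
! Note: this also filters LAN traffic addressed to the router itself
! (192.168.0.100), so only the full-access host can still telnet to it.
interface Ethernet 0
 ip access-group 100 in
```

After applying it, `show access-lists 100` shows per-entry match counters, which confirms which line each host is hitting.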