02-20-2003 12:02 PM - edited 02-20-2020 09:20 PM
I am trying to secure my network from the outside world using FW IOS on a 2621.
I have created the ACLs I think I need, but am not sure which interface they need to be applied on and in which direction (in/out). I have supplied a copy of my config without the ACLs applied to the interfaces.
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname OOPINTRT100
!
no logging console
!
!
ip subnet-zero
no ip finger
ip domain-name ALTER.NET
ip name-server 198.6.1.2
ip name-server 172.31.3.9
!
ip inspect dns-timeout 30
ip inspect name to_internet ftp timeout 900
ip inspect name to_internet http timeout 300
ip inspect name to_internet smtp
ip inspect name to_internet tftp
ip inspect name to_internet udp timeout 30
ip inspect name to_internet tcp timeout 43200
ip inspect name to_internet cuseeme
ip inspect name to_internet h323
ip inspect name to_internet rcmd
ip inspect name to_internet realaudio
ip inspect name to_internet rtsp
ip inspect name to_internet sqlnet
ip inspect name to_internet streamworks
ip inspect name to_internet vdolive
ip inspect name to_internet fragment maximum 256 timeout 10
ip inspect name to_internet netshow
ip audit notify log
ip audit po max-events 100
!
!
interface FastEthernet0/0
description To NYCT Gateway Server
ip address 66.66.66.65 255.255.255.192
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
bandwidth 1536
no ip address
encapsulation frame-relay IETF
no ip mroute-cache
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
description Circuit wcomoh36544
bandwidth 1536
ip address 66.66.66.1 255.255.255.192
ip nat outside
no ip mroute-cache
no cdp enable
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/1
description TO OFFICE INTERNET
ip address 172.31.0.100 255.255.0.0
ip nat inside
ip inspect to_internet out
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
ip nat pool OHIO 66.66.66.2 66.66.66.2 netmask 255.255.255.192
ip nat inside source list internet_out pool OHIO overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 10.0.0.0 255.0.0.0 63.114.65.66
ip route 172.17.0.0 255.255.0.0 172.31.0.1
ip route 172.21.0.0 255.255.0.0 172.31.0.1
ip route 172.29.0.0 255.255.0.0 172.31.0.1
no ip http server
!
!
ip access-list extended NYCTA_out
permit tcp any any
permit udp any any
permit icmp any any
permit ip 10.0.0.0 0.0.0.255 any
!
!
ip access-list extended internet_in
deny ip 192.168.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
permit tcp any any eq 5900
permit tcp any any eq 50
permit tcp any any eq 51
permit udp any any eq isakmp
permit icmp any any echo-reply
permit icmp any any administratively-prohibited
permit icmp any any traceroute
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any redirect
permit tcp any any eq 22
permit ip 10.0.0.0 0.0.0.255 any
deny ip any any
ip access-list extended internet_out
permit tcp any any
permit udp any any
permit icmp any any
permit ip 172.16.0.0 0.15.255.255 any
02-24-2003 05:55 AM
Based on your config, you will apply "internet_in" inbound on the Serial0/0.1 interface. I cannot tell which interface you would apply the "NYCTA_out" list on because, although you have a route for the 10.x.x.x subnet, it points to a next-hop address of 63.114.65.66. You do not have an interface configured on this router that is connected to the 63 network, so the router will route traffic out the frame connection to your ISP to get to the 10.x.x.x subnet. Since the 10.x.x.x subnet is a private, unroutable subnet, this will not work. If you mistyped the next-hop address and the 10 subnet is really connected to the FastEthernet0/0 interface, you would apply the "NYCTA_out" list inbound on the FastEthernet0/0 interface.
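The placement the answer describes, written out as IOS configuration. This is an added example, not part of the thread or of the poster's running config: interface names, list names and addresses are taken from the posted config; the change to the CBAC inspect direction and the ESP/AH entries are corrections the thread itself does not make; and the 10.0.0.0/8 next hop is left as a placeholder because the answer could not determine it from the posted config.

```cisco
! Added example, not from the original post. Assumes the posted
! interface/list names; the 10.0.0.0/8 next hop is a placeholder.
!
! 1. Rebuild internet_in BEFORE applying it. IOS 12.1 has no ACL
!    sequence numbers, so new entries can only be appended (they would
!    land after "deny ip any any" and never match), and an interface
!    whose access-group names a list that does not exist permits all.
!    IPsec ESP/AH are IP protocols 50/51, not TCP ports; the posted
!    "permit tcp any any eq 50/51" lines never match IPsec traffic.
no ip access-list extended internet_in
ip access-list extended internet_in
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 permit tcp any any eq 5900
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit icmp any any echo-reply
 permit icmp any any administratively-prohibited
 permit icmp any any traceroute
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny icmp any any redirect
 permit tcp any any eq 22
 ! Shadowed by the "deny ip 10.0.0.0 0.255.255.255 any" above; kept
 ! only because it is in the posted list.
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip any any
!
! 2. Untrusted side: filter what the Internet may send in.
interface Serial0/0.1 point-to-point
 ip access-group internet_in in
!
! 3. CBAC must watch sessions in the direction the office initiates
!    them so their return traffic is opened through internet_in. The
!    posted "ip inspect to_internet out" on Fa0/1 inspects packets
!    leaving toward the LAN, i.e. Internet-to-inside, which is the
!    wrong direction for this design.
interface FastEthernet0/1
 no ip inspect to_internet out
 ip inspect to_internet in
!
! 4. NYCTA_out, only if the 10.0.0.0/8 network really sits behind
!    Fa0/0 as the answer supposes. The static route must then point at
!    a next hop on Fa0/0's subnet (66.66.66.64/26); the address is not
!    in the posted config, so it is left as a placeholder here.
! no ip route 10.0.0.0 255.0.0.0 63.114.65.66
! ip route 10.0.0.0 255.0.0.0 <next hop on 66.66.66.64/26>
interface FastEthernet0/0
 ip access-group NYCTA_out in
end
!
! 5. Verify: per-entry hit counters and the dynamic CBAC openings.
show ip access-lists internet_in
show ip inspect sessions
```

After a few minutes of normal office traffic, `show ip access-lists internet_in` should show hits on the ICMP and `deny ip any any` entries while `show ip inspect sessions` lists the outbound TCP/UDP sessions CBAC is tracking; if outbound browsing works only while internet_in is detached, the inspect direction is still wrong. Note also that the posted list admits TCP 5900 (VNC) and 22 from any Internet source; if the peers that need those ports are known, narrowing `any` to their addresses is the single biggest exposure reduction available in this list.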