Cisco 678 Setting filter rules help please

tedjordan
Level 1

I have a LAN connected to WAN via Cisco 678. In between the Cisco and the LAN is a NAT-ed switch. (Network values have been changed to protect the innocent.)

Cisco to Switch network is 200.50.100.0

The LAN network is 192.168.10.0

Let's say for example that I want to allow the following from the WAN into the LAN:

100.50.7.0 - allow network to access LAN

100.70.8.8 - allow system to access LAN

100.90.9.0 - allow network to access LAN for FTP & Telnet only

100.100.10.7 - allow system to access LAN for FTP & Telnet only

deny anything else

Allow users on LAN to ftp, telnet, send/recv email, etc. to internet

So I set up some rules like so:

set filter 0 on allow incoming all 100.50.7.0 255.255.255.0 0.0.0.0 0.0.0.0 protocol TCP srcport 1-65535 destport 1-65535

set filter 1 on allow incoming all 100.70.8.8 255.255.255.255 0.0.0.0 0.0.0.0 protocol TCP srcport 1-65535 destport 1-65535

set filter 2 on allow incoming all 100.90.9.0 255.255.255.0 0.0.0.0 0.0.0.0 protocol TCP srcport 1-65535 destport 23-23

set filter 3 on allow incoming all 100.90.9.0 255.255.255.0 0.0.0.0 0.0.0.0 protocol TCP srcport 1-65535 destport 21-21

set filter 4 on allow incoming all 100.100.10.7 255.255.255.255 0.0.0.0 0.0.0.0 protocol TCP srcport 1-65535 destport 23-23

set filter 5 on allow incoming all 100.100.10.7 255.255.255.255 0.0.0.0 0.0.0.0 protocol TCP srcport 1-65535 destport 21-21

set filter 6 on allow outgoing all 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol TCP srcport 1-65535 destport 1-65535

--- end of rules

Okay, the last line was put in so that I could send mail from LAN etc. Unfortunately, nothing could come in, so I set up this rule:

set filter 7 on allow incoming all 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol TCP srcport 1-65535 destport 1-65535

which works great, but allows everything in, including addresses I do not want to allow.

How do I lock out the world except for the networks and systems I want to allow, and at the same time allow the users in the LAN to use the internet?

thanx

ted

1 Reply

thomas.chen
Level 6

To learn more about configuring filters on your 678, you could refer to the 'set filter' command at http://www.cisco.com/en/US/products/sw/netmgtsw/ps528/products_user_guide_chapter09186a00800ead58.html#xtocid15

The relevant sections explain the command and also discuss a number of examples.

You could also refer to 'Filter Configuration Screen' at the URL http://www.cisco.com/en/US/products/sw/netmgtsw/ps528/products_user_guide_chapter09186a00800ead57.html#xtocid15
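Added example, not part of either post and not Cisco's code: a small Python model of the posted filters, showing why filters 0-6 drop the replies to LAN-initiated sessions and why filter 7 then admits everything. It assumes the filters are stateless allow rules with an implicit deny for unmatched packets, which is a simplification rather than documented CBOS behaviour; `REPLY_ONLY` and the sample packets are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    direction: str   # "incoming" or "outgoing"
    src: str         # source network, mask rewritten as a CIDR prefix
    sport: range
    dport: range

ANY = range(1, 65536)

def port(p):
    """Range covering a single port, like destport 23-23 in the post."""
    return range(p, p + 1)

# Filters 0-6 from the post. Destination is 0.0.0.0 0.0.0.0 (any) in every
# posted filter, so the model leaves it out. All rules are protocol TCP.
POSTED = [
    Rule("incoming", "100.50.7.0/24", ANY, ANY),
    Rule("incoming", "100.70.8.8/32", ANY, ANY),
    Rule("incoming", "100.90.9.0/24", ANY, port(23)),
    Rule("incoming", "100.90.9.0/24", ANY, port(21)),
    Rule("incoming", "100.100.10.7/32", ANY, port(23)),
    Rule("incoming", "100.100.10.7/32", ANY, port(21)),
    Rule("outgoing", "0.0.0.0/0", ANY, ANY),
]
FILTER_7 = Rule("incoming", "0.0.0.0/0", ANY, ANY)
# Hypothetical narrower rule (not from the post): SMTP-shaped replies only.
REPLY_ONLY = Rule("incoming", "0.0.0.0/0", port(25), range(1024, 65536))

def allowed(rules, direction, src, sport, dport):
    """Stateless check: any matching allow rule passes, otherwise deny (assumed)."""
    return any(
        r.direction == direction and ip_address(src) in ip_network(r.src)
        and sport in r.sport and dport in r.dport
        for r in rules
    )

# Constructed TCP packets; the 203.0.113.x addresses are made up.
MAIL_REPLY = ("incoming", "203.0.113.25", 25, 40000)    # answer to a LAN user's SMTP session
UNSOLICITED = ("incoming", "203.0.113.99", 51000, 23)   # telnet from an unlisted host
PARTNER_FTP = ("incoming", "100.90.9.14", 51000, 21)    # listed network, FTP

def verdicts(rules):
    return [allowed(rules, *p) for p in (MAIL_REPLY, UNSOLICITED, PARTNER_FTP)]

if __name__ == "__main__":
    print("filters 0-6:        ", verdicts(POSTED))
    print("filters 0-7:        ", verdicts(POSTED + [FILTER_7]))
    print("0-6 plus reply-only:", verdicts(POSTED + [REPLY_ONLY]))
```

A stateless rule keyed on source port cannot tell a genuine reply from a packet that merely claims source port 25, so the narrower rule reduces exposure without giving connection tracking.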