11-07-2013 10:19 AM - edited 03-04-2019 09:31 PM
Hi guys, I really need some help on this.
I'm trying to write a configuration for a Cisco 1800 router to allow access to a given list of websites. After writing the access list
and applying it, it kills my connection to the outside world. Below is the configuration; can someone please help?
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.200.9.62
ip dhcp excluded-address 10.200.9.126
ip dhcp excluded-address 10.200.9.190
ip dhcp excluded-address 10.200.9.1
!
ip dhcp pool TEST1
network 10.200.9.0 255.255.255.192
default-router 10.200.9.62
dns-server 4.2.2.1
!
ip dhcp pool TEST2
network 10.200.9.64 255.255.255.192
default-router 10.200.9.126
dns-server 4.2.2.1
!
ip dhcp pool TEST3
network 10.200.9.128 255.255.255.192
default-router 10.200.9.190
dns-server 4.2.2.1
!
!
!
........
!
!
!
!
!
!
interface FastEthernet0
no ip address
duplex auto
speed auto
!
interface FastEthernet0.101
encapsulation dot1Q 101
ip address 10.200.9.62 255.255.255.192
ip access-group 101 in
ip helper-address 10.200.9.1
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0.102
encapsulation dot1Q 102
ip address 10.200.9.126 255.255.255.192
ip helper-address 10.200.9.66
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0.103
encapsulation dot1Q 103
ip address 10.200.9.190 255.255.255.192
ip helper-address 10.200.9.129
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0.104
encapsulation dot1Q 104
ip address 10.200.9.193 255.255.255.192
no snmp trap link-status
!
interface FastEthernet1
ip address 192.168.0.199 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet1 overload
!
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 66.225.150.110 eq www
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 64.34.146.188 eq www
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 38.99.141.53 eq www
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 72.8.141.90 eq www
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 69.90.78.232 eq www
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 207.66.153.26 eq www
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 107.23.157.221 eq www
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 142.20.63.115 eq www
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 204.225.34.63 eq www
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 204.41.8.16 eq www
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 66.225.150.66 eq www
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 216.201.100.110 eq www
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 107.6.25.151 eq www
access-list 101 permit tcp 10.200.9.64 0.0.0.63 eq www any
access-list 101 permit tcp 10.200.9.128 0.0.0.63 eq www any
access-list 101 permit tcp 10.200.9.192 0.0.0.63 eq www any
!
!
!
11-07-2013 05:46 PM
You'll need to allow dns as well. Add:
access-list 101 permit udp 10.200.9.0 0.0.0.63 host 4.2.2.1 eq 53
HTH,
John
*** Please rate all useful posts ***
11-08-2013 09:09 AM
I believe that John has correctly identified a significant issue in the access list and it certainly needs to be addressed. I have a couple of other comments.
If access list 101 is applied inbound on interface FastEthernet0.101 then all of the source addresses should be in subnet 10.200.9.0. So these lines in the access list will never match any traffic:
access-list 101 permit tcp 10.200.9.64 0.0.0.63 eq www any
access-list 101 permit tcp 10.200.9.128 0.0.0.63 eq www any
access-list 101 permit tcp 10.200.9.192 0.0.0.63 eq www any
Also I notice that 3 of the interfaces have ip helper-address configured but the address specified in the helper address is in the local subnet. So the helper addresses will not be effective.
I would also comment that the static default route points just to the outbound interface. While that is fine if the interface is point-to-point serial, it can raise problems when the interface is Ethernet. So I would suggest that the default route should specify the next hop address.
HTH
Rick
11-08-2013 10:47 AM
I love this place. This is my first time here, so let me say thank you to all of you guys. I will look into this right now; I have my router and switch with me and I will make these changes right now.
11-12-2013 01:06 PM
Alright guys, so I made changes to the following code; it is a little different than before:
So the whole idea for this setup is that I want to be able to give clients on the 10.200.9.0 subnet internet access only to the provided websites; for anything outside of that, the page would not load. The clients that are on the 10.200.9.64 and .192 networks should have full access to the internet. Below is the rewritten code.
The problem that I am running into is that on the 10.200.9.0 subnet the pages take too long to load and time out.
Also, Mr. Burts, you stated that the helper address would not be effective (I'm a bit confused on that part). Should I have an access-list statement that states "access-list 101 permit udp 10.200.9.1 0.0.0.0 (not sure from this point)"?
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.200.9.62
ip dhcp excluded-address 10.200.9.126
ip dhcp excluded-address 10.200.9.190
ip dhcp excluded-address 10.200.9.1
ip dhcp excluded-address 10.200.9.194
!
ip dhcp pool test1
network 10.200.9.0 255.255.255.192
default-router 10.200.9.62
dns-server 4.2.2.1
!
ip dhcp pool test2
network 10.200.9.64 255.255.255.192
default-router 10.200.9.126
dns-server 4.2.2.1
!
ip dhcp pool test3
network 10.200.9.128 255.255.255.192
default-router 10.200.9.190
dns-server 4.2.2.1
!
!
!
!
!
...........
!
!
!
!
!
interface FastEthernet0
no ip address
duplex auto
speed auto
!
interface FastEthernet0.101
encapsulation dot1Q 101
ip address 10.200.9.62 255.255.255.192
ip access-group 101 in
ip helper-address 10.200.9.1
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0.102
encapsulation dot1Q 102
ip address 10.200.9.126 255.255.255.192
ip helper-address 10.200.9.66
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0.103
encapsulation dot1Q 103
ip address 10.200.9.190 255.255.255.192
ip helper-address 10.200.9.129
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0.104
encapsulation dot1Q 104 native
ip address 10.200.9.193 255.255.255.192
no snmp trap link-status
!
interface FastEthernet1
ip address 172.27.69.125 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface FastEthernet9
shutdown
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 172.27.69.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list NATLIST interface FastEthernet1 overload
!
ip access-list extended NATLIST
permit udp 10.200.9.0 0.0.0.63 host 4.2.2.1 eq domain
permit tcp 10.200.9.0 0.0.0.63 any eq www
permit tcp 10.200.9.128 0.0.0.63 any eq www
permit tcp 10.200.9.192 0.0.0.63 any eq www
permit tcp 10.200.9.64 0.0.0.63 any eq www
!
access-list 101 permit tcp any host 173.194.37.130 eq www
access-list 101 permit tcp any host 38.99.141.53 eq www
access-list 101 permit tcp any host 170.6.25.151 eq www
access-list 101 permit tcp any host 66.225.150.110 eq www
access-list 101 permit tcp any host 216.201.110.110 eq www
access-list 101 permit tcp any host 66.225.150.66 eq www
access-list 101 permit tcp any host 240.41.8.16 eq www
access-list 101 permit tcp any host 204.225.34.63 eq www
access-list 101 permit tcp any host 142.20.63.115 eq www
access-list 101 permit tcp any host 107.23.157.221 eq www
access-list 101 permit tcp any host 207.66.153.26 eq www
access-list 101 permit tcp any host 24.156.130.10 eq www
access-list 101 permit tcp any host 69.90.78.232 eq www
access-list 101 permit tcp any host 72.8.141.90 eq www
access-list 101 permit tcp any host 209.250.137.43 eq ftp
access-list 101 permit tcp any host 206.162.130.79 eq www
access-list 101 permit udp 10.200.9.0 0.0.0.63 host 4.2.2.1 eq domain
!
!
!
!
Thank you again for all the Help!!!!
11-12-2013 02:47 PM
The first issue that I notice is in your address translation. You have a permit for subnet 10.200.9.0 for DNS. But none of the other subnets have a permit for DNS. So no other subnet will be translated when they attempt to get to the DNS server. So your other subnets will be able to access things by IP but not by name.
How can I help you understand helper addresses better? The function of a helper address is to take a local broadcast and forward it to somewhere outside of the local subnet. But your helper addresses each have an address that is in the subnet in which it is configured. For example, the first one is
ip helper-address 10.200.9.1
But it is already in subnet 10.200.9.0. So 10.200.9.1 will already receive the broadcast. So why do you need helper address here? Perhaps if you tell us what you are attempting to accomplish in using helper address then we might be able to suggest how to accomplish that intention.
HTH
Rick
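The three points raised in this thread (John's missing DNS permit, Rick's never-matching entries on an ACL applied inbound to FastEthernet0.101, and the NATLIST DNS gap in Rick's second reply) can be checked offline with a small first-match evaluator for the Cisco extended ACL syntax used above. This is an added example, not code from the thread or from Cisco IOS; it models only the permit/deny, host, any, contiguous-wildcard and eq forms that appear in the posts, and the client addresses 10.200.9.10 and 10.200.9.70 are assumed.

```python
import ipaddress

def _addr(tok):  # consume 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard assumed)
    t = tok.pop(0)
    if t in ("any", "host"):
        return ipaddress.ip_network("0.0.0.0/0" if t == "any" else tok.pop(0) + "/32")
    mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok.pop(0)))))
    return ipaddress.ip_network((t, mask), strict=False)
def _port(tok):  # consume an optional 'eq PORT'; gt/lt/range operators are not modelled
    if not tok or tok[0] != "eq":
        return None
    _, p = tok.pop(0), tok.pop(0)
    return int(p) if p.isdigit() else {"www": 80, "domain": 53}[p]
def parse_ace(line):  # '[access-list N] {permit|deny} PROTO SRC [eq P] DST [eq P]' -> dict
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]  # drop the keyword and the list number
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, sport, dst, dport = _addr(tok), _port(tok), _addr(tok), _port(tok)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def lookup(acl, proto, src, sport, dst, dport):  # first match wins; (None, 'deny') is the implicit deny
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, e in enumerate(acl):
        if (e["proto"] in ("ip", proto) and s in e["src"] and d in e["dst"]
                and e["sport"] in (None, sport) and e["dport"] in (None, dport)):
            return i, e["action"]
    return None, "deny"

def unreachable(acl, ingress_subnet):  # entries whose source range never overlaps the ingress subnet
    net = ipaddress.ip_network(ingress_subnet)
    return [i for i, e in enumerate(acl) if not e["src"].overlaps(net)]
# Entries copied from the thread: the first post's ACL 101 (abridged) and the later NATLIST.
ACL101 = [parse_ace(l) for l in """
access-list 101 permit tcp 10.200.9.0 0.0.0.63 host 66.225.150.110 eq www
access-list 101 permit tcp 10.200.9.64 0.0.0.63 eq www any
access-list 101 permit tcp 10.200.9.128 0.0.0.63 eq www any
access-list 101 permit tcp 10.200.9.192 0.0.0.63 eq www any""".splitlines() if l.strip()]
NATLIST = [parse_ace(l) for l in """
permit udp 10.200.9.0 0.0.0.63 host 4.2.2.1 eq domain
permit tcp 10.200.9.64 0.0.0.63 any eq www""".splitlines() if l.strip()]

def demo():  # sample packets are constructed; 10.200.9.10 and .70 are made-up client addresses
    dns = lookup(ACL101, "udp", "10.200.9.10", 51000, "4.2.2.1", 53)       # implicit deny: John's point
    fixed = ACL101 + [parse_ace("access-list 101 permit udp 10.200.9.0 0.0.0.63 host 4.2.2.1 eq 53")]
    dns_fixed = lookup(fixed, "udp", "10.200.9.10", 51000, "4.2.2.1", 53)  # (4, 'permit') after John's line
    dead = unreachable(ACL101, "10.200.9.0/26")                            # [1, 2, 3]: Rick's point
    nat_dns = lookup(NATLIST, "udp", "10.200.9.70", 51000, "4.2.2.1", 53)  # not matched, so not translated
    return dns, dns_fixed, dead, nat_dns
```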