Access-list From WEB

estelamathew
Level 2

Hello Friends,

I have a WEB Server and Exchange (OWA) servers in my internal network. I have an internet router 2821 with a leased line and ADSL. I want to classify traffic in a route map so that these servers pass through the leased line and other users through ADSL. How can I do that?

For ex: WEB Server IP add: 10.10.10.10
Exchange IP add: 10.10.10.11
Users IP add: 10.10.0.0

Can anybody help me to write access-lists for the web servers and Exchange (SMTP) servers so that they can initiate traffic and receive it from the internet?

WEBSERVER: HTTP/HTTPS

OWA: HTTP/SMTP

Thanks


5 Replies

joyride_us2
Level 1

Hi,

You need policy-based routing with a 'set ip next-hop' statement in your route-map.

ip access-list extended WEBMAIL
 permit ip host 10.10.10.10 any
 permit ip host 10.10.10.11 any
...

route-map WEBMAIL
 match ip address WEBMAIL
 set ip next-hop IP_ADDRESS_LEASED_LINE

(or whatever is in your IOS for the same purpose!)
...

and finally ip route 0.0.0.0 0.0.0.0 IP_ADDRESS_ADSL_CONNECTION

on your inside interface (Fa0/0 for example):

int Fa0/0
 ip address ...
 service-policy WEBMAIL in

The route-map will be evaluated before the routing table.

Hope this helps!

By the way, I just checked the command: it is not a 'service-policy ...' you want under your inside interface but an:

'ip policy route-map WEBMAIL'

Cheers

Hello Dear,

I hope there should be an access-list for the outside interface of the internet router for inbound traffic for HTTPS, HTTP and SMTP? I want a specific access-list on the inside interface also; I don't want to permit all protocols by specifying an IP on the internet router. Can you help me with inside and outside specific access-lists?

I hope you missed route-map permit 20 for the users subnet, otherwise they will be blocked? Correct me if I'm wrong.

route-map WEBMAIL permit 10
 match ip address ?????
 set ip next-hop <ISP ADDRESS>

route-map WEBMAIL permit 20
 match ip address 10
 set interface Dialer0

access-list 10 permit 10.10.0.0 0.0.255.255

Thanks

Hi,

1. The ACL on the outside interface is a security matter, not a routing matter: be my guest!

2. No, the 'permit any' in the route-map is not necessary. The denied traffic will not be routed by any route-map statement and should then be routed by the regular routing table. No dropped traffic.
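A full IOS configuration that puts the two answers together (policy routing for the two servers, plus an inbound filter on the outside interface that admits only the published services), added here as an example and not part of the thread. Interface names, the inside address 10.10.0.1, and the leased-line next hop 203.0.113.1 are assumptions.

```cisco
! Added example (not from the thread). Assumptions: Fa0/0 = inside LAN,
! Fa0/1 = leased line, Dialer0 = ADSL, 203.0.113.1 = leased-line ISP next hop.
!
! 1. Routing decision: which inside hosts leave via the leased line.
ip access-list extended PBR-SERVERS
 permit ip host 10.10.10.10 any
 permit ip host 10.10.10.11 any
!
! Only packets matched by sequence 10 are policy-routed; everything else
! (the 10.10.0.0/16 users) falls through to the routing table and the ADSL
! default route, so no second 'permit' sequence is needed.
route-map WEBMAIL permit 10
 match ip address PBR-SERVERS
 set ip next-hop 203.0.113.1
!
interface FastEthernet0/0
 description Inside LAN
 ip address 10.10.0.1 255.255.0.0
 ip policy route-map WEBMAIL
!
! 2. Security decision: what the Internet may initiate toward the servers.
! Only the published ports are opened; the final explicit deny with 'log'
! records everything else that hits the outside interface.
ip access-list extended OUTSIDE-IN
 remark Replies to sessions the inside started (stateless check only)
 permit tcp any any established
 remark Public web server: HTTP/HTTPS
 permit tcp any host 10.10.10.10 eq 80
 permit tcp any host 10.10.10.10 eq 443
 remark OWA: HTTP/HTTPS, plus inbound SMTP delivery
 permit tcp any host 10.10.10.11 eq 80
 permit tcp any host 10.10.10.11 eq 443
 permit tcp any host 10.10.10.11 eq 25
 deny ip any any log
!
interface FastEthernet0/1
 description Leased line to ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
!
! Default route for everyone not caught by the route-map.
ip route 0.0.0.0 0.0.0.0 Dialer0
```

If the servers are NATed to public addresses, the inbound ACL must match those public addresses, because IOS evaluates an inbound ACL before outside-to-inside translation.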

Thanks!
