10-24-2019 05:38 AM - edited 10-24-2019 05:39 AM
Good day everyone. I'm learning Cisco in CPT and now I'm trying to remove access from departments to "web"
192.0.2.1 - 2.5 - "Web pages in internet"
Example of ACL:
And it doesn't work, I can ping or enter any "web" from any 172.16.3.0 host, for example.
I even tried this:
and the result is the same.
Full current config:
Current configuration : 2004 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname msk-arbat-gw1
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.2
description Dev.managment
encapsulation dot1Q 2
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0.3
description Servers
encapsulation dot1Q 3
ip address 172.16.0.1 255.255.255.0
!
interface FastEthernet0/0.101
description PTO
encapsulation dot1Q 101
ip address 172.16.3.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.102
description FEO
encapsulation dot1Q 102
ip address 172.16.4.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.103
description Accountant
encapsulation dot1Q 103
ip address 172.16.5.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.104
description Other
encapsulation dot1Q 104
ip address 172.16.6.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.4
description Saint-Peterburg
encapsulation dot1Q 4
ip address 172.16.2.1 255.255.255.252
!
interface FastEthernet0/1.5
description Kemerovo
encapsulation dot1Q 5
ip address 172.16.2.17 255.255.255.252
!
interface FastEthernet0/1.6
encapsulation dot1Q 6
ip address 198.51.100.2 255.255.255.240
ip nat outside
!
interface Vlan1
no ip address
shutdown
!
ip nat pool main_pool 198.51.100.2 198.51.100.14 netmask 255.255.255.240
ip nat inside source list nat-inet pool main_pool overload
ip classless
ip route 172.16.16.0 255.255.248.0 172.16.2.2
ip route 172.16.2.4 255.255.255.252 172.16.2.2
ip route 172.16.24.0 255.255.252.0 172.16.2.18
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
ip flow-export version 9
!
!
ip access-list extended nat-inet
deny ip any any
!
no cdp run
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
10-24-2019 05:47 AM - edited 10-24-2019 05:49 AM
Looks like you didn't apply the ACL to an interface.
You probably need something like ip access-group nat_inet out on your WAN interface.
10-24-2019 06:35 AM
10-24-2019 05:48 AM - edited 10-24-2019 05:51 AM
Well,
Remove the default route and apply your configuration again and test.
clear ip nat translations
I really suggest you use a firewall to better control your outbound and inbound traffic to the INTERNET.
Regards,
10-24-2019 06:45 AM
10-24-2019 06:22 AM
Hi @Filk
Try this:
Return the configurations to the state where the desired networks had connectivity to the web servers (without filters).
Then make these settings:
access-list 101 deny tcp 172.16.3.0 0.0.0.255 192.0.2.0 0.0.0.3 www
access-list 101 deny tcp 172.16.3.0 0.0.0.255 192.0.2.4 0.0.0.1 www
access-list 101 permit ip any any
interface f0/0.101
ip access-group 101 in
This ACL denies access from that subinterface network to web servers .1 to .5.
If you want another network to not have access to those web servers, you just have to create another ACL, edit the source network and apply it in the corresponding subinterface.
Regards
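An added example (not code from the thread): a small Python evaluator for the reply's access-list 101, showing how the IOS wildcard masks 0.0.0.3 and 0.0.0.1 together cover 192.0.2.0 through .5, that entries are tried in order with an implicit deny at the end, and that only TCP port 80 is blocked (ICMP and other subnets pass). It assumes the simplified line syntax shown in the reply, with an optional `eq` keyword accepted; an ACL only referenced by `ip nat inside source list` is not a packet filter until it is bound to an interface with `ip access-group`.

```python
import ipaddress

# Constructed sample: the three lines of access-list 101 from the reply above.
ACL_101 = """
access-list 101 deny tcp 172.16.3.0 0.0.0.255 192.0.2.0 0.0.0.3 www
access-list 101 deny tcp 172.16.3.0 0.0.0.255 192.0.2.4 0.0.0.1 www
access-list 101 permit ip any any
"""

PORT_NAMES = {"www": 80}  # IOS port keyword -> port number (only www is needed here)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'. 0.0.0.3 on 192.0.2.0 covers .0-.3."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def parse_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'. Returns ((base, wc), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N action proto SRC DST [eq] [port]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = parse_addr(t[4:])
        dst, rest = parse_addr(rest)
        port = None
        if rest:
            rest = [x for x in rest if x != "eq"]
            port = PORT_NAMES.get(rest[0]) or int(rest[0])
        entries.append((action, proto, src, dst, port))
    return entries


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit deny at the end of every IOS ACL."""
    for action, p, (sb, sw), (db, dw), port in acl:
        if p != "ip" and p != proto:
            continue
        if not wildcard_match(src, sb, sw) or not wildcard_match(dst, db, dw):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny
```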
10-24-2019 06:38 AM
10-24-2019 06:48 AM
Hi @Filk
ACLs can filter by:
Host
Network
Protocol
Port
For more specific filters, I recommend using a firewall, which has the ability to filter by URL, for example.
Regards
10-24-2019 07:02 AM - edited 10-24-2019 07:03 AM
I know about firewalls, but now I'm watching video courses where they successfully do this in the framework of NAT training and I just don't understand why this does not work for me when it's working in the video. It makes me angry and I just want to understand what I'm doing wrong =)
I'm using the IPs of the "pages" and logically it must work.
ip access-list extended nat-inet
remark PTO
permit tcp 172.16.3.0 0.0.0.255 host 192.0.2.2 eq www
remark ACCOUNTING
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.3
permit ip 172.16.5.0 0.0.0.255 host 192.0.2.4