
Help configuring ACL's

worldbuilder
Level 1

Hi all,

I have a 2611 router I have just set up at my house (for learning to get CCNA). It is NOT live on the network yet, though. I want to get some anti-spoofing and regular traffic ACL's in place first before I take it live.

My LAN scheme is 192.168.5.0/24.

I will be setting up DHCP, which I'm comfortable with.

e0/0 is attached to my ISP (Comcast) and will be getting a DHCP address from them.

e0/1 connects to my internal LAN and will be handing out DHCP addresses. It is configured as 192.168.5.73 255.255.255.0.

I have some ACL's in mind that I've developed from reading, but I am wary of my knowledge of ACL's and could use help.

So here we go...

The first one I think I need to write is this (to let my LAN traffic out):

Hercules(config)#access-list 101 deny ip any any

Hercules(config)#access-list 101 permit ip 192.168.5.0 0.0.0.255 any

Hercules(config)#int e0/0

Hercules(config-if)#ip access-group 101 out

Now, in my studies, I THINK this means that ONLY traffic from my LAN (192.168.5.0) will be allowed out e0/0, which as stated above connects to the internet. Are my statements right? Wrong? Have I set the interface right, or should that ACL be on e0/1?

Secondly, preventing evil traffic from coming in (as much as possible):

Hercules(config)#access-list 102 deny ip 10.0.0.0 0.255.255.255 any

Hercules(config)#access-list 102 deny ip 127.0.0.0 0.255.255.255 any

Hercules(config)#access-list 102 deny ip 172.16.0.0 0.0.255.255 any

Hercules(config)#access-list 102 deny ip 192.168.0.0 0.0.255.255 any

Hercules(config)#access-list 102 deny ip 224.0.0.0 31.0.255.255 any

Hercules(config)#int e0/1

Hercules(config-if)#ip access-group 102 out

Am I correct in thinking that these are ACL's that will prevent packets spoofed as internal addresses from entering my network through e0/1 (which as stated above connects to my LAN)? Are the commands right, on the right interface, and going the right direction?

And finally, I have a web server (port 80) and a mail server (port 25) running on a linux machine on my LAN. The IP of that machine is 192.168.5.1. Am I correct in thinking that the following two commands will allow access through the 2611 to my server apps?

Hercules(config)#ip nat inside source static tcp 192.168.5.1 80 int e0/1 80

Hercules(config)#ip nat inside source static tcp 192.168.5.1 25 int e0/1 25

... If I've set:

Hercules(config)#int e0/0

Hercules(config-if)#ip nat outside

and

Hercules(config)#int e0/1

Hercules(config-if)#ip nat inside

Will any of my ACL's restrict web or mail server access in any way?

I'd greatly appreciate info from you experts!

Many thanks,

Chris

7 Replies

Adam Frederick
Level 3

You don't need to worry about permitting in to out..

The first one I think I need to write is this (to let my LAN traffic out):

Hercules(config)#access-list 101 deny ip any any

Hercules(config)#access-list 101 permit ip 192.168.5.0 0.0.0.255 any

Hercules(config)#int e0/0

Hercules(config-if)#ip access-group 101 out

Also keep in mind you have an implicit "deny any" at the end of your ACL, so you do not need this at the beginning; if you do, you're just going to deny EVERYTHING.

You can control your IN to OUT traffic via NAT. If you only set up a pool for the 192.168.5.0/24 subnet then you're going to be ensuring only that subnet gets a global address.

Even though you have a static NAT mapping to your mail and web server, you still need an ACL on your outside interface to permit only these 2 ports.

I.e. - access-list 150 permit ip any any eq 25

access-list 150 permit ip any any eq 80

Then the implicit "deny any" will kick in and deny everything else. Trust me, ACLs come with time but they are really simple with small networks.

You don't need to worry about permitting in to out..

The first one I think I need to write is this (to let my LAN traffic out):

Hercules(config)#access-list 101 deny ip any any

Hercules(config)#access-list 101 permit ip 192.168.5.0 0.0.0.255 any

Hercules(config)#int e0/0

Hercules(config-if)#ip access-group 101 out

^^ Ok, so delete this entirely? ^^

Even though you have a static NAT mapping to your mail and web server, you still need an ACL on your outside interface to permit only these 2 ports.

Then the implicit "deny any" will kick in and deny everything else. Trust me, ACLs come with time but they are really simple with small networks.

Ok, so I should write:

Hercules(config)#access-list 150 permit ip any any eq 25

Hercules(config)#access-list 150 permit ip any any eq 80

Hercules(config)#int e0/0

Hercules(config-if)#ip access-group 101 out (or in)?

It would be "in", right, because I want it to filter inbound packets on the outside interface...

So in total, if I understand you right, my entire ACL's would be...

Hercules(config)#access-list 102 deny ip 10.0.0.0 0.255.255.255 any

Hercules(config)#access-list 102 deny ip 127.0.0.0 0.255.255.255 any

Hercules(config)#access-list 102 deny ip 172.16.0.0 0.0.255.255 any

Hercules(config)#access-list 102 deny ip 192.168.0.0 0.0.255.255 any

Hercules(config)#access-list 102 deny ip 224.0.0.0 31.0.255.255 any

Don't I also need ONE permit statement in this ACL? What would that be?

Hercules(config)#int e0/1

Hercules(config-if)#ip access-group 102 out

Hercules(config)#access-list 150 permit ip any any eq 25

Hercules(config)#access-list 150 permit ip any any eq 80

Then I'll have an implicit "deny all".

Hercules(config)#int e0/0

Hercules(config-if)#ip access-group 150 in

Hercules(config)#ip nat inside source static tcp 192.168.5.1 80 int e0/1 80

Hercules(config)#ip nat inside source static tcp 192.168.5.1 25 int e0/1 25

Hercules(config)#int e0/0

Hercules(config-if)#ip nat outside

Hercules(config)#int e0/1

Hercules(config-if)#ip nat inside

Sorry, I am terrible at ACL's...

Many thanks!

Chris

Sureshdank
Level 1

This access-list which you have implemented on e0/1, i.e. the internal port, will itself block your internal traffic, because the access-list says to deny anything from the 192.168.0.0 network.

Hercules(config)#access-list 102 deny ip 192.168.0.0 0.0.255.255 any

Secondly, the NAT you have given is not correct. Just go through this link:

http://www.tech-recipes.com/rx/713/cisco_how_to_configure_nat_network_address_translation

As you say you have configured a web server and mail server in your local LAN and you get a public IP through DHCP, it is not possible for you to host these servers to the outside world, as the public IP will keep on changing, right?

You need to have a static IP for that.

Hope that helps.

Please rate the post.

Regards,

Suresh Jain

great info great links

Thanks

This access-list which you have implemented on e0/1, i.e. the internal port, will itself block your internal traffic, because the access-list says to deny anything from the 192.168.0.0 network.

So what if I added Hercules(config)#access-list 102 permit ip 192.168.5.0 0.0.255.255 any, since 192.168.5.0 is my LAN scheme? Then it should permit my traffic, right?

Secondly, the NAT you have given is not correct. Just go through this link:

http://www.tech-recipes.com/rx/713/cisco_how_to_configure_nat_network_address_translation

So how about:

Hercules(config)#access-list 1 permit 192.168.5.0

Hercules(config)#ip nat inside source list access-list 1 e0/0 overload

Hercules(config)#int e0/0

Hercules(config-if)#ip nat outside

Hercules(config)#int e0/1

Hercules(config-if)#ip nat inside

As you say you have configured a web server and mail server in your local LAN and you get a public IP through DHCP, it is not possible for you to host these servers to the outside world, as the public IP will keep on changing, right?

Actually, it IS possible. I do it now... But you're right, it's a PITA with DHCP. When my ISP does change my IP address (about twice a year), I have to reroute DNS with my registrar and wait a few days. But I'll need to forward ports through the 2611, so:

Hercules(config)#ip nat inside source static tcp 192.168.5.1 80 int e0/1 80

Hercules(config)#ip nat inside source static tcp 192.168.5.1 25 int e0/1 25

should work, right? Or should the interfaces in the above two commands be e0/0, not e0/1 like they are above?

Thanks guys for all your help.

Chris

So after reviewing all the replies from you fine gentlemen, I think I've got it... Remembering that my e0/0 is connected to the internet, e0/1 is connected to the LAN, and that I need to make sure people can still get to my web and mail server at 192.168.5.1, I now have:

Hercules(config)#access-list 1 permit 192.168.5.0

Hercules(config)#ip nat inside source list access-list 1 e0/0 overload

Hercules(config)#int e0/0

Hercules(config-if)#ip nat outside

Hercules(config)#int e0/1

Hercules(config-if)#ip nat inside

^^^^Is this correct for simply NAT'ing and getting all machines on my LAN to the web?^^^^

------------------------------------------------------------------------

Hercules(config)#ip nat inside source static tcp 192.168.5.1 80 int e0/1 80

Hercules(config)#ip nat inside source static tcp 192.168.5.1 25 int e0/1 25

Hercules(config)#access-list 150 permit ip any any eq 25

Hercules(config)#access-list 150 permit ip any any eq 80

Hercules(config-if)#ip access-group 150 e0/0 in

^^^^Is this correct for setting up port forwarding to my web & mail server while denying other traffic?^^^^

------------------------------------------------------------------------

Hercules(config)#access-list 102 deny ip 10.0.0.0 0.255.255.255 any

Hercules(config)#access-list 102 deny ip 127.0.0.0 0.255.255.255 any

Hercules(config)#access-list 102 deny ip 172.16.0.0 0.0.255.255 any

Hercules(config)#access-list 102 deny ip 192.168.0.0 0.0.255.255 any

Hercules(config)#access-list 102 deny ip 224.0.0.0 31.0.255.255 any

Hercules(config)#access-list 102 permit ip 192.168.5.0 0.0.0.255 any

Hercules(config)#int e0/1

Hercules(config-if)#ip access-group 102 out

^^^^Is this correct for setting an anti-spoofing, DoS-attempt ACL while still allowing my 192.168.5.0 network?^^^^

Are my ACL's applied to the right interfaces?

Are my ACL's and NAT going in the right direction?

I greatly appreciate your help, friends! I apologize for having such a hard time with this. Some of the things said, I understand, some I don't.

If, in fact, this is still wrong, could someone possibly rewrite my ACL's to be correct, explaining the differences? That may help me understand better.

Many continued thanks!

Chris
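Added example, not code from this thread or from Cisco: a small Python simulator that replays the numbered ACL entries posted above, to show the two points made in the replies (Adam's, that the implicit deny at the end of every ACL makes a leading "deny ip any any" block everything, and Suresh's, that the 192.168.0.0 0.0.255.255 line matches the 192.168.5.0/24 LAN) and, going one step beyond the thread, what happens to a packet that matches no entry at all. The sample source and destination addresses and the extra catch-all entry are constructed for the example.

```python
# Added example (not from the thread): simulator for the numbered IOS extended
# ACL "ip" entries posted above: wildcard matching, first match, implicit deny.
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")   # "any" written as network/wildcard

def _take(tokens):
    """Consume one address spec: 'any' or 'NETWORK WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC [WILD] DST [WILD]' lines typed at the config prompt."""
    acls = {}
    for line in text.splitlines():
        line = line.split("#", 1)[-1].strip()   # drop "Hercules(config)#"
        if not line.startswith("access-list"):
            continue
        tok = line.split()
        if tok[3] != "ip":
            raise ValueError("only 'ip' entries are supported: " + line)
        src, rest = _take(tok[4:])
        dst, _ = _take(rest)   # "eq PORT" is only valid on tcp/udp entries, so none here
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def _match(addr, spec):
    """Cisco wildcard: a 1 bit in the wildcard means 'don't care' for that bit."""
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def evaluate(entries, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, d in entries:
        if _match(src, s) and _match(dst, d):
            return action
    return "deny"

THREAD_ACLS = """
Hercules(config)#access-list 101 deny ip any any
Hercules(config)#access-list 101 permit ip 192.168.5.0 0.0.0.255 any
Hercules(config)#access-list 102 deny ip 10.0.0.0 0.255.255.255 any
Hercules(config)#access-list 102 deny ip 127.0.0.0 0.255.255.255 any
Hercules(config)#access-list 102 deny ip 172.16.0.0 0.0.255.255 any
Hercules(config)#access-list 102 deny ip 192.168.0.0 0.0.255.255 any
Hercules(config)#access-list 102 deny ip 224.0.0.0 31.0.255.255 any
Hercules(config)#access-list 102 permit ip 192.168.5.0 0.0.0.255 any
"""
ACLS = parse_acl(THREAD_ACLS)
# Constructed variant: ACL 102 plus the catch-all permit a deny-first filter needs at the end
ACL102_CATCHALL = ACLS["102"] + [("permit", ANY, ANY)]
```

With ACL 102 applied "out" on e0/1 the router evaluates it on packets it forwards toward the LAN, so a reply from an internet host matches none of the posted entries and is dropped by the implicit deny unless a final permit is added; note also that the wildcard 31.0.255.255 only covers addresses of the form 224-255.0.x.x, so a multicast source such as 230.5.0.9 slips past that line.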

Guys, is the above correct?

I certainly don't want to be pushy, but I'd like to get going on this.

Thank you very, very much!

Chris
