Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Access-list / Group??

Status
Not open for further replies.

SevenSins

IS-IT--Management
May 4, 2002
17
Hi!,

As I have already introduced my self in my previous post that I am new to Cisco routers, so please bare with me :)

I work mostly on Linux systems and the company just purchased a Cisco 2800 Series Router, What I want to ask is can we have a list of internal IP addresses in a group or something like a list and then just allow few ports to that list so the users in the list can only connect to those specified ports on the internet from within the LAN.

I know it works on a Linux system with IPtables as I am running it already, I don't want the users inside the LAN to have complete access to the internet via NAT.

e.g

list of internal users

Group1
192.168.1.2
192.168.1.3
192.168.1.4

then grant few ports

permit Group1 eq www
permit Group1 eq ftp
permit Group1 eq ssl
permit Group1 eq telnet



Any pointers would be highly appreciated.

Regards,
 
So no nat for just some users?

Just exclude those users from NAT by putting deny statements in for the host addresses. Seems like you are asking two different things. An acl goes like so...

router>en
router#conf t
router(config)#access-list 101 deny tcp host 10.10.10.11 any eq 80
router(config)#access-list 101 permit ip any any

This denies access to http from host 10.10.10.11

There is an implicit deny at the end of an acl once it is built, so be sure to add the permit at the end. If you are allowing only access from hosts to whatever via a certain port, then permit those, and that's it---everything else will be denied.

Burt
 
-you will use extended access list
-you will try to make the following :

for example to allow connection only for port 80 ) for a specific ip address (10.0.0.1), taking into consideration that http is a TCP connection type , you will write this command from configuration mode :

//[for www]
(config)#access-list 100 permit tcp host 10.0.0.1 host 0.0.0.0 eq 80

//[for telnet]
(config)#access-list 100 permit tcp host 10.0.0.1 host 0.0.0.0 eq 23

//[for ftp]
(config)#access-list 100 permit tcp host 10.0.0.1 host 0.0.0.0 eq 21

where 0.0.0.0 is the ip of the internet gateway or the web server or the destination you want to access.

then you want to apply the access list in the router interface [assume you will apply it to f0/0 of the router which is in the network you want ]

//[for ftp and http]
(config)#int f0/0
(config-if)#ip access group 100 in

//[for telnet you net a vty connection]
(config)#line vty 0 15 // assuming you have only 15 vty lines
(config)#acess-class 100 in


that's all .. and add other ips you want
()
 
of course my friends done it well , so i just wanted to illustrate the opposite case which u will permit them not deny
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top