I'm having trouble figuring out how to set up access lists on a router doing NAT. The static NAT is already set up, but I'm having trouble figuring out how to use access-lists to secure it.
The goal is to block all incoming traffic, then open specific ports to specific hosts, and allow any outbound traffic. There are two class C subnets on the network. We'll refer to the outside subnets as 10.1.1.0 and 10.1.2.0, and the inside subnets as 192.168.1.0 and 192.168.2.0.
Can anyone give some examples of access-list commands that would close off all incoming traffic and then open traffic on port 80 headed for 10.1.1.10 (translated to 192.168.1.10)? I think I can figure out how to do the same for other ports from there. Thanks in advance.
Rich
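One way to express the policy described above, as an added example that is not part of the original post. It assumes Cisco IOS, a /24 mask on each subnet, and hypothetical interface names (Serial0 as the outside interface, Ethernet0 as the inside interface); ACL number 101 is also an arbitrary choice.

```cisco
! Added example, not from the original post. Interface names and the
! ACL number are assumptions; addresses are the ones used in the post.
!
! Static NAT assumed to exist already (inside local -> inside global):
ip nat inside source static 192.168.1.10 10.1.1.10
!
! On IOS an inbound ACL on the outside interface is evaluated BEFORE
! the outside-to-inside translation, so entries must match the outside
! (global) address 10.1.1.10. An entry written against 192.168.1.10
! would never match arriving packets.
!
access-list 101 remark Inbound policy for the outside interface
! Open TCP port 80 to the one published host
access-list 101 permit tcp any host 10.1.1.10 eq 80
! Let replies to TCP sessions started from inside return (ACK or RST set)
access-list 101 permit tcp any 10.1.1.0 0.0.0.255 established
access-list 101 permit tcp any 10.1.2.0 0.0.0.255 established
! Same effect as the implicit deny, but logged and counted
access-list 101 deny ip any any log
!
interface Serial0
 ip nat outside
 ip access-group 101 in
!
! No ACL on the inside interface, so all outbound traffic is allowed
interface Ethernet0
 ip nat inside
```

Extended ACLs are stateless, and `established` only covers TCP, so replies to outbound UDP or ICMP (DNS answers, ping replies) are dropped by the final deny unless they get their own permit entries. `show access-lists 101` displays per-entry match counts, which confirms whether the port 80 entry is being hit.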