
ACL to have outside traffic hit inside web server


Sniffer2112
Mar 10, 2009
I thought I understood ACLs, but when I tried to implement an ACL for port forwarding, I'd lose internet connection and could not reach the website from the outside. Could someone take a look at my config and see if I set it up right?

I thought the "permit tcp any host 10.1.1.200 eq www" would be the right command.


interface FastEthernet0/0 (to outside internet)
ip address dhcp
ip access-group 100 in
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1 (to inside LAN)
ip address 10.1.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
router eigrp 123
network 10.1.1.0 0.0.0.255
auto-summary
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 10 interface FastEthernet0/0 overload
!
ip access-list extended PREVENT_IP_SPOOFING (I know this is not yet set on any interface)
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
!
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any host 10.1.1.200 eq www (10.1.1.200 is the web server IP)
access-list 100 permit ip any any


Any help would be greatly appreciated. Just when you think you understand something... leave it to real life to tell you differently. But that's how we learn best.

-Todd-
CCNA
MCTS: Server 2008 AD Configuration
CompTIA: A+, Security+

**There are 10 types of people. Those that understand binary, and those that don't**
 
You need nat to port forward to your internal server. ACL permit any matches everything....except maybe icmp. I've never tried with a DHCP client enabled interface (your outside) but I don't see how that would work. Always used static addresses. Anyway, the config below might help you get an idea.

interface Ethernet0
ip address 192.168.1.xxx 255.255.255.0
ip nat inside
interface FastEthernet0
ip address xxx.xxx.xxx.xxx 255.255.252.0
ip nat outside

ip nat inside source list 7 interface FastEthernet0 overload
ip nat inside source static 192.168.1.YYY xxx.xxx.xxx.xxx
ip nat inside source static 192.168.1.ZZZ xxx.xxx.xxx.xxx
ip nat inside source static tcp 192.168.1.UUU 5080 xxx.xxx.xxx.xxx 5080
ip nat inside source static tcp 192.168.1.UUU 8088 xxx.xxx.xxx.xxx 8088

access-list 7 deny 192.168.1.YYY
access-list 7 deny 192.168.1.ZZZ
access-list 7 permit 192.168.1.0 0.0.0.255

CCNA, BCNE, Security+, Network +
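As an added example (not code from the thread or any of its posters), a small Python checker that applies Cisconooblet's point to an IOS-style config: it flags a host that the inbound ACL on the outside interface permits but that no static NAT entry forwards, and an inbound ACL that ends in permit ip any any. The config it audits is a constructed sample modelled on Todd's first post; the function name audit_port_forwards and the regexes are mine.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's first config: inbound ACL on the
# outside interface, but no static NAT for the web server at 10.1.1.200.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip access-group 100 in
 ip nat outside
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 100 permit tcp any host 10.1.1.200 eq www
access-list 100 permit ip any any
"""

STATIC_NAT = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) (?:interface )?\S+ (\d+)")
ACL_HOST = re.compile(r"^access-list (\d+) permit tcp any host (\S+) eq (\S+)$")
ACL_ANY = re.compile(r"^access-list (\d+) permit ip any any$")
PORT_NAMES = {"www": "80", "http": "80", "https": "443"}

def audit_port_forwards(config):
    """Return a list of findings for an IOS-style config snippet."""
    iface, outside_iface, acl_in = None, None, {}
    forwards, acl_hosts, any_any = set(), defaultdict(set), set()
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("ip access-group ") and line.endswith(" in"):
            acl_in[iface] = line.split()[2]          # ACL applied inbound
        elif line == "ip nat outside":
            outside_iface = iface
        elif m := STATIC_NAT.match(line):
            forwards.add((m[1], m[2]))               # (inside host, inside port)
        elif m := ACL_HOST.match(line):
            acl_hosts[m[1]].add((m[2], PORT_NAMES.get(m[3], m[3])))
        elif m := ACL_ANY.match(line):
            any_any.add(m[1])
    acl = acl_in.get(outside_iface)                  # inbound ACL on the outside
    permitted = acl_hosts.get(acl, set())
    findings = []
    for host, port in sorted(permitted - forwards):
        findings.append(f"no static NAT for {host}:{port}: ACL {acl} permits it, "
                        "but packets from outside carry the public address")
    if acl in any_any:
        findings.append(f"ACL {acl} ends with 'permit ip any any', so it filters nothing")
    return findings
```

Run it on the sample and it reports both problems; add the static NAT line and drop the permit ip any any and it reports nothing.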
 
Thanks Cisconooblet for pointing me in the right direction.


Keeping the same config for ip nat inside (FA0/1) and ip nat outside (FA0/0)

I entered in the following commands and now when we type in our web address, it does hit our web server.....
# ip nat inside source list 101 int fa0/1 overload
# access-list 101 permit ip any any
# ip nat inside source static tcp 10.1.1.1 80 int fa0/1 80

-Todd-
CCNA
MCTS: Server 2008 AD Configuration
CompTIA: A+, Security+

**There are 10 types of people. Those that understand binary, and those that don't**
 