
Extended ACL's 1


prettymg (Technical User), Feb 20, 2003, US
Hello,

I have a Cisco 2500 with IOS 21.2 running. I have it connected to my broadband cable modem and it works like a charm. I would like to lock down the traffic that passes through it and also host an FTP and web server. The problem I'm having is that when I try to access my server from outside my network, I am unable to get the port 80 and 21 requests through to my internal addresses (192.168.1.*). I'm pretty sure I can do this with an extended access-list, but I am unsure of how to do it. I have the following configuration below. Any help is greatly appreciated.


Current configuration : 2206 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname "Cisco-2514"
!
no logging console
enable password ##############
!
ip subnet-zero
!
!
!
!
interface Ethernet0
description Connection to WAN
ip address dhcp
ip nat outside
!
interface Ethernet1
description Connection to LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
!
ip nat log translations syslog
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip http server
!
logging 192.168.1.2
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
tftp-server flash
tftp-server flash 1
snmp-server community ######## RW
snmp-server community ######## RO
!
line con 0
line aux 0
line vty 0 4
password #################
login
!
end
 
You can use the "ip nat inside source static" command to do what you're wanting. I can't remember the exact context, but I think it's something like this:

! FTP control channel is TCP 21; the inside address and port come before the outside address and port
ip nat inside source static tcp 192.168.1.X 21 <outside ip> 21

That's close, but you might have to double check it when you actually do the config. Use the ?.

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
Thanks for the quick response. I will try this and get back to you. So this would be the same for other protocols I want to access on my internal network?
 
Yeah, just make sure you change the UDP/TCP and the port numbers in question.

 
I just fired up an old router on my desk and here is what the command is:

ip nat inside source static (udp/tcp) (inside local IP) (local UDP/TCP port) (interface) (global UDP/TCP port)

Here is my config:

interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat outside
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed 100
full-duplex
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! FTP control connections arrive on TCP 21, not UDP, so the static entry must say tcp
ip nat inside source static tcp 192.168.1.100 21 interface FastEthernet0/0 21
!
access-list 1 permit 192.168.1.0 0.0.0.255

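Putting the two halves of the thread together for the original 2514 config: static port translations for FTP and HTTP, plus the inbound extended ACL the original poster was asking about. This is an added example, not a config from anyone in the thread. It assumes the web/FTP host is 192.168.1.100 (the original post does not name the host) and that the LAN needs DNS replies and the WAN interface needs its DHCP lease; both are marked as assumptions below. Note that the posted config leaves "ip http server", two SNMP communities (one RW) and telnet on the vty lines listening with nothing in front of them on the cable-modem side, so the ACL is there to protect the router itself as much as the LAN.

```cisco
! Added example (not from the thread). Inside host 192.168.1.100 is an assumption.
!
! FTP control and HTTP are both TCP. The outside address is assigned by DHCP,
! so reference the interface rather than a fixed global address.
ip nat inside source static tcp 192.168.1.100 21 interface Ethernet0 21
ip nat inside source static tcp 192.168.1.100 80 interface Ethernet0 80
!
! Inbound filter for the cable-modem side. On a NAT outside interface the
! inbound ACL is evaluated before the outside-to-inside translation, so the
! destination is the router's public (DHCP) address; "any" covers it.
access-list 101 remark --- inbound from cable modem ---
! Only the two forwarded services are reachable from the Internet
access-list 101 permit tcp any any eq 21
access-list 101 permit tcp any any eq 80
! Return traffic for TCP sessions opened from the LAN (ACK or RST set)
access-list 101 permit tcp any any established
! Assumed needs: DHCP lease for Ethernet0 and DNS replies for LAN clients
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any eq 53 any
! ICMP needed for ping replies and path-MTU discovery
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
! Everything else, including HTTP/SNMP/telnet aimed at the router, is dropped and logged
access-list 101 deny ip any any log
!
interface Ethernet0
 description Connection to WAN
 ip access-group 101 in
```

Two caveats a practitioner will hit. First, "established" only matches TCP; the DNS line above is the crude way to let UDP replies back in, and any other UDP application from the LAN needs its own line (or a reflexive ACL / CBAC, which IOS 12.2 supports but which is beyond this thread). Second, FTP: IOS NAT inspects the control channel on TCP 21 and handles active-mode data connections for you, but passive mode picks a random high port on the server, which a single static entry does not cover; either run the server in active mode, or restrict it to a small passive port range and add a static entry and ACL line per port. After applying, "show ip nat translations" should list the two static entries and "show access-lists 101" will show hit counts on each line as traffic arrives.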
 