Cisco Access Lists: Setting Up for Internet Connection

  • Thread starter *Kia*
In summary, you are trying to allow external connections to your webserver from the internet, using access lists on your router. You also have dynamic dns for the www server, and you can access the server from your pc using a hosts file. You would need to use a proxy to view the website if you want to do that from the outside of your network.
  • #1
*Kia*
please excuse the noob :rolleyes:

Ok I have

internet connection >> ext router >> webserver in dmz >> int router >> int lan consisting of 2pc's 2laptops.

I'm floundering in setting up the access lists.
It seems I can allow or deny everything but I can't be selective.

I obviously want to allow all http requests to the server and its responses.
I have dynamic dns for the server so I have to allow that as well.

I understand that if I wish to view the server as a webpage I have to use a proxy to force the connection out of the network and back in.

I have a hosts file that allows me direct access to the server (for editing purposes) from my pc.

I'd really appreciate if anyone can push me in the right direction for setting up these access lists.

Many thanks in advance
and if I posted in the wrong place - apologies in advance.
  • #2
I am unsure what you are trying to do.

Do you want to allow external-to-DMZ communications to a specific IP address on port 80? Or are you trying to access your server on port 80 from internal to DMZ?

You say you have Dynamic DNS for your www server? Who is hosting this DNS? And if you are using some service like DynDNS, then who admins the router on the edge of your network, you or your ISP?

Typically for a DMZ you would have a pool of public static IP addresses, and you would use a firewall on the outside and inside of the DMZ. You would create a static NAT translation from your global IP address to your local IP address, using an access list to determine which traffic meets the requirements...
 
  • #3
*Kia* said:
please excuse the noob :rolleyes:

Ok I have

internet connection >> ext router >> webserver in dmz >> int router >> int lan consisting of 2pc's 2laptops.

I'm floundering in setting up the access lists.
It seems I can allow or deny everything but I can't be selective.

I obviously want to allow all http requests to the server and its responses.
I have dynamic dns for the server so I have to allow that as well.

I understand that if I wish to view the server as a webpage I have to use a proxy to force the connection out of the network and back in.

I have a hosts file that allows me direct access to the server (for editing purposes) from my pc.

I'd really appreciate if anyone can push me in the right direction for setting up these access lists.

Many thanks in advance
and if I posted in the wrong place - apologies in advance.
Several of my clients use Access Control Lists as a "router based firewall". Have you tried Cisco's website?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/scacls.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/
  • #4
I got totally lost on cisco's website :blush:

I use DynDNS for the dynamic dns for the webserver.
Everything this side of the ISP cable modem is admined here by ourselves.

I have to use a proxy to view my own website, otherwise I get "cannot find server" errors.

Each time I add an access list I block either everything (can't see own website) or nothing.
 
  • #5
"router based firewall"

Well that would be more like the x800 series with the HSEC bundle. Access lists are rudimentary and aren't really what one should call a firewall.

I use them more in BGP routing policies for macro programming and in other aspects of router config to "select" a range of IPs to do something to, like NAT for example.

Can you post your config? Perhaps then I will know what you are trying to do. Do a sh tech; it removes all passwords.

Right now I don't see how you have a DMZ, do you have a pool of static IP addresses? Are you doing NAT?
  • #6
Anttech said:
Well that would be more like the x800 series with the HSEC bundle. Access lists are rudimentary and aren't really what one should call a firewall.
ACL is commonly referred to as "router based firewall" here, but no, it's not a real firewall. If you do them correctly they are very effective, but I don't recommend my customers do this unless they're just too cheap to buy an external firewall.

Kia, have you tried calling the Cisco help desk? Is this for Wolram?
 
  • #7
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml

This might help, but you will have to tweak the lists you use, and use an advanced access list so you can specify the port number.

Due to the fact you aren't using PIXs, I am guessing you only have an outside and inside INT and not a DMZ INT on your router. So you don't really have a proper DMZ.

What you need to do is NAT.

Anyway I am just guessing because you haven't given us anywhere near enough info...

Have fun and good luck

this will also help:
http://www.cisco.com/pcgi-bin/search/search.pl?sourceid=Mozilla-search&searchPhrase=ip+nat
  • #8
Nope, not for Wolram - this is my home network.

Sorry Anttech some of your questions were way over my head.

I'll try to explain my set up a bit better.

I have a cable internet connection coming in,
then a Cisco 3600 router; from there either you go to the web server or to the second router, a Cisco 2600, and our internal network is after that.
The routers do NAT and I believe the web server is in a DMZ, being outside of the internal network.

I can set it up (after some trial and error) so that I block everything through the second (internal) router (2600) and only "established" traffic is allowed; however this then prevents me from using Outlook Express to pull down Yahoo emails and also blocks Yahoo and MSN Messenger.
 
  • #9
OK, that is clearer, but not enough info. Cisco routers are highly complex :)

(You have a 3600 at home? lol)

To be honest that isn't really a DMZ; for a proper DMZ you would need a separate interface on your 3600, so 3 in total: 1 outside, 1 inside and 1 DMZ.

Can you do this please?

On your 3600, log in and type the command "sh tech", then copy and paste the "show run" part of your config. The show tech command will remove all passwords. If you want, edit out your IP addresses, but if you do, say whether you have a public IP address on the outside interface of the 3600 or a private one.

Do the same for the 2600.

This will allow me to look at the config and see what you have done wrong.

I guess you have messed up your NAT config somewhere.
 
  • #10
thanks for your time on this. :cool:

a proper DMZ you would need a separate Interface on your 3600 so 3 in total, 1 outside 1 inside and 1 DMZ
Yup! that's what we have! :biggrin:

The NAT appears to work fine - it's just the access lists for the routers.
I've pretty much got it working now, except that it still blocks Yahoo Messenger (MSN gets through OK), and for some reason I am also not able to pull my email via Outlook Express.

More digging on what uses what ports I guess. :yuck:

As for what routers we have, the ones in use are a 3620 with 2 Fast Ethernets, a 10Mb Ethernet card and a Token Ring port, a 2621 with 2 Fast Ethernets, and a Catalyst 2900 switch (2924 I believe) 22tx & 2fx, but we also have a Cisco 3640, 2x Cisco 2612, Cisco 4051, Cisco 4071, 1 bay area router, 1 bay switch and various items of BT equipment - all at home! :biggrin:

And there is the chance in the near future of acquiring a Cisco 3680 :eek:

I'm doing the "show run" config bits for you but I won't be able to post them until I get my other PC online.

I fried my hard drive yesterday (fixed it and recovered all data, phew) but I am rebuilding. Hence I am using another PC but can't pass the text file between there and here.
 
  • #11
Are you a network engineer? That's a lot of toys :)
 
  • #12
I'm not, but my partner, Steve, is a field engineer for Equant, although he doesn't get to use any skills really (mostly just install and download a pre-made config, or uninstall equipment, so he's bored at work lol), although he is primarily a hardware component-level engineer, but there isn't much call for them in this age of disposable everything.

Personally I'm more software orientated, but not to any serious level.
 
  • #13
Personally I'm more software orientated but not to any serious level

I would argue engineering intelligent network applications (to coin Cisco's new marketing ploy) is a form of "software" engineering, although what you are doing is in the majority lower-level protocol manipulation. But nowadays there's a lot of higher-level protocol manipulation. I have been reading that the next big thing in networking will be XML routing.

Anyway.. I understand what you are saying.
 

1. What is a Cisco Access List?

A Cisco Access List is a security feature that is used to filter incoming and outgoing traffic on a Cisco router or switch. It acts as a barrier between the internal network and the external network, allowing only specific types of traffic to pass through.

2. Why do I need to set up a Cisco Access List for an internet connection?

Setting up a Cisco Access List for an internet connection is important because it helps protect your network from unauthorized access and potential cyber attacks. It also allows you to control which types of traffic are allowed to enter and exit your network, ensuring that only necessary and safe traffic is allowed through.

3. How do I create a Cisco Access List?

To create a Cisco Access List, you will need to enter the configuration mode of your router or switch and use the access-list command. You will then need to specify the type of traffic (TCP, UDP, or IP) and the source and destination addresses that you want to allow or deny. You can also add additional parameters, such as port numbers, to further customize your access list.

4. What is the difference between a standard and extended Cisco Access List?

A standard Cisco Access List is used to filter traffic based on source IP addresses only, while an extended Cisco Access List allows you to filter traffic based on source and destination IP addresses, source and destination ports, and protocol types. Extended access lists offer more granular control over your network traffic, but are also more complex to configure.

5. How do I apply a Cisco Access List to my internet connection?

To apply a Cisco Access List to your internet connection, you will need to access the interface configuration mode for the interface that connects to your external network. You can then use the ip access-group command to apply the access list to either incoming or outgoing traffic on that interface. You can also apply the access list globally to all interfaces on the router or switch.
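As an added worked example for items 3 to 5 above (this is not configuration posted in the thread and not Cisco's own documentation), here is a numbered extended access list for the scenario the posts describe: HTTP from the internet to a DMZ web server, return traffic for TCP sessions opened from inside, and DNS replies, applied inbound on the outside interface of the external router. The address 203.0.113.10 (the web server's public address) and the interface name FastEthernet0/0 are placeholders.

```cisco
! Added example, not from the thread. Placeholders: 203.0.113.10 is the web
! server's public (NAT global) address; FastEthernet0/0 is the outside interface.
! An inbound ACL on the outside interface is evaluated before NAT, so the
! rules match the public address, not the DMZ host's private one.
!
! Only HTTP may be opened from the internet, and only to the web server.
access-list 101 permit tcp any host 203.0.113.10 eq www
!
! Replies to TCP sessions opened from the DMZ or the inside LAN (ACK or RST set).
! This is not stateful: any packet with ACK set matches, so it is weaker than
! a real firewall's connection tracking.
access-list 101 permit tcp any any established
!
! UDP has no 'established'; allow DNS answers back to high client ports
! (the DynDNS update client and the web server's resolver need this).
access-list 101 permit udp any eq domain any gt 1023
!
! Anti-spoofing: private source addresses must never arrive from the outside.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
!
! Every list ends in an implicit 'deny ip any any'; making it explicit with
! 'log' shows which blocked traffic (e.g. a messenger or mail port) hit it.
access-list 101 deny ip any any log
!
interface FastEthernet0/0
 description Outside - cable modem
 ip access-group 101 in
!
! Check: 'show access-lists 101' displays per-line match counters, and
! 'show ip interface FastEthernet0/0' confirms the list is applied inbound.
```

Lines are matched top to bottom and the first match wins, so the specific HTTP permit must stay above the catch-all deny; the match counters on the final deny line are the quickest way to find a legitimate application that the list is blocking.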
