
Cisco access lists

  1. Jan 26, 2006 #1
    Gold Member

    please excuse the noob :rolleyes:

    Ok I have

    internet connection >> ext router >> webserver in DMZ >> int router >> int LAN consisting of 2 PCs and 2 laptops.

    I'm floundering in setting up the access lists.
    It seems I can allow or deny everything but I can't be selective.

    I obviously want to allow all http requests to the server and its responses.
    I have dynamic dns for the server so I have to allow that as well

    I understand that if I wish to view the server as a webpage I have to use a proxy to force the connection out of the network and back in.

    I have a hosts file that allows me direct access to the server (for editing purposes) from my pc.

    I'd really appreciate if anyone can push me in the right direction for setting up these access lists.

    Many thanks in advance
    and if I posted in the wrong place - apologies in advance.
  3. Jan 26, 2006 #2
    I am unsure what you are trying to do.

    Do you want to allow external-to-DMZ communications to a specific IP address on port 80? Or are you trying to access your server on port 80 from internal to DMZ?

    You say you have Dynamic DNS for your www server? Who is hosting this DNS? And if you are using some service like DynDNS then who admins that router on the edge of your network, you or your ISP?

    Typically for a DMZ you would have a pool of public static IP addresses, and you would use a firewall on the outside and inside of the DMZ. You would create a static NAT translation from your global IP address to your local IP address, using an access list to determine which traffic meets the requirements...
  4. Jan 26, 2006 #3
    Staff: Mentor

    Several of my clients use Access Control Lists as a "router based firewall". Have you tried Cisco's website?

    http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/scacls.htm [Broken]

    http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/ [Broken]
    Last edited by a moderator: May 2, 2017
  5. Jan 26, 2006 #4
    Gold Member

    I got totally lost on cisco's website :blush:

    I use dynDNS for the dynamic dns for the webserver.
    Everything this side of the isp cable modem is admined here by ourselves.

    I have to use a proxy to view my own website, otherwise I get "cannot find server" errors.

    Each time I add an access list I block either everything (can't see own website) or nothing.
  6. Jan 26, 2006 #5
    Well that would be more like the x800 series with the HSEC bundle. Access lists are rudimentary and aren't really what one should call a firewall.

    I use them more in BGP routing policies for macro programming and in other aspects of router config to "select" a range of IPs to do something to, like NAT for example.

    Can you post your config? Perhaps then I will know what you are trying to do. Do a sh tech; it removes all passwords.

    Right now I don't see how you have a DMZ. Do you have a pool of static IP addresses? Are you doing NAT?
    Last edited: Jan 26, 2006
  7. Jan 26, 2006 #6
    Staff: Mentor

    ACL is commonly referred to as "router based firewall" here, but no, it's not a real firewall. If you do them correctly they are very effective, but I don't recommend my customers do this unless they're just too cheap to buy an external firewall.

    Kia, have you tried calling the Cisco help desk? Is this for Wolram?
  8. Jan 26, 2006 #7

    This might help.. But you will have to tweak the lists you use, and use an advanced access list, so you can specify the port number.

    Due to the fact you aren't using PIXs I am guessing you only have an outside and inside int and not a DMZ int on your router. So you don't really have a proper DMZ.

    What you need to do is NAT.

    Anyway I am just guessing because you haven't given us anywhere near enough info...

    Have fun and good luck

    this will also help:
    Last edited: Jan 27, 2006
  9. Feb 1, 2006 #8
    Gold Member

    Nope, not for wolram - this is my home network.

    Sorry Anttech some of your questions were way over my head.

    I'll try to explain my set up a bit better.

    I have a cable internet connection coming in.
    Then a Cisco 3600 router - from there either you go to the web server or to the second router, a Cisco 2600, and our internal network is after that.
    The routers do NAT and I believe the web server is in a DMZ, being outside of the internal network.

    I can set it up (after some trial and error) so that I block everything through the second, internal router (the 2600) and only "established" traffic is allowed; however this then prevents me from using Outlook Express to pull down Yahoo emails and also blocks Yahoo and MSN Messenger.
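    As an added illustration for the two points raised in this thread (the static NAT plus access list in post #2, and the "established-only" ACL in post #8 that broke mail and messengers), here is a sample IOS configuration for the external router. It is not from any poster in this thread and nothing in it comes from the real network: the interface names, the documentation-range addresses (203.0.113.x public, 192.0.2.x DMZ, 192.168.1.x LAN) and the 2600's address are all assumptions. Two things it shows that a classic, stateless ACL needs: the `established` keyword only covers TCP replies (segments with ACK or RST set), so UDP DNS replies need their own permit or name resolution from the LAN fails; and an inbound ACL on the outside interface is evaluated before NAT translates the packet, so the web rule must match the public address of the server, not its DMZ address.

```cisco
! Added example, not the thread author's config. All addresses, interface
! names and the 2600's DMZ-side address (192.0.2.2) are assumptions.
!
! Outside interface, facing the cable modem
interface FastEthernet0/0
 description Outside - cable modem
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! DMZ segment: web server plus the link to the internal 2600
interface FastEthernet0/1
 description DMZ - web server and link to internal router
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
! Internal LAN lives behind the 2600 (assumed at 192.0.2.2)
ip route 192.168.1.0 255.255.255.0 192.0.2.2
!
! Static NAT: one public address maps to the DMZ web server
ip nat inside source static 192.0.2.10 203.0.113.10
!
! Dynamic PAT for everything else leaving the network;
! standard ACL 1 only selects which sources get translated
access-list 1 permit 192.0.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Extended (named) ACL, applied inbound on the outside interface.
! This ACL is checked before NAT, so it must name the public address.
ip access-list extended OUTSIDE-IN
 remark Public web traffic to the DMZ server (public address, pre-NAT)
 permit tcp any host 203.0.113.10 eq www
 remark Replies to TCP sessions opened from inside (POP3, messengers, DynDNS update)
 permit tcp any any established
 remark UDP has no "established" flag: permit DNS replies explicitly
 permit udp any eq domain any
 remark Echo replies so ping from inside still works for troubleshooting
 permit icmp any any echo-reply
 remark Everything else is dropped; log hits so misses show up in "show log"
 deny ip any any log
```

    To check which line is dropping a given session, `show access-lists OUTSIDE-IN` prints a per-entry match counter, and the trailing `log` keyword records the source, destination and port of each denied packet. If a client inside still cannot reach a service, compare the port it actually uses against the permitted entries rather than widening `permit tcp any any`.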
  10. Feb 1, 2006 #9
    ok that is clearer, but not enough info, Cisco Routers are highly complex :)

    (You have a 3600 at home?????? lol)

    To be honest that isn't really a DMZ; for a proper DMZ you would need a separate interface on your 3600, so 3 in total: 1 outside, 1 inside and 1 DMZ.

    Can you do this please?

    On your 3600 log in and type this command "sh tech", then copy and paste the "show run" part of your config. The show tech command will remove all passwords. If you want, edit out your IP addresses, but if you do, say whether you have a public IP address on the outside interface of the 3600 or a private one.

    Do the same for the 2600.

    This will allow me to look at the config and see what you have done wrong.

    I guess you have messed up your NAT config somewhere.
  11. Feb 9, 2006 #10
    Gold Member

    thanks for your time on this. :cool:

    Yup! thats what we have! :biggrin:

    The NAT appears to work fine - it's just the access lists for the routers.
    I've pretty much got it working now except for it still blocks yahoo messenger (msn gets through ok) and for some reason I am also not able to pull my email via outlook express.

    More digging on what uses what ports I guess. :yuck:

    As for what routers we have - the ones in use are a 3620 with 2 fast ethernets and a 10Mb ethernet card and a token ring port, a 2621 with 2 fast ethernets, and a Catalyst 2900 switch (2924 I believe) 22tx & 2fx, but we also have a Cisco 3640, 2x Cisco 2612, Cisco 4051, Cisco 4071, 1 Bay area router, 1 Bay switch and various items of BT equipment. - all at home!!! :surprised :biggrin:

    And the chance in the near future of acquiring a cisco 3680 :eek:

    Doing the "show run" config bits for you, but I won't be able to post them until I get my other pc on line.

    I fried my hard drive yesterday (fixed it and recovered all data phew) but I am rebuilding. Hence I am using another pc but can't pass the text file between there and here.
  12. Feb 9, 2006 #11
    Are you a network engineer? That's a lot of toys :)
  13. Feb 9, 2006 #12
    Gold Member

    I'm not, but my partner, Steve, is a field engineer for Equant, although he doesn't get to use any skills really (mostly just install and download a pre-made config or un-install of equipment - so he's bored at work lol). He is primarily a hardware component level engineer, but there isn't much call for them in this age of disposable everything.

    Personally I'm more software orientated but not to any serious level
  14. Feb 11, 2006 #13
    I would argue engineering intelligent network applications (to coin Cisco's new marketing ploy) is a form of "software" engineering, although what you are doing is in the majority lower level protocol manipulations. BUT nowadays there's a lot of higher level protocol manipulation. I have been reading the next big thing in networking will be XML routing..

    Anyway.. I understand what you are saying.