I want to use NAT and an access list to protect our web server with private IPs 
172.16.1.3 to .12.

The following is the configuration file. If my web server IP is 172.16.1.3, 
then from outside I cannot get anything if I search pub_ip_3.

If I add "access-list 101 permit tcp any any eq www", it works 
fine.

Can someone correct this problem? Also, I know it is not a good access list, 
especially for ICMP and telnet. I don't want to disable them, but what is a good 
way to do it?

Thank you very much

Shawn

!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1605
!
boot system flash c1600-sy.mz.120-9.bin
no logging console
enable secret 5 $1$iMHN$BUS2hInuqH0G5AvS4FHc1/
!
ip subnet-zero
no ip source-route
ip telnet source-interface Ethernet0
ip name-server name_server_ip
!
snmp community public ro 5
!
!
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip directed-broadcast
ip nat inside
no shutdown
no ip route-cache
no ip mroute-cache
!
interface Ethernet1
ip address pub_ip-1 255.255.255.0
no ip directed-broadcast
ip nat outside
no shutdown
no ip route-cache
no ip mroute-cache
ip access-group 101 in
ip access-group 102 out
!
ip nat inside source list 99 interface Ethernet1 overload
ip nat inside source static 172.16.1.3 pub_ip_3
ip nat inside source static 172.16.1.4 pub_ip_4
ip nat inside source static 172.16.1.5 pub_ip_5
ip nat inside source static 172.16.1.6 pub_ip_6
ip nat inside source static 172.16.1.7 pub_ip_7
ip nat inside source static 172.16.1.8 pub_ip_8
ip nat inside source static 172.16.1.9 pub_ip_9
ip nat inside source static 172.16.1.10 pub_ip_10
ip nat inside source static 172.16.1.11 pub_ip_11
ip nat inside source static 172.16.1.12 pub_ip_12
ip classless
ip route 0.0.0.0 0.0.0.0 gateway
!
access-list 99 permit 172.16.1.0 0.0.0.255
!
!permit all redirects
access-list 101 permit icmp any any redirect
!
!permit ping
access-list 101 permit icmp any any echo
!
!stop localhost from going anywhere
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
!
!stop multicast from going anywhere
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
!
!stop 172.16.1.0/24 from getting to anything
access-list 101 deny ip 172.16.1.0 0.0.0.255 any
!
!permit telnet from anywhere
access-list 101 permit tcp any any eq telnet
!
!permit anything from established connection
access-list 101 permit tcp any any established
!
!permit anyone to 172.16.1.0 port 2121--ftp server
access-list 101 permit tcp any 172.16.1.0 0.0.0.255 eq 2121
!
!permit external dns servers to go anywhere
access-list 101 permit ip host dns_ip any
access-list 101 permit ip host dns_ip any
!
!permit anyone to 172.16.1.0 port 80--web server
access-list 101 permit tcp any 172.16.1.0 0.0.0.255 eq www
!
!permit terminal service
access-list 101 permit tcp any 172.16.1.0 0.0.0.255 eq 3389
!
!permit web sites analysis monitoring for Azeb
access-list 101 permit tcp any 172.16.1.0 0.0.0.255 eq 8080
!
!permit SNMP for traffic monitor
access-list 101 permit udp any any eq 161
access-list 101 permit udp any any eq 162
!
!permit ping from local to anywhere
access-list 101 permit icmp any any
!
!Access-list 102 is for outgoing traffic, which means any packet
!leaving my network has a source address from my net so that it
!will prevent people from sending spoofed packets via my net.
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
access-list 102 permit ip 66.x.x.0 0.0.0.255 any
access-list 102 deny ip any any
!
!access-list 5 is for SNMP and Telnet
access-list 5 permit 66.x.x.0 0.0.0.255
!
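Added example, not part of Shawn's post: a small Python model of how IOS handles a packet arriving on the outside interface (Ethernet1). For outside-to-inside traffic, IOS evaluates the inbound ACL before the global-to-local NAT rewrite, so ACL 101 sees the destination as pub_ip_3, not 172.16.1.3, and the "permit tcp any 172.16.1.0 0.0.0.255 eq www" entry never matches. The public addresses 203.0.113.x and the client 198.51.100.7 are constructed stand-ins for the post's placeholders; the ACL is reduced to the two entries that matter for a web connection.

```python
import ipaddress

NET = ipaddress.ip_network
ANY = NET("0.0.0.0/0")

# Constructed stand-ins for pub_ip_3 .. pub_ip_12 (assumption, not from the post).
PUBLIC_NET = NET("203.0.113.0/24")
# "ip nat inside source static 172.16.1.N pub_ip_N", read in the outside->inside direction.
STATIC_NAT = {f"203.0.113.{i}": f"172.16.1.{i}" for i in range(3, 13)}

# ACL entries as (action, protocol, source, destination, destination port or None).
ACL101_AS_POSTED = [
    ("deny", "ip", NET("172.16.1.0/24"), ANY, None),   # deny ip 172.16.1.0 0.0.0.255 any
    ("permit", "tcp", ANY, NET("172.16.1.0/24"), 80),  # permit tcp any 172.16.1.0 0.0.0.255 eq www
]
ACL101_FIXED = [
    ("deny", "ip", NET("172.16.1.0/24"), ANY, None),
    ("permit", "tcp", ANY, PUBLIC_NET, 80),            # match the public address the packet still carries
]

def matches(entry, proto, src, dst, dport):
    _, eproto, esrc, edst, eport = entry
    return (eproto in ("ip", proto) and src in esrc and dst in edst
            and (eport is None or eport == dport))

def acl_verdict(acl, proto, src, dst, dport):
    for entry in acl:
        if matches(entry, proto, src, dst, dport):
            return entry[0]
    return "deny"  # every IOS ACL ends with an implicit deny

def outside_to_inside(acl, proto, src, dst, dport):
    """Outside->inside on IOS: the inbound ACL on the outside interface runs
    before the global->local NAT rewrite, so it is matched against the public IP."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_verdict(acl, proto, src, dst, dport) == "deny":
        return ("dropped", None)
    return ("forwarded", STATIC_NAT.get(str(dst)))  # translated only after the ACL permits it

if __name__ == "__main__":
    # Constructed: an outside client opening a web connection to pub_ip_3.
    pkt = ("tcp", "198.51.100.7", "203.0.113.3", 80)
    print("as posted:", outside_to_inside(ACL101_AS_POSTED, *pkt))  # ('dropped', None)
    print("fixed:    ", outside_to_inside(ACL101_FIXED, *pkt))      # ('forwarded', '172.16.1.3')
```

The same ordering explains why "permit tcp any any eq www" works: "any" matches the public address, but it also opens port 80 to every address behind Ethernet1 rather than only the hosts that are statically translated.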
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40092&t=40092
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html