jspruill (Anon)
Router Config assistance

I will do my best to explain this. I am in class and my teacher is also lost and lol I am trying my best to help him figure it out.

We have Packet Tracer, in which we are running a larger-size network, but we only need a portion of it for this.

We have a router. Attached to the router is a switch (.130); attached to the switch are 1 PC (.131) and 1 server (.132). On the other side are 2 whole other networks that need access to the server and PC.

The server is a "web server"; we want to allow only HTTP traffic to the web server, but allow anything to the PC (or network) on the other side of the switch as well. We are using ACLs to do this. Our current one looks like this (done in Packet Tracer, all fake IPs):

access-list 101 remark permit web traffic to web server
access-list 101 permit tcp any host 172.16.1.132 eq 80
access-list 101 permit ip any host 172.16.1.131

Now, although for all intents and purposes this works (.131 is the PC), we want to pretend there is a full network on the other side instead of just one computer. The port is fa0/0 and its IP is 172.16.1.129 255.255.255.192.

Is there any command we can input that will allow us to deny everything, with the exception of web traffic to the server (.132), while allowing all traffic to go to .131 (or to a whole network, if there were one over that way), without typing that single host, or every other host on that subnet?
HELLFIRE (MVM, join:2009-11-25)
So if I got this right:

172.16.1.131, 172.16.1.132 -> Switch1 / 172.16.1.130 -> Router1 -> 192.168.0.x, 192.168.1.x networks (for the sake of argument)

And if I have it right, the two rules you need are
1) permit anything to 172.16.1.132 on port 80
2) permit anything to 172.16.1.x on anything except 172.16.1.132

From the way I read it, you should only have to add a 'deny ip any host 172.16.1.132' then
put in your 'permit ip any 172.16.1.0' and your ACL is complete. If you go back to your
ACL theory, the router processes entries 1 by 1 till it finds an EXACT match, then goes to
the next packet. If it doesn't find a match, it gets dropped by the implicit deny, so this
should do it.

Regards
aryoba (MVM, join:2002-08-22) to jspruill

said by jspruill:

Is there any command we can input that will allow us to deny everything, with the exception of web traffic to the server (.132), while allowing all traffic to go to .131 (or to a whole network, if there were one over that way), without typing that single host, or every other host on that subnet?

I'm unsure what exactly your requirement is. If I have to guess, you probably want to permit inbound web traffic only to 172.16.1.132, deny inbound web traffic to the rest of 172.16.1.129/26, permit inbound non-web traffic to the rest of 172.16.1.129/26.

Assuming that is your requirement, then ACL 101 should look something like this:

access-list 101 remark permit web traffic to web server
access-list 101 permit tcp any host 172.16.1.132 eq 80
access-list 101 deny ip any host 172.16.1.132
access-list 101 deny tcp any 172.16.1.129 0.0.0.63 eq 80
access-list 101 permit ip any 172.16.1.129 0.0.0.63
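Added example, not from this thread or from either poster: a small Python simulation of how an IOS extended ACL is evaluated, so the order-dependence that HELLFIRE describes and the five-line ACL above can be checked without a router. It parses only the syntax subset used in the thread (permit/deny, a protocol, "any" / "host A.B.C.D" / "A.B.C.D wildcard", optional "eq port"), walks entries top to bottom until the first match, and falls through to the implicit deny. The source addresses (192.168.0.x / 192.168.1.x) follow HELLFIRE's diagram and are constructed; the reordered ACL is constructed to show what happens if the broad permit is placed first.

```python
"""Simulate Cisco IOS extended-ACL evaluation: first matching entry wins,
anything unmatched hits the implicit deny at the end.
Added illustration, not code from the thread; parses only the syntax
subset used there."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL 101 exactly as given in the post above.
ACL_101 = """
access-list 101 remark permit web traffic to web server
access-list 101 permit tcp any host 172.16.1.132 eq 80
access-list 101 deny ip any host 172.16.1.132
access-list 101 deny tcp any 172.16.1.129 0.0.0.63 eq 80
access-list 101 permit ip any 172.16.1.129 0.0.0.63
"""

# Constructed counter-example: the same entries with the broad permit first.
REORDERED = """
access-list 101 permit ip any 172.16.1.129 0.0.0.63
access-list 101 permit tcp any host 172.16.1.132 eq 80
access-list 101 deny ip any host 172.16.1.132
access-list 101 deny tcp any 172.16.1.129 0.0.0.63 eq 80
"""


@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol; else "tcp", "udp", "icmp", ...
    src_net: int
    src_wc: int              # wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wc: int
    dst_port: Optional[int]  # from "eq N" after the destination, if present


def _addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return (net, wildcard, next)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue  # remarks document the list but never match traffic
        action, proto = t[2], t[3]
        src_net, src_wc, i = _addr(t, 4)
        dst_net, dst_wc, i = _addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(Entry(action, proto, src_net, src_wc, dst_net, dst_wc, port))
    return entries


def _in_range(ip: int, net: int, wc: int) -> bool:
    mask = 0xFFFFFFFF ^ wc            # bits the wildcard marks as significant
    return (ip & mask) == (net & mask)


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (verdict, 1-based entry number); entry None means the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for n, e in enumerate(acl, 1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _in_range(s, e.src_net, e.src_wc) or not _in_range(d, e.dst_net, e.dst_wc):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, n                # first match wins; later entries are never consulted
    return "deny", None                   # implicit deny at the end of every ACL


if __name__ == "__main__":
    good, bad = parse_acl(ACL_101), parse_acl(REORDERED)
    for proto, dst, port in [("tcp", "172.16.1.132", 80), ("tcp", "172.16.1.132", 443),
                             ("tcp", "172.16.1.131", 80), ("tcp", "172.16.1.131", 22),
                             ("icmp", "172.16.1.140", None), ("tcp", "172.16.1.200", 22)]:
        print(f"{proto:4} -> {dst}:{port}  post ACL={evaluate(good, proto, '192.168.0.10', dst, port)}"
              f"  reordered={evaluate(bad, proto, '192.168.0.10', dst, port)}")
```

With the ACL as posted, port 80 to .132 is permitted by entry 1, everything else to .132 is dropped by entry 2, port 80 to any other host in 172.16.1.129/26 is dropped by entry 3, and all other traffic into that /26 is permitted by entry 4; a destination outside the /26 (for example 172.16.1.200) matches nothing and falls to the implicit deny. In the reordered list the broad permit matches first, so port 80 to .131 gets through and the two deny lines are dead. The simulation does not model where the list is applied; on the router it still has to be bound to an interface and direction with ip access-group 101 before it filters anything.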

rolande (Certifiable MVM, join:2002-05-24, Dallas, TX) to jspruill

said by jspruill:

I will do my best to explain this. I am in class and my teacher is also lost and lol I am trying my best to help him figure it out.

OK, if your teacher is lost and doesn't know how to do this, I am very scared for the future of any of [his] students. That is simple transport layer filtering 101 and is not specific to any particular vendor's technology or platform.