Cisco 827 firewall and servers inside.


hi, I'm a newbie in Cisco's world, and don't know too much about access lists. I have to read :) I have an 827 w/ IOS 12.3 w/FW. I used a config generator found on a .nz site to make some basic firewall rules. The FW works great and the syslog doesn't stop reporting the background noise of the Internet. I'm able to surf and even to connect to my corporate VPN. But even with my "nat inside" rules added to this skeleton, my web server is not reachable from the Internet. The syslog reports an access list 101 rule when I try to access it:

%SEC-6-IPACCESSLOGP: list 101 denied tcp xx.xx.xx.xx(4886) -> yy.yy.yy.yy(80), 1 packet

I'm sure the rules I used to build the config are too restrictive to permit servers inside. So I tried to add some "permit" entries in the access lists, like:

access-list 102 permit tcp any any eq www log
access-list 101 permit tcp any any eq www log

I tried lots more permits without success. The LAN is 192.168.250.x and the router has 250.250.

I also need TCP 1723 and GRE for incoming VPN. The rules I tried:

---------------------------------------------------
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
!
!
interface Ethernet0
 ip address 192.168.250.250 255.255.255.0
 ip access-group 102 in
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect firewall out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname login
 ppp chap password 7 pass
 ppp pap sent-username login password 7 pass
 hold-queue 224 in
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.250.253 80 interface Dialer1 80
ip nat inside source static tcp 192.168.250.253 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
logging 192.168.250.253
access-list 1 remark The local LAN.
access-list 1 permit 192.168.250.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.250.0 0.0.0.255
access-list 23 permit 192.168.250.0 0.0.0.255
access-list 101 permit gre any host 192.168.250.253
access-list 101 remark Traffic allowed to enter the router from the
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any administratively-prohibited
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 101 permit tcp any any eq www
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.250.250
access-list 102 deny ip any host 192.168.250.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
---------------------------------------------------
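An added example, not part of the original post: a small Python model of how IOS walks a numbered extended ACL top-down with first match winning, replayed over the tail of the posted access-list 101. It shows why the `permit tcp any any eq www` placed after `deny ip any any log` can never be reached, and what the same lines do once the permit sits above the catch-all deny. The addresses 198.51.100.20 and 203.0.113.10 are constructed stand-ins for the masked xx.xx.xx.xx and yy.yy.yy.yy in the syslog line; only the rule syntax used in the posted list (protocol, source, destination, optional destination `eq` port, `log`) is modelled.

```python
import ipaddress
PORT_NAMES = {"www": 80}  # IOS keyword ports that appear in the posted list

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; None means any."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # IOS wildcard: 0 bits must match, 1 bits are don't-care; ipaddress reads it as a hostmask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_rule(line):
    """'access-list N permit|deny PROTO SRC DST [eq PORT] [log]' (dst port only) -> dict."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def matches(rule, proto, src, dst, dport):
    """True when the packet falls within the rule's protocol, addresses and optional dst port."""
    in_src = rule["src"] is None or ipaddress.ip_address(src) in rule["src"]
    in_dst = rule["dst"] is None or ipaddress.ip_address(dst) in rule["dst"]
    in_port = rule["port"] is None or rule["port"] == dport
    return rule["proto"] in ("ip", proto) and in_src and in_dst and in_port

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the list top-down, first match wins; anything left over hits the implicit deny."""
    for line in acl:
        if " remark " in line:
            continue
        rule = parse_rule(line)
        if matches(rule, proto, src, dst, dport):
            return rule["action"], line
    return "deny", "<implicit deny>"

# Tail of the poster's access-list 101 as posted: the www permit sits below 'deny ip any any log'
ACL_AS_POSTED = [
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 101 permit tcp any any eq 1723",
    "access-list 101 deny ip any any log",
    "access-list 101 permit tcp any any eq www",
]
# Same four lines with the www permit moved above the catch-all deny
ACL_REORDERED = ACL_AS_POSTED[:2] + [ACL_AS_POSTED[3], ACL_AS_POSTED[2]]
# Constructed stand-in for the logged packet xx.xx.xx.xx(4886) -> yy.yy.yy.yy(80)
WEB_PKT = ("tcp", "198.51.100.20", "203.0.113.10")
```

Calling `evaluate(ACL_AS_POSTED, *WEB_PKT, 80)` returns the `deny ip any any log` line, matching the logged denial, while `evaluate(ACL_REORDERED, *WEB_PKT, 80)` returns the www permit.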

Alni