>Howdy
>
>can someone here please help me out with the following:
>
>I have a cisco4k with 2 serial ports, one ether.
>
>eth0 is Lan A
>ser0 is Lan B
>ser1 is the Internet line
>
>I want everyone on Lan A to be able to acess Lan B, and
>everyone on Lan B to be able to access Lan A. (all ports)
>
>Secondly, I want the Internet server (proxy, etc) on Lan
>A a.b.c.15 to be able to access any machine on the Internet,
>and any machine on the Internet to access it.
>
>What do I need to do to the following access lists to make
>the above work?
>
>! allow Lan A access to Lan B
>access-list <num> permit a.b.c.0 255.255.255.0 a.b.d.0 255.255.255.0
>! allow Lan B access to Lan A
>access-list <num> permit a.b.d.0 255.255.255.0 a.b.c.0 255.255.255.0
>! allow sun1 (Internet server) access to Internet
>access-list <num> permit a.b.c.15 255.255.255.? 0.0.0.0 0.0.0.0
>! allow Internet access to sun1
>access-list <num> permit 0.0.0.0 0.0.0.0 a.b.c.15 255.255.255.?
>! deny everything else
>access-list <num> deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
>
First, you need to check the software version of your cisco router, I'm not
sure all versions support the filter function.
Second, in my personal opinion, it's just a little bit dangerous to use *one*
router to connect your internal network and the Internet.
Third, when you build a filter (access-list), there is no *network mask*
(sometimes called subnet mask) like "255.255.255.0". They are called
"source wildcard bits", so the access-list you defined should be:
! allow Lan A access to Lan B
access-list <num> permit ip a.b.c.0 0.0.0.255 a.b.d.0 0.0.0.255
! allow Lan B access to Lan A
access-list <num> permit ip a.b.d.0 0.0.0.255 a.b.c.0 0.0.0.255
Just take a look from the ftp://ftp.greatcircle.com/pub/FAQ, I think that
will be helpful to you. They got a sample filter there.
Fourth, if you want higher security for your internet host, you need
to build some more filters to deny some special ports from the outside, such
as telnet, etc.
Finally, you should build another filter to deny any access to your router
from the outside (internet); therefore, you can be sure that no one can
change the configuration of your router from the outside. Here is an example:
! allow all stations in Lan A to access the router
access-list 1 permit a.b.c.0 0.0.0.255
If you have any other questions, please let me know.
-------------------------------------------------------------
Quentin Sherman (Qi Xue), Network & Security Consultant
Servicio de Impuestos Internos    Working Phone: 56-2 6921371
Teatinos 120, Santiago, Chile     Working Fax: 56-2 6921501
e-mail: qsherman@sii.cl           WWW: http://www.sii.cl
-------------------------------------------------------------
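The reply's third point (wildcard bits are the inverse of a subnet mask) and its fourth point (deny telnet from the outside before the broad permit) are easy to get wrong because Cisco evaluates an access list top-down, first match wins, with an implicit deny at the end. The following Python is an added example, not code from either poster: it converts a mask to a wildcard, applies wildcard-match semantics bit by bit, and walks a small extended ACL in order. All addresses are constructed placeholders standing in for the poster's a.b.c.0 (LAN A), a.b.d.0 (LAN B) and a.b.c.15 (the proxy); the rules are gathered into one list for illustration, whereas on a router they would be applied per interface.

```python
import ipaddress

FULL = 0xFFFFFFFF


def wildcard_from_mask(mask: str) -> str:
    """Turn a subnet mask (255.255.255.0) into the Cisco wildcard (0.0.0.255).

    A wildcard is the bitwise inverse of the mask: 0 bits must match,
    1 bits are "don't care".
    """
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ FULL))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the wildcard."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & FULL
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


# Constructed placeholder addressing for this example (not from the post):
#   LAN A = 10.1.1.0/24  (the poster's a.b.c.0)
#   LAN B = 10.1.2.0/24  (the poster's a.b.d.0)
#   proxy = 10.1.1.15    (the poster's a.b.c.15, "sun1")
# Entry layout: (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port)
# A dst_port of None means "any port".
ANY = ("0.0.0.0", "255.255.255.255")   # wildcard of all ones matches every address
HOST = "0.0.0.0"                       # wildcard of all zeros matches one host

EXAMPLE_ACL = [
    # Block telnet to the proxy from anywhere (the reply's fourth point).
    # It must sit above the broad permit because evaluation is first-match.
    ("deny",   "tcp", *ANY, "10.1.1.15", HOST, 23),
    # Let the Internet reach the proxy on anything else.
    ("permit", "ip",  *ANY, "10.1.1.15", HOST, None),
    # LAN-to-LAN entries as corrected in the reply.
    ("permit", "ip", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255", None),
    ("permit", "ip", "10.1.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255", None),
    # The implicit "deny any any" at the end is modelled in evaluate().
]


def evaluate(acl, proto: str, src: str, dst: str, dport=None) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for action, p, s, swc, d, dwc, port in acl:
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if matches(src, s, swc) and matches(dst, d, dwc):
            return action
    return "deny"  # implicit deny at the end of every access list


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))                            # 0.0.0.255
    print(evaluate(EXAMPLE_ACL, "tcp", "198.51.100.9", "10.1.1.15", 80))  # permit
    print(evaluate(EXAMPLE_ACL, "tcp", "198.51.100.9", "10.1.1.15", 23))  # deny
    print(evaluate(EXAMPLE_ACL, "tcp", "198.51.100.9", "10.1.1.20", 80))  # deny
    # The trap the reply warns about: a mask typed where a wildcard belongs
    # makes the entry match any address ending in .0, on any network.
    print(matches("192.0.2.0", "10.1.1.0", "255.255.255.0"))             # True
```

Note that with the mask-as-wildcard mistake the entry "matches" by the last octet only, so it neither selects LAN A nor excludes outside hosts; the reordering of the telnet deny above the permit is what gives the fourth point its effect.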