DIT | How to configure outbound and inbound traffic on a router


5.5 CONFIGURING THE IN/OUT TRAFFIC (how to make the website reachable locally and globally)


# Configuration of HQ Router
Router(config)# hostname HQ
HQ(config)# ip name-server 8.8.8.8
HQ(config)# ip domain name local.center
HQ(config)# username Cisco@123 privilege 15 password 0 Cisco@123
! 'password 0' keeps this credential in cleartext in the running configuration;
! 'username <name> privilege 15 secret <password>' stores a hash of it instead.
!
HQ(config)# interface Serial0/0/1
HQ(config-if)# description Connected to ISP
HQ(config-if)# ip address 11.120.228.211 255.255.255.252
HQ(config-if)# ip nat outside
HQ(config-if)# negotiation auto
HQ(config-if)# no mop enabled
HQ(config-if)# exit
!
HQ(config)# interface GigabitEthernet0/1
HQ(config-if)# description Connected to inside LAN
HQ(config-if)# ip address 192.168.5.2 255.255.255.0
HQ(config-if)# ip nat inside
HQ(config-if)# negotiation auto
HQ(config-if)# exit
!
HQ(config)# interface GigabitEthernet0
HQ(config-if)# vrf forwarding Mgmt-intf
HQ(config-if)# description Connected to ManagementPort
HQ(config-if)# ip address 192.168.36.14 255.255.255.0
HQ(config-if)# negotiation auto
HQ(config-if)# exit
!
HQ(config)# ip forward-protocol nd
HQ(config)# ip http server
HQ(config)# ip http authentication local
HQ(config)# ip http secure-server
! 'ip http server' also exposes the management UI over unencrypted HTTP; if only
! HTTPS is wanted, use 'no ip http server' and keep 'ip http secure-server'.
HQ(config)# ip nat pool Pool_2010 164.100.223.10 164.100.223.10 netmask 255.255.255.0
HQ(config)# ip nat pool Pool_2020 164.100.223.20 164.100.223.20 netmask 255.255.255.0
!
HQ(config)# ip nat inside source static udp 192.168.13.17 53 164.100.223.10 53 extendable
HQ(config)# ip nat inside source static tcp 192.168.13.39 443 164.100.223.20 443 extendable
!
HQ(config)# ip nat inside source list 2010 pool Pool_2010 overload
HQ(config)# ip nat inside source list 2011 pool Pool_201 overload
! Pool_201 is not defined anywhere above; the pool name must match an 'ip nat pool'
! entry, or the rule can use 'interface Serial0/0/1 overload' to translate to the
! outside interface address instead.
HQ(config)# ip nat inside source list 2020 pool Pool_2020 overload
!
HQ(config)# ip route 0.0.0.0 0.0.0.0 11.120.228.210
!
HQ(config)# ip ssh time-out 30
!
HQ(config)# ip access-list extended 2010
HQ(config-ext-nacl)# remark whitelist outbound traffic through Pool_2010
HQ(config-ext-nacl)# permit tcp host 192.168.13.17 any
! The entry above already permits all TCP from 192.168.13.17 to any destination,
! so the three tcp entries below it can never be matched. If the list is meant
! to restrict the host to the named destinations and ports, that is the line to drop.
HQ(config-ext-nacl)# permit tcp host 192.168.13.17 host 139.59.81.101 eq www
HQ(config-ext-nacl)# permit tcp host 192.168.13.17 host 139.59.81.101 eq 443
HQ(config-ext-nacl)# permit icmp host 192.168.13.17 any
HQ(config-ext-nacl)# permit tcp host 192.168.13.17 host 8.8.8.8 eq domain
HQ(config-ext-nacl)# permit udp host 192.168.13.17 host 8.8.8.8 eq domain
HQ(config-ext-nacl)# exit
!
HQ(config)# ip access-list extended 2020
HQ(config-ext-nacl)# remark whitelist outbound traffic through Pool_2020
HQ(config-ext-nacl)# permit tcp host 192.168.13.39 any
! As in ACL 2010, the 'any' entry above shadows the three tcp entries below it.
HQ(config-ext-nacl)# permit tcp host 192.168.13.39 host 139.59.81.101 eq www
HQ(config-ext-nacl)# permit tcp host 192.168.13.39 host 139.59.81.101 eq 443
HQ(config-ext-nacl)# permit icmp host 192.168.13.39 any
HQ(config-ext-nacl)# permit tcp host 192.168.13.39 host 8.8.8.8 eq domain
HQ(config-ext-nacl)# permit udp host 192.168.13.39 host 8.8.8.8 eq domain
HQ(config-ext-nacl)# exit
!
HQ(config)# ip access-list extended 2011
HQ(config-ext-nacl)# remark Internet access for updating the servers, i.e. 192.168.13.38
HQ(config-ext-nacl)# permit tcp host 192.168.13.138 any
HQ(config-ext-nacl)# permit tcp host 192.168.13.175 any
HQ(config-ext-nacl)# permit tcp host 192.168.13.158 any
HQ(config-ext-nacl)# permit icmp host 192.168.13.34 any
HQ(config-ext-nacl)# exit

Note: Another pattern for giving the servers internet access on a Cisco router uses a network object-group, as shown below.
HQ(config)# object-group network Internet-ACL
HQ(config-network-group)# description Internet access for updating the servers, i.e. 192.168.13.38
HQ(config-network-group)# host 192.168.13.138
HQ(config-network-group)# host 192.168.13.175
HQ(config-network-group)# host 192.168.13.158
HQ(config-network-group)# host 192.168.13.34
HQ(config-network-group)# exit
!
HQ(config)# ip access-list extended Internet-ACL
HQ(config-ext-nacl)# permit ip object-group Internet-ACL any
HQ(config-ext-nacl)# exit
!
! A dynamic translation rule must name either a pool or an interface; 'overload' on its
! own is not accepted. Here the hosts are translated to the address of Serial0/0/1, the
! NAT outside interface configured above.
HQ(config)# ip nat inside source list Internet-ACL interface Serial0/0/1 overload
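A consistency check for the NAT section, added here as an example and not part of the original post: it reads an IOS-style configuration excerpt and reports translation rules that name a pool or an ACL the configuration never defines, or that name neither a pool nor an interface. The excerpt is constructed to mirror the HQ configuration above with the CLI prompts stripped; the function name check_nat_references and the regular expressions are this example's own.

```python
"""Cross-check 'ip nat inside source list' statements against the pools and ACLs
they reference. Added example, not part of the original post; the excerpt below is
constructed to mirror the HQ configuration above, with the CLI prompts stripped."""
import re

CONFIG = """
ip nat pool Pool_2010 164.100.223.10 164.100.223.10 netmask 255.255.255.0
ip nat pool Pool_2020 164.100.223.20 164.100.223.20 netmask 255.255.255.0
ip nat inside source list 2010 pool Pool_2010 overload
ip nat inside source list 2011 pool Pool_201 overload
ip nat inside source list 2020 pool Pool_2020 overload
ip nat inside source list Internet-ACL overload
ip access-list extended 2010
ip access-list extended 2020
ip access-list extended 2011
ip access-list extended Internet-ACL
"""

# Hypothetical patterns for this example; they cover only the statement forms used above.
POOL_DEF = re.compile(r"^ip nat pool (\S+)", re.M)
ACL_DEF = re.compile(r"^ip access-list (?:standard|extended) (\S+)", re.M)
NAT_RULE = re.compile(r"^ip nat inside source list (\S+)(?: pool (\S+)| interface (\S+))?", re.M)


def check_nat_references(config):
    """Return pools and ACLs that NAT rules name but the config never defines,
    plus rules that name neither a pool nor an interface (invalid syntax)."""
    pools, acls = set(POOL_DEF.findall(config)), set(ACL_DEF.findall(config))
    missing_pools, missing_acls, malformed = set(), set(), []
    for acl, pool, iface in NAT_RULE.findall(config):
        if acl not in acls:
            missing_acls.add(acl)
        if pool and pool not in pools:
            missing_pools.add(pool)
        if not pool and not iface:
            malformed.append(acl)
    return {"missing_pools": sorted(missing_pools),
            "missing_acls": sorted(missing_acls),
            "malformed": malformed}


if __name__ == "__main__":
    print(check_nat_references(CONFIG))
```

Run against the constructed excerpt it reports Pool_201 as an undefined pool and the Internet-ACL rule as malformed, which are exactly the two problems a reviewer would catch in the configuration above; the same check can be pointed at a saved running-config.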

STANDARD ACLs
Standard ACLs are the oldest type of ACL. They date back to as early as Cisco IOS Software Release 8.3. Standard ACLs control traffic by comparing the source address of IP packets with the addresses configured in the ACL. This is the command syntax format of a standard ACL:
access-list access-list-number {permit|deny} {host|source source-wildcard|any}

EXTENDED ACLs
Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by comparing both the source and destination addresses of IP packets with the addresses configured in the ACL. This is the command syntax format of extended ACLs; lines are wrapped here for space considerations.

IP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} protocol source source-wildcard destination destination-wildcard [precedence precedence]
[tos tos] [log|log-input] [time-range time-range-name]

ICMP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} icmp source source-wildcard destination destination-wildcard
[icmp-type [icmp-code] |icmp-message]
[precedence precedence] [tos tos] [log|log-input]
[time-range time-range-name]

TCP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} tcp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]]
[established] [precedence precedence] [tos tos]
[log|log-input] [time-range time-range-name]

UDP
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} udp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]]
[precedence precedence] [tos tos] [log|log-input]
[time-range time-range-name]
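The syntax above leaves two things implicit that decide what an extended ACL actually does: the wildcard mask (a 1 bit means "don't care"), and the fact that entries are tried in order, the first match wins, and anything left over hits the implicit deny. The following evaluator, added here as an example and not code from the original post or from Cisco, makes both explicit, and it also flags entries that an earlier entry makes unreachable, which is what happens in ACLs 2010 and 2020 above. The parser is a hypothetical minimal one (only the host, any, source source-wildcard and eq port forms), and the ACL text and packets are constructed to mirror ACL 2010.

```python
"""Cisco-style extended ACL evaluation: wildcard masks, first match wins, implicit
deny at the end, and detection of shadowed (unreachable) entries. Added example,
not code from the original post; the parser is a hypothetical minimal one (only
'host', 'any', 'A WILDCARD' and 'eq PORT') and the ACLs and packets are constructed."""
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src swild sport dst dwild dport")
Packet = namedtuple("Packet", "proto src dst sport dport")
PORT_NAMES = {"www": 80, "domain": 53, "ssh": 22, "smtp": 25}
MASK32 = 0xFFFFFFFF
_to_int = lambda addr: int(ipaddress.IPv4Address(addr))  # dotted quad -> 32-bit int

def _parse_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (addr, wildcard, rest)."""
    if tok[0] == "any":
        return 0, MASK32, tok[1:]
    if tok[0] == "host":
        return _to_int(tok[1]), 0, tok[2:]
    return _to_int(tok[0]), _to_int(tok[1]), tok[2:]

def _parse_port(tok):
    """Consume an optional 'eq PORT'; return (port or None, rest)."""
    if tok and tok[0] == "eq":
        return PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_ace(line):
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, swild, tok = _parse_addr(tok[2:])
    sport, tok = _parse_port(tok)   # a port after the source qualifies the source
    dst, dwild, tok = _parse_addr(tok)
    dport, tok = _parse_port(tok)   # a port after the destination qualifies it
    return Ace(action, proto, src, swild, sport, dst, dwild, dport)

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def _wild_match(addr, wild, value):
    """Cisco wildcard semantics: only the bits that are 0 in the mask are compared."""
    return ((addr ^ value) & (~wild & MASK32)) == 0

def ace_matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and _wild_match(ace.src, ace.swild, _to_int(pkt.src))
            and _wild_match(ace.dst, ace.dwild, _to_int(pkt.dst))
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport))

def evaluate(acl, pkt):
    """First matching entry decides; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def _covers(a, b):
    """True if every packet matching entry b also matches entry a."""
    def addr_covers(aa, aw, ba, bw):
        return (aw | bw) == aw and ((aa ^ ba) & (~aw & MASK32)) == 0
    return (a.proto in ("ip", b.proto)
            and addr_covers(a.src, a.swild, b.src, b.swild)
            and addr_covers(a.dst, a.dwild, b.dst, b.dwild)
            and (a.sport is None or a.sport == b.sport)
            and (a.dport is None or a.dport == b.dport))

def shadowed_entries(acl):
    """(index, covered_by) pairs for entries an earlier entry makes unreachable."""
    out = []
    for j in range(len(acl)):
        for i in range(j):
            if _covers(acl[i], acl[j]):
                out.append((j, i))
                break
    return out

# Constructed copy of ACL 2010 from the post, and the same whitelist without the
# leading 'permit tcp ... any', which on its own opens every TCP port outbound.
ACL_2010 = """
permit tcp host 192.168.13.17 any
permit tcp host 192.168.13.17 host 139.59.81.101 eq www
permit tcp host 192.168.13.17 host 139.59.81.101 eq 443
permit icmp host 192.168.13.17 any
permit tcp host 192.168.13.17 host 8.8.8.8 eq domain
permit udp host 192.168.13.17 host 8.8.8.8 eq domain
"""
ACL_2010_TIGHT = "\n".join(ACL_2010.strip().splitlines()[1:])

def demo():
    loose, tight = parse_acl(ACL_2010), parse_acl(ACL_2010_TIGHT)
    smtp_out = Packet("tcp", "192.168.13.17", "203.0.113.25", 40000, 25)  # constructed
    return {"shadowed_in_2010": shadowed_entries(loose),   # [(1, 0), (2, 0), (4, 0)]
            "loose_smtp": evaluate(loose, smtp_out),       # permit: first entry allows all TCP
            "tight_smtp": evaluate(tight, smtp_out),       # deny: implicit deny
            "tight_dns": evaluate(tight, Packet("udp", "192.168.13.17", "8.8.8.8", 5353, 53))}

if __name__ == "__main__":
    print(demo())
```

demo() shows the difference the first entry makes: with it, an outbound SMTP connection from 192.168.13.17 is permitted by entry 0 and entries 1, 2 and 4 are reported as shadowed; without it, the same packet falls through to the implicit deny while DNS to 8.8.8.8 is still permitted. The wildcard form from the syntax section is handled too, so a source written as 192.168.13.0 0.0.0.255 matches any host in that /24.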






https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15243-19.html
