Routing question

Unanswered Question
May 25th, 2008

Hi again guys.

1811 router

2 public IPs: 70.x.x.x and 69.x.x.x

70.x.x.x is the main local users' IP -> (192.168.0.1)

I want to use the 69.x.x.x for wireless users with IP 192.168.2.1 (separate VLAN 100)

Best way to implement it? Also, how do I deny 192.168.2.1 access to the 192.168.0.1 subnet?

Thank you

Giuseppe Larosa Mon, 05/26/2008 - 04:31

Hello,

on your 1811 you have to use NAT.

You define two different NAT address pools, one for public block 1 (70.x.x.x) and one for public block 2 (69.x.x.x).

You declare the interface(s) to the outer world as NAT outside using ip nat outside.

You define two standard IP ACLs that you use in combination with the address pools to specify that 192.168.0.0/24 has to be translated into block1 and 192.168.2.0/24 into block2.

see the following link:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1047771

Example:

! standard ACLs select which inside subnet goes to which public block
access-list 11 permit 192.168.0.0 0.0.0.255
access-list 12 permit 192.168.2.0 0.0.0.255
! one dynamic NAT pool per public block
ip nat pool block1 70.x.x.2 70.x.x.254 netmask 255.255.255.0
ip nat pool block2 69.x.x.2 69.x.x.254 netmask 255.255.255.0
! here the nat
ip nat inside source list 11 pool block1
ip nat inside source list 12 pool block2
!
int fas0/1
 ip nat outside
!
int fas0/0.50
 desc regular wired users here
 ip nat inside
!
int fas0/0.100
 desc wireless users here
 ip nat inside

for the requirement you just need to use an extended outbound ACL to deny traffic originated by 192.168.2.0/24

! extended ACL: drop packets sourced from the wireless subnet, allow the rest
access-list 125 deny ip 192.168.2.0 0.0.0.255 any
access-list 125 permit ip any any
!
int fas0/0.50
 desc regular wired users here
 ip access-group 125 out

hope to help

Giuseppe
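The design Giuseppe describes (two dynamic NAT pools selected by standard ACLs, plus an extended ACL to wall off the wireless VLAN) as one complete configuration. This is an added example, not Giuseppe's or the original poster's code, written with the 1811's own port names: the built-in switch ports are FastEthernet2-9 and the VLANs are addressed on SVIs (interface Vlan1 / Vlan100), with FastEthernet9 assumed to be the access-point port, VLAN 100 assumed to already exist, and FastEthernet0 assumed to be the single ISP link carrying both blocks. The ISP gateway 70.x.x.254, the secondary address for the 69.x.x.x block and the ACL name WIRELESS-IN are assumptions; the public addresses stay as the placeholders used in the thread. The filter is placed inbound on the wireless SVI rather than outbound on the wired one, so a wireless packet aimed at 192.168.0.0/24 is dropped at ingress, which also covers the router's own wired address and any inside subnet added later.

```cisco
! Added example, not code from the thread. Assumed: the 1811's switch ports
! FastEthernet2-9 carry the VLANs (SVIs Vlan1 and Vlan100), FastEthernet9 is
! the access-point port, FastEthernet0 is the single ISP link carrying both
! public blocks, and the ISP gateway is 70.x.x.254. Public addresses keep the
! thread's placeholders.
!
! --- inside: one SVI per VLAN ---
interface FastEthernet9
 description access point
 switchport access vlan 100
!
interface Vlan1
 description regular wired users
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Vlan100
 description wireless users
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip access-group WIRELESS-IN in
!
! --- outside ---
interface FastEthernet0
 description ISP link, both public blocks routed here
 ip address 70.x.x.1 255.255.255.0
 ip address 69.x.x.1 255.255.255.0 secondary
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 70.x.x.254
!
! --- which inside subnet is translated into which public block ---
! Dynamic one-to-one NAT as described: each inside host takes one pool
! address while active, so the pool size bounds the number of concurrent hosts.
access-list 11 permit 192.168.0.0 0.0.0.255
access-list 12 permit 192.168.2.0 0.0.0.255
ip nat pool block1 70.x.x.2 70.x.x.253 netmask 255.255.255.0
ip nat pool block2 69.x.x.2 69.x.x.253 netmask 255.255.255.0
ip nat inside source list 11 pool block1
ip nat inside source list 12 pool block2
!
! --- keep wireless off the wired subnet ---
! Inbound on the wireless SVI: the packet is dropped before routing and NAT,
! and the router's own 192.168.0.1 is covered as well. DHCP is permitted so
! clients can obtain an address from the router; everything not listed is
! dropped by the implicit deny at the end of the list.
ip access-list extended WIRELESS-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log
 permit ip 192.168.2.0 0.0.0.255 any
```

To check it, have a wireless client try to reach a wired host and then look at `show ip access-lists WIRELESS-IN`: the match counter on the deny entry should rise. `show ip nat translations` should show wireless hosts mapped into 69.x.x.x and wired hosts into 70.x.x.x. Drop the `log` keyword from the deny once verified; logged ACL hits are process-switched and add load on a busy segment. If the ISP hands out only a single address per link instead of a block, replace the pools with `ip nat inside source list ... interface FastEthernet0 overload`, which is the PAT form used in the next post.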

rygar1234 Mon, 05/26/2008 - 15:10

Will this work?

! wired users, used by both ISP route-maps
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
! mail server, policy-routed to the 70.x.x.x link
access-list 111 permit tcp host 192.168.0.50 any eq smtp
! wireless users; the deny is listed first because ACL entries are matched top-down
access-list 112 remark Deny access to local network
access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 112 permit ip 192.168.2.0 0.0.0.255 any
!
route-map dsl-nat-wireless permit 10
 match ip address 112
 match interface FastEthernet1
!
route-map exchange permit 10
 match ip address 111
 set ip next-hop verify-availability 70.x.x.x 1 track 10
!
route-map dsl-nat permit 10
 match ip address 110
 match interface FastEthernet1
!
route-map cable-nat permit 10
 match ip address 110
 match interface FastEthernet0

Also for NAT I have

ip nat inside source route-map cable-nat interface FastEthernet0 overload
ip nat inside source route-map dsl-nat interface FastEthernet1 overload

Do I need anything for dsl-nat-wireless?

ip nat inside source route-map dsl-nat-wireless interface FastEthernet1 overload

Thank you
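Two points worth checking in the route-map design above, shown as an added example rather than code from the thread. First, an ACL that is referenced only from a NAT route-map decides which packets get translated; a deny entry in it (such as the deny in ACL 112) does not drop anything, so the wireless-to-wired block has to be applied with `ip access-group`. Second, `match interface` in a NAT route-map is evaluated after routing has already chosen the exit interface: if the default route points at the cable link, a wireless packet leaves FastEthernet0, where only ACL 110 (wired hosts) is a candidate, and is forwarded with its 192.168.2.x source untranslated. Policy-routing the wireless VLAN to the DSL gateway is what makes dsl-nat-wireless actually apply. Assumed here: FastEthernet0 is the cable link with the 70.x.x.x block, FastEthernet1 the DSL link with the 69.x.x.x block, the DSL gateway is 69.x.x.254, the VLANs are 1811 SVIs Vlan1/Vlan100, ACL 112 is reduced to its permit line, and the names WIRELESS-IN, WIRELESS-PBR and WIRELESS-VIA-DSL are mine.

```cisco
! Added example, not code from the thread. Assumed roles: FastEthernet0 = cable
! (70.x.x.x block), FastEthernet1 = DSL (69.x.x.x block), DSL gateway 69.x.x.254,
! wired users on Vlan1 (192.168.0.1), wireless users on Vlan100 (192.168.2.1).
!
! --- 1) the filter ---
! An ACL named only in a NAT route-map selects traffic for translation and
! drops nothing, so the wireless-to-wired block lives in an access-group,
! applied inbound on the wireless SVI. DHCP is allowed so clients can get an
! address from the router; anything not listed hits the implicit deny.
ip access-list extended WIRELESS-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log
 permit ip 192.168.2.0 0.0.0.255 any
!
! --- 2) the egress ---
! NAT route-maps with "match interface" are checked after routing has chosen
! the exit interface. Policy-route wireless traffic to the DSL gateway so it
! leaves FastEthernet1, where dsl-nat-wireless matches. Traffic to the
! wireless subnet itself (e.g. to the router's 192.168.2.1) is excluded.
ip access-list extended WIRELESS-PBR
 deny   ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
route-map WIRELESS-VIA-DSL permit 10
 match ip address WIRELESS-PBR
 set ip next-hop 69.x.x.254
!
! --- 3) the translation ---
! ACL 112 reduced to its permit line; the deny moved into WIRELESS-IN above.
access-list 112 permit ip 192.168.2.0 0.0.0.255 any
!
route-map dsl-nat-wireless permit 10
 match ip address 112
 match interface FastEthernet1
!
ip nat inside source route-map dsl-nat-wireless interface FastEthernet1 overload
!
! --- interfaces ---
interface Vlan100
 description wireless users
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip access-group WIRELESS-IN in
 ip policy route-map WIRELESS-VIA-DSL
!
interface FastEthernet0
 description cable, 70.x.x.x block
 ip nat outside
!
interface FastEthernet1
 description DSL, 69.x.x.x block
 ip nat outside
```

`show route-map WIRELESS-VIA-DSL` counts the policy-routed packets, and `show ip nat translations` should show every 192.168.2.x inside address translated to the FastEthernet1 address only. If the DSL link can go down, use the same `set ip next-hop verify-availability ... track` form as the exchange route-map instead of a bare `set ip next-hop`, and add a cable-side NAT route-map for ACL 112 so that wireless traffic falling back to FastEthernet0 is still translated rather than leaving with a private source.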
