Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
389
Views
0
Helpful
2
Replies

Routing question

rygar1234
Level 1
Level 1

‎05-25-2008 08:25 PM - edited ‎03-03-2019 10:05 PM

Hi again guys.

1811 router

2 public ip's 70.x.x.x 69.x.x.x

70.x.x.x is main local users ip -> (192.168.0.1)

I want to use the 69.x.x.x for wireless users with ip 192.168.2.1 (separate vlan 100)

Best way to implement it? also how do I deny the 192.168.2.1 access to the 192.168.0.1 subnet?

Thank you

Labels:
0 Helpful
2 Replies 2

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-26-2008 04:31 AM

Hello,

on your 1811 you have to use NAT.

You define two different NAT address pools one for public block 1 (70.x.x.x) and one for public block 2 (69.x.x.x).

You declare the interface(s) to the outer world as NAT outside using ip nat outside.

You define two standard IP ACLs that you use in combination with the addres pools to specify that 192.168.0./24 has to be translated into block1 and 192.168.2.0/24 into block2.

see the following link:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1047771

Example:

access-list 11 permit 192.168.0.0 0.0.0.255

access-list 12 permit 192.168.2.0 0.0.0.255

ip nat pool block1 70.x.x.2 70.x.x.254 netmask 255.255.255.0

ip nat pool block2 69.x.x.2 69.x.x.254 netmask 255.255.255.0

! here the nat

ip nat inside source list 11 pool block1

ip nat inside source list 12 pool block2

int fas0/1

ip nat outside

int fas0/0.50

desc regular wired users here

ip nat inside

intfas0/0.100

desc wireless users here

ip nat inside

for the requirement you just need to use and extended outbound acl to deny traffic originated by 192.168.2.0/24

access-list 125 deny ip 192.168.2.0 0.0.0.255 any

access-list 125 permit ip any any

int fas0/0.50

desc regular wired users here

ip access-group 125 out

hope to help

Giuseppe

0 Helpful

rygar1234
Level 1
Level 1
In response to Giuseppe Larosa

‎05-26-2008 03:10 PM

Will this work?

access-list 110 permit ip 192.168.0.0 0.0.0.255 any

access-list 111 permit tcp host 192.168.0.50 any eq smtp

access-list 112 permit ip 192.168.2.0 0.0.0.255 any

!

access-list 112 remark Deny access to local network

access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255

route-map dsl-nat-wireless permit 10

match ip address 112

match interface FastEthernet1

!

route-map exchange permit 10

match ip address 111

set ip next-hop verify-availability 70.x.x.x 1 track 10

!

route-map dsl-nat permit 10

match ip address 110

match interface FastEthernet1

!

route-map cable-nat permit 10

match ip address 110

match interface FastEthernet0

Also for NAT I have

ip nat inside source route-map cable-nat interface FastEthernet0 overload

ip nat inside source route-map dsl-nat interface FastEthernet1 overload

Do I need anything for dsl-nat-wireless?

ip nat inside source route-map dsl-nat-wireless interface FastEthernet1 overload

Thank you

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card