05-25-2008 08:25 PM - edited 03-03-2019 10:05 PM
Hi again guys.
1811 router
2 public IPs: 70.x.x.x and 69.x.x.x
70.x.x.x is main local users ip -> (192.168.0.1)
I want to use the 69.x.x.x for wireless users with ip 192.168.2.1 (separate vlan 100)
Best way to implement it? Also, how do I deny the 192.168.2.1 access to the 192.168.0.1 subnet?
Thank you
05-26-2008 04:31 AM
Hello,
On your 1811 you have to use NAT.
You define two different NAT address pools, one for public block 1 (70.x.x.x) and one for public block 2 (69.x.x.x).
You declare the interface(s) to the outer world as NAT outside using ip nat outside.
You define two standard IP ACLs that you use in combination with the address pools to specify that 192.168.0.0/24 has to be translated into block1 and 192.168.2.0/24 into block2.
see the following link:
Example:
access-list 11 permit 192.168.0.0 0.0.0.255
access-list 12 permit 192.168.2.0 0.0.0.255
ip nat pool block1 70.x.x.2 70.x.x.254 netmask 255.255.255.0
ip nat pool block2 69.x.x.2 69.x.x.254 netmask 255.255.255.0
! here the nat
ip nat inside source list 11 pool block1
ip nat inside source list 12 pool block2
int fas0/1
ip nat outside
int fas0/0.50
desc regular wired users here
ip nat inside
int fas0/0.100
desc wireless users here
ip nat inside
For the requirement, you just need to use an extended outbound ACL to deny traffic originated by 192.168.2.0/24:
access-list 125 deny ip 192.168.2.0 0.0.0.255 any
access-list 125 permit ip any any
int fas0/0.50
desc regular wired users here
ip access-group 125 out
hope to help
Giuseppe
05-26-2008 03:10 PM
Will this work?
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit tcp host 192.168.0.50 any eq smtp
access-list 112 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 112 remark Deny access to local network
access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
route-map dsl-nat-wireless permit 10
match ip address 112
match interface FastEthernet1
!
route-map exchange permit 10
match ip address 111
set ip next-hop verify-availability 70.x.x.x 1 track 10
!
route-map dsl-nat permit 10
match ip address 110
match interface FastEthernet1
!
route-map cable-nat permit 10
match ip address 110
match interface FastEthernet0
Also for NAT I have
ip nat inside source route-map cable-nat interface FastEthernet0 overload
ip nat inside source route-map dsl-nat interface FastEthernet1 overload
Do I need anything for dsl-nat-wireless?
ip nat inside source route-map dsl-nat-wireless interface FastEthernet1 overload
Thank you
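IOS evaluates an access list top down and stops at the first matching entry, so the order of the lines in lists 112 and 125 above decides the result. The following sketch is an added example, not code from any poster in this thread: it replays those two lists in Python for constructed host addresses (192.168.2.10, 192.168.0.5, 192.168.0.7) and reports entries that an earlier line already covers.

```python
import ipaddress

# ACL entries copied from the thread: 112 from the follow-up, 125 from the reply.
ACL_112 = """access-list 112 permit ip 192.168.2.0 0.0.0.255 any
access-list 112 remark Deny access to local network
access-list 112 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255"""
ACL_125 = """access-list 125 deny ip 192.168.2.0 0.0.0.255 any
access-list 125 permit ip any any"""
M = 0xFFFFFFFF

def ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    # Consume one address spec from tok; return (base, wildcard) as ints.
    first = tok.pop(0)
    if first == "any":
        return 0, M
    return (ip(tok.pop(0)), 0) if first == "host" else (ip(first), ip(tok.pop(0)))

def parse(text):
    # Keep only permit/deny entries; remarks are skipped. Ports are not modelled.
    out = []
    for t in (line.split() for line in text.splitlines()):
        if len(t) > 4 and t[2] in ("permit", "deny"):
            rest = t[4:]  # t[3] is the protocol
            out.append((t[2], _addr(rest), _addr(rest)))
    return out

def _hit(spec, addr):
    # Wildcard bits set to 1 are "don't care"; compare only the other bits.
    return (ip(addr) ^ spec[0]) & ~spec[1] & M == 0

def evaluate(entries, src, dst):
    # First matching entry wins, top down; index is 1-based.
    for i, (action, s, d) in enumerate(entries, 1):
        if _hit(s, src) and _hit(d, dst):
            return action, i
    return "deny", None  # implicit deny at the end of every ACL

def _covers(outer, inner):
    # True if every address matched by inner is also matched by outer.
    return inner[1] & ~outer[1] & M == 0 and (outer[0] ^ inner[0]) & ~outer[1] & M == 0

def shadowed(entries):
    # Entries that can never match because one earlier entry covers them.
    return [j + 1 for j, (_, s, d) in enumerate(entries)
            if any(_covers(ps, s) and _covers(pd, d) for _, ps, pd in entries[:j])]
```

An access list referenced only by a NAT route-map selects which traffic is translated; filtering packets between the two subnets needs an ip access-group binding such as the one in Giuseppe's reply.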