isolate private subnets from each other

Unanswered Question
Sep 17th, 2008

cisco router 2651XM

IOS: c2600-adventerprisek9-mz.124-2.T.bin

My above router is fitted with a wic-adsl card that connects to the internet.

My router has two ethernet ports. One (F0/0) is configured on 172.16.1.x and the other (F0/1) is on 192.168.1.x and both ports connect to the internet okay.

Using the wizard in SDM 2.5 I set up a low level firewall, but I want to isolate the two subnets from each other, so that neither one can see the other but I don't want to disrupt the connections to the internet. Does anybody know what commands I could use to do this? attached is my running config. Thanks for any help.

Collin Clark Wed, 09/17/2008 - 11:52

Your ACL already does this. Access list 102 blocks the 192.168.1.0/24 network (network connected to Fa0/1) and access list 103 blocks 172.16.0.0 255.255.0.0 (network connected to e0/0).

Hope that helps.

tonyspcrepairs Wed, 09/17/2008 - 12:00

thanks, but from the 172.16.1.x network I can ping the 192.168.1.x numbers and they reply. And from the 172.16.12.x network I can view web pages stored on a 192.168.1.x machine, so there isn't isolation.

Collin Clark Wed, 09/17/2008 - 12:09

Yep, you're right, sorry I read it too fast. In SDM add the following rule to access list 102.

Deny IP Source Network 172.16.0.0 255.255.0.0 to Destination network 192.168.1.0 255.255.255.0

In access list 103 add the following rule-

Deny IP Source Network 192.168.1.0 255.255.255.0 to Destination network 172.16.0.0 255.255.0.0

I don't use SDM so I hope you understand what I'm trying to state. Also make sure each line above is above the 'permit IP any any' rule in the access list.

Let us know how it goes.

tonyspcrepairs Wed, 09/17/2008 - 14:10

I'm happy to enter the commands into the cli myself, I would rather do that than use SDM, but as a bungling newbie I have to trust the SDM wizard to do some things for me.

The (2nd) access list 103 command seemed to work ok but the (first) access list 102 command cut the internet off. I tried a couple of variations of it but no joy.

Collin Clark Thu, 09/18/2008 - 06:24

OK, from the CLI

interface FastEthernet0/0
 no ip access-group 102 in

no access-list 102

access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 102 permit ip any any

interface FastEthernet0/0
 ip access-group 102 in

tonyspcrepairs Thu, 09/18/2008 - 08:41

Yes Collin, I think this has done it. From 172.16.1.x I can no longer ping the 192.168.1.x numbers, and I can't see any websites either, but I can still surf the internet from both 172xx and 198xx, which is great.

I erased the previous 103 rule yesterday, and today from 192.168.1.x I can only ping the cisco router, I can't ping any other address on the 172xx LAN, and I can't decide whether to leave as is.

To isolate the 192xxx LAN completely from the 172xxx lan here are some commands I'd like to run by you before I put them in:

These are my current commands on a-l 103:

access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 remark Auto generated by SDM for NTP (123) 212.13.194.96
access-list 103 permit udp host 212.13.194.96 eq ntp host 192.168.1.100 eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 212.13.194.87
access-list 103 permit udp host 212.13.194.87 eq ntp host 192.168.1.100 eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 212.13.194.71
access-list 103 permit udp host 212.13.194.71 eq ntp host 192.168.1.100 eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 62.84.188.34
access-list 103 permit udp host 62.84.188.34 eq ntp host 192.168.1.100 eq ntp
access-list 103 deny ip 172.16.0.0 0.0.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any

I was thinking of deleting the last few lines and putting in this:

access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 172.16.1.0 0.0.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 103 permit ip any any

whaddya think?
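As an added illustration (not code from the thread or from Cisco), the following Python models how IOS evaluates a numbered extended ACL: first match wins, wildcard bits set to 1 are "don't care", and anything unmatched hits the implicit deny. It checks the ACL 102 posted by Collin above and the proposed ACL 103 just above, and shows why the isolation entry has to sit before "permit ip any any". Only IP source/destination are modelled (protocol and port qualifiers are ignored); the internet host 203.0.113.10 is a constructed test address.

```python
import ipaddress

# "any" in IOS is address 0.0.0.0 with an all-ones wildcard.
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, net, wild):
    """IOS wildcard match: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (n & care)

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for an IP packet from src to dst (first match wins)."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

# ACL 102, inbound on Fa0/0 (the 172.16.1.x LAN), as posted in the thread.
ACL_102 = [
    ("deny",   "192.168.1.0", "0.0.0.255", *ANY),            # other LAN's addresses (anti-spoof)
    ("deny",   "255.255.255.255", "0.0.0.0", *ANY),
    ("deny",   "127.0.0.0", "0.255.255.255", *ANY),
    ("deny",   "172.16.0.0", "0.0.255.255", "192.168.1.0", "0.0.0.255"),  # isolation entry
    ("permit", *ANY, *ANY),
]

# Proposed ACL 103, inbound on Fa0/1 (the 192.168.1.x LAN). The thread's
# "172.16.1.0 0.0.255.255" matches the same range as 172.16.0.0 under that wildcard.
ACL_103 = [
    ("deny",   "172.16.0.0", "0.0.255.255", *ANY),
    ("deny",   "255.255.255.255", "0.0.0.0", *ANY),
    ("deny",   "127.0.0.0", "0.255.255.255", *ANY),
    ("deny",   "192.168.1.0", "0.0.0.255", "172.16.0.0", "0.0.255.255"),  # isolation entry
    ("permit", *ANY, *ANY),
]

def misordered(acl):
    """The same ACL with the isolation entry moved below 'permit ip any any'."""
    *body, isolation, permit_all = acl
    return body + [permit_all, isolation]

if __name__ == "__main__":
    print(evaluate(ACL_102, "172.16.1.50", "192.168.1.100"))             # deny
    print(evaluate(ACL_102, "172.16.1.50", "203.0.113.10"))              # permit (internet)
    print(evaluate(misordered(ACL_102), "172.16.1.50", "192.168.1.100")) # permit: ordering bug
```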

tonyspcrepairs Thu, 09/18/2008 - 12:54

I've done those commands and all seems ok so far. Both subnets are unable to see each other and both subnets can still surf the net, which is good. Naturally it will take a few days of use to make sure I haven't created bumps somewhere else. Thanks for your help, Collin.
