Block guest vlan from vpn tunnels

Gerald Vogt (Level 3)

I have an office 1812 router with 12.4T. The router has a GRE tunnel into the corporate intranet. Multiple static routes send some destinations into the VPN tunnel.

For guests there is a separate guest VLAN on the router. Guests are supposed to get internet access only. They are not allowed to send traffic into the VPN tunnel nor to access the office VLAN. The latter is easily set up with ACLs.

I could also set up ACLs to block traffic for destinations routed into the VPN tunnel. However, that is a list of some 20+ static routes and the list changes at times. If I used ACLs I would have to adjust the ACL each time I make changes to the VPN tunnel routing.

Is it possible to "force" routing of a VLAN into the internet only, ignoring any other static route which may exist?

Abridged configuration:

interface Tunnel0
 ip address 10.10.10.10 255.255.255.252
 tunnel source Dialer0
 tunnel destination 1.2.3.4
!
interface FastEthernet0
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Vlan99
 description Guest VLAN
 ip address 192.168.99.254 255.255.255.0
 ip nat inside
!
interface Vlan10
 description Main VLAN
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address 2.3.4.5 255.255.255.252
 ip nat outside
 dialer pool 1
 dialer-group 1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 20.20.20.0 255.255.255.0 10.0.0.9
ip route 20.20.21.64 255.255.255.192 10.0.0.9
etc.

The guests are not supposed to access the VPN tunnel destinations like 20.20.20.22. Guest traffic should always be routed to the default gateway through Dialer0. Is this possible other than by setting up and maintaining ACLs?

3 Replies

John Blakley (VIP Alumni)

I don't think this is possible, but there may be an easier way of doing it.

You should create an ACL for your guest vlan99 like this:

ip access-list extended GUEST
 deny ip 192.168.99.0 0.0.0.255 20.20.20.0 0.0.0.255
 deny ip 192.168.99.0 0.0.0.255 20.20.21.64 0.0.0.63
 deny ip 192.168.99.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.99.0 0.0.0.255 any

This would block any vlan99 traffic to anything over the tunnel or the office vlan. You WILL have to add any additional subnets as your network grows. Put this on your vlan99 interface inbound and it should work for you.

You MIGHT be able to do a route map as an alternative, but I've never tried this.

ip access-list extended GUEST
 permit ip 192.168.99.0 0.0.0.255 any
!
route-map GUEST permit 5
 match ip address GUEST
 set default interface Dialer0
!
interface Vlan99
 ip policy route-map GUEST

I'm not 100% confident that the route-map would work, but this tells it to send all traffic from vlan99 to Dialer0 as the default-interface. It may NOT block the traffic that you're wanting to block though.

HTH,

John


Gerald Vogt (Level 3)

Thank you. I know the ACL on the guest VLAN interface. That's the way I do it at the moment. But it is cumbersome to maintain the access list and the static routes in sync.

After some thinking I actually think that with ACLs it is better to filter the outbound traffic on the tunnel interface. Anything with source IP address 192.168.99.0/0.0.0.255 gets filtered and won't enter the tunnel. That's much shorter, and the IP subnet of the guest subnet won't change.

The route map is a good idea and it seems to do what I want. You have to use "set interface Dialer0" instead of "set default interface Dialer0". The latter changes the default route, i.e. all statically routed traffic will still go into the VPN tunnels. The former forces routing of the guest traffic to the Dialer0 and into the internet. I have tested this and it works nicely.

Actually it works better than the ACLs. The IP addresses routed into the VPN tunnels are routable IP addresses (e.g. 20.20.20.30). Most of the servers are only accessible through VPN. But some servers are actually accessible through the open internet as well using the same IP address. Thus, if I filter destination 20.20.20.30 for guests, they are not able to access this IP address although it may be accessible through the open internet.

Using the policy routing I can force the traffic to go into the internet and guests can still access 20.20.20.30 but only through a direct connection through the internet and not through the VPN tunnel. That's exactly what I need.

Thanks for the idea with the route-map. That was what I was looking for...
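The working configuration the thread arrives at, assembled as an added example (not posted by either participant): policy routing with "set interface Dialer0" to steer guest traffic past the static routes, the inbound ACL that still keeps guests off the office VLAN, and the outbound ACL on Tunnel0 that the OP mentions as the simpler filter. The ACL and route-map names are my own; the addresses are the ones from the thread.

```cisco
! Added example, not from the thread. Names GUEST-IN, GUEST-ANY,
! GUEST-NOT-TUNNEL and GUEST-PBR are assumed; addresses are the OP's.
!
! 1. Inbound on Vlan99: office VLAN stays off-limits (plain ACL, as the OP does).
ip access-list extended GUEST-IN
 deny   ip 192.168.99.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.99.0 0.0.0.255 any
!
! 2. Policy routing: every remaining guest packet is forced out Dialer0 no
!    matter what the static routes say, so the route list never has to be
!    mirrored in an ACL. It must be "set interface", not "set default
!    interface": the latter only applies when no explicit route exists, which
!    is exactly the case the static routes defeat.
ip access-list extended GUEST-ANY
 permit ip 192.168.99.0 0.0.0.255 any
!
route-map GUEST-PBR permit 10
 match ip address GUEST-ANY
 set interface Dialer0
!
interface Vlan99
 description Guest VLAN
 ip address 192.168.99.254 255.255.255.0
 ip nat inside
 ip access-group GUEST-IN in
 ip policy route-map GUEST-PBR
!
! 3. Second layer on the tunnel itself: PBR steers but does not filter, and
!    when Dialer0 is down matched packets fall back to normal table routing.
!    Filtering on the guest source subnet keeps this ACL independent of the
!    route list, so it never needs editing when routes change.
ip access-list extended GUEST-NOT-TUNNEL
 deny   ip 192.168.99.0 0.0.0.255 any
 permit ip any any
!
interface Tunnel0
 ip access-group GUEST-NOT-TUNNEL out
!
! Verification from exec mode:
!   show ip policy                         -> Vlan99 bound to GUEST-PBR
!   show route-map GUEST-PBR               -> "Policy routing matches" rising
!   show ip access-lists GUEST-NOT-TUNNEL  -> deny line should stay at 0 matches;
!                                             a non-zero count means PBR was bypassed
```

The Tunnel0 deny counter doubles as a detection signal: with PBR working it should never increment, so any matches there are worth investigating.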

John Blakley (VIP Alumni)

Thank you for posting back! This is good stuff. :-)

John

HTH, John *** Please rate all useful posts ***