Access-list for VPN (Solved)

bvoit2pimp
Level 1

Hi,

I'm new to configuring Cisco routers and switches. But I've been able to get a Cisco 861 router working with 2 VLANs.

My only problem is separating the 2 VLANs so they cannot reach each other. I banged my head on getting these access lists to work, but the only thing I've been able to achieve is not receiving a DHCP address at all; with everything else I've tried, both VLANs were always able to ping each other.

I'm very confused about how to configure these access lists (with the in and out, and after all I've tried, the source and destination IP are also beginning to confuse me).

Some info:

Router = Cisco 861

FastEthernet 0 / 1 / 2 / 3 are configured in trunk mode (to switch)

I have 4 switches where VLANs work (ports 1 & 2 are VLAN1, all other ports are VLAN10)

Switch info is:

1 x Cisco SF-200 48 port
3 x Cisco SF-300 24 port

What I want to achieve is:

- Both VLANs receive their IP by DHCP from the router (so they still need to be able to receive DHCP)
- VLAN1 needs to be able to connect only to 2 IPs on VLAN10 (192.168.1.200 and 192.168.1.201)
- VLAN10 may not reach anything on VLAN1

Can someone help me with this? It's not much, but I can't find how to do this.

The access lists in the router config atm are totally wrong, but they were there to test what they did.

Thx in advance :-)

My router config:

Router#show run
Building configuration...

Current configuration : 2815 bytes
!
! Last configuration change at 15:11:46 UTC Wed Jan 4 2006
! NVRAM config last updated at 14:01:07 UTC Wed Jan 4 2006
! NVRAM config last updated at 14:01:07 UTC Wed Jan 4 2006
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$B2a.$abguCFXGb79.CGszFLQZf0
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1719798455
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1719798455
 revocation-check none
 rsakeypair TP-self-signed-1719798455
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.200 192.168.1.254
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!
ip dhcp pool vlan10
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 195.130.130.1 195.130.130.129
!
ip dhcp pool vlan 1
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 195.130.130.1 195.130.130.129
!
ip name-server 195.130.130.129
ip name-server 195.130.130.1
ip name-server 195.130.131.4
no ip cef
!
license udi pid CISCO861-K9 sn FCZ160390WV
!
username ben privilege 15 secret 5 $1$DLkn$/cLYXwLSOiLSl5O/hH0Jw0
username ben2 privilege 15 password 0 xxxxxxx
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 switchport mode trunk
 no ip address
!
interface FastEthernet3
 switchport mode trunk
 no ip address
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip access-group 110 out
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 no ip route-cache
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.40.1 254
!
ip access-list standard vlan1
 deny   192.168.1.0 0.0.0.255
ip access-list standard vlan10
 deny   192.168.2.0 0.0.0.255
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip host 192.168.2.2 host 192.168.1.1
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxx
 login
 transport input all
!
end


3 Replies

Julio Carvajal
VIP Alumni

Hello Ben,

To accomplish this you will need a stateful firewall (like ZBFW) or reflexive ACLs.

I would help you with the reflexive ACL:

ip access-list extended test
 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.200 reflect TEST
 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.201 reflect TEST
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any reflect TEST
ip access-list extended reflexive
 evaluate TEST
interface vlan 1
 ip access-group test in
 ip access-group reflexive out
!
! The reflexive list name TEST10 below is supplied here; the post left the
! reflect/evaluate name blank. IOS accepts "reflect" only on permit entries.
ip access-list extended Vlan10
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip any any reflect TEST10
ip access-list extended reflexive2
 evaluate TEST10
interface vlan10
 ip access-group Vlan10 in
 ip access-group reflexive2 out

Please give it a try with that and let me know.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi, I was able to fix this without the reflexive ACLs.

I did it like this:

interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip access-group inbound in
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 no ip route-cache
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group inbound10 in
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.40.1 254
!
ip access-list extended inbound
 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.5
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended inbound10
 permit ip host 192.168.1.5 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip any any
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
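As an added worked example (not part of the thread and not anyone's posted config), a small Python model of IOS first-match ACL evaluation run over the inbound/inbound10 lists from the solution above and over ACL 101 from the original question. It shows why the solution keeps DHCP working (a DISCOVER from 0.0.0.0 falls through to "permit ip any any") while ACL 101's implicit deny dropped it; all flows are constructed, and 203.0.113.10 is a stand-in Internet host.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care', so compare only the 0 bits."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

def _take(toks):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>', the only entry form used in the thread."""
    action, _proto, *rest = line.split()
    src, rest = _take(rest)
    dst, _ = _take(rest)
    return action, src, dst

def evaluate(acl_lines, src, dst):
    """First match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# The two lists from the accepted solution, applied 'in' on Vlan1 and Vlan10.
INBOUND = ["permit ip 192.168.2.0 0.0.0.255 host 192.168.1.5",
           "deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
           "permit ip any any"]
INBOUND10 = ["permit ip host 192.168.1.5 192.168.2.0 0.0.0.255",
             "deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
             "permit ip any any"]
# ACL 101 from the original question, which was applied 'in' on Vlan10.
ACL_101 = ["permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
           "deny ip host 192.168.2.2 host 192.168.1.1"]

def check_policy():
    """Constructed flows; 203.0.113.10 is a stand-in Internet host, DHCP DISCOVER comes from 0.0.0.0."""
    return {
        "vlan1 to allowed vlan10 host": evaluate(INBOUND, "192.168.2.50", "192.168.1.5"),
        "vlan1 to other vlan10 host": evaluate(INBOUND, "192.168.2.50", "192.168.1.77"),
        "vlan1 to internet": evaluate(INBOUND, "192.168.2.50", "203.0.113.10"),
        "vlan10 to vlan1": evaluate(INBOUND10, "192.168.1.77", "192.168.2.50"),
        "vlan10 dhcp discover, solution": evaluate(INBOUND10, "0.0.0.0", "255.255.255.255"),
        "vlan10 dhcp discover, old acl 101": evaluate(ACL_101, "0.0.0.0", "255.255.255.255"),
    }
```

Note that the model checks only IP reachability per interface; replies from VLAN10 to VLAN1 are allowed by inbound10's last line, which is why no reflexive list is needed for this policy.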

Hello Ben,

Great to know that you could solve it, please mark the question as answered so future users can learn

from your post.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC