Static routing Cisco 1841

jansen1003
Level 1

Hi,

First, my apologies for any mistakes in my English; I'm from Belgium.

My question is about static routing in a Cisco router 1841 in Packet Tracer simulation.

My configuration is in attachment.

The static routing in Router 1 and Router 2 is correct.

Now I want to configure the routing in Router 0 as follows:

PC 1 is allowed to route to Fa 0/0 , 192.168.1.71 on Router 1

PC 2 is allowed to route to Fa 0/0 , 192.168.2.71 on Router 2

I can configure Router 0 to route all possible ways (like in the attachment),

but that is not what I want.

I want selective routing so I can control which LANs have permission to go (for example) to the outside Internet and which do not.

Thanks for replying

Friendly greetings , Marc

Jan Hrnko
Level 4

Hi Marc,

Your English is just fine, don't worry about that! I suppose that the feature you are looking for is an ACL (access control list).

ACL can be used in your case to deny or permit specific hosts or networks to access other networks or hosts.

Look for more information here:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Unfortunately I can't open .pkt files on this computer, but if you want, later today I can post the exact commands you need to add to accomplish your task. If you want to know just the principles and the feature that you can use, please check out the link provided above. And also feel free to ask!

Best regards,

Jan

fb_webuser
Level 6

You want to configure only routing:

PC 1 is allowed to route to Fa 0/0 , 192.168.1.71 on Router 1

PC 2 is allowed to route to Fa 0/0 , 192.168.2.71 on Router 2

And all other traffic dropped? Am I right?

---

Posted by WebUser Aleksandr Yanovskiy

Hi Aleksandr,

Yes that is correct.

This is only a start for a larger network; I just want to know the principles of how I can create selective routes.

Thanks for your reply,

Jan Hrnko
Level 4

Hi Marc,

I've opened the Packet Tracer scenario. Now let's discuss what exactly you want to accomplish.

PC 1 is allowed to route to Fa 0/0 , 192.168.1.71 on Router 1

PC 2 is allowed to route to Fa 0/0 , 192.168.2.71 on Router 2

I don't quite understand this. If the PCs were just allowed to get to the fa0/0 of either router and no further, they won't be able to communicate with other networks (if the connection can go as far as the fa0/0 and no further - to the other LAN).

I want selective routing so I can control which LANs have permission to go (for example) to the outside Internet and which do not.

This can be achieved by using the ACLs I mentioned in my earlier post. But the scenario you have provided is not a good example of doing that, as it has no interface connected to an ISP or some device with a public IP address.

Please explain it to me further. And feel free to ask!

Best regards,

Jan

Hi Jan ,

This is just a piece of a larger network.

I want to know how selective routing can be accomplished.

Of course later on there will be an Internet simulation too.

But some of the LAN networks are not allowed to access the Internet.

I will try to attach a new .pkt file. Maybe it makes it clearer why I need selective routing.

As you can see, the routing is now general; all LANs can access each other.

Thanks for your reply

jansen1003
Level 1

I attach here the more expanded network.

Sorry for the late reply, but it is the time difference.

Thanks to you both.

PS: I'm just a beginner with PT

Hi Marc,

As I said before, this can be achieved by use of ACLs. I will provide you with a few examples of two basic types of ACL.

Standard and Extended.

Standard ACLs are in the range 1-99 and are identified only by the source IP address and wildcard mask (complementary to the mask). They can be used to permit or deny traffic incoming from some source network.

A quick example of a standard ACL:

Let's say you want ONLY hosts from 192.168.6.0 255.255.255.0 and 192.168.6.0 255.255.255.0 to have access to the hosts in the network 192.168.1.0 255.255.255.0

You would do such a routing policy on Router 1 by:

Router(config)#ip access-list standard 1

Router(config-std-nacl)#permit 192.168.6.0 0.0.0.255

Router(config-std-nacl)#permit 192.168.20.0 0.0.0.255

Router(config-std-nacl)#exit

Router(config)#interface fa0/0

Router(config-if)#ip access-group 1 out

You have first created an access-list. Then - on the interface fa0/0 - you have said that you permit only the hosts from network 192.168.6.0 on the outgoing traffic from int fa0/0 (outgoing means it is going OUT of the router on this port).

Warning: Traffic from all other networks to the network will be blocked because there is an implicit deny any after the permit commands!!! This means all traffic other than explicitly permitted traffic is dropped!

Best practice for standard ACLs: Use them closest to the destination - because you can only specify the source.

Extended ACLs are great as you can specify not only the source but the destination also. They are in the range 100-199.

A quick example of an extended ACL:

Let's say you don't want the hosts from network 192.168.2.0 0.0.0.255 to access network 192.168.21.0 0.0.0.255 but they should be allowed to send traffic anywhere - just with that one network excluded.

You would do such a routing policy on Router 1 by:

Router(config)#ip access-list extended 101

Router(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.21.0 0.0.0.255

Router(config-ext-nacl)#permit ip any any

Router(config-ext-nacl)#exit

Router(config)#interface fa0/1

Router(config-if)#ip access-group 101 in

I have denied hosts from 192.168.2.0 0.0.0.255 access to network 192.168.21.0 0.0.0.255. Then I have permitted all other traffic explicitly by using permit ip any any because there is an implicit deny any any after that. I have used it on the fa0/1 in the IN direction, because it can be filtered right there in the beginning.

Best practice for extended ACLs: Use them closest to the source - as you know the source and destination, by using them closest to the source you will filter the traffic sooner. The packet doesn't need to be routed through the whole network and then dropped near the destination (like when using Standard ACLs).

There is much more to be said about ACLs. This only scratches the surface. Please, if you think this is what you are looking for, check out the link I have provided and learn it more in depth from there. If you have any further questions please feel free to ask!

Look for more information here:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Best regards,

Jan
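The matching rules described in the post above (wildcard masks, first match wins, implicit deny at the end) can be checked offline with a small evaluator. This is an added example, not part of the original post and not Cisco code; the function names and the host addresses used to probe the two ACLs are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'ignore this bit', a 0 bit means 'must match'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def spec_match(addr, spec):
    """spec is the keyword 'any' or a (base, wildcard) pair."""
    return spec == "any" or wildcard_match(addr, *spec)

def evaluate(acl, src, dst=None):
    """Return (action, entry_number) of the first matching entry.

    Standard entries are (action, src_spec); extended entries add a dst_spec
    and need dst. When no entry matches, the implicit deny applies and
    entry_number is None.
    """
    for number, entry in enumerate(acl, start=1):
        action, src_spec = entry[0], entry[1]
        dst_spec = entry[2] if len(entry) == 3 else "any"
        if spec_match(src, src_spec) and spec_match(dst, dst_spec):
            return action, number
    return "deny", None

# The two ACLs as written in the post above.
ACL_1 = [
    ("permit", ("192.168.6.0", "0.0.0.255")),
    ("permit", ("192.168.20.0", "0.0.0.255")),
]
ACL_101 = [
    ("deny", ("192.168.2.0", "0.0.0.255"), ("192.168.21.0", "0.0.0.255")),
    ("permit", "any", "any"),
]
# Same entries in the opposite order: the permit now shadows the deny.
ACL_101_REORDERED = list(reversed(ACL_101))

if __name__ == "__main__":
    # Constructed host addresses, one per case worth seeing.
    checks = [
        ("ACL 1", ACL_1, "192.168.6.10", None),
        ("ACL 1", ACL_1, "192.168.2.10", None),
        ("ACL 101", ACL_101, "192.168.2.10", "192.168.21.5"),
        ("ACL 101", ACL_101, "192.168.2.10", "192.168.201.5"),
        ("ACL 101 reordered", ACL_101_REORDERED, "192.168.2.10", "192.168.21.5"),
    ]
    for name, acl, src, dst in checks:
        print(name, src, "->", dst or "(any)", evaluate(acl, src, dst))
```

The reordered list shows why entry order matters: with `permit ip any any` first, the deny entry is never reached.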

Thanks very much Jan,

This is it. I still have a lot to study, but this is what I was searching for.

A lot of research and programming is now to come.

Only, when I programmed the following lines

Router(config)#ip access-list extended 101

Router(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.21.0 0.0.0.255

Router(config-ext-nacl)#permit ip any any

Router(config)#interface fa0/1

Router(config-if)#ip access-group 101 in

I couldn't access network 192.168.21.0, nor the wireless on router 2

But this was very helpful, thanks again,

Best regards,

Marc

Hi Marc,

Many thanks for the rating! I am very happy to hear that the information I have provided was helpful to you.

I couldn't access network 192.168.21.0, nor the wireless on router 2

The problem is NOT the ACL. You are missing a route to the network 192.168.201.0 on Router 1 - that's why you cannot access the wireless on router 2. You have to add a route to the routing table on Router 1 and, on Router 2, a route back to 192.168.2.0.

Router1

Router(config)#ip route 192.168.201.0 255.255.255.0 ethernet 1/2

Router2

Router(config)#ip route 192.168.2.0 255.255.255.0 fastEthernet 0/0

This should solve the problem!

Best regards,

Jan

Hi Jan,

Of course that is the problem.

Sorry for the inconvenience.

Friendly regards,

Marc

Hi Jan,

Maybe you are still on this discussion.

I encountered another problem in Packet Tracer. The following message is displayed.

3 days ago I could open it without any problem

Friendly regards,

Marc

Hi Marc,

Nice to see you again. Yes, I am at your service. It looks like you have changed your version of Packet Tracer (haven't you installed a new one, or aren't you trying to open it in an older version on a different PC?). Maybe somebody has opened it in a newer version and saved it, and now you can't open it in yours. Please submit this file so I can verify it in my own PT. Have a nice day!

Best regards,

Jan 

Hi Jan,

As far as I know it has only been opened and saved in Packet Tracer 5.3

I will attach the file here.

Thanks for helping out.

Friendly regards,

Marc
