Solved

How can I allow return traffic on 1760 router?

Posted on 2008-10-03
34
396 Views
Last Modified: 2010-04-21
NOTE: I am a beginner - please be nice.

I have a 1760 router with the following IOS c1700-advipservicesk9-mz.124-13b - how do I allow all traffic originating from VLAN1 to return regardless of which VLAN they were sent to?

What I am trying to achieve in short is:
VLAN1 allowed Internet
VLAN1 allowed VLAN5

VLAN5 allowed Internet
VLAN5 not allowed VLAN1

What I want is to restrict VLAN5 from accessing anything other than the Internet (ADSL WIC slot 1), although allow VLAN1 unrestricted access to VLAN5 - ie. Can access systems on VLAN5, transfer data to VLAN5 systems, TFTP to VLAN5 systems etc.

I can restrict VLAN5 with no problems, although I am having issues with VLAN1. I have requested another person to look into it and they are also having trouble.




!
!
interface FastEthernet0/0.5
 ip access-group 105 out
!
interface FastEthernet0/0.1
 ip access-group 101 out
!
!
!
***
*** After attempting TFTP
***
Extended IP access list 101
    10 permit tcp any 192.168.20.0 0.0.0.255 established
    20 permit icmp any any echo-reply
    30 permit icmp any any unreachable
    40 permit icmp any any time-exceeded
    50 deny icmp any any
    60 permit udp any eq bootpc any eq bootps
    70 permit udp any range 1 1023 192.168.20.0 0.0.0.255 gt 1023
    75 permit udp any gt 1023 192.168.20.0 0.0.0.255 range 1 1023
    80 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255 (6 matches)
    90 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
    100 permit ip 192.168.20.0 0.0.0.255 any
    110 permit ip 192.168.21.0 0.0.0.255 any
Extended IP access list 105
    10 deny ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
    20 permit ip any 192.168.15.0 0.0.0.255 (1 match)

***
*** After attempting to connect to VLAN5 via direct access in
*** Windows Explorer (ie. \\192.168.15.50)
***
Extended IP access list 101
    10 permit tcp any 192.168.20.0 0.0.0.255 established
    20 permit icmp any any echo-reply
    30 permit icmp any any unreachable
    40 permit icmp any any time-exceeded
    50 deny icmp any any
    60 permit udp any eq bootpc any eq bootps
    70 permit udp any range 1 1023 192.168.20.0 0.0.0.255 gt 1023
    75 permit udp any gt 1023 192.168.20.0 0.0.0.255 range 1 1023
    80 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255 (6 matches)
    90 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
    100 permit ip 192.168.20.0 0.0.0.255 any
    110 permit ip 192.168.21.0 0.0.0.255 any
Extended IP access list 105
    10 deny ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
    20 permit ip any 192.168.15.0 0.0.0.255 (14 matches)


0
Question by:InexperiencedPorkRoll
34 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22638869
Hi! I'm always nice :) lol
You need to add the established clause to all items in the ACLs restricting the VLANs involved.
Here is the IOS command reference for the access-list command. It's long, but it explains exactly what every part of an ACL does - particularly the established clause.
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.html#wp1038375
Cheers! Let me know if that helps!
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22639370
The ACLs need to be applied to the actual interfaces that have the ip
addresses bound to them.

Add an allow of any traffic to VLAN1  with the "established"  flag.

Or  alternatively,  use Reflexive ACLs.  
You have to use extended named IP ACLs to have reflexive entries.

These have greater processing overhead, but have the advantage of not
blindly allowing all packets to pass if the sender sets the right bits.
(Allowing with the 'established' flag essentially allows all TCP traffic that doesn't
contain SYN bits set in the packet)

Reflexive ACLs look like

ip access-list extended vlan1_out
! ....other entries....
permit tcp any any reflect  vlan1_traf_out  300
! ....other entries....

ip access-list extended vlan1_in
! ....other entries....
evaluate vlan1_traf_out





0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22639491
Thanks for the prompt responses.

In terms of the "established" aspect, I thought it had already been implemented in ACL 101:
10 permit tcp any 192.168.20.0 0.0.0.255 established

Doesn't that mean that any data outbound to 192.168.20/24 is allowed if initiated from 192.168.20/24? Or have I just lost myself in ACL obscurity?

Puggle >> I read that link and can only assume it was implemented correctly with my limited knowledge

Mysidia >> Where was I supposed to implement the allow? ACL for VLAN1 or ACL for VLAN5? It was set in ACL 101 due to the ACL being implemented "out" to the sub-interfaces allowing any traffic into 192.168.20/24.

Is there a requirement for the packets to be modified to allow or let the router recognise this command?
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22639570
Access lists are logically applied to Layer 3  (router interfaces).
What ip ranges correspond to your VLANs?

You must have ip addresses  assigned to the router interfaces you are applying
ACLs to, or they don't make any sense...  (router port ACLs are at layer 3)


If  VLAN 1  should have unrestricted access to the others,  I don't think there
should be any deny entries in outbound ACL  101.

Stick the outbound entries in the access list of the VLAN whose outbound
access to many other interfaces is logically being restricted.


Use inbound ACLs when access to forward to an interface  from most other interfaces
is to be restricted.

0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22639606
Mysidia >> I have attached the codes for the DHCP/IP, and the router has an IP for all 3 VLANs that ends in 254.

ACL110 is exactly the same as ACL 105, only reversed for the IPs.

This is where I get confused by requiring different ACLs for inbound/outbound traffic, and 'when' to apply 'what', and 'where'. I still have not got my head around this aspect.

I'm going to try a few different combos and see if I can logically wrap my head around your comment.


ip dhcp pool vlan1
   import all
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254
   dns-server [DNSserver]
   lease 7
!
ip dhcp pool vlan5
   import all
   network 192.168.15.0 255.255.255.0
   default-router 192.168.15.254
   dns-server [DNSserver]
   lease 7
!
ip dhcp pool vlan10
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.15.254
   dns-server [DNSserver]
   lease 7
!
!
!
interface FastEthernet0/0
 no ip address
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 speed auto
!
interface FastEthernet0/0.1
 description vlan 1
 encapsulation dot1Q 1 native
 ip address 192.168.20.254 255.255.255.0
 ip access-group 101 out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.5
 description vlan 5
 encapsulation dot1Q 5
 ip address 192.168.15.254 255.255.255.0
 ip access-group 105 out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.10
 description vlan 10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip access-group 110 out
 ip nat inside
 ip virtual-reassembly


0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22639954
Hi InexperiencedPorkRoll (awesome name!):
All of your DHCP pools and default-router properties look good!
What you need to do with the VLANs and ACLs (if you want to allow bi-directional unrestricted access between them) is just create one ACL allowing all traffic and apply it to all the subinterfaces in both directions.
Check out my example below (bold):

access-list 199 permit ip any any
!
interface FastEthernet0/0
 no ip address
 ip access-group allow_all in
 ip access-group allow_all out
 ip nat inside
 ip virtual-reassembly
 speed auto
!
interface FastEthernet0/0.1
 description vlan 1
 encapsulation dot1Q 1 native
 ip address 192.168.20.254 255.255.255.0
 ip access-group allow_all in
 ip access-group allow_all out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.5
 description vlan 5
 encapsulation dot1Q 5
 ip address 192.168.15.254 255.255.255.0
 ip access-group allow_all in
 ip access-group allow_all out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.10
 description vlan 10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip access-group allow_all in
 ip access-group allow_all out
 ip nat inside
 ip virtual-reassembly
 
Cheers!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22639959
Scratch that - sorry I was using a named access-list at first and then changed it.
It would really be:
access-list 199 permit ip any any
!
interface FastEthernet0/0
no ip address
ip access-group 199 in
ip access-group 199 out

ip nat inside
ip virtual-reassembly
speed auto
!
interface FastEthernet0/0.1
description vlan 1
encapsulation dot1Q 1 native
ip address 192.168.20.254 255.255.255.0
ip access-group 199 in
ip access-group 199 out

ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.5
description vlan 5
encapsulation dot1Q 5
ip address 192.168.15.254 255.255.255.0
ip access-group 199 in
ip access-group 199 out

ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.10
description vlan 10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip access-group 199 in
ip access-group 199 out

ip nat inside
ip virtual-reassembly
Cheers!
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22639995
Hi Puggle,

Thanks -- first name that I came up with in a hurry ;).

In terms of the ACL -- Bi-Directional works, I need to control the actual access itself. To build on the first post:

VLAN1 allowed Internet
VLAN1 allowed VLAN5
VLAN1 allowed VLAN10

VLAN5 allowed Internet
VLAN5 not allowed VLAN1
VLAN5 not allowed VLAN10

VLAN1 allowed Internet
VLAN10 not allowed VLAN1
VLAN10 not allowed VLAN5

What I need is the ability for VLAN1 to have unrestricted access to the remaining VLANs (assuming it initiated the communication), while VLAN5 and 10 are only allowed to the Internet (unless initiated from VLAN1).

I looked into the Reflexive and Established - I know it's an ACL issue because the established will not ever show up and my connection from VLAN1 always ends up in the deny.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22640048
Okay then, so you'd do this instead:
access-list 199 permit ip any any
access-list 198 deny ip any any
access-list 197 deny ip any 192.168.10.0 255.255.255.0
access-list 197 permit ip any any
access-list 196 deny ip any 192.168.15.0 255.255.255.0
access-list 196 permit ip any any

!
interface FastEthernet0/0
no ip address
ip access-group 199 in
ip access-group 199 out

ip nat inside
ip virtual-reassembly
speed auto
!
interface FastEthernet0/0.1
description vlan 1
encapsulation dot1Q 1 native
ip address 192.168.20.254 255.255.255.0
ip access-group 198 in
ip access-group 199 out

ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.5
description vlan 5
encapsulation dot1Q 5
ip address 192.168.15.254 255.255.255.0
ip access-group 199 in
ip access-group 197 out

ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.10
description vlan 10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip access-group 199 in
ip access-group 196 out

ip nat inside
ip virtual-reassembly  
 
What I did is instead of denying traffic to VLAN 1 from the others, I just denied all incoming traffic to VLAN 1.
Because I did that, I only need 1 deny rule for the other two VLANs to restrict them access to each other but permitting to everything else (remember VLAN 1 is denied from everywhere no matter what).
Tell me how that works!
Cheers!
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22642638
The above is an improvement in cleanliness, but  what about established connections?  Keeping in mind all UDP is blocked,  unless you do something differently.

To indicate/allow traffic of established connections  to pass, one might do

access-list 197 permit tcp any 192.168.10.0 0.0.0.255  established
access-list 197 deny ip any 192.168.10.0  0.0.0.255
access-list 197 permit ip any any

access-list 196 permit tcp any 192.168.10.0 0.0.0.255  established
access-list 196 deny ip any 192.168.15.0  0.0.0.255
access-list 196 permit ip any any



On most Cisco equipment other than PIXes you use wildcard bits 0.0.0.255  in your access lists  to denote a /24,
not  netmasks like 255.255.255.0.


0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22642641
er
second one
access-list 196 permit tcp any 192.168.15.0 0.0.0.255  established

0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22642673
What are you blocking UDP for? Using IP in the ACLs as I did allows everything (ICMP, IGMP, TCP, UDP, etc.), not just TCP.
He said he wants everything to work like normal except for the all or none restriction of communication between VLANs. My ACLs do that just fine. Adding TCP ACLs with established clauses adds no extra functionality when everything is allowed in the first place.
Cheers!
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643397
Hi Puggle,

That deny everything into VLAN1 kinda kills everything in relation to the server. Literally nothing comes through and not even the NATs to get the SMTP server running.

My comment and aim may be possibly confusing so I will elaborate on what I am trying to achieve as I have omitted a lot of the script.

==> VLAN1
This VLAN is where all the server and majority of users will be residing. This VLAN must have Internet access and must allow various ports come through via NATs and also PPTP (Virtual 192.168.21/24) must be able to communicate with this VLAN - although must not allow VLAN5 or 10 access unless initiated from VLAN1.

==> VLAN5 and 10
These VLANs will be used for Internet usage only - VLAN10 for public users at the foyer, VLAN5 for temporary staff, and personnel not from the company and allowing access to projectors and other equipment and also Internet.

==> My Idea
My idea was whether everything can be controlled from VLAN1 without having to get the users to change their ports in order to use different equipment.

For Example, a staff member on VLAN1 (using wireless) goes into the board room which has a projector in VLAN5, and wants to connect to this projector via IP and perform any presentation as required without having to get this staff to plug into the boardroom port to gain access to the projector.

Similarly, a visitor can come into the boardroom and simply connect to the same projector by plugging into the ethernet ports which is in VLAN5.


Of course you guys would understand the need for separation of networks - especially with the amount of viruses and malware that most systems these days aren't even aware they are infected with.

The script above seems to allow VLAN5 and 10 access to the Internet and disallow to other VLANs, although it also kills VLAN1's Internet access.

Puggle >> I was unable to use your subnet as it did not respond to the correct IP ranges.

Mysidia >> I used your established code - although it does not seem to work with Puggle's code, I'm guessing that's because the ACL was not created with my idea above.

The more I'm working and playing around with Cisco - the more I'm realising that it's like Microsoft Server! You can do the same thing 50 different ways and there is no right way (or wrong for that matter) - just a more effective/efficient one, or it just works (or doesn't work in my case)!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643451
PorkRoll, is that all the VLANs you have or are you only providing part of the config? You said nothing about servers before, nor about where they are located. I wouldn't have done that if I knew there were servers in there. :)
Are there any other requirements you haven't mentioned? Give me a minute and I'll have a new config for you.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643457
So just to confirm -  VLAN 5 does not need access to servers?
Also - please elaborate on "I was unable to use your subnet as did not respond to the correct IP ranges".
You're exactly right - that's why someone who knows what they're doing is so much better than an amateur at Cisco - the amateur might be able to do it but it might be a mess, whereas a pro might be able to do it in a few very neat lines.
Cheers!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643492
Hi there pork! Try this:
Note that I no longer use access-list 198
AND
that I changed your default-router in the  vlan10 DHCP pool to be on the 10 network so the machines don't flip when they can't get out of their network.
That should do it! Let me know if anything else comes up!

no access-list 199 permit ip any any
access-list 199 permit ip any any
no access-list 198
no access-list 197
access-list 197 deny ip any 192.168.20.0 255.255.255.0
access-list 197 deny ip any 192.168.10.0 255.255.255.0
access-list 197 permit ip any any
no access-list 196
access-list 196 deny ip any 192.168.20.0 255.255.255.0
access-list 196 deny ip any 192.168.15.0 255.255.255.0
access-list 196 permit ip any any
!
interface FastEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly
 speed auto
 no shutdown
!
interface FastEthernet0/0.1
 description vlan 1
 encapsulation dot1Q 1 native
 ip address 192.168.20.254 255.255.255.0
 ip access-group 199 in
 ip access-group 199 out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.5
 description vlan 5
 encapsulation dot1Q 5
 ip address 192.168.15.254 255.255.255.0
 ip access-group 199 in
 ip access-group 197 out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.10
 description vlan 10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip access-group 199 in
 ip access-group 196 out
 ip nat inside
 ip virtual-reassembly
!
ip dhcp pool vlan10
   network 192.168.10.0 255.255.255.0


0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643494
Oops - run this command too:

ip dhcp pool vlan10
   default-router 192.168.10.254


0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643504
I understand, I did leave out a hell of a lot as I only wanted to elaborate on the ACL - although I guess you and Mysidia had to make a few assumptions =)

* VLAN1 will have DC and Exchange
* VLAN10 "may" have a web server in the future
* VLAN 5 and 10 will have networked devices (eg. laptops, printers and projectors) connected
* PPTP has NOT been configured correctly - will eventually if I understand it, although this needs access to VLAN1

VLAN5 and 10 cannot access anything on VLAN1, although users on VLAN1 will need access to the web server on VLAN10 if I can get all of this working and client approves the server. Server on VLAN10 however will not need access to any server or any other VLANs and will be standalone.

I think that should be all the requirement.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643511
Okay, well as it is that should work.
VLAN 1 has full access to and from anywhere that isn't otherwise denied elsewhere.
VLAN 5 has internet access but none to VLAN 1 or 10.

VLAN 10 has internet access but none to VLAN 1 or 5.
Cheers!
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643513
Puggle, did you want me to email you my current config to assist with the script?
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643535
Puggle, I didn't realise about the DHCP - thanks for the correction there which I completely missed.

I had to modify your subnet from 255.255.255.0 to 0.0.0.255 as it caused the IP to become like following:
access-list 197 deny ip any 0.0.0.0 0.0.0255

I implemented all your code and VLAN1 is good, although VLAN5 and 10 can access all of VLAN1.

This is what has been driving me nuts. I tested the connection with ping, tftp and file sharing, all were allowed into VLAN1 from 5 and 10.

0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643539
Oh woops. Lol. Sorry - been using an ASA all day.
They shouldn't be able to... Not with the explicit deny 192.168.20.0... that IS your VLAN 1 network ID, right?
Also, please post the config again just so I can see exactly what's up (the whole thing please). :)
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643551
Puggle, that is correct for VLAN1.

Here is my complete script - will remove unnecessary ACLs once I can get a working set.
Current configuration : 5805 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rtr1760
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone AEST 10
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.20.1 192.168.20.49
ip dhcp excluded-address 192.168.20.151 192.168.20.254
ip dhcp excluded-address 192.168.15.1 192.168.15.49
ip dhcp excluded-address 192.168.15.151 192.168.15.254
ip dhcp excluded-address 192.168.10.1 192.168.10.49
ip dhcp excluded-address 192.168.10.151 192.168.10.254
!
ip dhcp pool vlan1
   import all
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254
   dns-server [DNSServer]
   lease 7
!
ip dhcp pool vlan5
   import all
   network 192.168.15.0 255.255.255.0
   default-router 192.168.15.254
   dns-server [DNSServer]
   lease 7
!
ip dhcp pool vlan10
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.254
   dns-server [DNSServer]
   lease 7
!
!
no ip domain lookup
ip inspect name firewall dns
ip inspect name firewall http
ip inspect name firewall https
ip inspect name firewall icmp
ip inspect name firewall smtp
ip inspect name firewall isakmp
ip inspect name firewall netshow
ip inspect name firewall pop3
ip inspect name firewall pptp
ip inspect name firewall tcp
ip inspect name firewall udp
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username test privilege 15 password 0 password
!
!
!
!
!
!
!
interface ATM0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly
 speed auto
!
interface FastEthernet0/0.1
 description vlan 1
 encapsulation dot1Q 1 native
 ip address 192.168.20.254 255.255.255.0
 ip access-group 199 in
 ip access-group 199 out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.5
 description vlan 5
 encapsulation dot1Q 5
 ip address 192.168.15.254 255.255.255.0
 ip access-group 199 in
 ip access-group 197 out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.10
 description vlan 10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip access-group 199 in
 ip access-group 196 out
 ip nat inside
 ip virtual-reassembly
!
interface Virtual-Template1
 ip unnumbered Dialer0
 peer default ip address pool default
 ppp authentication ms-chap
!
interface Dialer0
 ip address negotiated
 ip access-group 120 in
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 [DIALER ACCESS OMITTED]
 ppp ipcp dns request
!
ip local pool default 192.168.21.50 192.168.21.150
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.20.188 18181 interface Dialer0 18181
ip nat inside source static tcp 192.168.20.188 5070 interface Dialer0 5070
ip nat inside source static tcp 192.168.20.188 8000 interface Dialer0 8000
ip nat inside source static tcp 192.168.20.2 20 interface Dialer0 20
ip nat inside source static tcp 192.168.20.2 21 interface Dialer0 21
ip nat inside source static tcp 192.168.20.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.20.2 8080 interface Dialer0 8080
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 101 remark ## VLAN 1
access-list 101 permit tcp any 192.168.20.0 0.0.0.255 established
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any
access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 permit udp any range 1 1023 192.168.20.0 0.0.0.255 gt 1023
access-list 101 permit udp any gt 1023 192.168.20.0 0.0.0.255 range 1 1023
access-list 101 deny   ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.21.0 0.0.0.255 any
access-list 105 remark ## VLAN 5
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 105 permit ip any 192.168.15.0 0.0.0.255
access-list 110 remark ## VLAN 10
access-list 110 deny   ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip any 192.168.10.0 0.0.0.255
access-list 120 remark ### allow NATs
access-list 120 permit gre any any
access-list 120 permit tcp any any eq ftp-data
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 3389
access-list 120 permit tcp any any eq 8080
access-list 120 permit tcp any any eq 8000
access-list 120 permit tcp any any eq 5070
access-list 120 permit tcp any any eq 5900
access-list 120 permit tcp any any eq 18181
access-list 196 deny   ip any 192.168.20.0 0.0.0.255
access-list 196 deny   ip any 192.168.15.0 0.0.0.255
access-list 196 permit ip any any
access-list 197 deny   ip any 192.168.20.0 0.0.0.255
access-list 197 deny   ip any 192.168.10.0 0.0.0.255
access-list 197 permit ip any any
access-list 199 permit ip any any
dialer-list 2 protocol ip permit
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end


0
 
LVL 12

Accepted Solution

by:
Pugglewuggle earned 500 total points
ID: 22643659
Hi PorkRoll:
Try these commands - I don't know why access to VLAN 1 is not restricted from those 2 by the existing ACLs.
If this doesn't work then you have a problem somewhere else.

access-list 198 deny ip 192.168.15.0 0.0.0.255 any
access-list 198 deny ip 192.168.10.0 0.0.0.255 any
access-list 198 permit ip any any
!
interface FastEthernet0/0.1
 ip access-group 198 in


0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643754
Hi Puggle,

I did the requirement - and it still will not forward.

I'm guessing the problem is elsewhere -- great, more problems that I need to find.

Thanks heaps Puggle and Mysidia - all comments very very much appreciated.
0
 

Author Closing Comment

by:InexperiencedPorkRoll
ID: 31502954
I very much appreciate your help - thank you.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643761
PorkRoll - try this: I reversed all the ACL applications. Just run these commands and then see if it works as intended.
Back up your running-config before doing this!
 

interface FastEthernet0/0.1
 ip access-group 198 out
 ip access-group 199 in
!
interface FastEthernet0/0.5
 ip access-group 199 out
 ip access-group 197 in
!
interface FastEthernet0/0.10
 ip access-group 199 out
 ip access-group 196 in


0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643782
I implemented the new ACL - it has blocked all access BETWEEN VLANs (including VLAN1), although the Internet works for each individual VLAN, which is closer to what I had in mind.

I cleared the counters and attempted a TFTP transfer from VLAN1 to VLAN10 and the hits are as follows - which is similar to what I had initially, so how do I enable return traffic?
Extended IP access list 196
    10 deny ip any 192.168.20.0 0.0.0.255 (6 matches)
    20 deny ip any 192.168.15.0 0.0.0.255
    30 permit ip any any
Extended IP access list 197
    10 deny ip any 192.168.20.0 0.0.0.255
    20 deny ip any 192.168.10.0 0.0.0.255
    30 permit ip any any
Extended IP access list 198
    10 deny ip 192.168.15.0 0.0.0.255 any
    20 deny ip 192.168.10.0 0.0.0.255 any
    30 permit ip any any (2 matches)
Extended IP access list 199
    10 permit ip any any (28 matches)


0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643788
I then modified it to include an established tag and did the same TFTP transfer and missed the permit.
Extended IP access list 196
    10 permit tcp any 192.168.20.0 0.0.0.255 established
    20 deny ip any 192.168.20.0 0.0.0.255 (6 matches)
    30 deny ip any 192.168.15.0 0.0.0.255
    40 permit ip any any
Extended IP access list 197
    10 permit tcp any 192.168.20.0 0.0.0.255 established
    20 deny ip any 192.168.20.0 0.0.0.255
    30 deny ip any 192.168.10.0 0.0.0.255
    40 permit ip any any
Extended IP access list 198
    10 deny ip 192.168.15.0 0.0.0.255 any
    20 deny ip 192.168.10.0 0.0.0.255 any
    30 permit ip any any (8 matches)
Extended IP access list 199
    10 permit ip any any (143 matches)


0
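The counter dumps in the two posts above can be reproduced by modelling what IOS actually does with a routed packet, which is also what Mysidia's earlier comments on "established" versus reflexive entries, on inbound versus outbound placement, and on wildcard masks describe: the packet is tested against the ingress subinterface's "in" ACL and then against the egress subinterface's "out" ACL, the first matching entry in each wins, an unmatched packet hits the implicit deny, and "established" only ever matches a TCP segment with the ACK (or RST) bit set. The block below is an added example written for this page; it is not code from the thread, from Cisco, or from any IOS feature. It loads ACLs 196, 197, 198 and 199 and the in/out bindings exactly as last posted; the host addresses, the Router class, the treatment of Dialer0 as an unfiltered default route, and the omission of port qualifiers are assumptions. It shows why the TFTP test could never pass (UDP has no ACK bit, so the reply falls to the deny at sequence 20 of 196), and that even a TCP reply which does satisfy the established entry on 196 "in" is then dropped by 198 "out" on FastEthernet0/0.1, because both legs have to permit the packet.

```python
"""Stateless ACL evaluation as IOS applies it to a routed packet: the ingress
interface's 'in' ACL, then the egress interface's 'out' ACL, first match wins,
implicit deny at the end. Constructed example; hosts are assumptions."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack: bool = False   # TCP ACK (or RST) bit: the only thing 'established' checks

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def netmask_to_wildcard(mask):
    """IOS ACLs take inverted masks: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ ip_int(mask)))

def in_range(ip, addr, wildcard):
    """IOS compares only the bits where the wildcard mask is 0."""
    return (ip_int(ip) | wildcard) == (addr | wildcard)

def take_addr(tokens):
    """Pop 'any' or 'A.B.C.D W.X.Y.Z' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    return ip_int(first), ip_int(tokens.pop(0))

def parse_acl(lines):
    """Parse address-based extended ACL entries; port qualifiers are not modelled."""
    acl = []
    for line in lines:
        t = line.split()
        if not t or t[0] == "remark":
            continue
        action, proto = t.pop(0), t.pop(0)
        src, dst = take_addr(t), take_addr(t)
        acl.append((action, proto, src, dst, "established" in t))
    return acl

def evaluate(acl, pkt):
    """Return (verdict, sequence number) using IOS's default 10, 20, 30 numbering.
    'established' matches only TCP with ACK/RST set, so UDP (TFTP) never qualifies."""
    for seq, (action, proto, src, dst, established) in enumerate(acl, start=1):
        if (proto in ("ip", pkt.proto)
                and in_range(pkt.src, *src) and in_range(pkt.dst, *dst)
                and (not established or (pkt.proto == "tcp" and pkt.ack))):
            return action, seq * 10
    return "deny", "implicit"

class Router:
    def __init__(self, acls, interfaces):
        """interfaces: name -> (network, wildcard, in ACL or None, out ACL or None)."""
        self.acls = {name: parse_acl(lines) for name, lines in acls.items()}
        self.nets = {n: (ip_int(net), ip_int(wc)) for n, (net, wc, _, _) in interfaces.items()}
        self.bound = {(n, d): a for n, (_, _, i, o) in interfaces.items()
                      for d, a in (("in", i), ("out", o))}

    def iface_for(self, ip):
        for name, (net, wc) in self.nets.items():
            if in_range(ip, net, wc):
                return name
        return "Dialer0"    # default route to the Internet; no ACL modelled on it

    def forward(self, pkt):
        """Both the ingress 'in' ACL and the egress 'out' ACL must permit the packet."""
        for iface, direction in ((self.iface_for(pkt.src), "in"), (self.iface_for(pkt.dst), "out")):
            acl = self.bound.get((iface, direction))
            if acl is None:
                continue
            verdict, seq = evaluate(self.acls[acl], pkt)
            if verdict == "deny":
                return f"denied by {acl} {direction} on {iface} (seq {seq})"
        return "permitted"

def build_router():
    """The thread's last posted state: 'established' entries added, ACLs applied 'in'."""
    acls = {
        "196": ["permit tcp any 192.168.20.0 0.0.0.255 established",
                "deny ip any 192.168.20.0 0.0.0.255",
                "deny ip any 192.168.15.0 0.0.0.255", "permit ip any any"],
        "197": ["permit tcp any 192.168.20.0 0.0.0.255 established",
                "deny ip any 192.168.20.0 0.0.0.255",
                "deny ip any 192.168.10.0 0.0.0.255", "permit ip any any"],
        "198": ["deny ip 192.168.15.0 0.0.0.255 any",
                "deny ip 192.168.10.0 0.0.0.255 any", "permit ip any any"],
        "199": ["permit ip any any"],
    }
    interfaces = {  # network, wildcard, in ACL, out ACL
        "FastEthernet0/0.1": ("192.168.20.0", "0.0.0.255", "199", "198"),
        "FastEthernet0/0.5": ("192.168.15.0", "0.0.0.255", "197", "199"),
        "FastEthernet0/0.10": ("192.168.10.0", "0.0.0.255", "196", "199"),
    }
    return Router(acls, interfaces)

if __name__ == "__main__":
    r = build_router()   # hosts below are constructed, not from the thread
    print(r.forward(Packet("udp", "192.168.20.50", "192.168.10.60")))            # permitted
    print(r.forward(Packet("udp", "192.168.10.60", "192.168.20.50")))            # denied by 196 in on FastEthernet0/0.10 (seq 20)
    print(r.forward(Packet("tcp", "192.168.10.60", "192.168.20.50", ack=True)))  # denied by 198 out on FastEthernet0/0.1 (seq 20)
```

Running the script prints the verdict for the TFTP request, its UDP reply, and a TCP reply with ACK set. The model is deliberately stateless because that is all a numbered ACL gives you: nothing in it remembers that VLAN1 opened the conversation. Letting VLAN1-initiated sessions return without permanently opening VLAN1 to the other VLANs needs the state Mysidia described (reflexive "reflect"/"evaluate" entries), which is the same idea the posted config already relies on at the Internet edge with "ip inspect firewall out" on Dialer0.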
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643806
Hmmmm... let me set this up in my lab... give me a day or so and let me figure out what's going on, k?
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643868
Hi Puggle, sure, cause there would be no point in this n00b trying if an expert is having difficulty.

Thanks again.
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643888
Oh by the way, you may want to know that the 1960 is connected to a 2950 with port 16 as trunk.
Building configuration...

Current configuration : 2130 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SW2950
!
!
ip subnet-zero
!
no ip domain-lookup
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1-15
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/17-20
 switchport access vlan 5
 spanning-tree portfast
!
interface FastEthernet0/21-24
 switchport access vlan 10
 spanning-tree portfast
!
interface Vlan1
 ip address 192.168.20.253 255.255.255.0
 no ip route-cache
!
interface Vlan5
 ip address 192.168.15.253 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan10
 no ip address
 no ip route-cache
 shutdown
!
ip default-gateway 192.168.20.254
no ip http server
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end


0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643890
Correction to the above: it's the 1760 connected to the 2950.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22652033
kk! Let me work this up when I get home tonight. Cheers!
0
