Solved

How can I allow return traffic on 1760 router?

Posted on 2008-10-03
34
406 Views
Last Modified: 2010-04-21
NOTE: I am a beginner - please be nice.

I have a 1760 router with the following IOS: c1700-advipservicesk9-mz.124-13b. How do I allow all traffic originating from VLAN1 to return, regardless of which VLAN it was sent to?

What I am trying to achieve in short is:
VLAN1 allowed Internet
VLAN1 allowed VLAN5

VLAN5 allowed Internet
VLAN5 not allowed VLAN1

What I want is to restrict VLAN5 from accessing anything other than the Internet (ADSL WIC slot 1), although allow VLAN1 unrestricted access to VLAN5 - ie. Can access systems on VLAN5, transfer data to VLAN5 systems, TFTP to VLAN5 systems etc.

I can restrict VLAN5 no problems, although I'm having issues with VLAN1. I have requested another person to look into it and they are also having trouble.




!
!
interface FastEthernet0/0.5
 ip access-group 105 out
!
interface FastEthernet0/0.1
 ip access-group 101 out
!
!
!
***
*** After attempting TFTP
***
Extended IP access list 101
    10 permit tcp any 192.168.20.0 0.0.0.255 established
    20 permit icmp any any echo-reply
    30 permit icmp any any unreachable
    40 permit icmp any any time-exceeded
    50 deny icmp any any
    60 permit udp any eq bootpc any eq bootps
    70 permit udp any range 1 1023 192.168.20.0 0.0.0.255 gt 1023
    75 permit udp any gt 1023 192.168.20.0 0.0.0.255 range 1 1023
    80 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255 (6 matches)
    90 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
    100 permit ip 192.168.20.0 0.0.0.255 any
    110 permit ip 192.168.21.0 0.0.0.255 any
Extended IP access list 105
    10 deny ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
    20 permit ip any 192.168.15.0 0.0.0.255 (1 match)
 
***
*** After attempting to connect to VLAN5 via direct access in 
*** Windows Explorer (ie. \\192.168.15.50)
***
Extended IP access list 101
    10 permit tcp any 192.168.20.0 0.0.0.255 established
    20 permit icmp any any echo-reply
    30 permit icmp any any unreachable
    40 permit icmp any any time-exceeded
    50 deny icmp any any
    60 permit udp any eq bootpc any eq bootps
    70 permit udp any range 1 1023 192.168.20.0 0.0.0.255 gt 1023
    75 permit udp any gt 1023 192.168.20.0 0.0.0.255 range 1 1023
    80 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255 (6 matches)
    90 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
    100 permit ip 192.168.20.0 0.0.0.255 any
    110 permit ip 192.168.21.0 0.0.0.255 any
Extended IP access list 105
    10 deny ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
    20 permit ip any 192.168.15.0 0.0.0.255 (14 matches)


0
Question by:InexperiencedPorkRoll
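To see which entry each packet in the two tests above actually hits, here is a small Python model of IOS extended-ACL evaluation, added to this thread as an illustration (it is neither the router's code nor part of the original post). An `out` list is checked against packets leaving through that subinterface, so the TFTP request from VLAN1 is judged by ACL 105 on FastEthernet0/0.5 and the reply by ACL 101 on FastEthernet0/0.1. The workstation and server addresses (192.168.20.10, 192.168.15.50) and the port numbers are constructed; the TFTP data packet is modelled as coming from a fresh server port as RFC 1350 specifies, with a second variant from port 69 for comparison.

```python
"""Model of IOS extended-ACL evaluation: first matching entry wins, with the
implicit deny at the end.  Added to this thread as an illustration; not IOS code."""
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "tftp": 69}
ANY = ("0.0.0.0", 0xFFFFFFFF)   # 'any' is 0.0.0.0 with an all-ones wildcard

def _ip(s):
    return int(ipaddress.ip_address(s))

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _take_addr(toks, i):
    # consume 'any' or 'address wildcard'; return ((address, wildcard), next index)
    if toks[i] == "any":
        return ANY, i + 1
    return (toks[i], _ip(toks[i + 1])), i + 2

def _take_port(toks, i):
    # consume an optional eq/gt/lt/range port operator
    if i < len(toks) and toks[i] in ("eq", "gt", "lt", "range"):
        if toks[i] == "range":
            return ("range", _port(toks[i + 1]), _port(toks[i + 2])), i + 3
        return (toks[i], _port(toks[i + 1])), i + 2
    return None, i

def parse_ace(line):
    """Parse one entry as printed by 'show access-lists', sequence number removed."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    src, i = _take_addr(toks, 2)
    sport, i = _take_port(toks, i) if proto in ("tcp", "udp") else (None, i)
    dst, i = _take_addr(toks, i)
    dport, i = _take_port(toks, i) if proto in ("tcp", "udp") else (None, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": toks[i:]}   # 'established' or an ICMP type

def _addr_ok(spec, addr):
    base, wild = spec   # wildcard 0 bits must match, 1 bits are ignored
    return (_ip(addr) & ~wild) == (_ip(base) & ~wild)

def _port_ok(spec, port):
    if spec is None:
        return True
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    return {"eq": port == spec[1], "gt": port > spec[1], "lt": port < spec[1]}[spec[0]]

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(ace["src"], pkt["src"]) and _addr_ok(ace["dst"], pkt["dst"])):
        return False
    if not (_port_ok(ace["sport"], pkt.get("sport", 0)) and _port_ok(ace["dport"], pkt.get("dport", 0))):
        return False
    if "established" in ace["flags"]:            # only a TCP segment with ACK or RST set
        return pkt["proto"] == "tcp" and pkt.get("ack", False)
    if ace["proto"] == "icmp" and ace["flags"]:  # ICMP type keyword such as echo-reply
        return pkt.get("icmp_type") == ace["flags"][0]
    return True

def evaluate(acl, pkt):
    """Return (1-based entry number, action); no match is the implicit deny."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return n, ace["action"]
    return None, "deny"

# ACL 101 (out on FastEthernet0/0.1) and ACL 105 (out on FastEthernet0/0.5) from the question
ACL_101 = [
    "permit tcp any 192.168.20.0 0.0.0.255 established",
    "permit icmp any any echo-reply",
    "permit icmp any any unreachable",
    "permit icmp any any time-exceeded",
    "deny icmp any any",
    "permit udp any eq bootpc any eq bootps",
    "permit udp any range 1 1023 192.168.20.0 0.0.0.255 gt 1023",
    "permit udp any gt 1023 192.168.20.0 0.0.0.255 range 1 1023",
    "deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "permit ip 192.168.20.0 0.0.0.255 any",
    "permit ip 192.168.21.0 0.0.0.255 any",
]
ACL_105 = ["deny ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255",
           "permit ip any 192.168.15.0 0.0.0.255"]

# Constructed packets: VLAN1 workstation 192.168.20.10 talking to VLAN5 host 192.168.15.50
TFTP_REQUEST = {"proto": "udp", "src": "192.168.20.10", "sport": 50001, "dst": "192.168.15.50", "dport": 69}
TFTP_DATA_NEW_TID = {"proto": "udp", "src": "192.168.15.50", "sport": 49153, "dst": "192.168.20.10", "dport": 50001}
TFTP_DATA_FROM_69 = {"proto": "udp", "src": "192.168.15.50", "sport": 69, "dst": "192.168.20.10", "dport": 50001}
SMB_REPLY = {"proto": "tcp", "src": "192.168.15.50", "sport": 445, "dst": "192.168.20.10", "dport": 50002, "ack": True}
PING_REPLY = {"proto": "icmp", "src": "192.168.15.50", "dst": "192.168.20.10", "icmp_type": "echo-reply"}
PING_FROM_VLAN5 = {"proto": "icmp", "src": "192.168.15.50", "dst": "192.168.20.10", "icmp_type": "echo"}

if __name__ == "__main__":
    print("TFTP request via ACL 105:", evaluate(ACL_105, TFTP_REQUEST))
    for name, pkt in [("TFTP data, fresh port", TFTP_DATA_NEW_TID), ("TFTP data, port 69", TFTP_DATA_FROM_69),
                      ("SMB reply", SMB_REPLY), ("ping reply", PING_REPLY), ("ping from VLAN5", PING_FROM_VLAN5)]:
        print(f"{name} via ACL 101:", evaluate(ACL_101, pkt))
```

A data packet from a fresh TFTP server port matches neither UDP entry (its source port is not in 1-1023 for entry 7, its destination port is not in 1-1023 for entry 8) and falls through to `deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255`, the line carrying the 6 matches in the output above; had the server answered from port 69, entry 7 would have permitted it. The SMB reply is a TCP segment with ACK set and is carried by the `established` entry at the top, an echo reply by entry 2, while an echo request from VLAN5 stops at `deny icmp any any`.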
34 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22638869
Hi! I'm always nice :) lol
You need to add the established clause to all items in the ACLs restricting the VLANs involved.
Here is the IOS command reference for the access-list command. It's long, but it explains exactly what every part of an ACL does - particularly the established clause.
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.html#wp1038375 
Cheers! Let me know if that helps!
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22639370
The ACLs need to be applied to the actual interfaces that have the IP addresses bound to them.

Add an allow of any traffic to VLAN1 with the "established" flag.

Or alternatively, use Reflexive ACLs. You have to use extended named IP ACLs to have reflexive entries.

These have greater processing overhead, but have the advantage of not blindly allowing all packets to pass if the sender sets the right bits. (Allowing with the 'established' flag essentially allows all TCP traffic that doesn't contain SYN bits set in the packet)

Reflexive ACLs look like

ip access-list extended vlan1_out
! ....other entries....
permit tcp any any reflect  vlan1_traf_out  300
! ....other entries....

ip access-list extended vlan1_in
! ....other entries....
evaluate vlan1_traf_out





0
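The difference drawn above between the stateless `established` keyword and a reflexive entry, as an added Python model for this thread (not Mysidia's configuration and not IOS code): `reflect` stores the 5-tuple of traffic leaving VLAN1 with a timestamp, and `evaluate` admits only the mirrored 5-tuple while that entry is younger than the 300-second timeout. It goes beyond the TCP-only `reflect` entry shown above by reflecting UDP as well, which IOS also allows. Hosts, ports and timestamps are constructed; scenario 3 assumes a TFTP server that follows RFC 1350 and answers from a fresh port, one case a reflexive entry cannot follow.

```python
"""Stateless 'established' versus a reflexive (stateful) ACL entry, modelled in
Python for this thread as an illustration; it is not IOS code.  Hosts, ports
and timestamps are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK/RST bit, the only thing 'established' looks at

def established_permits(pkt):
    """Stateless check: any TCP segment with ACK or RST set passes, history or not."""
    return pkt.proto == "tcp" and pkt.ack

class ReflexiveAcl:
    """'reflect' stores the initiating 5-tuple with a timestamp; 'evaluate' admits
    only the mirrored 5-tuple while that entry is younger than the timeout
    (300 s as in the example above) and refreshes it on each hit."""

    def __init__(self, timeout=300):
        self.timeout = timeout
        self.sessions = {}

    def reflect(self, pkt, now):
        self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now

    def evaluate(self, pkt, now):
        mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        seen = self.sessions.get(mirror)
        if seen is None or now - seen > self.timeout:
            self.sessions.pop(mirror, None)   # expired entries are removed
            return False
        self.sessions[mirror] = now
        return True

def run_scenarios():
    """Traffic leaving VLAN1 is reflected; replies from VLAN5 are checked both ways.
    Returns {scenario: (established_permits, reflexive_permits)}."""
    vlan1 = ReflexiveAcl(timeout=300)
    results = {}

    # 1. SMB from a VLAN1 workstation: the TCP reply has ACK set, both methods pass
    vlan1.reflect(Packet("tcp", "192.168.20.10", 50002, "192.168.15.50", 445), now=0)
    smb = Packet("tcp", "192.168.15.50", 445, "192.168.20.10", 50002, ack=True)
    results["smb reply"] = (established_permits(smb), vlan1.evaluate(smb, now=1))

    # 2. DNS over UDP: 'established' is TCP-only, so only the reflexive entry carries the answer
    vlan1.reflect(Packet("udp", "192.168.20.10", 50003, "192.168.15.53", 53), now=2)
    dns = Packet("udp", "192.168.15.53", 53, "192.168.20.10", 50003)
    results["dns reply"] = (established_permits(dns), vlan1.evaluate(dns, now=3))

    # 3. TFTP: an RFC 1350 server answers from a fresh port, so the mirrored entry
    #    (server port 69) never matches the data packet; neither method carries it
    vlan1.reflect(Packet("udp", "192.168.20.10", 50004, "192.168.15.50", 69), now=4)
    tftp = Packet("udp", "192.168.15.50", 49153, "192.168.20.10", 50004)
    results["tftp data"] = (established_permits(tftp), vlan1.evaluate(tftp, now=5))

    # 4. A TCP segment from VLAN5 with ACK set but no session behind it:
    #    'established' accepts it, the reflexive list does not
    stray = Packet("tcp", "192.168.15.77", 40000, "192.168.20.2", 3389, ack=True)
    results["unsolicited ack"] = (established_permits(stray), vlan1.evaluate(stray, now=6))

    # 5. The SMB reply again, 600 s after the last packet of that session: timed out
    late = Packet("tcp", "192.168.15.50", 445, "192.168.20.10", 50002, ack=True)
    results["expired reply"] = (established_permits(late), vlan1.evaluate(late, now=601))
    return results

if __name__ == "__main__":
    for name, (est, refl) in run_scenarios().items():
        print(f"{name:16s} established={est!s:5s} reflexive={refl}")
```

Scenario 2 is the UDP point: `established` can only ever match TCP, so UDP replies need a reflexive entry or another stateful mechanism. Scenario 4 is the weakness noted above: a segment with the ACK bit set is accepted by `established` whether or not anything on VLAN1 ever opened that session, while the reflexive list only honours what it has seen leave.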
 

Author Comment

by:InexperiencedPorkRoll
ID: 22639491
Thanks for the prompt responses.

In terms of the "established" aspect, I thought it had already been implemented in ACL 101:
10 permit tcp any 192.168.20.0 0.0.0.255 established

Doesn't that mean that any data outbound to 192.168.20/24 is allowed if initiated from 192.168.20/24? Or have I just lost myself in ACL obscurity?

Puggle >> I read that link and can only assume it was implemented correctly with my limited knowledge

Mysidia >> Where was I supposed to implement the allow? ACL for VLAN1 or ACL for VLAN5? It was set in ACL 101 due to the ACL being implemented "out" to the sub-interfaces allowing any traffic into 192.168.20/24.

Is there a requirement for the packets to be modified to allow or let the router recognise this command?
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22639570
Access lists are logically applied to Layer 3 (router interfaces).
What IP ranges correspond to your VLANs?

You must have IP addresses assigned to the router interfaces you are applying ACLs to, or they don't make any sense... (router port ACLs are at layer 3)

If VLAN 1 should have unrestricted access to the others, I don't think there should be any deny entries in outbound ACL 101.

Stick the outbound entries in the access list of the VLAN whose outbound access to many other interfaces is logically being restricted.

Use inbound ACLs when access to forward to an interface from most other interfaces is to be restricted.

0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22639606
Mysidia >> I have attached the codes for the DHCP/IP, and the router has an IP for all 3 VLANs that ends in 254.

ACL110 is exactly the same as ACL 105, only reversed for the IPs.

This is where I get confused by requiring different ACLs for inbound/outbound traffic, and 'when' to apply 'what', and 'where'. I still have not got my head around this aspect.

I'm going to try a few different combos and see if I can logically wrap my head around your comment.


ip dhcp pool vlan1
   import all
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254
   dns-server [DNSserver]
   lease 7
!
ip dhcp pool vlan5
   import all
   network 192.168.15.0 255.255.255.0
   default-router 192.168.15.254
   dns-server [DNSserver]
   lease 7
!
ip dhcp pool vlan10
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.15.254
   dns-server [DNSserver]
   lease 7
!
!
!
interface FastEthernet0/0
 no ip address
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 speed auto
!
interface FastEthernet0/0.1
 description vlan 1
 encapsulation dot1Q 1 native
 ip address 192.168.20.254 255.255.255.0
 ip access-group 101 out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.5
 description vlan 5
 encapsulation dot1Q 5
 ip address 192.168.15.254 255.255.255.0
 ip access-group 105 out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.10
 description vlan 10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip access-group 110 out
 ip nat inside
 ip virtual-reassembly


0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22639954
Hi InexperiencedPorkRoll (awesome name!):
All of your DHCP pools and default-router properties look good!
What you need to do with the VLANs and ACLs (if you want to allow bi-directional unrestricted access between them) is just create one ACL allowing all traffic and apply it to all the subinterfaces in both directions.
Check out my example below (bold):

access-list 199 permit ip any any
!
interface FastEthernet0/0
 no ip address
 ip access-group allow_all in
 ip access-group allow_all out
 ip nat inside
 ip virtual-reassembly
 speed auto
!
interface FastEthernet0/0.1
 description vlan 1
 encapsulation dot1Q 1 native
 ip address 192.168.20.254 255.255.255.0
 ip access-group allow_all in
 ip access-group allow_all out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.5
 description vlan 5
 encapsulation dot1Q 5
 ip address 192.168.15.254 255.255.255.0
 ip access-group allow_all in
 ip access-group allow_all out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.10
 description vlan 10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip access-group allow_all in
 ip access-group allow_all out
 ip nat inside
 ip virtual-reassembly
 
Cheers!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22639959
Scratch that - sorry I was using a named access-list at first and then changed it.
It would really be:
access-list 199 permit ip any any
!
interface FastEthernet0/0
no ip address
ip access-group 199 in
ip access-group 199 out

ip nat inside
ip virtual-reassembly
speed auto
!
interface FastEthernet0/0.1
description vlan 1
encapsulation dot1Q 1 native
ip address 192.168.20.254 255.255.255.0
ip access-group 199 in
ip access-group 199 out

ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.5
description vlan 5
encapsulation dot1Q 5
ip address 192.168.15.254 255.255.255.0
ip access-group 199 in
ip access-group 199 out

ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.10
description vlan 10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip access-group 199 in
ip access-group 199 out

ip nat inside
ip virtual-reassembly
Cheers!
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22639995
Hi Puggle,

Thanks -- first name that I came up with in a hurry ;).

In terms of the ACL -- Bi-Directional works, I need to control the actual access itself. To build on the first post:

VLAN1 allowed Internet
VLAN1 allowed VLAN5
VLAN1 allowed VLAN10

VLAN5 allowed Internet
VLAN5 not allowed VLAN1
VLAN5 not allowed VLAN10

VLAN10 allowed Internet
VLAN10 not allowed VLAN1
VLAN10 not allowed VLAN5

What I need is for VLAN1 to have unrestricted access to the remaining VLANs (assuming it initiated the communication), while VLAN5 and 10 are only allowed to the Internet (unless initiated from VLAN1).

I looked into the Reflexive and Established - I know it's an ACL issue because the established entry never shows up and my connection from VLAN1 always ends up in the deny.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22640048
Okay then, so you'd do this instead:
access-list 199 permit ip any any
access-list 198 deny ip any any
access-list 197 deny ip any 192.168.10.0 255.255.255.0
access-list 197 permit ip any any
access-list 196 deny ip any 192.168.15.0 255.255.255.0
access-list 196 permit ip any any

!
interface FastEthernet0/0
no ip address
ip access-group 199 in
ip access-group 199 out

ip nat inside
ip virtual-reassembly
speed auto
!
interface FastEthernet0/0.1
description vlan 1
encapsulation dot1Q 1 native
ip address 192.168.20.254 255.255.255.0
ip access-group 198 in
ip access-group 199 out

ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.5
description vlan 5
encapsulation dot1Q 5
ip address 192.168.15.254 255.255.255.0
ip access-group 199 in
ip access-group 197 out

ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.10
description vlan 10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip access-group 199 in
ip access-group 196 out

ip nat inside
ip virtual-reassembly  
 
What I did is instead of denying traffic to VLAN 1 from the others, I just denied all incoming traffic to VLAN 1.
Because I did that, I only need 1 deny rule for the other two VLANs to restrict them access to each other but permitting to everything else (remember VLAN 1 is denied from everywhere no matter what).
Tell me how that works!
Cheers!
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22642638
The above is an improvement in cleanliness, but  what about established connections?  Keeping in mind all UDP is blocked,  unless you do something differently.

To indicate/allow traffic of established connections  to pass, one might do

access-list 197 permit tcp any 192.168.10.0 0.0.0.255  established
access-list 197 deny ip any 192.168.10.0  0.0.0.255
access-list 197 permit ip any any

access-list 196 permit tcp any 192.168.10.0 0.0.0.255  established
access-list 196 deny ip any 192.168.15.0  0.0.0.255
access-list 196 permit ip any any



On most Cisco equipment other than PIXes you use wildcard bits 0.0.0.255 in your access lists to denote a /24, not netmasks like 255.255.255.0.


0
 
LVL 23

Expert Comment

by:Mysidia
ID: 22642641
er
second one
access-list 196 permit tcp any 192.168.15.0 0.0.0.255  established

0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22642673
What are you blocking UDP for? Using IP in the ACLs as I did allows everything (ICMP, IGMP, TCP, UDP, etc.), not just TCP.
He said he wants everything to work like normal except for the all or none restriction of communication between VLANs. My ACLs do that just fine. Adding TCP ACLs with established clauses adds no extra functionality when everything is allowed in the first place.
Cheers!
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643397
Hi Puggle,

That deny everything into VLAN1 kinda kills everything in relation to the server. Literally nothing comes through and not even the NATs to get the SMTP server running.

My comment and aim may be possibly confusing so I will elaborate on what I am trying to achieve as I have omitted a lot of the script.

==> VLAN1
This VLAN is where all the servers and the majority of users will be residing. This VLAN must have Internet access and must allow various ports to come through via NATs, and also PPTP (virtual 192.168.21/24) must be able to communicate with this VLAN - although it must not allow VLAN5 or 10 access unless initiated from VLAN1.

==> VLAN5 and 10
These VLANs will be used for Internet usage only - VLAN10 for public users at the foyer, VLAN5 for temporary staff and personnel not from the company, allowing access to projectors and other equipment and also the Internet.

==> My Idea
My idea was whether everything can be controlled from VLAN1 without having to get the users to change their ports in order to use different equipment.

For example, a staff member on VLAN1 (using wireless) goes into the board room, which has a projector in VLAN5, and wants to connect to this projector via IP and perform any presentation as required, without having to get this staff member to plug into the boardroom port to gain access to the projector.

Similarly, a visitor can come into the boardroom and simply connect to the same projector by plugging into the ethernet ports, which are in VLAN5.


Of course you guys would understand the need for separation of networks - especially with the amount of viruses and malware that most systems these days aren't even aware they are infected with.

The script above seems to allow VLAN5 and 10 access to the Internet and disallow access to the other VLANs, although it also kills VLAN1's Internet access.

Puggle >> I was unable to use your subnet as it did not respond to the correct IP ranges.

Mysidia >> I used your established code - although it does not seem to work with Puggle's code; I'm guessing that's because the ACL was not created with my idea above.

The more I'm working and playing around with Cisco - the more I'm realising that it's like Microsoft Server! You can do the same thing 50 different ways and there is no right way (or wrong for that matter) - just a more effective/efficient one, or it just works (or doesn't work in my case)!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643451
PorkRoll, is that all the VLANs you have or are you only providing part of the config? You said nothing about servers before, nor about where they are located. I wouldn't have done that if I knew there were servers in there. :)
Are there any other requirements you haven't mentioned? Give me a minute and I'll have a new config for you.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643457
So just to confirm -  VLAN 5 does not need access to servers?
Also - please elaborate on "I was unable to use your subnet as did not respond to the correct IP ranges".
You're exactly right - that's why someone who knows what they're doing is so much better than an amateur at Cisco - the amateur might be able to do it but it might be a mess, whereas a pro might be able to do it in a few very neat lines.
Cheers!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643492
Hi there pork! Try this:
Note that I no longer use access-list 198
AND
that I changed your default-router in the  vlan10 DHCP pool to be on the 10 network so the machines don't flip when they can't get out of their network.
That should do it! Let me know if anything else comes up!

no access-list 199 permit ip any any
access-list 199 permit ip any any
no access-list 198
no access-list 197
access-list 197 deny ip any 192.168.20.0 255.255.255.0
access-list 197 deny ip any 192.168.10.0 255.255.255.0
access-list 197 permit ip any any
no access-list 196
access-list 196 deny ip any 192.168.20.0 255.255.255.0
access-list 196 deny ip any 192.168.15.0 255.255.255.0
access-list 196 permit ip any any 
!
interface FastEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly
speed auto
no shutdown
!
interface FastEthernet0/0.1
description vlan 1
encapsulation dot1Q 1 native
ip address 192.168.20.254 255.255.255.0
ip access-group 199 in
ip access-group 199 out
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.5
description vlan 5
encapsulation dot1Q 5
ip address 192.168.15.254 255.255.255.0
ip access-group 199 in
ip access-group 197 out
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.10
description vlan 10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip access-group 199 in
ip access-group 196 out
ip nat inside
ip virtual-reassembly   
!
ip dhcp pool vlan10
   network 192.168.10.0 255.255.255.0


0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643494
Oops - run this command too:

ip dhcp pool vlan10
   default-router 192.168.10.254


0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643504
I understand, I did leave out a hell of a lot as I only wanted to elaborate on the ACL - although I guess you and Mysidia had to make a few assumptions =)

* VLAN1 will have DC and Exchange
* VLAN10 "may" have a web server in the future
* VLAN 5 and 10 will have networked devices (eg. laptops, printers and projectors) connected
* PPTP has NOT been configured correctly- will eventually if I understand it, although this needs access to VLAN1

VLAN5 and 10 cannot access anything on VLAN1, although users on VLAN1 will need access to the web server on VLAN10 if I can get all of this working and client approves the server. Server on VLAN10 however will not need access to any server or any other VLANs and will be standalone.

I think that should be all the requirement.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643511
Okay, well as it is that should work.
VLAN 1 has full access to and from anywhere that isn't otherwise denied elsewhere.
VLAN 5 has internet access but none to VLAN 1 or 10.

VLAN 10 has internet access but none to VLAN 1 or 5.
Cheers!
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643513
Puggle, did you want me to email you my current config to assist with the script?
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643535
Puggle, I didn't realise about the DHCP - thanks for the correction there, which I completely missed.

I had to modify your subnet from 255.255.255.0 to 0.0.0.255 as it caused the IP to become like the following:
access-list 197 deny ip any 0.0.0.0 0.0.0255

I implemented all your code and VLAN1 is good, although VLAN5 and 10 can access all of VLAN1.

This is what has been driving me nuts. I tested the connection with ping, tftp and file sharing, all were allowed into VLAN1 from 5 and 10.

0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643539
Oh whoops. Lol. Sorry - been using an ASA all day.
They shouldn't be able to... Not with the explicit deny 192.168.20.0... that IS your VLAN 1 network ID, right?
Also, please post the config again just so I can see exactly what's up (the whole thing please). :)
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643551
Puggle, that is correct for VLAN1.

Here is my complete script - will remove unnecessary ACLs once I can get a working set.
Current configuration : 5805 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rtr1760
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone AEST 10
ip cef
 
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.20.1 192.168.20.49
ip dhcp excluded-address 192.168.20.151 192.168.20.254
ip dhcp excluded-address 192.168.15.1 192.168.15.49
ip dhcp excluded-address 192.168.15.151 192.168.15.254
ip dhcp excluded-address 192.168.10.1 192.168.10.49
ip dhcp excluded-address 192.168.10.151 192.168.10.254
!
ip dhcp pool vlan1
   import all
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254
   dns-server [DNSServer]
   lease 7
!
ip dhcp pool vlan5
   import all
   network 192.168.15.0 255.255.255.0
   default-router 192.168.15.254
   dns-server [DNSServer]
   lease 7
!
ip dhcp pool vlan10
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.254
   dns-server [DNSServer]
   lease 7
!
!
no ip domain lookup
ip inspect name firewall dns
ip inspect name firewall http
ip inspect name firewall https
ip inspect name firewall icmp
ip inspect name firewall smtp
ip inspect name firewall isakmp
ip inspect name firewall netshow
ip inspect name firewall pop3
ip inspect name firewall pptp
ip inspect name firewall tcp
ip inspect name firewall udp
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username test privilege 15 password 0 password
!
!
!
!
!
!
!
interface ATM0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly
 speed auto
!
interface FastEthernet0/0.1
 description vlan 1
 encapsulation dot1Q 1 native
 ip address 192.168.20.254 255.255.255.0
 ip access-group 199 in
 ip access-group 199 out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.5
 description vlan 5
 encapsulation dot1Q 5
 ip address 192.168.15.254 255.255.255.0
 ip access-group 199 in
 ip access-group 197 out
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.10
 description vlan 10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip access-group 199 in
 ip access-group 196 out
 ip nat inside
 ip virtual-reassembly
!
interface Virtual-Template1
 ip unnumbered Dialer0
 peer default ip address pool default
 ppp authentication ms-chap
!
interface Dialer0
 ip address negotiated
 ip access-group 120 in
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 [DIALER ACCESS OMITTED]
 ppp ipcp dns request
!
ip local pool default 192.168.21.50 192.168.21.150
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.20.188 18181 interface Dialer0 18181
ip nat inside source static tcp 192.168.20.188 5070 interface Dialer0 5070
ip nat inside source static tcp 192.168.20.188 8000 interface Dialer0 8000
ip nat inside source static tcp 192.168.20.2 20 interface Dialer0 20
ip nat inside source static tcp 192.168.20.2 21 interface Dialer0 21
ip nat inside source static tcp 192.168.20.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.20.2 8080 interface Dialer0 8080
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 101 remark ## VLAN 1
access-list 101 permit tcp any 192.168.20.0 0.0.0.255 established
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any
access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 permit udp any range 1 1023 192.168.20.0 0.0.0.255 gt 1023
access-list 101 permit udp any gt 1023 192.168.20.0 0.0.0.255 range 1 1023
access-list 101 deny   ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.21.0 0.0.0.255 any
access-list 105 remark ## VLAN 5
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 105 permit ip any 192.168.15.0 0.0.0.255
access-list 110 remark ## VLAN 10
access-list 110 deny   ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip any 192.168.10.0 0.0.0.255
access-list 120 remark ### allow NATs
access-list 120 permit gre any any
access-list 120 permit tcp any any eq ftp-data
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 3389
access-list 120 permit tcp any any eq 8080
access-list 120 permit tcp any any eq 8000
access-list 120 permit tcp any any eq 5070
access-list 120 permit tcp any any eq 5900
access-list 120 permit tcp any any eq 18181
access-list 196 deny   ip any 192.168.20.0 0.0.0.255
access-list 196 deny   ip any 192.168.15.0 0.0.0.255
access-list 196 permit ip any any
access-list 197 deny   ip any 192.168.20.0 0.0.0.255
access-list 197 deny   ip any 192.168.10.0 0.0.0.255
access-list 197 permit ip any any
access-list 199 permit ip any any
dialer-list 2 protocol ip permit
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end


0
 
LVL 12

Accepted Solution

by:
Pugglewuggle earned 500 total points
ID: 22643659
Hi PorkRoll:
Try these commands - I don't know why access to VLAN 1 is not restricted from those 2 by the existing ACLs.
If this doesn't work then you have a problem somewhere else.

access-list 198 deny ip 192.168.15.0 0.0.0.255 any
access-list 198 deny ip 192.168.10.0 0.0.0.255 any
access-list 198 permit ip any any
interface FastEthernet0/0.1
ip access-group 198 in


0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643754
Hi Puggle,

I did the requirement - and it still will not forward.

I'm guessing the problem is elsewhere -- great, more problems that I need to find.

Thanks heaps Puggle and Mysidia - all comments very very much appreciated.
0
 

Author Closing Comment

by:InexperiencedPorkRoll
ID: 31502954
I very much appreciate your help - thank you.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643761
PorkRoll - try this: I reversed all the ACL applications. Just run these commands and then see if it works as intended.
Back up your running-config before doing this!
 

interface FastEthernet0/0.1
 ip access-group 198 out
 ip access-group 199 in
 
interface FastEthernet0/0.5
 ip access-group 199 out
 ip access-group 197 in
!
interface FastEthernet0/0.10
 ip access-group 199 out
 ip access-group 196 in


0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643782
I implemented the new ACL - it has blocked all access BETWEEN VLANs (including VLAN1), although works for the Internet for each individual VLAN, which is closer to what I had in mind.

I cleared the counters and attempted a TFTP transfer from VLAN1 to VLAN10 and the hits are as follows - which was similar to what I had initially; how do I enable return traffic?
Extended IP access list 196
    10 deny ip any 192.168.20.0 0.0.0.255 (6 matches)
    20 deny ip any 192.168.15.0 0.0.0.255
    30 permit ip any any
Extended IP access list 197
    10 deny ip any 192.168.20.0 0.0.0.255
    20 deny ip any 192.168.10.0 0.0.0.255
    30 permit ip any any
Extended IP access list 198
    10 deny ip 192.168.15.0 0.0.0.255 any
    20 deny ip 192.168.10.0 0.0.0.255 any
    30 permit ip any any (2 matches)
Extended IP access list 199
    10 permit ip any any (28 matches)


0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643788
I then modified it to include an established tag and did the same TFTP transfer and missed the permit.
Extended IP access list 196
    10 permit tcp any 192.168.20.0 0.0.0.255 established
    20 deny ip any 192.168.20.0 0.0.0.255 (6 matches)
    30 deny ip any 192.168.15.0 0.0.0.255
    40 permit ip any any
Extended IP access list 197
    10 permit tcp any 192.168.20.0 0.0.0.255 established
    20 deny ip any 192.168.20.0 0.0.0.255
    30 deny ip any 192.168.10.0 0.0.0.255
    40 permit ip any any
Extended IP access list 198
    10 deny ip 192.168.15.0 0.0.0.255 any
    20 deny ip 192.168.10.0 0.0.0.255 any
    30 permit ip any any (8 matches)
Extended IP access list 199
    10 permit ip any any (143 matches)


0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22643806
Hmmmm... let me set this up in my lab... give me a day or so and let me figure out what's going on, k?
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643868
Hi Puggle, sure, cause there would be no point in this n00b trying if an expert is having difficulty.

Thanks again.
0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643888
Oh by the way, you may want to know that the 1960 is connected to a 2950 with port 16 as trunk.
Building configuration...
 
Current configuration : 2130 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SW2950
!
!
ip subnet-zero
!
no ip domain-lookup
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1-15
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/17-20
 switchport access vlan 5
 spanning-tree portfast
!
interface FastEthernet0/21-24
 switchport access vlan 10
 spanning-tree portfast
!
interface Vlan1
 ip address 192.168.20.253 255.255.255.0
 no ip route-cache
!
interface Vlan5
 ip address 192.168.15.253 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan10
 no ip address
 no ip route-cache
 shutdown
!
ip default-gateway 192.168.20.254
no ip http server
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end


0
 

Author Comment

by:InexperiencedPorkRoll
ID: 22643890
Correction above its the 1760 connected to 2950.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22652033
kk! Let me work this up when I get home tonight. Cheers!
0
