Cisco 1100G multiple VLAN's
I have recently been asked my management of the company I work for to setup customer internet access in our showroom, since I do not have any free hardware I was hoping to be able to use a Cisco 1100G we have deployed with a second SSID.
I have run into problems setting up VLAN's as the Cisco 870 router already has a VLAN on our work subnet (172.16.1.0) and since employees still need to use it and access resources on that network I can't see how I can do that without a gateway in between the AP and my other servers.
My plan (sans the VLANs)
Customer laptop -> Cisco 1100G (SSID: customer-ap) -> Cisco Catalyst 2950 -> Cisco 870
Employees -> Cisco 1100G (SSID: glg-ap) -> Cisco Catalyst 2950 -> Work servers / Cisco 870
I'll admit I haven't had a lot of experience with the VLAN's so I might be looking at things the wrong way but I have endeavored to research the subject on Cisco's site and done a fair bit of googling.
I'm currently considering either a separate physical AP or re purposing the 1100G as it doesn't see a large amount of use at the moment but I would rather do the above if possible.
Any suggestions as to how I could segment the traffic from each SSID would be appreciated as that's my ultimate goal.
I have run into problems setting up VLAN's as the Cisco 870 router already has a VLAN on our work subnet (172.16.1.0) and since employees still need to use it and access resources on that network I can't see how I can do that without a gateway in between the AP and my other servers.
My plan (sans the VLANs)
Customer laptop -> Cisco 1100G (SSID: customer-ap) -> Cisco Catalyst 2950 -> Cisco 870
Employees -> Cisco 1100G (SSID: glg-ap) -> Cisco Catalyst 2950 -> Work servers / Cisco 870
I'll admit I haven't had a lot of experience with the VLAN's so I might be looking at things the wrong way but I have endeavored to research the subject on Cisco's site and done a fair bit of googling.
I'm currently considering either a separate physical AP or re purposing the 1100G as it doesn't see a large amount of use at the moment but I would rather do the above if possible.
Any suggestions as to how I could segment the traffic from each SSID would be appreciated as that's my ultimate goal.
ASKER
@that1guy15
In regards to the trunk port (I just did some reading on the function) it seems it will solve my problems of having a port as a member of multiple VLAN's.
The problem I have had with that approach you are describing is that this put our employees using that AP onto a different subnet as well meaning that without an intermediate gateway they won't be able to access company resources.
I can implement ACL's on the Catalyst to prevent traffic between VLAN's but I thought by definition traffic from VLAN1 -> VLAN3 wouldn't work without some sort of VLAN bridging anyway?
In regards to the trunk port (I just did some reading on the function) it seems it will solve my problems of having a port as a member of multiple VLAN's.
The problem I have had with that approach you are describing is that this put our employees using that AP onto a different subnet as well meaning that without an intermediate gateway they won't be able to access company resources.
I can implement ACL's on the Catalyst to prevent traffic between VLAN's but I thought by definition traffic from VLAN1 -> VLAN3 wouldn't work without some sort of VLAN bridging anyway?
"The problem I have had with that approach you are describing is that this put our employees using that AP onto a different subnet as well meaning that without an intermediate gateway they won't be able to access company resources."
The main objective is to separate your corporate traffic from the customer traffic. Using the configuration I gave above customers will only be able to connect to the customer VLAN, Traffic from that VLAN wlil not be able to access any other network until it reaches the 870. From the 870 you can control which VLANs that traffic accesses.
Make sense?
The main objective is to separate your corporate traffic from the customer traffic. Using the configuration I gave above customers will only be able to connect to the customer VLAN, Traffic from that VLAN wlil not be able to access any other network until it reaches the 870. From the 870 you can control which VLANs that traffic accesses.
Make sense?
ASKER
That all makes sense but as I said the problem was that since the AP can only have one IP address so it cannot have different IP address per VLAN or IP aliases (As far as the GUI is concerned anyway).
To be honest I haven't looked at the IOS side of the 1100G as everything seemed to work through the GUI for what I had wanted until that point.
Onto my progress:
I was able to create VLAN's no problem but had a lot of trouble getting lost in various tutorials I found while googling on VLAN, VTP and other VLAN tagging protocols.
Should I be using VTP to propagate the VLAN's or just statistically assign them seeing as there are only 3 total devices, what encapsulation should I be using and whats the best way to test a configuration?
The layout im looking at so far is:
Customer -> customers (VLAN 3) -> Catalyst 2950 (VLAN 3 on Fastethernet 0/23) -> Cisco 870 (VLAN 3 on Fastethernet 1)
Employee -> glgap (VLAN1) -> Catalyst 2950 (VLAN 1 of fastethernet 0/23) -> Rest of network
Thanks for the hlep so far, this is kind of my crash course in VLAN's that I had been planning to get into eventually but not on such short notice.
To be honest I haven't looked at the IOS side of the 1100G as everything seemed to work through the GUI for what I had wanted until that point.
Onto my progress:
I was able to create VLAN's no problem but had a lot of trouble getting lost in various tutorials I found while googling on VLAN, VTP and other VLAN tagging protocols.
Should I be using VTP to propagate the VLAN's or just statistically assign them seeing as there are only 3 total devices, what encapsulation should I be using and whats the best way to test a configuration?
The layout im looking at so far is:
Customer -> customers (VLAN 3) -> Catalyst 2950 (VLAN 3 on Fastethernet 0/23) -> Cisco 870 (VLAN 3 on Fastethernet 1)
Employee -> glgap (VLAN1) -> Catalyst 2950 (VLAN 1 of fastethernet 0/23) -> Rest of network
Thanks for the hlep so far, this is kind of my crash course in VLAN's that I had been planning to get into eventually but not on such short notice.
"the problem was that since the AP can only have one IP address so it cannot have different IP address per VLAN or IP aliases (As far as the GUI is concerned anyway)."
Since the AP is a layer 2 device the IP address is only for administrative purposes not controlling traffic flow. So 1 ip is fine. So you will have your corporate VLAN with an ip on your corp network and then you will have your customer VLAN with no IP on your customer network.
"Should I be using VTP to propagate the VLAN's or just statistically assign them seeing as there are only 3 total devices, what encapsulation should I be using and whats the best way to test a configuration?"
Nah since you only have a few devices I would not bother with VTP. Just create them statically. You will want to use IEEE 801.q (dot1) encapsulation since this is the only protocol the 2950 supports.
To test connect to the customer network through wireless and verify you can access resources in that network and that you can not access anything in the corp network. Do the same for the corp network for testing.
"Customer -> customers (VLAN 3) -> Catalyst 2950 (VLAN 3 on Fastethernet 0/23) -> Cisco 870 (VLAN 3 on Fastethernet 1)
Employee -> glgap (VLAN1) -> Catalyst 2950 (VLAN 1 of fastethernet 0/23) -> Rest of network"
This setup will work but a better suggestion would be to set up the port(s) between the AP and the 2950 as trunk ports. This will allow all VLANs on the AP to use one port to access the 2950. You can also have multiple trunk ports running to the 2950 and load balance them. Either way though in your setup it will be fine.
Since the AP is a layer 2 device the IP address is only for administrative purposes not controlling traffic flow. So 1 ip is fine. So you will have your corporate VLAN with an ip on your corp network and then you will have your customer VLAN with no IP on your customer network.
"Should I be using VTP to propagate the VLAN's or just statistically assign them seeing as there are only 3 total devices, what encapsulation should I be using and whats the best way to test a configuration?"
Nah since you only have a few devices I would not bother with VTP. Just create them statically. You will want to use IEEE 801.q (dot1) encapsulation since this is the only protocol the 2950 supports.
To test connect to the customer network through wireless and verify you can access resources in that network and that you can not access anything in the corp network. Do the same for the corp network for testing.
"Customer -> customers (VLAN 3) -> Catalyst 2950 (VLAN 3 on Fastethernet 0/23) -> Cisco 870 (VLAN 3 on Fastethernet 1)
Employee -> glgap (VLAN1) -> Catalyst 2950 (VLAN 1 of fastethernet 0/23) -> Rest of network"
This setup will work but a better suggestion would be to set up the port(s) between the AP and the 2950 as trunk ports. This will allow all VLANs on the AP to use one port to access the 2950. You can also have multiple trunk ports running to the 2950 and load balance them. Either way though in your setup it will be fine.
ASKER
Alright that clears up a lot of my questions but I still have a couple more regarding the exact setup.
In regards to the trunk port(s) since my AP is connecting directly to the 2950 so I need to enable trunk ports on both ends or only on the receiving end (2950)?
Do you know the commands I should be running for IOS based devices to setup a VLAN, I have a lot of different tutorials and there are different ways of adding them (vlan database and interface config).
Lastly will it be necessary to have an IP address for the VLAN on the 870 or won't it need one being layer 2?
In regards to the trunk port(s) since my AP is connecting directly to the 2950 so I need to enable trunk ports on both ends or only on the receiving end (2950)?
Do you know the commands I should be running for IOS based devices to setup a VLAN, I have a lot of different tutorials and there are different ways of adding them (vlan database and interface config).
Lastly will it be necessary to have an IP address for the VLAN on the 870 or won't it need one being layer 2?
"In regards to the trunk port(s) since my AP is connecting directly to the 2950 so I need to enable trunk ports on both ends or only on the receiving end (2950)?"
Both ends
"Do you know the commands I should be running for IOS based devices to setup a VLAN, I have a lot of different tutorials and there are different ways of adding them (vlan database and interface config)."
VLAN database is the old way of configuring VLANs. With the 2950 you will want to use:
config t
vlan 20
name customer
to create a trunk port use:
int f0/0
switchport mode trunk
"Lastly will it be necessary to have an IP address for the VLAN on the 870 or won't it need one being layer 2?"
yes give it an IP addrss of the subnet it is in. This will be the default gateway for all devices on the VLAN
Both ends
"Do you know the commands I should be running for IOS based devices to setup a VLAN, I have a lot of different tutorials and there are different ways of adding them (vlan database and interface config)."
VLAN database is the old way of configuring VLANs. With the 2950 you will want to use:
config t
vlan 20
name customer
to create a trunk port use:
int f0/0
switchport mode trunk
"Lastly will it be necessary to have an IP address for the VLAN on the 870 or won't it need one being layer 2?"
yes give it an IP addrss of the subnet it is in. This will be the default gateway for all devices on the VLAN
ASKER
Just an update to reflect the fact management have decided a seperate AP is a more time effective solution to this problem.
I have since configured the new AP (Linksys WAP 2000) with VLAN's but the traffic keeps leaking and getting a DHCP lease from our PDC and not the Cisco router.
The DHCP scope im using from the Cisco 870 is as follows:
Pool customer :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
192.168.0.1 192.168.0.1 - 192.168.0.254 0
I have checked all my setings but can't figure out why traffic is leaving VLAN3 (and ignoring the DHCP scope) while routing back through another one of the Fast Ethernet interfaces to get a DHCP lease. FYI I have confirmed that the port isn't trunking and is set in access mode.
I have since configured the new AP (Linksys WAP 2000) with VLAN's but the traffic keeps leaking and getting a DHCP lease from our PDC and not the Cisco router.
The DHCP scope im using from the Cisco 870 is as follows:
Pool customer :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
192.168.0.1 192.168.0.1 - 192.168.0.254 0
I have checked all my setings but can't figure out why traffic is leaving VLAN3 (and ignoring the DHCP scope) while routing back through another one of the Fast Ethernet interfaces to get a DHCP lease. FYI I have confirmed that the port isn't trunking and is set in access mode.
So the Linksys AP is used to connect both SSIDs like you were going to setup with the 1100G?
Also Im guessing the Linksys AP is connecting to the 2950?
If both VLANs exist on the Linksys AP and the AP connects to the 2950 with a single port then you will still need to use trunk ports to pass the respective VLANs to their proper network. The 2950 will still have a single trunk port to the 870.
Also Im guessing the Linksys AP is connecting to the 2950?
If both VLANs exist on the Linksys AP and the AP connects to the 2950 with a single port then you will still need to use trunk ports to pass the respective VLANs to their proper network. The 2950 will still have a single trunk port to the 870.
ASKER
No the Linksys WAP2000 is to be dedicated to customer traffic and the existing Cisco 1100G will be used exclusively by employees.
Im connecting the Linksys WAP2000 directly to the Cisco 870 (At least until I get a good grasp of VLAN's) to simplify the process.
Im connecting the Linksys WAP2000 directly to the Cisco 870 (At least until I get a good grasp of VLAN's) to simplify the process.
If you are connecting the new AP directly to the 870 you will still need to create a separate VLAN to segregate the traffic.
From the command line of the 870:
Router(config)#vlan 2
Router(config)#description
Router(config)#exit
Router(config)# interface FastEthernet 2
Router(config-if)# switchport access vlan 2 <------assigns port fe2 to VLAN 2 (use whichever port you want)
Router(config-if)#exit
Router(config)#wr mem <---saves the config
You can then plug the new AP into this port and you should be fine
From the command line of the 870:
Router(config)#vlan 2
Router(config)#description
Router(config)#exit
Router(config)# interface FastEthernet 2
Router(config-if)# switchport access vlan 2 <------assigns port fe2 to VLAN 2 (use whichever port you want)
Router(config-if)#exit
Router(config)#wr mem <---saves the config
You can then plug the new AP into this port and you should be fine
Check this link out for a little more information
http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/dhcpvlan.html#wp999406
http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/dhcpvlan.html#wp999406
ASKER
I have made some progress since last update, the VLAN seems to be working as while connected exclusively to the AP I cannot ping any hosts on 172.16.1.X and I will be testing this by removing the VLAN later on.
I have enabled NAT for VLAN 3 but im not able to get outside the network, I have checked the NAT configuration in SDM and the "automatic" NAT rule which provides internet access at the moment only seems to include our 10.0.0.0 range.
On another note DHCP suddenly started working on the VLAN today (It steadfast refused to work yesterday) so wireless clients can get leases now.
Lastly I can still ping the interfaces on the other VLAN's (10.0.0.1 and 172.16.1.250) but I assume thats because I have trunking enabled on the Cisco VLAN.
I have enabled NAT for VLAN 3 but im not able to get outside the network, I have checked the NAT configuration in SDM and the "automatic" NAT rule which provides internet access at the moment only seems to include our 10.0.0.0 range.
On another note DHCP suddenly started working on the VLAN today (It steadfast refused to work yesterday) so wireless clients can get leases now.
Lastly I can still ping the interfaces on the other VLAN's (10.0.0.1 and 172.16.1.250) but I assume thats because I have trunking enabled on the Cisco VLAN.
"I have enabled NAT for VLAN 3 but im not able to get outside the network, I have checked the NAT configuration in SDM and the "automatic" NAT rule which provides internet access at the moment only seems to include our 10.0.0.0 range."
Im not too familiar with the cisco SDM (much more comfortable with the CLI) so i can not give details. The NAT rule that you already have set up you should just be able to change the network being translated (10.0.0.0) to all networks which is 0.0.0.0 0.0.0.0. sometimes it is listed out as 0.0.0.0/0. This should get your NAT going for any inside network trying to get out.
Im not too familiar with the cisco SDM (much more comfortable with the CLI) so i can not give details. The NAT rule that you already have set up you should just be able to change the network being translated (10.0.0.0) to all networks which is 0.0.0.0 0.0.0.0. sometimes it is listed out as 0.0.0.0/0. This should get your NAT going for any inside network trying to get out.
ASKER
So the source network doesn't need to match my VLAN (192.168.0.1), it looked as though I might of needed to create a separate NAT rule for that VLAN.
That is what the 0.0.0.0/0 statement says. All 0's means match any IP address or network. If you wanted to create a separate NAT statement that would be fine too.
ASKER
I thought the 0.0.0.0 network you were referring to was the destination network and not the source?(Unless I have the NAT theory backwards)
No your destinations network (address being translated too) is going to be one of your public IP address. The source network can be any range of IP address.
ASKER
I think there must be something awray in either my Firewall or NAT configuration as I'm still not having any luck.
I can connect to the AP, get a DHCP lease, ping the AP and router but not able to get outside to the internet, this is what my relevant Cisco config looks like.
VLAN 2:
!
interface Vlan2
ip address 172.16.1.250 255.255.255.0
ip nat inside
ip virtual-reassembly
!
NAT:
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.2 25 150.101.226.42 25 extendable
ip nat inside source static tcp 10.0.0.2 80 150.101.226.42 80 extendable
ip nat inside source static tcp 10.0.0.2 110 150.101.226.42 110 extendable
ip nat inside source static tcp 10.0.0.2 443 150.101.226.42 443 extendable
ip nat inside source static tcp 10.0.0.2 3389 150.101.226.42 3389 extendable
ip nat inside source static tcp 10.0.0.2 4125 150.101.226.42 4125 extendable
ip nat inside source static tcp 10.0.0.2 5900 150.101.226.42 5900 extendable
!
I can connect to the AP, get a DHCP lease, ping the AP and router but not able to get outside to the internet, this is what my relevant Cisco config looks like.
VLAN 2:
!
interface Vlan2
ip address 172.16.1.250 255.255.255.0
ip nat inside
ip virtual-reassembly
!
NAT:
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.2 25 150.101.226.42 25 extendable
ip nat inside source static tcp 10.0.0.2 80 150.101.226.42 80 extendable
ip nat inside source static tcp 10.0.0.2 110 150.101.226.42 110 extendable
ip nat inside source static tcp 10.0.0.2 443 150.101.226.42 443 extendable
ip nat inside source static tcp 10.0.0.2 3389 150.101.226.42 3389 extendable
ip nat inside source static tcp 10.0.0.2 4125 150.101.226.42 4125 extendable
ip nat inside source static tcp 10.0.0.2 5900 150.101.226.42 5900 extendable
!
Will you post the config for source list 120 from this NAT statement?
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source list 120 interface Dialer0 overload
ASKER
Here's the access-list:
access-list 102 remark SDM_ACL Category=17
access-list 102 permit udp any host External IP address eq non500-isakmp
access-list 102 permit udp any host External IP address eq isakmp
access-list 102 permit esp any host External IP address
access-list 102 permit ahp any host External IP address
access-list 102 permit gre any host External IP address
access-list 102 permit tcp host 150.101.243.85 eq telnet host External IP address
access-list 102 permit tcp host 150.101.243.87 eq telnet host External IP address
access-list 102 permit tcp host 203.122.250.103 eq telnet host External IP address
access-list 102 permit tcp host 150.101.81.146 eq telnet host External IP address
access-list 102 permit tcp host 203.166.110.41 range 1700 1710 host External IP address
access-list 102 permit tcp host 203.166.110.40 range 9100 9505 host External IP address
access-list 102 permit tcp host 203.25.40.102 eq ftp host External IP address
access-list 102 permit tcp host 210.50.2.234 eq ftp host External IP address
access-list 102 permit tcp any host External IP address eq telnet
access-list 102 deny tcp any host External IP address eq 22
access-list 102 deny tcp any host External IP address eq cmd
access-list 102 deny udp any host External IP address eq snmp
access-list 102 permit tcp any host External IP address eq 5900
access-list 102 permit tcp host 203.122.227.198 host External IP address eq 3389
access-list 102 permit tcp any host External IP address eq 4125
access-list 102 permit tcp any host External IP address eq pop3
access-list 102 permit tcp any host External IP address eq www
access-list 102 permit tcp any host External IP address eq 443
access-list 102 permit tcp any host External IP address eq smtp
access-list 102 permit udp host 192.231.203.132 eq domain host External IP address
access-list 102 permit udp host 192.231.203.3 eq domain host External IP address
access-list 102 remark Auto generated by SDM for NTP (123) 192.231.203.132
access-list 102 permit udp host 192.231.203.132 eq ntp host External IP address eq ntp
access-list 102 deny ip 10.0.0.0 0.0.0.255 any
access-list 102 permit icmp host 150.101.81.146 host External IP address echo
access-list 102 permit icmp host 203.122.234.3 host External IP address echo
access-list 102 permit icmp host 203.122.250.103 host External IP address echo
access-list 102 permit icmp host 150.101.243.85 host External IP address echo
access-list 102 permit icmp host 150.101.243.87 host External IP address echo
access-list 102 permit icmp host 203.122.227.198 host External IP address echo
access-list 102 permit icmp any host External IP address echo-reply
access-list 102 permit icmp any host External IP address time-exceeded
access-list 102 permit icmp any host External IP address unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
The command you mentioned says dynamic mapping is in use.
access-list 102 remark SDM_ACL Category=17
access-list 102 permit udp any host External IP address eq non500-isakmp
access-list 102 permit udp any host External IP address eq isakmp
access-list 102 permit esp any host External IP address
access-list 102 permit ahp any host External IP address
access-list 102 permit gre any host External IP address
access-list 102 permit tcp host 150.101.243.85 eq telnet host External IP address
access-list 102 permit tcp host 150.101.243.87 eq telnet host External IP address
access-list 102 permit tcp host 203.122.250.103 eq telnet host External IP address
access-list 102 permit tcp host 150.101.81.146 eq telnet host External IP address
access-list 102 permit tcp host 203.166.110.41 range 1700 1710 host External IP address
access-list 102 permit tcp host 203.166.110.40 range 9100 9505 host External IP address
access-list 102 permit tcp host 203.25.40.102 eq ftp host External IP address
access-list 102 permit tcp host 210.50.2.234 eq ftp host External IP address
access-list 102 permit tcp any host External IP address eq telnet
access-list 102 deny tcp any host External IP address eq 22
access-list 102 deny tcp any host External IP address eq cmd
access-list 102 deny udp any host External IP address eq snmp
access-list 102 permit tcp any host External IP address eq 5900
access-list 102 permit tcp host 203.122.227.198 host External IP address eq 3389
access-list 102 permit tcp any host External IP address eq 4125
access-list 102 permit tcp any host External IP address eq pop3
access-list 102 permit tcp any host External IP address eq www
access-list 102 permit tcp any host External IP address eq 443
access-list 102 permit tcp any host External IP address eq smtp
access-list 102 permit udp host 192.231.203.132 eq domain host External IP address
access-list 102 permit udp host 192.231.203.3 eq domain host External IP address
access-list 102 remark Auto generated by SDM for NTP (123) 192.231.203.132
access-list 102 permit udp host 192.231.203.132 eq ntp host External IP address eq ntp
access-list 102 deny ip 10.0.0.0 0.0.0.255 any
access-list 102 permit icmp host 150.101.81.146 host External IP address echo
access-list 102 permit icmp host 203.122.234.3 host External IP address echo
access-list 102 permit icmp host 203.122.250.103 host External IP address echo
access-list 102 permit icmp host 150.101.243.85 host External IP address echo
access-list 102 permit icmp host 150.101.243.87 host External IP address echo
access-list 102 permit icmp host 203.122.227.198 host External IP address echo
access-list 102 permit icmp any host External IP address echo-reply
access-list 102 permit icmp any host External IP address time-exceeded
access-list 102 permit icmp any host External IP address unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
The command you mentioned says dynamic mapping is in use.
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
Your 172.16.0.0 networks are being denied NAT translation. In order for address on the 172.16.0.0 subnets to be translated to an external ip you need to change the first three lines as so:
access-list 120 permit ip 172.16.1.0 0.0.0.255 any
This line will replace all three lines
Also make sure the 120 ACL is not being applied to anything else :)
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
Your 172.16.0.0 networks are being denied NAT translation. In order for address on the 172.16.0.0 subnets to be translated to an external ip you need to change the first three lines as so:
access-list 120 permit ip 172.16.1.0 0.0.0.255 any
This line will replace all three lines
Also make sure the 120 ACL is not being applied to anything else :)
ASKER
Our 172.16.1.0 network does not require NAT, this is how its structured:
172.16.1.25 (Client PC) -> 172.16.1.2 (ISA int interface) -> 10.0.0.2 (ISA ext interface) -> 10.0.0.1 (Cisco)
Our other VLAN is (172.1.1.250) is for our PABX which transits via tge VPN and does not require NAT, those rules are just for preventing the PABX from using the internet.
I did however do that permit rule for the 192.168.0.0 network but soon after I found my VPN tunnels went down so I had to fall back to startup config.
172.16.1.25 (Client PC) -> 172.16.1.2 (ISA int interface) -> 10.0.0.2 (ISA ext interface) -> 10.0.0.1 (Cisco)
Our other VLAN is (172.1.1.250) is for our PABX which transits via tge VPN and does not require NAT, those rules are just for preventing the PABX from using the internet.
I did however do that permit rule for the 192.168.0.0 network but soon after I found my VPN tunnels went down so I had to fall back to startup config.
Please post your full "sh run" minus any passwords or public IPs.
ASKER
Current configuration : 15234 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname glg
!
boot-start-marker
boot system flash flash:c870-advipservicesk9
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
no logging monitor
enable secret 5 $1$hashed_password
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication ppp default local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone acst 9 30
clock summer-time ACDT recurring last Sun Oct 2:00 last Sun Mar 3:00
!
crypto pki trustpoint TP-self-signed-762479650
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-762479650
!
!
crypto pki certificate chain TP-self-signed-762479650
certificate self-signed 01
--removed--
quit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key --removed-- address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool eblen-customer
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.231.203.132
domain-name customer.eblen.com.au
lease 7
!
!
no ip bootp server
ip domain name --removed--
ip name-server 192.231.203.3
ip name-server 192.231.203.132
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
appfw policy-name SDM_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.
server deny name webmessenger.msn.com
audit-trail on
application http
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yaho
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 --removed--
username voipadmin privilege 15 secret 5 ==removed==
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map match-any WebEmail
match protocol http
match protocol secure-http
match protocol ftp
match protocol smtp
match protocol pop3
class-map match-any VoIP
match protocol h323
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map eblen-voip
class VoIP
priority percent 15
set dscp ef
class WebEmail
bandwidth remaining percent 85
class class-default
fair-queue
!
!
!
!
interface Tunnel0
bandwidth 4000
ip address 10.1.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 83505045
ip nhrp holdtime 360
ip nhrp cache non-authoritative
ip tcp adjust-mss 1360
no ip split-horizon eigrp 8376
delay 1000
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 83505045
tunnel protection ipsec profile SDM_Profile1
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
description Eblen Customer AP
switchport access vlan 3
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address 10.0.0.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Vlan2
ip address 172.16.1.250 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
!
interface Vlan3
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description $FW_OUTSIDE$
bandwidth 872
ip address negotiated
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nbar protocol-discovery
ip nat outside
ip inspect SDM_HIGH out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname --removed
ppp chap password 7 --removed--
service-policy output eblen-voip
!
router eigrp 8376
network 10.1.0.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.5.0 255.255.255.0 Tunnel0 10.1.0.6
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 172.16.1.25 9991
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.2 25 External IP address 25 extendable
ip nat inside source static tcp 10.0.0.2 80 External IP address 80 extendable
ip nat inside source static tcp 10.0.0.2 110 External IP address 110 extendable
ip nat inside source static tcp 10.0.0.2 443 External IP address 443 extendable
ip nat inside source static tcp 10.0.0.2 3389 External IP address 3389 extendable
ip nat inside source static tcp 10.0.0.2 4125 External IP address 4125 extendable
ip nat inside source static tcp 10.0.0.2 5900 External IP address 5900 extendable
!
logging trap debugging
logging 172.16.1.25
access-list 1 permit 202.6.145.49
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 deny any
access-list 1 permit 0.0.0.1 255.255.255.0
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip host 150.101.81.146 any
access-list 100 permit ip host 203.122.250.103 any
access-list 100 permit ip host 150.101.243.85 any
access-list 100 permit ip host 150.101.243.87 any
access-list 100 permit ip host 202.6.145.49 any
access-list 100 permit ip host 203.122.227.198 any
access-list 100 permit ip 219.90.128.0 0.0.127.255 any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 121.44.0.0 0.1.255.255 any
access-list 100 permit ip 59.167.0.0 0.0.255.255 any
access-list 100 deny ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 22
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq www
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 443
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq cmd
access-list 101 deny tcp any host 10.0.0.1 eq telnet
access-list 101 deny tcp any host 10.0.0.1 eq 22
access-list 101 deny tcp any host 10.0.0.1 eq www
access-list 101 deny tcp any host 10.0.0.1 eq 443
access-list 101 deny tcp any host 10.0.0.1 eq cmd
access-list 101 deny udp any host 10.0.0.1 eq snmp
access-list 101 deny ip 150.101.226.40 0.0.0.3 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 102 remark SDM_ACL Category=17
access-list 102 permit udp any host External IP address eq non500-isakmp
access-list 102 permit udp any host External IP address eq isakmp
access-list 102 permit esp any host External IP address
access-list 102 permit ahp any host External IP address
access-list 102 permit gre any host External IP address
access-list 102 permit tcp host 150.101.243.85 eq telnet host External IP address
access-list 102 permit tcp host 150.101.243.87 eq telnet host External IP address
access-list 102 permit tcp host 203.122.250.103 eq telnet host External IP address
access-list 102 permit tcp host 150.101.81.146 eq telnet host External IP address
access-list 102 permit tcp host 203.166.110.41 range 1700 1710 host External IP address
access-list 102 permit tcp host 203.166.110.40 range 9100 9505 host External IP address
access-list 102 permit tcp host 203.25.40.102 eq ftp host External IP address
access-list 102 permit tcp host 210.50.2.234 eq ftp host External IP address
access-list 102 permit tcp any host External IP address eq telnet
access-list 102 deny tcp any host External IP address eq 22
access-list 102 deny tcp any host External IP address eq cmd
access-list 102 deny udp any host External IP address eq snmp
access-list 102 permit tcp any host External IP address eq 5900
access-list 102 permit tcp host 203.122.227.198 host External IP address eq 3389
access-list 102 permit tcp any host External IP address eq 4125
access-list 102 permit tcp any host External IP address eq pop3
access-list 102 permit tcp any host External IP address eq www
access-list 102 permit tcp any host External IP address eq 443
access-list 102 permit tcp any host External IP address eq smtp
access-list 102 permit udp host 192.231.203.132 eq domain host External IP address
access-list 102 permit udp host 192.231.203.3 eq domain host External IP address
access-list 102 remark Auto generated by SDM for NTP (123) 192.231.203.132
access-list 102 permit udp host 192.231.203.132 eq ntp host External IP address eq ntp
access-list 102 deny ip 10.0.0.0 0.0.0.255 any
access-list 102 permit icmp host 150.101.81.146 host External IP address echo
access-list 102 permit icmp host 203.122.234.3 host External IP address echo
access-list 102 permit icmp host 203.122.250.103 host External IP address echo
access-list 102 permit icmp host 150.101.243.85 host External IP address echo
access-list 102 permit icmp host 150.101.243.87 host External IP address echo
access-list 102 permit icmp host 203.122.227.198 host External IP address echo
access-list 102 permit icmp any host External IP address echo-reply
access-list 102 permit icmp any host External IP address time-exceeded
access-list 102 permit icmp any host External IP address unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 100 in
authorization exec local_author
login authentication local_authen
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175105
ntp server 192.231.203.132 prefer
!
webvpn cef
end
!
! No configuration change since last restart
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname glg
!
boot-start-marker
boot system flash flash:c870-advipservicesk9
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
no logging monitor
enable secret 5 $1$hashed_password
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication ppp default local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone acst 9 30
clock summer-time ACDT recurring last Sun Oct 2:00 last Sun Mar 3:00
!
crypto pki trustpoint TP-self-signed-762479650
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-762479650
!
!
crypto pki certificate chain TP-self-signed-762479650
certificate self-signed 01
--removed--
quit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key --removed-- address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool eblen-customer
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.231.203.132
domain-name customer.eblen.com.au
lease 7
!
!
no ip bootp server
ip domain name --removed--
ip name-server 192.231.203.3
ip name-server 192.231.203.132
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
appfw policy-name SDM_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.
server deny name webmessenger.msn.com
audit-trail on
application http
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yaho
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 --removed--
username voipadmin privilege 15 secret 5 ==removed==
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map match-any WebEmail
match protocol http
match protocol secure-http
match protocol ftp
match protocol smtp
match protocol pop3
class-map match-any VoIP
match protocol h323
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map eblen-voip
class VoIP
priority percent 15
set dscp ef
class WebEmail
bandwidth remaining percent 85
class class-default
fair-queue
!
!
!
!
interface Tunnel0
bandwidth 4000
ip address 10.1.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 83505045
ip nhrp holdtime 360
ip nhrp cache non-authoritative
ip tcp adjust-mss 1360
no ip split-horizon eigrp 8376
delay 1000
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 83505045
tunnel protection ipsec profile SDM_Profile1
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
description Eblen Customer AP
switchport access vlan 3
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address 10.0.0.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Vlan2
ip address 172.16.1.250 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
!
interface Vlan3
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description $FW_OUTSIDE$
bandwidth 872
ip address negotiated
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nbar protocol-discovery
ip nat outside
ip inspect SDM_HIGH out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname --removed
ppp chap password 7 --removed--
service-policy output eblen-voip
!
router eigrp 8376
network 10.1.0.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.5.0 255.255.255.0 Tunnel0 10.1.0.6
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 172.16.1.25 9991
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.2 25 External IP address 25 extendable
ip nat inside source static tcp 10.0.0.2 80 External IP address 80 extendable
ip nat inside source static tcp 10.0.0.2 110 External IP address 110 extendable
ip nat inside source static tcp 10.0.0.2 443 External IP address 443 extendable
ip nat inside source static tcp 10.0.0.2 3389 External IP address 3389 extendable
ip nat inside source static tcp 10.0.0.2 4125 External IP address 4125 extendable
ip nat inside source static tcp 10.0.0.2 5900 External IP address 5900 extendable
!
logging trap debugging
logging 172.16.1.25
access-list 1 permit 202.6.145.49
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 deny any
access-list 1 permit 0.0.0.1 255.255.255.0
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip host 150.101.81.146 any
access-list 100 permit ip host 203.122.250.103 any
access-list 100 permit ip host 150.101.243.85 any
access-list 100 permit ip host 150.101.243.87 any
access-list 100 permit ip host 202.6.145.49 any
access-list 100 permit ip host 203.122.227.198 any
access-list 100 permit ip 219.90.128.0 0.0.127.255 any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 121.44.0.0 0.1.255.255 any
access-list 100 permit ip 59.167.0.0 0.0.255.255 any
access-list 100 deny ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 22
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq www
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 443
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq cmd
access-list 101 deny tcp any host 10.0.0.1 eq telnet
access-list 101 deny tcp any host 10.0.0.1 eq 22
access-list 101 deny tcp any host 10.0.0.1 eq www
access-list 101 deny tcp any host 10.0.0.1 eq 443
access-list 101 deny tcp any host 10.0.0.1 eq cmd
access-list 101 deny udp any host 10.0.0.1 eq snmp
access-list 101 deny ip 150.101.226.40 0.0.0.3 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 102 remark SDM_ACL Category=17
access-list 102 permit udp any host External IP address eq non500-isakmp
access-list 102 permit udp any host External IP address eq isakmp
access-list 102 permit esp any host External IP address
access-list 102 permit ahp any host External IP address
access-list 102 permit gre any host External IP address
access-list 102 permit tcp host 150.101.243.85 eq telnet host External IP address
access-list 102 permit tcp host 150.101.243.87 eq telnet host External IP address
access-list 102 permit tcp host 203.122.250.103 eq telnet host External IP address
access-list 102 permit tcp host 150.101.81.146 eq telnet host External IP address
access-list 102 permit tcp host 203.166.110.41 range 1700 1710 host External IP address
access-list 102 permit tcp host 203.166.110.40 range 9100 9505 host External IP address
access-list 102 permit tcp host 203.25.40.102 eq ftp host External IP address
access-list 102 permit tcp host 210.50.2.234 eq ftp host External IP address
access-list 102 permit tcp any host External IP address eq telnet
access-list 102 deny tcp any host External IP address eq 22
access-list 102 deny tcp any host External IP address eq cmd
access-list 102 deny udp any host External IP address eq snmp
access-list 102 permit tcp any host External IP address eq 5900
access-list 102 permit tcp host 203.122.227.198 host External IP address eq 3389
access-list 102 permit tcp any host External IP address eq 4125
access-list 102 permit tcp any host External IP address eq pop3
access-list 102 permit tcp any host External IP address eq www
access-list 102 permit tcp any host External IP address eq 443
access-list 102 permit tcp any host External IP address eq smtp
access-list 102 permit udp host 192.231.203.132 eq domain host External IP address
access-list 102 permit udp host 192.231.203.3 eq domain host External IP address
access-list 102 remark Auto generated by SDM for NTP (123) 192.231.203.132
access-list 102 permit udp host 192.231.203.132 eq ntp host External IP address eq ntp
access-list 102 deny ip 10.0.0.0 0.0.0.255 any
access-list 102 permit icmp host 150.101.81.146 host External IP address echo
access-list 102 permit icmp host 203.122.234.3 host External IP address echo
access-list 102 permit icmp host 203.122.250.103 host External IP address echo
access-list 102 permit icmp host 150.101.243.85 host External IP address echo
access-list 102 permit icmp host 150.101.243.87 host External IP address echo
access-list 102 permit icmp host 203.122.227.198 host External IP address echo
access-list 102 permit icmp any host External IP address echo-reply
access-list 102 permit icmp any host External IP address time-exceeded
access-list 102 permit icmp any host External IP address unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 100 in
authorization exec local_author
login authentication local_authen
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175105
ntp server 192.231.203.132 prefer
!
webvpn cef
end
This is the statement that is providing NAT to your local networks:
ip nat inside source list 120 interface Dialer0 overload
So it is using ACL 120 to determine which IPs are allowed and denied translation.
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
You will need to add a line for the vlan3 subnet (192.168.0.0) in order for it to be translated. I do not see anything else that references this ACL besides NAT.
ip nat inside source list 120 interface Dialer0 overload
So it is using ACL 120 to determine which IPs are allowed and denied translation.
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
You will need to add a line for the vlan3 subnet (192.168.0.0) in order for it to be translated. I do not see anything else that references this ACL besides NAT.
ASKER
I now have NAT working with connectivity and DNS resolution,the only thing left is the traffic leaking between VLAN's which I find a bit strange.
Performing "sh int fast1 switchport" shows:
glg#sh int fast1 switchport
Name: Fa1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 3 (VLAN0003)
Trunking Native Mode VLAN: 3 (VLAN0003)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 3
Protected: false
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
This all seems fine except im a bit unsure about Trunking All VLAN's being enabled (even though only 3 is active)
The other VLAN's (VLAN 1 on 10.0.0.0 and VLAN 2 on 172.16.1.0) are both reachable but the other odd thing is one of my IP phones is reachable (172.16.1.99). I tried patching it to another switch with no VLAN's setup and it's still reachable (via web interface and ping).
Although as far as I can tell nothing is reachable from that subnet (192.168.0.0) to the other VLAN interfaces (due to ACL's) I would like to have it all air tight before letting customers on the WLAN.
What I find interesting is that a traceroute from the WLAN to a host on the other networks traverses 192.168.0.1 as a hop (I assume its acting as a gateway to the other networks otherwise it wouldn't work due to different subnets)
Performing "sh int fast1 switchport" shows:
glg#sh int fast1 switchport
Name: Fa1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 3 (VLAN0003)
Trunking Native Mode VLAN: 3 (VLAN0003)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 3
Protected: false
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
This all seems fine except im a bit unsure about Trunking All VLAN's being enabled (even though only 3 is active)
The other VLAN's (VLAN 1 on 10.0.0.0 and VLAN 2 on 172.16.1.0) are both reachable but the other odd thing is one of my IP phones is reachable (172.16.1.99). I tried patching it to another switch with no VLAN's setup and it's still reachable (via web interface and ping).
Although as far as I can tell nothing is reachable from that subnet (192.168.0.0) to the other VLAN interfaces (due to ACL's) I would like to have it all air tight before letting customers on the WLAN.
What I find interesting is that a traceroute from the WLAN to a host on the other networks traverses 192.168.0.1 as a hop (I assume its acting as a gateway to the other networks otherwise it wouldn't work due to different subnets)
Will you post an updated sh run please?
ASKER
Building configuration...
Current configuration : 15104 bytes
!
! Last configuration change at 15:27:13 acst Tue Mar 31 2009 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <hostname>
!
boot-start-marker
boot system flash flash:c870-advipservicesk9
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
no logging monitor
enable secret 5 <secret>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication ppp default local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone acst 9 30
clock summer-time ACDT recurring last Sun Oct 2:00 last Sun Mar 3:00
!
crypto pki trustpoint TP-self-signed-762479650
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-762479650
!
!
crypto pki certificate chain TP-self-signed-762479650
certificate self-signed 01
<key>
quit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <key> address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool eblen-customer
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.231.203.132
domain-name customer.business.com
lease infinite
!
!
no ip bootp server
ip domain name business.com
ip name-server 192.231.203.132
ip name-server 192.231.203.3
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
appfw policy-name SDM_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.
server deny name webmessenger.msn.com
audit-trail on
application http
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yaho
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 <password>
username voipadmin privilege 15 secret 5 <password>
archive
log config
hidekeys
!
!
!
class-map match-any WebEmail
match protocol http
match protocol secure-http
match protocol ftp
match protocol smtp
match protocol pop3
class-map match-any VoIP
match protocol h323
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map eblen-voip
class VoIP
priority percent 15
set dscp ef
class WebEmail
bandwidth remaining percent 85
class class-default
fair-queue
!
!
!
!
interface Tunnel0
bandwidth 4000
ip address 10.1.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp cache non-authoritative
no ip split-horizon eigrp 8376
tunnel source Dialer0
tunnel mode gre multipoint
tunnel protection ipsec profile SDM_Profile1
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
description <AP name>
switchport access vlan 3
switchport trunk native vlan 3
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address 10.0.0.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Vlan2
ip address 172.16.1.250 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan3
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description $FW_OUTSIDE$
bandwidth 872
ip address negotiated
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nbar protocol-discovery
ip nat outside
ip inspect SDM_HIGH out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 7 <password>
service-policy output voip
!
router eigrp 8376
network 10.1.0.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.5.0 255.255.255.0 Tunnel0 10.1.0.6
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 172.16.1.25 9991
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.2 25 External IP address2 25 extendable
ip nat inside source static tcp 10.0.0.2 80 External IP address2 80 extendable
ip nat inside source static tcp 10.0.0.2 110 External IP address2 110 extendable
ip nat inside source static tcp 10.0.0.2 443 External IP address2 443 extendable
ip nat inside source static tcp 10.0.0.2 3389 External IP address2 3389 extendable
ip nat inside source static tcp 10.0.0.2 4125 External IP address2 4125 extendable
ip nat inside source static tcp 10.0.0.2 5900 External IP address2 5900 extendable
!
logging trap debugging
logging 172.16.1.25
access-list 1 permit 202.6.145.49
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 deny any
access-list 1 permit 0.0.0.1 255.255.255.0
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip host 150.101.81.146 any
access-list 100 permit ip host 203.122.250.103 any
access-list 100 permit ip host 150.101.243.85 any
access-list 100 permit ip host 150.101.243.87 any
access-list 100 permit ip host 202.6.145.49 any
access-list 100 permit ip host 203.122.227.198 any
access-list 100 permit ip 219.90.128.0 0.0.127.255 any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 121.44.0.0 0.1.255.255 any
access-list 100 permit ip 59.167.0.0 0.0.255.255 any
access-list 100 deny ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 22
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq www
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 443
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq cmd
access-list 101 deny tcp any host 10.0.0.1 eq telnet
access-list 101 deny tcp any host 10.0.0.1 eq 22
access-list 101 deny tcp any host 10.0.0.1 eq www
access-list 101 deny tcp any host 10.0.0.1 eq 443
access-list 101 deny tcp any host 10.0.0.1 eq cmd
access-list 101 deny udp any host 10.0.0.1 eq snmp
access-list 101 deny ip External IP address0 0.0.0.3 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 102 remark SDM_ACL Category=17
access-list 102 permit udp any host External IP address2 eq non500-isakmp
access-list 102 permit udp any host External IP address2 eq isakmp
access-list 102 permit esp any host External IP address2
access-list 102 permit ahp any host External IP address2
access-list 102 permit gre any host External IP address2
access-list 102 permit tcp host 150.101.243.85 eq telnet host External IP address2
access-list 102 permit tcp host 150.101.243.87 eq telnet host External IP address2
access-list 102 permit tcp host 203.122.250.103 eq telnet host External IP address2
access-list 102 permit tcp host 150.101.81.146 eq telnet host External IP address2
access-list 102 permit tcp host 203.166.110.41 range 1700 1710 host External IP address2
access-list 102 permit tcp host 203.166.110.40 range 9100 9505 host External IP address2
access-list 102 permit tcp host 203.25.40.102 eq ftp host External IP address2
access-list 102 permit tcp host 210.50.2.234 eq ftp host External IP address2
access-list 102 permit tcp any host External IP address2 eq telnet
access-list 102 deny tcp any host External IP address2 eq 22
access-list 102 deny tcp any host External IP address2 eq cmd
access-list 102 deny udp any host External IP address2 eq snmp
access-list 102 permit tcp any host External IP address2 eq 5900
access-list 102 permit tcp host 203.122.227.198 host External IP address2 eq 3389
access-list 102 permit tcp any host External IP address2 eq 4125
access-list 102 permit tcp any host External IP address2 eq pop3
access-list 102 permit tcp any host External IP address2 eq www
access-list 102 permit tcp any host External IP address2 eq 443
access-list 102 permit tcp any host External IP address2 eq smtp
access-list 102 permit udp host 192.231.203.132 eq domain host External IP address2
access-list 102 permit udp host 192.231.203.3 eq domain host External IP address2
access-list 102 remark Auto generated by SDM for NTP (123) 192.231.203.132
access-list 102 permit udp host 192.231.203.132 eq ntp host External IP address2 eq ntp
access-list 102 deny ip 10.0.0.0 0.0.0.255 any
access-list 102 permit icmp host 150.101.81.146 host External IP address2 echo
access-list 102 permit icmp host 203.122.234.3 host External IP address2 echo
access-list 102 permit icmp host 203.122.250.103 host External IP address2 echo
access-list 102 permit icmp host 150.101.243.85 host External IP address2 echo
access-list 102 permit icmp host 150.101.243.87 host External IP address2 echo
access-list 102 permit icmp host 203.122.227.198 host External IP address2 echo
access-list 102 permit icmp any host External IP address2 echo-reply
access-list 102 permit icmp any host External IP address2 time-exceeded
access-list 102 permit icmp any host External IP address2 unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 100 in
authorization exec local_author
login authentication local_authen
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175114
ntp server 192.231.203.132 prefer
!
webvpn cef
end
Current configuration : 15104 bytes
!
! Last configuration change at 15:27:13 acst Tue Mar 31 2009 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <hostname>
!
boot-start-marker
boot system flash flash:c870-advipservicesk9
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
no logging monitor
enable secret 5 <secret>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication ppp default local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone acst 9 30
clock summer-time ACDT recurring last Sun Oct 2:00 last Sun Mar 3:00
!
crypto pki trustpoint TP-self-signed-762479650
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-762479650
!
!
crypto pki certificate chain TP-self-signed-762479650
certificate self-signed 01
<key>
quit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <key> address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool eblen-customer
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.231.203.132
domain-name customer.business.com
lease infinite
!
!
no ip bootp server
ip domain name business.com
ip name-server 192.231.203.132
ip name-server 192.231.203.3
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
appfw policy-name SDM_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.
server deny name webmessenger.msn.com
audit-trail on
application http
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yaho
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 <password>
username voipadmin privilege 15 secret 5 <password>
archive
log config
hidekeys
!
!
!
class-map match-any WebEmail
match protocol http
match protocol secure-http
match protocol ftp
match protocol smtp
match protocol pop3
class-map match-any VoIP
match protocol h323
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map eblen-voip
class VoIP
priority percent 15
set dscp ef
class WebEmail
bandwidth remaining percent 85
class class-default
fair-queue
!
!
!
!
interface Tunnel0
bandwidth 4000
ip address 10.1.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp cache non-authoritative
no ip split-horizon eigrp 8376
tunnel source Dialer0
tunnel mode gre multipoint
tunnel protection ipsec profile SDM_Profile1
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
description <AP name>
switchport access vlan 3
switchport trunk native vlan 3
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-
ip address 10.0.0.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Vlan2
ip address 172.16.1.250 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan3
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description $FW_OUTSIDE$
bandwidth 872
ip address negotiated
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nbar protocol-discovery
ip nat outside
ip inspect SDM_HIGH out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 7 <password>
service-policy output voip
!
router eigrp 8376
network 10.1.0.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.5.0 255.255.255.0 Tunnel0 10.1.0.6
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 172.16.1.25 9991
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.2 25 External IP address2 25 extendable
ip nat inside source static tcp 10.0.0.2 80 External IP address2 80 extendable
ip nat inside source static tcp 10.0.0.2 110 External IP address2 110 extendable
ip nat inside source static tcp 10.0.0.2 443 External IP address2 443 extendable
ip nat inside source static tcp 10.0.0.2 3389 External IP address2 3389 extendable
ip nat inside source static tcp 10.0.0.2 4125 External IP address2 4125 extendable
ip nat inside source static tcp 10.0.0.2 5900 External IP address2 5900 extendable
!
logging trap debugging
logging 172.16.1.25
access-list 1 permit 202.6.145.49
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 deny any
access-list 1 permit 0.0.0.1 255.255.255.0
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip host 150.101.81.146 any
access-list 100 permit ip host 203.122.250.103 any
access-list 100 permit ip host 150.101.243.85 any
access-list 100 permit ip host 150.101.243.87 any
access-list 100 permit ip host 202.6.145.49 any
access-list 100 permit ip host 203.122.227.198 any
access-list 100 permit ip 219.90.128.0 0.0.127.255 any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 121.44.0.0 0.1.255.255 any
access-list 100 permit ip 59.167.0.0 0.0.255.255 any
access-list 100 deny ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 22
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq www
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 443
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq cmd
access-list 101 deny tcp any host 10.0.0.1 eq telnet
access-list 101 deny tcp any host 10.0.0.1 eq 22
access-list 101 deny tcp any host 10.0.0.1 eq www
access-list 101 deny tcp any host 10.0.0.1 eq 443
access-list 101 deny tcp any host 10.0.0.1 eq cmd
access-list 101 deny udp any host 10.0.0.1 eq snmp
access-list 101 deny ip External IP address0 0.0.0.3 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 102 remark SDM_ACL Category=17
access-list 102 permit udp any host External IP address2 eq non500-isakmp
access-list 102 permit udp any host External IP address2 eq isakmp
access-list 102 permit esp any host External IP address2
access-list 102 permit ahp any host External IP address2
access-list 102 permit gre any host External IP address2
access-list 102 permit tcp host 150.101.243.85 eq telnet host External IP address2
access-list 102 permit tcp host 150.101.243.87 eq telnet host External IP address2
access-list 102 permit tcp host 203.122.250.103 eq telnet host External IP address2
access-list 102 permit tcp host 150.101.81.146 eq telnet host External IP address2
access-list 102 permit tcp host 203.166.110.41 range 1700 1710 host External IP address2
access-list 102 permit tcp host 203.166.110.40 range 9100 9505 host External IP address2
access-list 102 permit tcp host 203.25.40.102 eq ftp host External IP address2
access-list 102 permit tcp host 210.50.2.234 eq ftp host External IP address2
access-list 102 permit tcp any host External IP address2 eq telnet
access-list 102 deny tcp any host External IP address2 eq 22
access-list 102 deny tcp any host External IP address2 eq cmd
access-list 102 deny udp any host External IP address2 eq snmp
access-list 102 permit tcp any host External IP address2 eq 5900
access-list 102 permit tcp host 203.122.227.198 host External IP address2 eq 3389
access-list 102 permit tcp any host External IP address2 eq 4125
access-list 102 permit tcp any host External IP address2 eq pop3
access-list 102 permit tcp any host External IP address2 eq www
access-list 102 permit tcp any host External IP address2 eq 443
access-list 102 permit tcp any host External IP address2 eq smtp
access-list 102 permit udp host 192.231.203.132 eq domain host External IP address2
access-list 102 permit udp host 192.231.203.3 eq domain host External IP address2
access-list 102 remark Auto generated by SDM for NTP (123) 192.231.203.132
access-list 102 permit udp host 192.231.203.132 eq ntp host External IP address2 eq ntp
access-list 102 deny ip 10.0.0.0 0.0.0.255 any
access-list 102 permit icmp host 150.101.81.146 host External IP address2 echo
access-list 102 permit icmp host 203.122.234.3 host External IP address2 echo
access-list 102 permit icmp host 203.122.250.103 host External IP address2 echo
access-list 102 permit icmp host 150.101.243.85 host External IP address2 echo
access-list 102 permit icmp host 150.101.243.87 host External IP address2 echo
access-list 102 permit icmp host 203.122.227.198 host External IP address2 echo
access-list 102 permit icmp any host External IP address2 echo-reply
access-list 102 permit icmp any host External IP address2 time-exceeded
access-list 102 permit icmp any host External IP address2 unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 120 deny ip 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 120 deny ip 10.1.0.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 100 in
authorization exec local_author
login authentication local_authen
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175114
ntp server 192.231.203.132 prefer
!
webvpn cef
end
Just create a new ACL that denies traffic to all VLANs/subnets and only allows traffic to the internet and apply it to the VLAN3 interface:
access-list 130 deny any 172.16.1.0 255.255.255.0
access-list 130 deny any 10.0.0.0 255.0.0.0
access-list 130 permit any any
int vlan 3
access-group 130 in
This will block all traffic originating on VLAN3 from accessing any subnet on the 172.16.1.0, and any 10.0 subnets, but still allows traffic to get to the internet.
access-list 130 deny any 172.16.1.0 255.255.255.0
access-list 130 deny any 10.0.0.0 255.0.0.0
access-list 130 permit any any
int vlan 3
access-group 130 in
This will block all traffic originating on VLAN3 from accessing any subnet on the 172.16.1.0, and any 10.0 subnets, but still allows traffic to get to the internet.
ASKER
Doesn't that defeat the purpose of the VLAN? (Not that im complaining that's a pretty bulletproof way of stopping it)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Great help and follow through the entire length of the question with easy to understand help and examples.
Thanks, I glade I could help you out.
ASKER
No problem, I'm glad to have learned a lot more about VLAN's through this real world example and in future I'll know what the hell im doing :)
Dear how to configure multipel dhcp in cisco access point and ssid and vlan.
scenireo
I want maintean 5 location 4 location are staff and one location are customer.
i want that 4 location are used as non broadcasting with static ip yaa dhcp also allow.
but customers required broadcasting wihout deny websites with dhcp also required.
i ahve a one managabel swith , one router for inter vlan routing,and one cisco access point and multipel access point as a client.
plz give me answer with in two days.
scenireo
I want maintean 5 location 4 location are staff and one location are customer.
i want that 4 location are used as non broadcasting with static ip yaa dhcp also allow.
but customers required broadcasting wihout deny websites with dhcp also required.
i ahve a one managabel swith , one router for inter vlan routing,and one cisco access point and multipel access point as a client.
plz give me answer with in two days.
The Cisco 1100G will connect to the 2950 via trunk port and then to the 870.
Setup a second SSID on the 1100G with a different IP subnet. Then configure a different encryption key for customer use (something simple so they do not have much issue getting connected or even no encryption, but I do not recommend it).
Also make sure to deny traffic from the customer VLAN to the corporate VLAN on the 870 to insure they do not have access to corporate resources.
Customers will only be able to connect to the customer SSID and not have access to the corporate network