Bardlebee

Cisco 1811 Block Internal IP of another network. How?

Do you guys know how I can block a certain internal IP address from another network from getting into my current one?


My Location External Address: 222.222.222.222
Their Location External Address: 444.444.444.444
Their Location Internal IP address: 192.168.4.150

It is for the router config I posted. They are connected via IPsec VPN, so I am not sure it is possible, because won't the router just see the external IP of the router connection?

How can I block the .150 but allow others onto my 222.222.222.222 network (internally 192.168.2.0)?
The router on their side is NOT a Cisco, and I want to not let them over into my network. That certain IP address, that is.

dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.1 192.168.2.105
ip dhcp excluded-address 192.168.2.200 192.168.2.254
ip dhcp excluded-address 192.168.2.106 192.168.2.115
!
ip dhcp pool 192.168.2.0/24
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 192.168.2.240 192.168.11.220
!
!
ip domain name WGSTSC
ip name-server 192.168.2.240
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$okPG$sSaKRYxgE8z7A/oZYTN9k0
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600

crypto isakmp invalid-spi-recovery
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 no ip address
 ip mtu 1400
 ip tcp adjust-mss 1436
!
interface FastEthernet0
 description OUTSIDE INTERNET CONNECTION
 ip address 222.222.222.222 255.255.255.240
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map vpn
 crypto ipsec df-bit clear
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
 speed 100
!
interface Vlan1
 description INSIDE NETWORK
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 111.111.111.111
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static 192.168.2.240 333.333.333.333
!
logging 67.215.65.132
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 remark SDM_ACL Category=18
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 60001
access-list 102 permit ip 192.168.11.0 0.0.0.255 any
access-list 102 permit ip 66.64.51.0 0.0.0.255 any
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 107 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 109 permit ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
!
!
control-plane
!
banner motd ^CUnauthorized Access Strictly Prohibited!!^C
!
line con 0
 password 7 072E254147075844
 logging synchronous
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 password 7 106F0D140C19534A
 logging synchronous
 login
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
line vty 16
 privilege level 15
 login local
 transport input all
!
end


mwblsz

A few questions:

1. Is this a one-way block, meaning you can visit them but they cannot visit you? Or is it a two-way block, meaning it is blocked both ways?

2. You mentioned that the remote network connects to you by IPsec VPN, but I did not see any VPN set up on your router. So what VPN device do you use?

Sincerely
ASKER CERTIFIED SOLUTION
Jimmy Larsson, CISSP, CEH
SOLUTION
Just put this in your router:
 ip route 192.168.4.150 255.255.255.255 null0

That way traffic from your network can't get back to that IP.
That will effectively kill all traffic to that host which might or might not be the desired result.

/Kvistofta
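An alternative to the null route, added here as an example and not part of any answer in the thread: an extended ACL applied outbound on Vlan1 drops only what 192.168.4.150 sends toward the inside network, and only in that direction, because by the time a packet reaches Vlan1 the crypto map on FastEthernet0 has already decrypted it, so the ACL sees the real source address rather than the peer's public IP. ACL number 120 is an assumption (it is unused in the posted config); the interface names and addresses are the ones posted above.

```cisco
! Added example, not from the thread. ACL 120 is an assumed, unused number;
! interface and address values are taken from the posted configuration.
!
! Optional: let replies come back for TCP sessions that 192.168.2.0/24
! opened toward .150, so the block is one-way (you can reach them, they
! cannot reach you). Remove this line for a full two-way block.
access-list 120 permit tcp host 192.168.4.150 192.168.2.0 0.0.0.255 established
!
! Drop everything else .150 sends toward the inside network and log hits,
! which gives you a counter to confirm the rule is actually matching.
access-list 120 deny   ip host 192.168.4.150 192.168.2.0 0.0.0.255 log
!
! Every other host, including the rest of 192.168.4.0/24, is unaffected.
access-list 120 permit ip any any
!
! Apply outbound on the inside interface: traffic arriving from the VPN
! has already been decrypted at this point, unlike an inbound ACL on
! FastEthernet0, which would only see the encrypted ESP packets.
interface Vlan1
 ip access-group 120 out
```

`show ip access-lists 120` shows per-entry hit counters, so you can verify the deny line is matching before relying on it; unlike the null route, this leaves traffic from 192.168.2.0/24 toward 192.168.4.150 working.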

ASKER

Yeah, I didn't include the whole config, but this is the 222.222.222.222 router that I don't want 192.168.4.150 to get to from 444.444.444.444.

We don't have a Cisco router on their side, but we are purchasing one. So I think I figured out that I will pretty much need to block them before it gets encrypted, like I thought. I didn't think I could block inbound packets through the IPsec, and reconfiguring isn't fun. heh.

Thank you, Kevin, for the tips on security; I am quite new at Cisco IOS when it comes to the CCNA level.