techbnjcomp asked:
Cisco NAT Issue with Each LAN/Inside having traffic blocked between them while allowing them Internet Access

All Cisco Gurus,

I have a Cisco 3825 router with a 24 port Ethernet Switch in it.   Port G0/1 has a private LAN on it with address space of 10.0.0.0/24.  Port G2/0 has a private LAN on it with address space of 192.168.20.0/24.  Both of these are "IP NAT INSIDE" interfaces.  Then I have the IP NAT OUTSIDE interface of port G0/0 which has public routable ip address on it.

I have the router doing NAT overload just fine from each of the inside interfaces. The problem is that I need for each of the inside LAN networks (G0/1 and G2/0) to not see each other. It would be great if G0/1 could see G2/0 but not the other way around, but suitable would be for neither of them to see each other. Of course I need the internet to not allow anyone in to G0/1 or G2/0 except for the statics I have predefined. How do I keep G2/0 from pinging or seeing G0/1? I tried putting an ACL on G2/0 that blocked anything going to 10.0.0.0/24, but that blocked both ways, at least as far as ICMP. I know I read somewhere how to keep the LANs from seeing each other but have tried about 100 different ways and it still lets them see each other or blocks NAT from working. I almost believe it is not NAT that is letting them see each other but it is just routing between interfaces. I am just not sure, which is why I am here to enlist someone a lot better than I on Cisco. Below is a picture of what I just have described.

      G0/1                         G2/0
  10.0.0.0/24                192.168.20.0/24
       |                            |
 __________________________________________
|                                          |
|               Cisco 3825                 |
|__________________________________________|
                     |
                   G0/0
               97.64.140.2
                     |
         ISP gateway of 97.64.140.1


Current Config of Cisco 3825

!
version 12.4
ip source-route
ip cef
!
!
ip name-server 97.64.183.162
ip name-server 97.64.209.35
no ipv6 cef
!
multilink bundle-name authenticated
!
interface GigabitEthernet0/0
 description outside interface
 ip address 97.64.140.7 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description inside interface
 ip address 10.0.0.6 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet2/0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 97.64.140.1
no ip http server
no ip http secure-server
!
ip nat pool officepool 97.64.140.7 97.64.140.7 netmask 255.255.255.248
ip nat inside source static tcp 10.0.0.100 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 10.0.0.100 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.0.0.100 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.0.0.100 987 interface GigabitEthernet0/0 987
ip nat inside source static tcp 10.0.0.100 3389 interface GigabitEthernet0/0 3389
ip nat inside source list 10 pool officepool overload
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.0.255
control-plane
!
Don Johnston:

Here's one way:

! Standard ACLs match on source address only.
! ACL 66 drops packets sourced from the 192.168.20.0/24 network.
access-list 66 deny 192.168.20.0 0.0.0.255
access-list 66 permit any
!
! ACL 67 drops packets sourced from the 10.0.0.0/24 network.
access-list 67 deny 10.0.0.0 0.0.0.255
access-list 67 permit any
!
! ACLs are bound to an interface with "ip access-group", not "ip access-list".
int g0/1
 ip access-group 66 out
!
int g2/0
 ip access-group 67 out


SOLUTION by BBRazz (content available to members only)
I didn't notice the uni-directional requirement.

A reflexive ACL would accomplish that.

Depending on the type of traffic, an extended ACL using the "established" variable could also.
techbnjcomp (asker):
donjohnston... your solution is one I have tried in many configurations and it denies traffic from both LANs. I do need the 10 network to be able to reach the 192 network but not the other way around.

BBRAZ..... I never heard of reflexive ACLs, so I am going to have to study them to see if I can figure them out and if they will work.
What type of traffic is going from the 10 to the 192 network?
From the 10 to the 192 it will mostly be remote desktop, telnet, SSH, ports 80, 443, 8080.
Still trying to figure out these reflexive ACLs.
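The two approaches named in the thread (a reflexive ACL, or an extended ACL with the "established" keyword) both give the one-way behaviour the asker describes: sessions opened from 10.0.0.0/24 toward 192.168.20.0/24 succeed, while anything the 192 network initiates toward the 10 network is dropped and its Internet traffic still passes through NAT. The configuration below is an added example written for this page, not something posted in the thread; the ACL names (LAN10-TO-LAN20, LAN20-IN, LAN20-IN-ESTABLISHED, the reflexive list LAN10-SESSIONS) and the timeout values are choices made here. It is placed on G2/0 because a packet from the 10 network to the 192 network leaves the router on G2/0 (outbound) and its reply arrives on G2/0 (inbound), so those two directions are where the state is recorded and checked.

```cisco
! Added example (not from the thread). ACL names and timeouts are assumptions.
!
! --- Option 1: reflexive ACL (works for TCP, UDP and ICMP) ---
!
! Applied OUTBOUND on G2/0, i.e. to packets leaving toward 192.168.20.0/24.
! "reflect" records every session opened from the 10 network in the temporary
! list LAN10-SESSIONS so the matching return traffic can be allowed back in.
ip access-list extended LAN10-TO-LAN20
 permit tcp 10.0.0.0 0.0.0.255 192.168.20.0 0.0.0.255 reflect LAN10-SESSIONS timeout 300
 permit udp 10.0.0.0 0.0.0.255 192.168.20.0 0.0.0.255 reflect LAN10-SESSIONS timeout 60
 permit icmp 10.0.0.0 0.0.0.255 192.168.20.0 0.0.0.255 reflect LAN10-SESSIONS timeout 30
 permit ip any any
!
! Applied INBOUND on G2/0, i.e. to packets arriving from 192.168.20.0/24.
! "evaluate" admits only replies to sessions the 10 network opened; the deny
! then drops everything else the 192 network sends toward the 10 network.
! The final permit keeps Internet-bound traffic (and NAT overload) working.
ip access-list extended LAN20-IN
 evaluate LAN10-SESSIONS
 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet2/0
 ip access-group LAN10-TO-LAN20 out
 ip access-group LAN20-IN in
!
! --- Option 2: "established" keyword (TCP only) ---
!
! Stateless alternative: "established" matches TCP segments with the ACK or
! RST bit set, so a SYN from the 192 network (a new connection) is dropped
! while replies to connections opened from the 10 network pass. Apply this
! list on G2/0 inbound INSTEAD of LAN20-IN; no outbound list is needed.
! ICMP echo replies are not TCP, so ping from 10 to 192 will not work with
! this variant; the asker's traffic (RDP, telnet, SSH, 80/443/8080) is all TCP.
ip access-list extended LAN20-IN-ESTABLISHED
 permit tcp 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255 established
 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip any any
```

To check that the reflexive variant is doing what it should, open a connection from a 10.0.0.0/24 host to a 192.168.20.0/24 host and run `show ip access-lists LAN10-SESSIONS`: a temporary entry for that session should appear and then age out after the timeout. Reflexive ACLs require named extended ACLs, which is why the numbered standard lists from earlier in the thread cannot express this; the "established" variant is cheaper on the router but trusts the ACK bit, so it only distinguishes new TCP connections from replies and says nothing about UDP or ICMP.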
ASKER CERTIFIED SOLUTION (content available to members only)
Guys, I have not had time to get this done and it is not fair to leave you guys hanging. I am going to accept both solutions, as I am thinking once I have time to look into them both of them will work. Thank you guys for your patience.