Hey Guys,
I have a Cisco 871 and have a question about VLAN routing. I currently have two VLANs, one for hardwired clients and one for wireless clients. I have DSL, and right now each VLAN is its network's inside NAT interface, so they both route directly to the Internet. Is there a way to set up my network so that I can create ACLs between the Internet and my VLANs, but not have these ACLs affect inter-VLAN communication?
The way I have it configured now, I can do this by placing ACLs on the Dialer interface, but I'm unable to specify an inside IP address on these ACLs (as the Dialer interface is before NAT).
I hope I make sense. Here is my configuration for reference:
Current configuration : 4554 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname tobyflenderson
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.7.17.0 10.7.17.99
ip dhcp excluded-address 10.7.17.200 10.7.17.255
ip dhcp excluded-address 10.19.86.0 10.19.86.99
ip dhcp excluded-address 10.19.86.200 10.19.86.255
!
ip dhcp pool VLAN10
import all
network 10.7.17.0 255.255.255.0
dns-server 10.7.17.71
domain-name hhsn.net
default-router 10.7.17.1
lease 14
!
ip dhcp pool VLAN20
import all
network 10.19.86.0 255.255.255.0
dns-server 10.7.17.71
domain-name hhsn.net
default-router 10.19.86.1
lease 14
!
!
ip cef
ip domain name hhsn.net
ip name-server 10.7.17.71
ip ddns update method NameCheap
HTTP
add xxxxx
interval maximum 14 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxxx privilege 15 secret 5 xxxxx
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet4
description Link to DSL Modem
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
no ip address
!
interface Vlan10
description Wired LAN
ip address 10.7.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan20
description Wireless LAN
ip address 10.19.86.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description Interface to the Net
ip ddns update NameCheap
ip address negotiated
ip access-group Outside-In in
ip access-group Inside-Out out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxx password xxxxx
ppp ipcp address accept
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.7.17.71 80 interface Dialer1 80
ip nat inside source static tcp 10.7.17.71 5222 interface Dialer1 5222
ip nat inside source static tcp 10.7.17.71 5223 interface Dialer1 5223
ip nat inside source static tcp 10.7.17.71 5269 interface Dialer1 5269
ip nat inside source static tcp 10.7.17.71 22 interface Dialer1 22
ip nat inside source static tcp 10.7.17.71 1723 interface Dialer1 1723
ip nat inside source static tcp 10.7.17.71 443 interface Dialer1 443
ip nat inside source static tcp 10.7.17.90 3074 interface Dialer1 3074
ip nat inside source static udp 10.7.17.90 3074 interface Dialer1 3074
ip nat inside source static udp 10.7.17.90 88 interface Dialer1 88
!
ip access-list extended Inside-Out
permit udp host 10.7.17.71 any eq domain
permit ip any any reflect temp-in timeout 60
ip access-list extended Outside-In
evaluate temp-in
permit tcp any any eq www
permit tcp any any eq 5222
permit tcp any any eq 5223
permit tcp any any eq 5269
permit tcp any any eq 1723
permit tcp any any eq 443
permit tcp any any eq 3074
permit udp any any eq 3074
permit udp any any eq 88
permit tcp any any eq 22
!
access-list 1 permit 10.7.17.0 0.0.0.255
access-list 1 permit 10.19.86.0 0.0.0.255
dialer-list 1 protocol ip list 1
!
!
!
!
!
control-plane
!
banner login ^CC Authorized users ONLY! Terminal sessions are extensively logged. ^C
banner motd ^CCC
Welcome to $(hostname).$(domain), the edge router for the San Jose node of HHSn.
You are currently using vty $(line).
Don't forget to save your changes!
^C
!
line con 0
password 7 xxxxx
no modem enable
transport preferred ssh
transport output all
line aux 0
transport preferred ssh
transport output all
line vty 0 4
password 7 xxxxx
transport preferred ssh
transport input ssh
transport output ssh
!
scheduler max-task-time 5000
end
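One way to get the untranslated (inside) addresses into the filter, as an added example that is not part of the original post: apply an extended ACL inbound on the VLAN interface rather than on Dialer1, because LAN-originated traffic is matched by that inbound ACL before NAT rewrites the source. Interface names and subnets are taken from the configuration above; the choice of which Internet-bound services to allow (web and HTTPS here) and the ACL name are assumptions for illustration, and the inter-VLAN permits come first so the Internet rules never touch VLAN-to-VLAN traffic.

```cisco
! Assumed example: inbound filter for the wireless VLAN (not from the original post)
ip access-list extended VLAN20-IN
 remark -- Router services: DHCP discovery and traffic to the VLAN gateway itself
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 permit ip 10.19.86.0 0.0.0.255 host 10.19.86.1
 remark -- Inter-VLAN traffic (wireless -> wired) is allowed in full, before any Internet rule
 permit ip 10.19.86.0 0.0.0.255 10.7.17.0 0.0.0.255
 remark -- Internet-bound traffic: pre-NAT 10.19.86.x sources are still visible here
 permit tcp 10.19.86.0 0.0.0.255 any eq www
 permit tcp 10.19.86.0 0.0.0.255 any eq 443
 remark -- Everything else from wireless toward the Internet is dropped and logged
 deny ip any any log
!
interface Vlan20
 ip access-group VLAN20-IN in
```

The existing Inside-Out / Outside-In reflexive pair on Dialer1 keeps handling return traffic from the Internet; this ACL only decides which sessions a wireless host may start, so the wired VLAN could get a mirror-image ACL with the 10.7.17.0/24 and 10.19.86.0/24 roles swapped.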