https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3753419#M32483 <P>I have this config but kids with Kali can enter in the Aironet and access admin network. What im doing wrong? Is any way of resolve issue withou more hardware?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Router#sh run</P> <P>Building configuration...</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>ip dhcp excluded-address 192.168.2.1 192.168.2.2</P> <P>!</P> <P>ip dhcp pool STU</P> <P>&nbsp;network 192.168.2.0 255.255.255.0</P> <P>&nbsp;default-router 192.168.2.1</P> <P>&nbsp;dns-server 198.153.192.50 198.153.194.50</P> <P>&nbsp;lease 0 2</P> <P>!</P> <P>!</P> <P>ip dhcp pool ADMIN</P> <P>&nbsp;network 192.168.8.0 255.255.255.0</P> <P>&nbsp;default-router 192.168.8.1</P> <P>&nbsp;dns-server 8.8.8.8 1.1.1.1</P> <P>!</P> <P>!</P> <P>interface FastEthernet0</P> <P>&nbsp;description CONNECTED TO WAN</P> <P>&nbsp;switchport access vlan 100</P> <P>&nbsp;no ip address</P> <P>&nbsp;spanning-tree portfast</P> <P>&nbsp;service-policy output p2p-drop</P> <P>!</P> <P>interface FastEthernet1</P> <P>&nbsp;switchport access vlan 200</P> <P>&nbsp;no ip address</P> <P>&nbsp;spanning-tree portfast</P> <P>!</P> <P>interface FastEthernet2</P> <P>&nbsp;switchport access vlan 300</P> <P>&nbsp;no ip address</P> <P>&nbsp;spanning-tree portfast</P> <P>!</P> <P>interface FastEthernet3</P> <P>&nbsp;switchport trunk native vlan 100</P> <P>&nbsp;switchport mode trunk</P> <P>&nbsp;no ip address</P> <P>!</P> <P>&nbsp;</P> <P>!</P> <P>interface Vlan100</P> <P>&nbsp;description WAN</P> <P>&nbsp;ip address 192.168.1.1 255.255.255.0</P> <P>&nbsp;ip nat outside</P> <P>&nbsp;ip virtual-reassembly in</P> <P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P> <P>interface Vlan200</P> <P>&nbsp;description LAN</P> <P>&nbsp;ip address 192.168.2.1 255.255.255.0</P> <P>&nbsp;ip nat inside</P> <P>&nbsp;ip virtual-reassembly in</P> <P>&nbsp;service-policy output p2p-drop</P> <P>!</P> <P>interface Vlan300</P> <P>&nbsp;description LAN_ADMIN</P> <P>&nbsp;ip address 192.168.8.1 255.255.255.0</P> <P>&nbsp;ip nat inside</P> <P>&nbsp;ip virtual-reassembly in</P> <P>!</P> <P>ip default-gateway 192.168.1.254</P> <P>&nbsp;</P> <P>!</P> <P>ip nat inside source list 100 interface Vlan100 overload</P> <P>ip route 0.0.0.0 0.0.0.0 192.168.1.254</P> <P>!</P> <P>!</P> <P>access-list 100 permit ip 192.168.2.0 0.0.0.255 any</P> <P>access-list 100 permit ip 192.168.8.0 0.0.0.255 any</P> <P>!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>!</P> <P>end</P> <P>&nbsp;</P> <P>Router#</P> Fri, 21 Feb 2020 16:30:30 GMT Gabritex 2020-02-21T16:30:30Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3753419#M32483 <P>I have this config but kids with Kali can enter in the Aironet and access admin network. What im doing wrong? Is any way of resolve issue withou more hardware?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Router#sh run</P> <P>Building configuration...</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>ip dhcp excluded-address 192.168.2.1 192.168.2.2</P> <P>!</P> <P>ip dhcp pool STU</P> <P>&nbsp;network 192.168.2.0 255.255.255.0</P> <P>&nbsp;default-router 192.168.2.1</P> <P>&nbsp;dns-server 198.153.192.50 198.153.194.50</P> <P>&nbsp;lease 0 2</P> <P>!</P> <P>!</P> <P>ip dhcp pool ADMIN</P> <P>&nbsp;network 192.168.8.0 255.255.255.0</P> <P>&nbsp;default-router 192.168.8.1</P> <P>&nbsp;dns-server 8.8.8.8 1.1.1.1</P> <P>!</P> <P>!</P> <P>interface FastEthernet0</P> <P>&nbsp;description CONNECTED TO WAN</P> <P>&nbsp;switchport access vlan 100</P> <P>&nbsp;no ip address</P> <P>&nbsp;spanning-tree portfast</P> <P>&nbsp;service-policy output p2p-drop</P> <P>!</P> <P>interface FastEthernet1</P> <P>&nbsp;switchport access vlan 200</P> <P>&nbsp;no ip address</P> <P>&nbsp;spanning-tree portfast</P> <P>!</P> <P>interface FastEthernet2</P> <P>&nbsp;switchport access vlan 300</P> <P>&nbsp;no ip address</P> <P>&nbsp;spanning-tree portfast</P> <P>!</P> <P>interface FastEthernet3</P> <P>&nbsp;switchport trunk native vlan 100</P> <P>&nbsp;switchport mode trunk</P> <P>&nbsp;no ip address</P> <P>!</P> <P>&nbsp;</P> <P>!</P> <P>interface Vlan100</P> <P>&nbsp;description WAN</P> <P>&nbsp;ip address 192.168.1.1 255.255.255.0</P> <P>&nbsp;ip nat outside</P> <P>&nbsp;ip virtual-reassembly in</P> <P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P> <P>interface Vlan200</P> <P>&nbsp;description LAN</P> <P>&nbsp;ip address 192.168.2.1 255.255.255.0</P> <P>&nbsp;ip nat inside</P> <P>&nbsp;ip virtual-reassembly in</P> <P>&nbsp;service-policy output p2p-drop</P> <P>!</P> <P>interface Vlan300</P> <P>&nbsp;description LAN_ADMIN</P> <P>&nbsp;ip address 192.168.8.1 255.255.255.0</P> <P>&nbsp;ip nat inside</P> <P>&nbsp;ip virtual-reassembly in</P> <P>!</P> <P>ip default-gateway 192.168.1.254</P> <P>&nbsp;</P> <P>!</P> <P>ip nat inside source list 100 interface Vlan100 overload</P> <P>ip route 0.0.0.0 0.0.0.0 192.168.1.254</P> <P>!</P> <P>!</P> <P>access-list 100 permit ip 192.168.2.0 0.0.0.255 any</P> <P>access-list 100 permit ip 192.168.8.0 0.0.0.255 any</P> <P>!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>!</P> <P>end</P> <P>&nbsp;</P> <P>Router#</P> Fri, 21 Feb 2020 16:30:30 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3753419#M32483 Gabritex 2020-02-21T16:30:30Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3753446#M32484 <P>its probably more usefull to drill into who you have setup security on your wifi network. can you tell us how it is configured?</P> <P>&nbsp;</P> <P>also, please sanitise your config in this post, as it has weak encyption and anyone can decrypt it in 4 seconds flat.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 27 Nov 2018 11:16:03 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3753446#M32484 Dennis Mink 2018-11-27T11:16:03Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3753486#M32485 <P>hi, thanks for reply.</P> <P>&nbsp;</P> <P>In the wifi i have 2 ssid, one with access vlan 200 and SECOND with acces to vlan 300..</P> Tue, 27 Nov 2018 12:27:53 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3753486#M32485 Gabritex 2018-11-27T12:27:53Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3754068#M32486 <P>Hi,</P> <P>&nbsp;</P> <P>As dennis mentioned, remove the passwords from your config output because anyone can decrypt '7' encrypted passwords within 1 second.</P> <P>&nbsp;</P> <P>for your problem, i am suggesting to create ACLs in router and apply to interfaces accordingly.&nbsp; find below for sample,</P> <P>&nbsp;</P> <P><FONT face="courier new,courier"><SPAN>access-list 100&nbsp;den ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255</SPAN></FONT></P> <P><FONT face="courier new,courier"><SPAN>access-list 100 permit ip 192.168.2.0 0.0.0.255 any</SPAN></FONT></P> <P>&nbsp;</P> <P>apply this to interface 300 for in side</P> <P><FONT face="courier new,courier">int vlan 300</FONT></P> <P><FONT face="courier new,courier">ip access-g 100 in</FONT></P> <P>&nbsp;</P> <P><FONT face="helvetica">then your 192.168.2.0 range IPs will not be able to access 192.168.8.0 range IPs. which going through the router.&nbsp;</FONT></P> <P>&nbsp;</P> <P><FONT face="helvetica">if you have correctly&nbsp;configured wireless network with correct VLANs, this should work.</FONT></P> <P>&nbsp;</P> <P><FONT face="helvetica">regards,</FONT></P> Wed, 28 Nov 2018 05:11:39 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3754068#M32486 Kasun Bandara 2018-11-28T05:11:39Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3754218#M32487 <P>Ok, i will try your sugestion.</P> <P>&nbsp;</P> <P>But i dont now if i explained well.</P> <P>&nbsp;</P> <P>kids with kali can gain complete control of aironet 1832i and join Admin wifi without knowing the password.. And them Scann IP.</P> <P>&nbsp;</P> <P><SPAN>I think that's what's happening.</SPAN></P> Wed, 28 Nov 2018 10:00:16 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3754218#M32487 Gabritex 2018-11-28T10:00:16Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3754227#M32488 <P>Hi,</P> <P>i guess, then it should be issue with wireless security. use high secured encryption methods such as WAP2 in wireless SSID. becasue WEP and WPA keys are crackable. KALI contains lot of tools which can crack those methods. also use strong password without using dictionary word or only letters. use some complex password with symbols, numeric and alpha characters.</P> <P>&nbsp;</P> <P>regards,</P> Wed, 28 Nov 2018 10:23:15 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3754227#M32488 Kasun Bandara 2018-11-28T10:23:15Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755007#M32489 <P>Thanks for the reply,</P> <P>&nbsp;</P> <P>You are right, the problem are the ACL.</P> <P>&nbsp;</P> <P>I tryed to do what you sugested and succes vlan 200 cannot ping vlan 300 but vlan 300 as no internet and vlan 200 have.</P> <P>&nbsp;</P> <P>I will try to make ACL that waorks but having dificulty with that.&nbsp;</P> <P>&nbsp;</P> <P>Any sugestion more???</P> Thu, 29 Nov 2018 09:56:11 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755007#M32489 Gabritex 2018-11-29T09:56:11Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755009#M32490 <P>thanks for the reply but after all the problem are the ACL.</P> <P>&nbsp;</P> <P>Trying to make one that work..</P> Thu, 29 Nov 2018 09:57:12 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755009#M32490 Gabritex 2018-11-29T09:57:12Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755071#M32491 <P>Hi,</P> <P>&nbsp;</P> <P>can you share the Interfaces and ACL part of the configuration?</P> Thu, 29 Nov 2018 12:08:38 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755071#M32491 Kasun Bandara 2018-11-29T12:08:38Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755168#M32492 <P class="p1"><SPAN class="s1">interface FastEthernet0</SPAN></P> <P class="p1"><SPAN class="s1"> description CONNECTED TO WAN</SPAN></P> <P class="p1"><SPAN class="s1"> switchport access vlan 100</SPAN></P> <P class="p1"><SPAN class="s1"> no ip address</SPAN></P> <P class="p1"><SPAN class="s1"> spanning-tree portfast</SPAN></P> <P class="p1"><SPAN class="s1"> service-policy output p2p-drop</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">interface FastEthernet1</SPAN></P> <P class="p1"><SPAN class="s1"> switchport access vlan 200</SPAN></P> <P class="p1"><SPAN class="s1"> no ip address</SPAN></P> <P class="p1"><SPAN class="s1"> spanning-tree portfast</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">interface FastEthernet2</SPAN></P> <P class="p1"><SPAN class="s1"> switchport access vlan 300</SPAN></P> <P class="p1"><SPAN class="s1"> no ip address</SPAN></P> <P class="p1"><SPAN class="s1"> spanning-tree portfast</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">interface FastEthernet3</SPAN></P> <P class="p1"><SPAN class="s1"> switchport trunk native vlan 100</SPAN></P> <P class="p1"><SPAN class="s1"> switchport mode trunk</SPAN></P> <P class="p1"><SPAN class="s1"> no ip address</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">interface Vlan1</SPAN></P> <P class="p1"><SPAN class="s1"> no ip address</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">interface Vlan100</SPAN></P> <P class="p1"><SPAN class="s1"> description WAN</SPAN></P> <P class="p1"><SPAN class="s1"> ip address 192.168.1.1 255.255.255.0</SPAN></P> <P class="p1"><SPAN class="s1"> ip nat outside</SPAN></P> <P class="p1"><SPAN class="s1"> ip virtual-reassembly in</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">interface Vlan200</SPAN></P> <P class="p1"><SPAN class="s1"> description LAN</SPAN></P> <P class="p1"><SPAN class="s1"> ip address 192.168.2.1 255.255.255.0</SPAN></P> <P class="p1"><SPAN class="s1"> ip access-group 101 out</SPAN></P> <P class="p1"><SPAN class="s1"> ip nat inside</SPAN></P> <P class="p1"><SPAN class="s1"> ip virtual-reassembly in</SPAN></P> <P class="p1"><SPAN class="s1"> service-policy output p2p-drop</SPAN></P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">interface Vlan300</SPAN></P> <P class="p1"><SPAN class="s1"> description LAN_ADMIN</SPAN></P> <P class="p1"><SPAN class="s1"> ip address 192.168.8.1 255.255.255.0</SPAN></P> <P class="p1"><SPAN class="s1"> ip access-group 100 in</SPAN></P> <P class="p1"><SPAN class="s1"> ip nat inside</SPAN></P> <P class="p1"><SPAN class="s1"> ip virtual-reassembly in</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">ip default-gateway 192.168.1.254</SPAN></P> <P class="p1"><SPAN class="s1">ip forward-protocol nd</SPAN></P> <P class="p1"><SPAN class="s1">no ip http server</SPAN></P> <P class="p1"><SPAN class="s1">no ip http secure-server</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">ip nat inside source list 100 interface Vlan100 overload</SPAN></P> <P class="p1"><SPAN class="s1">ip route 0.0.0.0 0.0.0.0 192.168.1.254</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">access-list 100 deny <SPAN class="Apple-converted-space">&nbsp; </SPAN>ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255</SPAN></P> <P class="p1"><SPAN class="s1">access-list 100 permit ip 192.168.2.0 0.0.0.255 any</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1">&nbsp;</P> Thu, 29 Nov 2018 14:39:02 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755168#M32492 Gabritex 2018-11-29T14:39:02Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755170#M32493 <P>Now they cannot connect but one vlan 300 cant access internet.</P> Thu, 29 Nov 2018 14:41:56 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755170#M32493 Gabritex 2018-11-29T14:41:56Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755194#M32494 <P>only works with&nbsp;</P> <P>&nbsp;</P> <P class="p1">access-list 100 permit ip 192.168.2.0 0.0.0.255 any</P> <P class="p1">access-list 100 permit ip 192.168.8.0 0.0.0.255 any</P> <P class="p1">&nbsp;</P> <P class="p1">but from vlan 200 can ping vlan 300</P> Thu, 29 Nov 2018 15:03:13 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755194#M32494 Gabritex 2018-11-29T15:03:13Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755208#M32495 <P>Hi try with below,</P> <P>&nbsp;</P> <P class="p1">interface Vlan200<BR />description LAN<BR />ip address 192.168.2.1 255.255.255.0<BR />ip access-group 100 in<BR />ip nat inside<BR />interface Vlan300<BR />description LAN_ADMIN<BR />ip address 192.168.8.1 255.255.255.0<BR />ip access-group 101 in<BR />ip nat inside<BR />!<BR />!<BR />ip nat inside source list 102 interface Vlan100 overload<BR />ip route 0.0.0.0 0.0.0.0 192.168.1.254<BR />!<BR />access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255<BR />access-list 100 permit ip 192.168.2.0 0.0.0.255 any<BR />access-list 101 permit ip 192.168.8.0 0.0.0.255 any<BR />access-list 102 permit ip any any</P> Thu, 29 Nov 2018 15:19:19 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755208#M32495 Kasun Bandara 2018-11-29T15:19:19Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755226#M32496 <P>no access on any network,</P> <P>&nbsp;</P> <P>maybe this is wrong too---&gt;&nbsp;<SPAN>access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255</SPAN></P> <P>&nbsp;</P> <P><SPAN>this access</SPAN><SPAN> list is to add to vlan 300</SPAN></P> <P>&nbsp;</P> Thu, 29 Nov 2018 15:33:48 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755226#M32496 Gabritex 2018-11-29T15:33:48Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755237#M32497 <P class="p1"><SPAN class="s1">interface Vlan200<BR /> description LAN<BR /> ip address 192.168.2.1 255.255.255.0<BR /> ip access-group 101 in<BR /> ip nat inside<BR /> interface Vlan300<BR /> description LAN_ADMIN<BR /> ip address 192.168.8.1 255.255.255.0<BR /> ip access-group 100 in<BR /> ip nat inside<BR /> !<BR /> !<BR /> ip nat inside source list 102 interface Vlan100 overload<BR /> ip route 0.0.0.0 0.0.0.0 192.168.1.254<BR /> !<BR /> access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255<BR /> access-list 100 permit ip 192.168.8.0 0.0.0.255 any<BR /> access-list 101 permit ip 192.168.2.0 0.0.0.255 any<BR /> access-list 102 permit ip any any</SPAN></P> <P class="p1">&nbsp;</P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">maybe?</SPAN></P> Thu, 29 Nov 2018 15:42:08 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755237#M32497 Gabritex 2018-11-29T15:42:08Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755263#M32498 <P>yes exactly.</P> Thu, 29 Nov 2018 16:08:59 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755263#M32498 Kasun Bandara 2018-11-29T16:08:59Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755265#M32499 Yes Exactly Thu, 29 Nov 2018 16:10:23 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755265#M32499 Kasun Bandara 2018-11-29T16:10:23Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755267#M32500 <P>Hi,</P> <P>&nbsp;</P> <P>it should be as earlier.</P> <P>&nbsp;</P> <P>interface Vlan200<BR />description LAN<BR />ip address 192.168.2.1 255.255.255.0<BR />ip access-group 100 in<BR />ip nat inside<BR />interface Vlan300<BR />description LAN_ADMIN<BR />ip address 192.168.8.1 255.255.255.0<BR />ip access-group 101 in<BR />ip nat inside<BR />!<BR />ip nat inside source list 102 interface Vlan100 overload<BR />ip route 0.0.0.0 0.0.0.0 192.168.1.254<BR />!<BR />access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255<BR />access-list 100 permit ip 192.168.2.0 0.0.0.255 any<BR />access-list 101 permit ip 192.168.8.0 0.0.0.255 any<BR />access-list 102 permit ip any any</P> Thu, 29 Nov 2018 16:13:10 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755267#M32500 Kasun Bandara 2018-11-29T16:13:10Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755272#M32501 <P class="p1">&nbsp;</P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">with this Vlan 200&nbsp;cant connect to internet</SPAN></P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">interface Vlan200</SPAN></P> <P class="p1"><SPAN class="s1">description LAN</SPAN></P> <P class="p1"><SPAN class="s1">ip address 192.168.2.1 255.255.255.0</SPAN></P> <P class="p1"><SPAN class="s1">ip access-group 101 out</SPAN></P> <P class="p1"><SPAN class="s1">ip nat inside</SPAN></P> <P class="p1"><SPAN class="s1">ip virtual-reassembly in</SPAN></P> <P class="p1"><SPAN class="s1">service-policy output p2p-drop</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">interface Vlan300</SPAN></P> <P class="p1"><SPAN class="s1">description LAN_ADMIN</SPAN></P> <P class="p1"><SPAN class="s1">ip address 192.168.8.1 255.255.255.0</SPAN></P> <P class="p1"><SPAN class="s1">ip access-group 100 in</SPAN></P> <P class="p1"><SPAN class="s1">ip nat inside</SPAN></P> <P class="p1"><SPAN class="s1">ip virtual-reassembly in</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">ip default-gateway 192.168.1.254</SPAN></P> <P class="p1"><SPAN class="s1">ip forward-protocol nd</SPAN></P> <P class="p1"><SPAN class="s1">no ip http server</SPAN></P> <P class="p1"><SPAN class="s1">no ip http secure-server</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">ip nat inside source list 102 interface Vlan100 overload</SPAN></P> <P class="p1"><SPAN class="s1">ip route 0.0.0.0 0.0.0.0 192.168.1.254</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">!</SPAN></P> <P class="p1"><SPAN class="s1">access-list 101 deny<SPAN>&nbsp;</SPAN><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255</SPAN></P> <P class="p1"><SPAN class="s1">access-list 101 permit ip 192.168.2.0 0.0.0.255 any</SPAN></P> <P class="p1"><SPAN class="s1">access-list 102 permit ip any any</SPAN></P> Thu, 29 Nov 2018 16:16:39 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755272#M32501 Gabritex 2018-11-29T16:16:39Z https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755298#M32502 <P>whenever I block access from one&nbsp;vlan to another,&nbsp;one&nbsp;of them do not have web access!!!!</P> Thu, 29 Nov 2018 16:36:57 GMT https://community.cisco.com/t5/network-security/simple-security-problem/m-p/3755298#M32502 Gabritex 2018-11-29T16:36:57Z