topic Acces-list for VPN in Network Security

Acces-list for VPN (Solved)

bvoit2pimp — Mon, 11 Mar 2019 22:28:14 GMT

Hi,

I'm new to configuring routers en switches of cisco. But I've been able to get a cisco 861 router working with 2 vlan's.

My only problem is to seperate the 2 vlan's so they cannot reach eachother. I banged my head on getting these acces lists to work, but the only thing I've been able to is to not receive a DHCP adress at all, the rest I've tried both vlans where always able to ping eachother.

I'm very confused about how to configure these acces-lists (with the in and out and after all what I've tried its also beginning to confuse me in the source and destination ip)

some info :

Router = Cisco 861

Fastethernet 0 / 1 / 2 / 3 are configure in trunk mode (to switch)

I have 4 switches where VLANs work (port 1 & 2 are VLAN1 , all other ports are VLAN10)

Switch info is :

1 x Cisco SF-200 48 port

3 x Cisco SF-300 24 port

What I want to achieve is :

- Both VLAN's receive their ip by DHCP from the router (so they still need to be able to receive DHCP)

- VLAN1 needs to be able to only connect to 2 ip's on VLAN10 (192.168.1.200 and 192.168.1.201)

- VLAN10 may not reach anything on VLAN1

Can someone help me with this ? its not much but I don't find how to do this.

The acces-lists in the router config atm are totally wrong but it was to test what it did.

Thx in advance 🙂

My router config :

Router#show run

Building configuration...

Current configuration : 2815 bytes

! Last configuration change at 15:11:46 UTC Wed Jan 4 2006

! NVRAM config last updated at 14:01:07 UTC Wed Jan 4 2006

version 15.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname Router

boot-start-marker

boot-end-marker

enable secret 5 $1$B2a.$abguCFXGb79.CGszFLQZf0

no aaa new-model

memory-size iomem 10

crypto pki token default removal timeout 0

crypto pki trustpoint TP-self-signed-1719798455

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1719798455

revocation-check none

rsakeypair TP-self-signed-1719798455

ip dhcp excluded-address 192.168.1.1

ip dhcp excluded-address 192.168.1.200 192.168.1.254

ip dhcp excluded-address 192.168.2.1

ip dhcp excluded-address 192.168.2.200 192.168.2.254

ip dhcp pool vlan10

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 195.130.130.1 195.130.130.129

ip dhcp pool vlan 1

import all

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

dns-server 195.130.130.1 195.130.130.129

ip name-server 195.130.130.129

ip name-server 195.130.130.1

ip name-server 195.130.131.4

no ip cef

license udi pid CISCO861-K9 sn FCZ160390WV

username ben privilege 15 secret 5 $1$DLkn$/cLYXwLSOiLSl5O/hH0Jw0

username ben2 privilege 15 password 0 xxxxxxx

interface FastEthernet0

switchport mode trunk

no ip address

interface FastEthernet1

switchport mode trunk

no ip address

interface FastEthernet2

switchport mode trunk

no ip address

interface FastEthernet3

switchport mode trunk

no ip address

interface FastEthernet4

ip address dhcp

ip nat outside

ip virtual-reassembly in

no ip route-cache

duplex auto

speed auto

interface Vlan1

ip address 192.168.2.1 255.255.255.0

ip access-group 110 out

ip nat inside

ip nat enable

ip virtual-reassembly in

no ip route-cache

interface Vlan10

ip address 192.168.1.1 255.255.255.0

ip access-group 101 in

ip nat inside

ip nat enable

ip virtual-reassembly in

ip forward-protocol nd

ip http server

ip http authentication local

no ip http secure-server

ip nat inside source list 1 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 192.168.40.1 254

ip access-list standard vlan1

deny 192.168.1.0 0.0.0.255

ip access-list standard vlan10

deny 192.168.2.0 0.0.0.255

access-list 1 permit 192.168.2.0 0.0.0.255

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny ip host 192.168.2.2 host 192.168.1.1

access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

line con 0

line aux 0

line vty 0 4

password xxxxxxx

transport input all

end

Re: Acces-list for VPN

Julio Carvajal — Sat, 11 Feb 2012 17:03:17 GMT

Hello Ben,

To acomplish this you will need a stateful firewall ( like ZBFW) or Reflexive ACLS,

I would help you with the reflexive ACL:

ip access-list extended test

permit ip 192.168.2.0 0.0.0.255 host 192.168.1.200 reflect TEST

permit ip 192.168.2.0 0.0.0.255 host 192.168.1.201 reflect TEST

deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 reflect TEST

permit ip any any reflect TEST

ip access-list extended reflexive

evaluate TEST

interface vlan 1

ip access-group test in

ip access-group reflexive out

ip access-list extended Vlan10

deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0 255 reflect

permit ip any any reflect

ip access-list extended reflexive2

evaluate Vlan 10

interface vlan10

ip access-group Vlan10 in

ip access-group reflexive2 out

Please give it a try with that and let me know

Acces-list for VPN

bvoit2pimp — Sun, 12 Feb 2012 21:42:13 GMT

Hi I was able to fix this without the reflexive ACL's.

I did it like this :

interface Vlan1

ip address 192.168.2.1 255.255.255.0

ip access-group inbound in

ip nat inside

ip nat enable

ip virtual-reassembly in

no ip route-cache

interface Vlan10

ip address 192.168.1.1 255.255.255.0

ip access-group inbound10 in

ip nat inside

ip nat enable

ip virtual-reassembly in

ip forward-protocol nd

ip http server

ip http authentication local

no ip http secure-server

ip nat inside source list 1 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 192.168.40.1 254

ip access-list extended inbound

permit ip 192.168.2.0 0.0.0.255 host 192.168.1.5

deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip any any

ip access-list extended inbound10

permit ip host 192.168.1.5 192.168.2.0 0.0.0.255

deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip any any

access-list 1 permit 192.168.2.0 0.0.0.255

access-list 1 permit 192.168.1.0 0.0.0.255

Acces-list for VPN (Solved)

Julio Carvajal — Mon, 13 Feb 2012 01:42:59 GMT

Hello Ben,

Great to know that you could solve it, please mark the question as answered so future users can learn

from your post.

Regards,

Julio