04-24-2019 06:56 AM
Hi All,
So I'm doing a new test config on a Cisco 881 Router.
I have created four IP subnet pools and four interface VLANs (1, 10, 20, 30) with IP addresses so the router knows what subnet is what. The problem is that I can't seem to put an access-list on any of the ports that will be going to a switch. The interface VLAN-10 lets me put an access list onto it to block telnet and SSH, but it just keeps working. It does not do anything at all.
What I'm trying to do is only have one management subnet within VLAN 1 that is not going to be NATted to the WAN side.
Has anyone come across this before? Any help would be appreciated.
ip source-route
!
ip dhcp excluded-address 192.168.100.0 192.168.100.9
ip dhcp excluded-address 192.168.100.64 192.168.100.69
ip dhcp excluded-address 192.168.100.128 192.168.100.139
ip dhcp excluded-address 192.168.100.192 192.168.100.200
!
ip dhcp pool VLAN-1
network 192.168.100.0 255.255.255.192
default-router 192.168.100.1
dns-server 8.8.8.8
lease 3
!
ip dhcp pool VLAN-10
network 192.168.100.64 255.255.255.192
default-router 192.168.100.65
dns-server 8.8.8.8
lease 3
!
ip dhcp pool VLAN-20
network 192.168.100.128 255.255.255.192
default-router 192.168.100.129
dns-server 8.8.8.8
lease 3
!
ip dhcp pool VLAN-30
network 192.168.100.192 255.255.255.192
dns-server 8.8.8.8
default-router 192.168.100.193
lease 3
!
!
interface FastEthernet0
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.100.1 255.255.255.192
!
interface Vlan10
ip address 192.168.100.65 255.255.255.192
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
ip address 192.168.100.129 255.255.255.192
ip nat inside
ip virtual-reassembly in
!
interface Vlan30
ip address 192.168.100.193 255.255.255.192
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
!
logging esm config
access-list 1 permit any
access-list 100 deny tcp host 192.168.100.65 eq 22 any
access-list 100 deny tcp host 192.168.100.65 eq telnet any
access-list 100 permit ip any any
!
!
line con 0
exec-timeout 60 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 60 0
logging synchronous
login local
transport input all
!
end
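Added example, not part of the original post: a minimal first-match evaluator for the three ACL 100 lines above, run against a constructed SSH packet from a VLAN 10 client (192.168.100.70 is an assumed DHCP lease). The `REWRITTEN` list is an assumed alternative with the router address and port in the destination position; it is not from the thread.

```python
import ipaddress

PORTS = {"telnet": 23}  # IOS port keyword used in the ACL above

# ACL 100 exactly as posted, applied "in" on Vlan10.
POSTED = [
    "access-list 100 deny tcp host 192.168.100.65 eq 22 any",
    "access-list 100 deny tcp host 192.168.100.65 eq telnet any",
    "access-list 100 permit ip any any",
]
# Assumed rewrite (not from the thread): router address and port as destination.
REWRITTEN = [
    "access-list 100 deny tcp any host 192.168.100.65 eq 22",
    "access-list 100 deny tcp any host 192.168.100.65 eq telnet",
    "access-list 100 permit ip any any",
]

def endpoint(tok):
    """Parse 'any' or 'host A.B.C.D', then an optional 'eq PORT'."""
    if tok[0] == "any":
        net, tok = ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    else:  # 'host A.B.C.D' is the only other form used here
        net, tok = ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    port = None
    if tok and tok[0] == "eq":
        port, tok = PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return net, port, tok

def evaluate(acl, pkt):
    """Return (action, matching line) using first-match-wins ordering."""
    for line in acl:
        action, proto, *rest = line.split()[2:]  # drop 'access-list 100'
        src, sport, rest = endpoint(rest)  # source comes first in an ACE
        dst, dport, rest = endpoint(rest)  # destination comes second
        if (proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in src
                and ipaddress.ip_address(pkt["dst"]) in dst
                and sport in (None, pkt["sport"])
                and dport in (None, pkt["dport"])):
            return action, line
    return "deny", "implicit deny"

# Constructed packet: a VLAN 10 client opening SSH to the router's Vlan10 address.
SSH_IN = {"proto": "tcp", "src": "192.168.100.70", "sport": 50000,
          "dst": "192.168.100.65", "dport": 22}

if __name__ == "__main__":
    print(evaluate(POSTED, SSH_IN))
    print(evaluate(REWRITTEN, SSH_IN))
```

The posted deny lines match only packets whose source is 192.168.100.65 with source port 22 or 23, so the client packet falls through to `permit ip any any`.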
04-24-2019 07:25 AM