11-27-2018 02:40 AM - edited 02-21-2020 08:30 AM
I have this config, but kids with Kali can get into the Aironet and access the admin network. What am I doing wrong? Is there any way to resolve the issue without more hardware?
Router#sh run
Building configuration...
ip dhcp excluded-address 192.168.2.1 192.168.2.2
!
ip dhcp pool STU
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 198.153.192.50 198.153.194.50
lease 0 2
!
!
ip dhcp pool ADMIN
network 192.168.8.0 255.255.255.0
default-router 192.168.8.1
dns-server 8.8.8.8 1.1.1.1
!
!
interface FastEthernet0
description CONNECTED TO WAN
switchport access vlan 100
no ip address
spanning-tree portfast
service-policy output p2p-drop
!
interface FastEthernet1
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 300
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport trunk native vlan 100
switchport mode trunk
no ip address
!
!
interface Vlan100
description WAN
ip address 192.168.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Vlan200
description LAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
service-policy output p2p-drop
!
interface Vlan300
description LAN_ADMIN
ip address 192.168.8.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip default-gateway 192.168.1.254
!
ip nat inside source list 100 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
!
!
end
Router#
11-27-2018 03:16 AM
It's probably more useful to drill into how you have set up security on your wifi network. Can you tell us how it is configured?
Also, please sanitise your config in this post, as it has weak encryption and anyone can decrypt it in 4 seconds flat.
11-27-2018 04:27 AM
Hi, thanks for the reply.
On the wifi I have 2 SSIDs, one with access to VLAN 200 and the second with access to VLAN 300.
11-27-2018 09:11 PM
Hi,
As Dennis mentioned, remove the passwords from your config output, because anyone can decrypt '7' encrypted passwords within 1 second.
For your problem, I suggest creating ACLs on the router and applying them to the interfaces accordingly. See the sample below:
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
Apply this to interface VLAN 300 inbound:
int vlan 300
ip access-group 100 in
Then your 192.168.2.0 range IPs will not be able to access the 192.168.8.0 range IPs which go through the router.
If you have correctly configured the wireless network with the correct VLANs, this should work.
regards,
11-28-2018 02:00 AM
Ok, I will try your suggestion.
But I don't know if I explained it well.
Kids with Kali can gain complete control of the Aironet 1832i and join the Admin wifi without knowing the password, and then scan IPs.
I think that's what's happening.
11-28-2018 02:23 AM
Hi,
I guess then it should be an issue with wireless security. Use highly secure encryption methods such as WPA2 on the wireless SSID, because WEP and WPA keys are crackable; Kali contains a lot of tools which can crack those methods. Also use a strong password without using dictionary words or only letters; use a complex password with symbols, numeric and alpha characters.
regards,
11-29-2018 01:57 AM
Thanks for the reply, but after all the problem is the ACL.
Trying to make one that works.
11-29-2018 01:56 AM
Thanks for the reply.
You are right, the problem is the ACL.
I tried what you suggested and it succeeded: VLAN 200 cannot ping VLAN 300, but VLAN 300 has no internet while VLAN 200 does.
I will try to make an ACL that works, but I am having difficulty with that.
Any more suggestions?
11-29-2018 04:08 AM
Hi,
Can you share the interfaces and ACL part of the configuration?
11-29-2018 06:39 AM
interface FastEthernet0
description CONNECTED TO WAN
switchport access vlan 100
no ip address
spanning-tree portfast
service-policy output p2p-drop
!
interface FastEthernet1
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 300
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport trunk native vlan 100
switchport mode trunk
no ip address
!
interface Vlan1
no ip address
!
interface Vlan100
description WAN
ip address 192.168.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Vlan200
description LAN
ip address 192.168.2.1 255.255.255.0
ip access-group 101 out
ip nat inside
ip virtual-reassembly in
service-policy output p2p-drop
!
interface Vlan300
description LAN_ADMIN
ip address 192.168.8.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
11-29-2018 06:41 AM - edited 11-29-2018 06:41 AM
Now they cannot connect, but VLAN 300 can't access the internet.
11-29-2018 07:02 AM - edited 11-29-2018 07:03 AM
It only works with
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
but from VLAN 200 I can ping VLAN 300.
11-29-2018 07:17 AM - edited 11-29-2018 07:19 AM
Hi, try with the below:
interface Vlan200
description LAN
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
ip nat inside
interface Vlan300
description LAN_ADMIN
ip address 192.168.8.1 255.255.255.0
ip access-group 101 in
ip nat inside
!
!
ip nat inside source list 102 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 permit ip any any
11-29-2018 07:33 AM
No access on any network.
Maybe this is wrong too ---> access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
This access list is to be added to VLAN 300.
11-29-2018 07:42 AM
interface Vlan200
description LAN
ip address 192.168.2.1 255.255.255.0
ip access-group 101 in
ip nat inside
interface Vlan300
description LAN_ADMIN
ip address 192.168.8.1 255.255.255.0
ip access-group 100 in
ip nat inside
!
!
ip nat inside source list 102 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip any any
Maybe?
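The thread turns on one thing that is easy to get wrong with IOS ACLs: an ACL applied `in` on an SVI only sees packets that enter the router from that VLAN, so an entry whose source is 192.168.2.0/24 can never match on Vlan300, and the implicit deny at the end of the list then drops everything, including the replies to pings started from VLAN 200. The following simulator is an added example written for this page; it is not code from any of the posts or from Cisco. It parses the interface and access-list lines the way the thread writes them, evaluates an ACL first-match with the implicit deny, and checks a ping as two packets (request and reply) against the inbound ACL of whichever SVI each one enters on. It then runs the three placements discussed above: ACL 100 inbound on Vlan300 (the 06:39 config), the deny placed inbound on Vlan200 (the 07:17 suggestion), and the same deny placed inbound on Vlan300 (the 07:42 suggestion). Assumptions: NAT, the p2p-drop service-policy and outbound ACLs are left out; the host addresses 192.168.2.50, 192.168.8.10 and 8.8.8.8 used as test traffic are constructed; the WAN side carries no ACL, as in the posted config.

```python
import ipaddress


def ip_int(text):
    """Dotted IPv4 address -> 32-bit int."""
    return int(ipaddress.IPv4Address(text))


def _spec(t, i):
    """Address spec (any | host A | NET WILDCARD) starting at t[i] -> (net, wild, next)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return ip_int(t[i + 1]), 0, i + 2
    return ip_int(t[i]), ip_int(t[i + 1]), i + 2


def parse_config(text):
    """acl number -> [(action, src, wild, dst, wild)]; SVI name -> [subnet, inbound acl number]."""
    acls, svis, cur = {}, {}, None
    for t in (line.split() for line in text.splitlines()):
        if not t:
            continue
        if t[0] == "access-list" and t[3] == "ip":
            src, sw, i = _spec(t, 4)
            dst, dw, _ = _spec(t, i)
            acls.setdefault(int(t[1]), []).append((t[2], src, sw, dst, dw))
        elif t[0] == "interface":
            cur = t[1]
            svis[cur] = [None, None]
        elif t[:2] == ["ip", "address"] and cur:
            svis[cur][0] = ipaddress.IPv4Network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:2] == ["ip", "access-group"] and cur and t[3] == "in":
            svis[cur][1] = int(t[2])   # outbound ACLs are not modelled here
    return acls, svis


def evaluate(acl, src, dst):
    """First matching entry wins; no match is IOS's implicit deny."""
    for action, s, sw, d, dw in acl:   # wildcard bits set to 1 are "don't care"
        if (src & ~sw) == (s & ~sw) and (dst & ~dw) == (d & ~dw):
            return action
    return "deny"


def _passes_inbound(acls, svis, src, dst):
    """Does packet src->dst get past the inbound ACL of the SVI it enters the router on?"""
    for net, acl_no in svis.values():
        if net is not None and ipaddress.IPv4Address(src) in net:
            if acl_no is None or acl_no not in acls:
                return True   # no ACL, or an ACL with no entries: IOS permits all
            return evaluate(acls[acl_no], ip_int(src), ip_int(dst)) == "permit"
    return True   # enters from the WAN side, which carries no ACL in the thread


def reachable(config, src, dst):
    """A ping only 'works' if the request AND the reply each pass the inbound ACL
    of the SVI they enter on; a reply dropped on Vlan300 looks like a failed ping."""
    acls, svis = parse_config(config)
    return _passes_inbound(acls, svis, src, dst) and _passes_inbound(acls, svis, dst, src)


def isolation_report(config):
    """The three questions the thread keeps asking, answered for one config."""
    return {"student_to_admin": reachable(config, "192.168.2.50", "192.168.8.10"),
            "student_to_internet": reachable(config, "192.168.2.50", "8.8.8.8"),
            "admin_to_internet": reachable(config, "192.168.8.10", "8.8.8.8")}


# 06:39 config: ACL 100 inbound on Vlan300, where every packet has a 192.168.8.x source.
ACL_ON_ADMIN_SVI = """
interface Vlan200
 ip address 192.168.2.1 255.255.255.0
interface Vlan300
 ip address 192.168.8.1 255.255.255.0
 ip access-group 100 in
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
"""
# 07:17 suggestion: the deny sits where the student packets enter the router.
DENY_ON_STUDENT_SVI = """
interface Vlan200
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
interface Vlan300
 ip address 192.168.8.1 255.255.255.0
 ip access-group 101 in
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
"""
# 07:42 suggestion: the same deny inbound on Vlan300 never matches a 192.168.8.x source.
DENY_ON_ADMIN_SVI = """
interface Vlan200
 ip address 192.168.2.1 255.255.255.0
 ip access-group 101 in
interface Vlan300
 ip address 192.168.8.1 255.255.255.0
 ip access-group 100 in
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for name in ("ACL_ON_ADMIN_SVI", "DENY_ON_STUDENT_SVI", "DENY_ON_ADMIN_SVI"):
        print(name, isolation_report(globals()[name]))
```

Running it reproduces the symptoms reported in the thread for the 06:39 config (VLAN 200 reaches the internet, VLAN 300 does not, and VLAN 200 to VLAN 300 fails only because the reply is dropped on Vlan300), shows the 07:17 placement giving both VLANs internet while blocking VLAN 200 from VLAN 300, and shows that the 07:42 placement blocks nothing, since its deny entry is on the wrong SVI. One caveat the report also makes visible: these ACLs are stateless, so with the deny on Vlan200 inbound an admin host cannot ping a student host either, because the student's reply hits the same deny; that is usually acceptable for this use case, but it is worth knowing before anyone starts troubleshooting it as a new fault.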