11-27-2018 02:40 AM - edited 02-21-2020 08:30 AM
I have this config, but kids with Kali can enter the Aironet and access the admin network. What am I doing wrong? Is there any way of resolving the issue without more hardware?
Router#sh run
Building configuration...
ip dhcp excluded-address 192.168.2.1 192.168.2.2
!
ip dhcp pool STU
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 198.153.192.50 198.153.194.50
lease 0 2
!
!
ip dhcp pool ADMIN
network 192.168.8.0 255.255.255.0
default-router 192.168.8.1
dns-server 8.8.8.8 1.1.1.1
!
!
interface FastEthernet0
description CONNECTED TO WAN
switchport access vlan 100
no ip address
spanning-tree portfast
service-policy output p2p-drop
!
interface FastEthernet1
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 300
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport trunk native vlan 100
switchport mode trunk
no ip address
!
!
interface Vlan100
description WAN
ip address 192.168.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Vlan200
description LAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
service-policy output p2p-drop
!
interface Vlan300
description LAN_ADMIN
ip address 192.168.8.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip default-gateway 192.168.1.254
!
ip nat inside source list 100 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
!
!
end
Router#
11-29-2018 08:08 AM
Yes, exactly.
11-29-2018 08:10 AM
11-29-2018 08:13 AM
Hi,
It should be as earlier.
interface Vlan200
description LAN
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
ip nat inside
interface Vlan300
description LAN_ADMIN
ip address 192.168.8.1 255.255.255.0
ip access-group 101 in
ip nat inside
!
ip nat inside source list 102 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 permit ip any any
11-29-2018 08:15 AM - edited 11-29-2018 08:16 AM
With this, Vlan 200 can't connect to the internet.
interface Vlan200
description LAN
ip address 192.168.2.1 255.255.255.0
ip access-group 101 out
ip nat inside
ip virtual-reassembly in
service-policy output p2p-drop
!
interface Vlan300
description LAN_ADMIN
ip address 192.168.8.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 102 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip any any
11-29-2018 08:36 AM
Whenever I block access from one VLAN to another, one of them does not have web access!!!!
11-29-2018 07:33 PM
Hi,
Compare the commands below with your actual commands. The interfaces need to apply the ACLs correctly, and also the NAT ACL.
interface Vlan200
description LAN
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
ip nat inside
interface Vlan300
description LAN_ADMIN
ip address 192.168.8.1 255.255.255.0
ip access-group 101 in
ip nat inside
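Why `ip access-group 101 out` on Vlan200 cut off internet access while `ip access-group 100 in` does not, as an added example (not code from any poster in this thread): a small first-match ACL evaluator run over the ACL entries quoted above. The host addresses 192.168.2.10, 192.168.8.10 and 203.0.113.5 are constructed samples, and the model assumes a reply has already been translated back to the student's address by NAT when it leaves Vlan200.

```python
import ipaddress

# ACL entries copied from the thread; the host addresses are constructed samples.
ACLS_TEXT = """
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
"""
STUDENT, ADMIN, INTERNET = "192.168.2.10", "192.168.8.10", "203.0.113.5"

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acls(text):
    """Parse 'access-list N permit|deny ip <src> <dst>' lines into {N: [entries]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        number, action, rest, specs = tok[1], tok[2], tok[4:], []
        while rest:
            if rest[0] == "any":            # 'any' = wildcard mask of all ones
                specs.append((0, 0xFFFFFFFF)); rest = rest[1:]
            else:                           # address followed by its wildcard mask
                specs.append((to_int(rest[0]), to_int(rest[1]))); rest = rest[2:]
        acls.setdefault(number, []).append((action, specs[0], specs[1]))
    return acls

def matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF           # wildcard bits set to 1 are ignored
    return (to_int(addr) & care) == (base & care)

def evaluate(acl, src, dst):
    for action, src_spec, dst_spec in acl:  # first matching entry wins
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action
    return "deny"                           # implicit deny that ends every ACL

def vlan200_verdicts(acl, direction):
    """Verdict at interface Vlan200 for three packets, given the ACL's direction."""
    packets = {   # name: (src, dst, direction in which the packet crosses Vlan200)
        "student->internet": (STUDENT, INTERNET, "in"),
        "internet->student reply": (INTERNET, STUDENT, "out"),
        "student->admin": (STUDENT, ADMIN, "in"),
    }
    return {name: evaluate(acl, s, d) if crossing == direction else "not filtered"
            for name, (s, d, crossing) in packets.items()}

if __name__ == "__main__":
    acls = parse_acls(ACLS_TEXT)
    print("access-group 100 in :", vlan200_verdicts(acls["100"], "in"))
    print("access-group 101 out:", vlan200_verdicts(acls["101"], "out"))
```

Applied outbound, the ACL only sees packets destined for the students, and none of those has a 192.168.2.0/24 source, so every reply falls through to the implicit deny while the student-to-admin request is never checked at this interface.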
11-29-2018 07:34 PM