2906 Views, 0 Helpful, 21 Replies

Simple security problem

Gabritex
Level 1

I have this config, but kids with Kali can get into the Aironet and access the admin network. What am I doing wrong? Is there any way to resolve the issue without more hardware?

Router#sh run
Building configuration...
ip dhcp excluded-address 192.168.2.1 192.168.2.2
!
ip dhcp pool STU
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 198.153.192.50 198.153.194.50
 lease 0 2
!
!
ip dhcp pool ADMIN
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.1
 dns-server 8.8.8.8 1.1.1.1
!
!
interface FastEthernet0
 description CONNECTED TO WAN
 switchport access vlan 100
 no ip address
 spanning-tree portfast
 service-policy output p2p-drop
!
interface FastEthernet1
 switchport access vlan 200
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 300
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 switchport trunk native vlan 100
 switchport mode trunk
 no ip address
!
!
interface Vlan100
 description WAN
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface Vlan200
 description LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 service-policy output p2p-drop
!
interface Vlan300
 description LAN_ADMIN
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip default-gateway 192.168.1.254
!
ip nat inside source list 100 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
!
!
end
Router#

21 Replies

Yes, exactly.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hi,

It should be as earlier.

interface Vlan200
description LAN
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
ip nat inside
interface Vlan300
description LAN_ADMIN
ip address 192.168.8.1 255.255.255.0
ip access-group 101 in
ip nat inside
!
ip nat inside source list 102 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 permit ip any any

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

With this, VLAN 200 can't connect to the internet.

interface Vlan200
description LAN
ip address 192.168.2.1 255.255.255.0
ip access-group 101 out
ip nat inside
ip virtual-reassembly in
service-policy output p2p-drop
!
interface Vlan300
description LAN_ADMIN
ip address 192.168.8.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 102 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip any any

Whenever I block access from one VLAN to another, one of them does not have web access!

Hi,

Compare the commands below with your actual config. The interfaces need to apply the ACLs correctly, and so does the NAT ACL.

interface Vlan200
description LAN
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
ip nat inside
interface Vlan300
description LAN_ADMIN
ip address 192.168.8.1 255.255.255.0
ip access-group 101 in
ip nat inside

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

And the ACLs need to be like below.
ip nat inside source list 102 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 permit ip any any
Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
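The two configs in this thread differ only in where the ACL is applied, and that is the whole story. An IOS ACL is stateless and is checked in one direction on one interface: an "in" ACL on Vlan200 sees packets arriving from student hosts (source 192.168.2.x), while an "out" ACL on Vlan200 sees packets leaving the router toward student hosts, whose source is the internet or the admin VLAN. Entries written with source 192.168.2.0/24 therefore never match in the "out" direction, the implicit deny at the end drops every reply, and VLAN 200 loses internet access while the student-to-admin path stays open. The following is an added example, not from the thread or from Cisco: a small Python model of IOS wildcard-mask matching, first-match ACL evaluation with implicit deny, and per-interface in/out binding. It replays both the accepted reply's design and the poster's "out" attempt on the thread's own addresses. The interface names, ACL numbers and subnets are taken from the posts; the flow endpoints (.10 hosts, an arbitrary internet address) are constructed.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks are inverse netmasks: a 1 bit means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One access-list entry: action plus (base, wildcard) for source and destination."""
    action: str
    src: tuple
    dst: tuple


def _parse_spec(tokens, i):
    """Parse one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(config: str) -> dict:
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [Ace, ...]}."""
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only the extended 'ip' form used in the thread is modelled
        src, i = _parse_spec(t, 4)
        dst, _ = _parse_spec(t, i)
        acls.setdefault(int(t[1]), []).append(Ace(t[2], src, dst))
    return acls


def evaluate(aces, src: str, dst: str) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for ace in aces:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"


# LAN subnets from the thread; any other address is treated as reached via the WAN SVI.
INTERFACES = {
    "Vlan200": ipaddress.ip_network("192.168.2.0/24"),
    "Vlan300": ipaddress.ip_network("192.168.8.0/24"),
}


def interface_for(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return "Vlan100"


def forward(acls, bindings, src: str, dst: str) -> str:
    """Run the ingress interface's 'in' ACL, then the egress interface's 'out' ACL.

    Addresses are the inside (private) addresses: IOS un-translates NAT before
    the outbound ACL runs, so an 'out' ACL on a LAN SVI sees the private dst.
    """
    ingress, egress = interface_for(src), interface_for(dst)
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl_num = bindings.get((iface, direction))
        if acl_num is None or acl_num not in acls:
            continue  # no ACL, or an ACL number with no entries: IOS permits all
        if evaluate(acls[acl_num], src, dst) == "deny":
            return "deny"
    return "permit"


# ACL text as posted in the accepted reply (constructed copy for this example).
ACL_TEXT = """
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 permit ip any any
"""
ACLS = parse_acl(ACL_TEXT)

# Accepted design: filter each LAN as its traffic enters the router.
WORKING = {("Vlan200", "in"): 100, ("Vlan300", "in"): 101}
# The poster's attempt: the same student entries, but applied 'out' on Vlan200.
BROKEN = {("Vlan200", "out"): 100}

# Constructed flows; 93.184.216.34 stands in for an arbitrary internet host.
FLOWS = {
    "student_to_admin": ("192.168.2.10", "192.168.8.10"),
    "student_to_internet": ("192.168.2.10", "93.184.216.34"),
    "internet_reply_to_student": ("93.184.216.34", "192.168.2.10"),
    "admin_to_student": ("192.168.8.10", "192.168.2.10"),
}


def check(bindings) -> dict:
    """Decision for each flow under a given set of interface/direction bindings."""
    return {name: forward(ACLS, bindings, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, bindings in (("accepted reply", WORKING), ("poster's 'out' attempt", BROKEN)):
        print(label, check(bindings))
```

With the accepted bindings the model denies student-to-admin and permits both halves of a student internet session; with the "out" binding it permits student-to-admin (nothing filters that path) and denies every packet heading back into VLAN 200. One caveat the thread does not mention: because the deny is stateless, admin-initiated connections to student hosts also fail under the accepted design, since the student's reply packet hits the same deny on its way in. A one-way block needs stateful inspection (reflexive ACLs, CBAC or the zone-based firewall), not a plain ACL.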