2688 Views, 0 Helpful, 21 Replies

Simple security problem

Gabritex
Level 1

I have this config, but kids with Kali can get into the Aironet and access the admin network. What am I doing wrong? Is there any way to resolve the issue without more hardware?

 

 

Router#sh run
Building configuration...

ip dhcp excluded-address 192.168.2.1 192.168.2.2
!
ip dhcp pool STU
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 198.153.192.50 198.153.194.50
 lease 0 2
!
!
ip dhcp pool ADMIN
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.1
 dns-server 8.8.8.8 1.1.1.1
!
!
interface FastEthernet0
 description CONNECTED TO WAN
 switchport access vlan 100
 no ip address
 spanning-tree portfast
 service-policy output p2p-drop
!
interface FastEthernet1
 switchport access vlan 200
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 300
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 switchport trunk native vlan 100
 switchport mode trunk
 no ip address
!
!
interface Vlan100
 description WAN
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface Vlan200
 description LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 service-policy output p2p-drop
!
interface Vlan300
 description LAN_ADMIN
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip default-gateway 192.168.1.254
!
ip nat inside source list 100 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
!
!
end

Router#

21 Replies

Dennis Mink
VIP Alumni

It's probably more useful to drill into how you have set up security on your wifi network. Can you tell us how it is configured?

 

Also, please sanitise your config in this post, as it has weak encryption and anyone can decrypt it in 4 seconds flat.

 

 

Please remember to rate useful posts, by clicking on the stars below.

Hi, thanks for the reply.

On the wifi I have 2 SSIDs, one with access to VLAN 200 and the second with access to VLAN 300.

Hi,

 

As Dennis mentioned, remove the passwords from your config output, because anyone can decrypt '7' encrypted passwords within 1 second.

 

For your problem, I suggest creating ACLs on the router and applying them to the interfaces accordingly. See the sample below:

 

access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any

Apply this inbound on interface Vlan 300:

int vlan 300
 ip access-group 100 in

 

Then your 192.168.2.0 range IPs will not be able to access 192.168.8.0 range IPs that go through the router.

If you have correctly configured the wireless network with the correct VLANs, this should work.

 

Regards,

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
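Both replies above warn that a pasted `show run` leaks every `password 7` string. To show why, here is an added example (not from this thread and not Cisco code) that decodes and re-encodes IOS type 7 strings with the publicly documented fixed key. The sample config lines are constructed; `0822455D0A16` is the well-known type 7 encoding of `cisco`.

```python
"""Cisco IOS type 7 ('service password-encryption') strings are reversible.

Added example for this thread; it is not Cisco code. The scheme is the
widely documented one: the first two characters are a decimal offset into
a fixed key, and each following pair of hex digits is one password byte
XORed with the key byte at that offset (advancing by one per byte).
"""

# Fixed key of the IOS type 7 scheme (public knowledge, not a secret).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decrypt(encoded):
    """Recover the plaintext of a type 7 string such as '0822455D0A16'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of hex digits")
    offset = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encrypt(plain, seed=8):
    """Produce what IOS would store; XOR is symmetric, so this is the same
    operation as decryption with the seed written out in front."""
    if not 0 <= seed <= 15:  # the seed range IOS itself uses
        raise ValueError("seed must be 0..15")
    data = plain.encode("ascii")
    out = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, b in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


def find_type7_secrets(config_text):
    """Scan a 'show run' dump for 'password 7 <hex>' / 'key 7 <hex>' and
    return [(config line, recovered plaintext), ...]."""
    found = []
    for line in config_text.splitlines():
        t = line.split()
        for i in range(len(t) - 2):
            if t[i] in ("password", "key") and t[i + 1] == "7":
                found.append((line.strip(), type7_decrypt(t[i + 2])))
    return found


# Constructed sample (the thread's config was already sanitised);
# 0822455D0A16 is the well-known type 7 encoding of 'cisco'.
SAMPLE_CONFIG = """\
service password-encryption
username admin password 7 0822455D0A16
line vty 0 4
 password 7 0822455D0A16
"""

if __name__ == "__main__":
    for line, secret in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{line!r} -> {secret!r}")
```

Nothing here needs a wordlist or a GPU: type 7 is a fixed-key XOR, so anyone who reads the post recovers the plaintext at once. Before pasting a config in public, delete or replace every `password 7` and `key 7` line, and for local credentials use `enable secret` / `username ... secret`, which store a hash rather than an encoding (on releases that support it, `algorithm-type scrypt` selects the type 9 hash).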

OK, I will try your suggestion.

But I don't know if I explained it well.

Kids with Kali can gain complete control of the Aironet 1832i and join the admin wifi without knowing the password, and then scan IPs.

I think that's what's happening.

Hi,

I guess, then, it should be an issue with wireless security. Use highly secure encryption methods such as WPA2 on the wireless SSID, because WEP and WPA keys are crackable. Kali contains a lot of tools which can crack those methods. Also use a strong password without dictionary words or only letters; use a complex password with symbols, numeric and alpha characters.

 

Regards,

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Thanks for the reply, but after all, the problem is the ACL.

Trying to make one that works...

Thanks for the reply,

You are right, the problem is the ACL.

I tried what you suggested, and it succeeded: VLAN 200 cannot ping VLAN 300, but VLAN 300 has no Internet and VLAN 200 does.

I will try to make an ACL that works, but I am having difficulty with that.

Any more suggestions?

Hi,

 

Can you share the interfaces and ACL part of the configuration?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

interface FastEthernet0
 description CONNECTED TO WAN
 switchport access vlan 100
 no ip address
 spanning-tree portfast
 service-policy output p2p-drop
!
interface FastEthernet1
 switchport access vlan 200
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 300
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 switchport trunk native vlan 100
 switchport mode trunk
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan100
 description WAN
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface Vlan200
 description LAN
 ip address 192.168.2.1 255.255.255.0
 ip access-group 101 out
 ip nat inside
 ip virtual-reassembly in
 service-policy output p2p-drop
!
interface Vlan300
 description LAN_ADMIN
 ip address 192.168.8.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!

 

Now they cannot connect, but VLAN 300 can't access the Internet.

It only works with

access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.8.0 0.0.0.255 any

but then from VLAN 200 I can ping VLAN 300.

Hi, try with the below:

 

interface Vlan200
 description LAN
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
interface Vlan300
 description LAN_ADMIN
 ip address 192.168.8.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
!
!
ip nat inside source list 102 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 permit ip any any

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

No access on any network.

Maybe this is wrong too ---> access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255

This access list is to be added to VLAN 300:

interface Vlan200
 description LAN
 ip address 192.168.2.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
interface Vlan300
 description LAN_ADMIN
 ip address 192.168.8.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
!
ip nat inside source list 102 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip any any

Maybe?
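The rest of the thread is about which ACL goes where, and the poster's results (VLAN 300 lost the Internet, VLAN 200 could no longer ping VLAN 300) follow directly from how IOS evaluates a numbered ACL. The model below is an added example, not from any post and not Cisco code: it evaluates an inbound SVI ACL the way IOS does (top-down, first match wins, implicit deny at the end), applies the NAT source list, and runs two constructed configs through it, the poster's first attempt (ACL 100 inbound on Vlan300 while the same list 100 still selects NAT sources) and the reply's three-list layout. The one change from the reply is that NAT list 102 is narrowed to the two inside /24s instead of `permit ip any any`; the host addresses 192.168.2.10 and 192.168.8.10 are assumed for illustration.

```python
"""Model of how IOS evaluates the ACLs in this thread.

Added example, not Cisco code and not part of any post. It models two IOS
behaviours: an inbound SVI ACL ('ip access-group N in', top-down, first match
wins, implicit deny at the end) and the NAT source list ('ip nat inside source
list N ...', only permitted sources are translated). Only 'permit|deny ip' entries
with 'any' or address/wildcard targets are parsed, which is all the thread uses.
"""
import ipaddress


def _target(tokens, i):
    """Parse one address target at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> /24
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1]))
    net = f"{tokens[i]}/{ipaddress.IPv4Address(netmask)}"
    return ipaddress.ip_network(net, strict=False), i + 2


def parse_acls(config):
    """{acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _target(t, 4)
        dst, _ = _target(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def acl_permits(entries, src, dst):
    """First match wins; no match is the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def inbound_acl(config, ifname):
    """ACL number applied 'in' under 'interface <ifname>', or None."""
    current = None
    for line in config.splitlines():
        t = line.split()
        if t and t[0] == "interface":
            current = t[1]
        elif current == ifname and t[:2] == ["ip", "access-group"] and t[3] == "in":
            return t[2]
    return None


def nat_source_list(config):
    """ACL number from 'ip nat inside source list N ...', or None."""
    for line in config.splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "list"]:
            return t[5]
    return None


def forward(config, ingress_if, src, dst):
    """Fate of a packet entering on ingress_if: inbound ACL, then NAT list for
    Internet-bound traffic. A referenced ACL with no entries is no filter."""
    acls = parse_acls(config)
    n = inbound_acl(config, ingress_if)
    if n in acls and not acl_permits(acls[n], src, dst):
        return f"dropped by inbound ACL {n} on {ingress_if}"
    if not ipaddress.ip_address(dst).is_private:
        n = nat_source_list(config)
        if n in acls and not acl_permits(acls[n], src, dst):
            return f"not translated: NAT list {n} does not match the source"
    return "forwarded"


def ping_works(config, if_a, a, if_b, b):
    """ACLs are stateless: the echo reply is checked on its own ingress SVI."""
    return (forward(config, if_a, a, b) == "forwarded"
            and forward(config, if_b, b, a) == "forwarded")


# Constructed configs reduced to the lines that matter (SVIs, ACLs, NAT list).
FIRST_ATTEMPT = """\
interface Vlan200
 ip nat inside
interface Vlan300
 ip access-group 100 in
 ip nat inside
ip nat inside source list 100 interface Vlan100 overload
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
"""

# The reply's layout, with NAT list 102 narrowed to the two inside /24s.
SEPARATE_LISTS = """\
interface Vlan200
 ip access-group 100 in
 ip nat inside
interface Vlan300
 ip access-group 101 in
 ip nat inside
ip nat inside source list 102 interface Vlan100 overload
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.8.0 0.0.0.255 any
"""
```

With the first attempt, no 192.168.8.0/24 source ever matches ACL 100, so every packet entering Vlan300 falls through to the implicit deny: VLAN 300 loses the Internet (and the same list 100 would not NAT it anyway), and a ping from VLAN 200 fails too because the echo reply is dropped on Vlan300, which is exactly what the poster reported. With separate lists, both VLANs reach the Internet and VLAN 200 cannot start a session to VLAN 300. The caveat is that VLAN 300 cannot start one to VLAN 200 either, because the return traffic still hits the deny in ACL 100 on Vlan200; to let the admin VLAN initiate TCP sessions to the student VLAN, put `permit tcp 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255 established` ahead of the deny, or use a reflexive ACL or zone-based firewall. None of this helps against a client that joins the admin SSID directly, which is the wireless issue raised earlier in the thread.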
