cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3499
Views
0
Helpful
20
Replies

access list issue and ip route

malai.joseph
Level 1
Level 1

Hi

Have cisco router 1921 and 3 cisco switch 3560G

i want to configure the cisco router so as network 192.168.4.0/26,192.168.3.0/26,192.168.2.0/26, all to access internet

R1921(config)# ip nat inside source list 102 int G0/0 overload
R1921(config)# access-list 102 permit ip ?

I am i right to do this below?

R1921(config)# ip route 192.168.4.0/26 10.10.10.2
R1921(config)# ip route 192.168.3.0/26 10.10.10.2
R1921(config)# ip route 192.168.2.0/26 10.10.10.2

kindly assist on access-list and ip route?

thanks all

Jo

11 Accepted Solutions

Accepted Solutions

Latchum Naidu
VIP Alumni
VIP Alumni

Hi Joseph,

Configure like below inorder to get the LAN access to internet.

First of all you need to configure "ip nat outside" on the wan interface (whcih is connected to your ISP) and "ip nat inside" on your LAN interface like below...

interface GigabitEthernet0/0
ip nat outside

interface GigabitEthernet0/1
ip nat inside

Second default route like below in global config mode...

ip route 0.0.0.0 0.0.0.0 123.49.42.162


Third configure the Global NAT statement like below...

ip nat inside source list NAT interface GigabitEthernet0/0 overload

ip access-list extended UNNAT
permit ip 192.168.4.0 0.0.0.63 any
permit ip 192.168.3.0 0.0.0.63 any
permit ip 192.168.2.0 0.0.0.63 any


Please rate the helpfull posts.
Regards,
Naidu.

View solution in original post

Oh...Sorry Joseph, My mistake..

Actually i have not changed the name of the access-list...It is now like below..

Third configure the Global NAT statement like below...
ip nat inside source list NAT interface GigabitEthernet0/0 overload

ip access-list extended NAT
permit ip 192.168.4.0 0.0.0.63 any
permit ip 192.168.3.0 0.0.0.63 any
permit ip 192.168.2.0 0.0.0.63 any


Please rate the helpfull posts.
Regards,
Naidu.

View solution in original post

Hi Joseph,

It seems that you have configured Vlans for the networks 192.168.4.0, 192.168.3.0 and 192.168.2.0 then no need those static routers.


Please click on the correct answer if this answered your question.

Regards,
Naidu.

View solution in original post

Hi Joseph,

It is simple...You need to configure access-lists and applied the access-list under the respective vlan's
Configure the below access lists in the device in which you have configured the Vlans.

192.168.4.0 is a  servers network
192.168.3.0 client network
192.168.2.0client network


interface Vlan10
description Servers network
ip address 192.168.4.1 255.255.255.0

interface Vlan20
description Client1 network
ip address 192.168.3.1 255.255.255.0
ip access-group Client1 in


interface Vlan30
description Client2 network
ip address 192.168.2.1 255.255.255.0
ip access-group Client2 in


ip access-list extended Client1
deny   ip any 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any

ip access-list extended Client2
deny   ip any 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 any


Please click on the correct answer if this answered your question.
Regards,
Naidu.

View solution in original post

Hi Joseph,

Good question.


We have not defined any rules under the Servers VLAN, so by default all traffic will be permit.

Even if you want explicitly want permit or restrict access then you can configure access-list like below.

ip access-list extended Server
permit ip any 192.168.3.0 0.0.0.255
permit ip any 192.168.3.0 0.0.0.255


interface Vlan10
description Servers network
ip address 192.168.4.1 255.255.255.0
ip access-group Server in


And no problem at all you can ask n number of questions, the idea is that you need to be clear about what you are looking for.

Please click on the correct answer if this answered your question.
Regards,
Naidu.

View solution in original post

Hi Joseph,


See the below some security tighten from my point of view.


First of all I would suggest connect your router through ssh and never use telnet untill the router not support ssh.
And define access-list like below saying few networks only should able to login to the router so the other network can not login (I think your router is going to connect internet then this is must)

access-list 26 permit 192.168.2.0 0.0.0.255
access-list 26 permit 192.168.3.0 0.0.0.255
access-list 26 deny any any


line vty 0 4
access-class 26 in
login authentication device
transport input telnet ssh


Regarding the logs you want to see like when any one logged into the router the you need to configure the below commands in the router from global

config mode.

archive
log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys


Please click on the correct answer if this answered your question.
Regards,
Naidu.

View solution in original post

Hi Joseph,

My router is 1921 IOs versio15,i dont know if it support ssh?
I have also have the same router at one of my customer which is managing by me. It will support ssh no doubt about it.
Please use the below commands in global config mode in order to get the ssh enable on the device. Once you enable ssh it wont accept telnet.

Router> enable
Router# config t
Router(config)#
line vty 0 4
access-class 23 in
login authentication device
transport input ssh

how to insert username and password for ssh on router?
Once you set above configure the usernamd and password like below.

Router> enable
Router# config t
Router(config)#
username admin privilege 15 secret 5 ********pwd*********
This you need to use when you connect the device through ssh.


What is this pls transport input telnet ssh?
This will enable the router to accept connections through ssh only.


where logs will be stored and how to check those logs?
Logs will be there on the router buffer. If you want store logs then you need to use any third party syslog server like I am using CiscoWorks for syslog and of course you can use KiwiCat also.

To check the logs on the router.....Use the following command from the exe mode Router#show log ---->This will display the stored logs in the buffer where you can find who logged in and alll.


Hope the above clear and understood.


Please click on the correct answer if this answered your question.
Regards,
Naidu.

View solution in original post

Hi Joseph,

i dont know if it support ssh?

You need a crypto image to support ssh but you can also verify by doing this command: ip ssh ver in global config and if you want to know if a feature is supported by your IOS/architecture just go on Cisco feature navigator site : http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

If your router supports ssh, in order to use it you must:

1) give a hostname to your router with the global config hostname command

2) configure a domain name with the global config ip domain-name command

3) configure a local user with the global config  username xxx  privilege xx secret xxx  command

how to insert username and password for ssh on router?

The 3rd action answers this question

4) generate a  rsa key with the global config  crypto key generate rsa modulus 1024 command

5) optionaly enable ssh version 2 with the global config ip ssh version 2 command

6) on line vty: login local

how to disable telnet?

7) on line vty: transport input ssh

What is this pls transport input telnet ssh? you mean telnet service will be overwrite by ssh

This means you can telnet  to your vty line and also  ssh to it  with the command in 7) you can only ssh to it

Concerning your ACL the deny any any at the end is useless unless you want to log but then you have to add the  log keyword at the end

why these 2 lines ? 

access-list 26 permit 192.168.2.0 0.0.0.63
access-list 26 permit 192.168.3.0 0.0.0.63

For me they are useless as they will never get hit because an ACL is parsed from top to bottom and once a match is done the parsing stops, the 2 first lines will get matched before.

where logs will be stored and how to check those logs?

What do you want to log ? the access with ssh to your router? all access or only failed ones?

The config given below your question is for the archive feature not for authentication logging.

You can log in many places but the best is a syslog server( a free one is tftpd32 for windows) and the command is simple:

logging x.x.x.x where x.x.x.x is the ip address or hostname( if you can resolve to ip) of your syslog server

But first verify logging is enabled with the show log command  and if not then enable it with the global config logging on command

then you can use the logging feature on your  final explicit deny with the log keyword or if you have got  a security IOS you can use this  global command: security  authentication failure rate xx log  which will block for 15 sec after xx attempts and log the attempts.

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

Hi Joseph,

Now my concern is logs on buffer of a router,am afraid it will consume a lot of memory and cause other problem,is'nt?
Yes, me to agree with you...but if nothing available then the only source is the router buffer to analyze the logs for any critical situations.

CiscoWorks and KiwiCat is an hardware or software ?if software how to conf it on window machine or linux?
I have CiscoWorks and I can teach you each and everything about it but it is license based and costly you need to buy it from CiscoWorks and untill you have a large network say 300-400 devices to manage no need this.
I would suggest you to use KiwiCat tools which is low cost and you can get trail version for 30 days.

See the below details for KiwiCat....

You can download this free tool and pay with this. You can just install it in any windows mechine.
http://kiwisyslog.com/kiwi-cattools-overview/


Please click on the correct answer if this answered your question.
Regards,
Naidu.

View solution in original post

Joseph,

tftpd32  is a windows program.

As i said above  to send logs to this server just issue logging x.x.x.x where x.x.x.x is IP address of the machine hosting the syslog service.

I haven't tried on a linux box yet.


Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

Hi Joseph,

Follow the below link will help you.
http://www.hak5.org/forums/index.php?showtopic=13229

Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.

View solution in original post

20 Replies 20

Latchum Naidu
VIP Alumni
VIP Alumni

Hi Joseph,

Configure like below inorder to get the LAN access to internet.

First of all you need to configure "ip nat outside" on the wan interface (whcih is connected to your ISP) and "ip nat inside" on your LAN interface like below...

interface GigabitEthernet0/0
ip nat outside

interface GigabitEthernet0/1
ip nat inside

Second default route like below in global config mode...

ip route 0.0.0.0 0.0.0.0 123.49.42.162


Third configure the Global NAT statement like below...

ip nat inside source list NAT interface GigabitEthernet0/0 overload

ip access-list extended UNNAT
permit ip 192.168.4.0 0.0.0.63 any
permit ip 192.168.3.0 0.0.0.63 any
permit ip 192.168.2.0 0.0.0.63 any


Please rate the helpfull posts.
Regards,
Naidu.

Thanks Naidu

For quickly reply

can i get clear on

ip nat inside source list NAT interface GigabitEthernet0/0 overload

ip access-list extended UNNAT

why you use word NAT and below introduce word UNNAT?,is it arlight?kindly help am new to cisco on extended access list

How about

R1921(config)# ip route 192.168.4.0/26 10.10.10.2
R1921(config)# ip route 192.168.3.0/26 10.10.10.2
R1921(config)# ip route 192.168.2.0/26 10.10.10.2

does not required ?

Joseph

Oh...Sorry Joseph, My mistake..

Actually i have not changed the name of the access-list...It is now like below..

Third configure the Global NAT statement like below...
ip nat inside source list NAT interface GigabitEthernet0/0 overload

ip access-list extended NAT
permit ip 192.168.4.0 0.0.0.63 any
permit ip 192.168.3.0 0.0.0.63 any
permit ip 192.168.2.0 0.0.0.63 any


Please rate the helpfull posts.
Regards,
Naidu.

Thanks naidu,

i convenced this is a true answer..thanks

what about this?

R1921(config)# ip route 192.168.4.0/26 10.10.10.2
R1921(config)# ip route 192.168.3.0/26 10.10.10.2
R1921(config)# ip route 192.168.2.0/26 10.10.10.2

does not required ?i need to know what is this,what it do?

Joseph

Hi Joseph,

It seems that you have configured Vlans for the networks 192.168.4.0, 192.168.3.0 and 192.168.2.0 then no need those static routers.


Please click on the correct answer if this answered your question.

Regards,
Naidu.

Yes Naidu,

I have vlan and network  192.168.4.0 is a  servers network

192.168.3.0 client network

192.168.2.0client network

What need to be done so as
network 192.168.3.0 should not be able to communicate with  192.168.2.0 and viceversa

network 192.168.3.0 and 192.168.2.0 should be able to reach/communicate with 192.168.4.0 and viceversa

thanks for ur support

joseph

Hi Joseph,

It is simple...You need to configure access-lists and applied the access-list under the respective vlan's
Configure the below access lists in the device in which you have configured the Vlans.

192.168.4.0 is a  servers network
192.168.3.0 client network
192.168.2.0client network


interface Vlan10
description Servers network
ip address 192.168.4.1 255.255.255.0

interface Vlan20
description Client1 network
ip address 192.168.3.1 255.255.255.0
ip access-group Client1 in


interface Vlan30
description Client2 network
ip address 192.168.2.1 255.255.255.0
ip access-group Client2 in


ip access-list extended Client1
deny   ip any 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any

ip access-list extended Client2
deny   ip any 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 any


Please click on the correct answer if this answered your question.
Regards,
Naidu.

thanks Naidu,

192.168.4.0 is a  servers network
192.168.3.0 client network
192.168.2.0client network


interface Vlan10
description Servers network
ip address 192.168.4.1 255.255.255.0

interface Vlan20
description Client1 network
ip address 192.168.3.1 255.255.255.0
ip access-group Client1 in


interface Vlan30
description Client2 network
ip address 192.168.2.1 255.255.255.0
ip access-group Client2 in

//hope this will deny all from client2 and permit all from client1
ip access-list extended Client1
deny   ip any 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any

//hope this will deny all from client1 and permit all from client2

ip access-list extended Client2
deny   ip any 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 any

//how about permitting to server to client1 and client2

sorry for asking too much,but you help me a lot

Joseph

Hi Joseph,

Good question.


We have not defined any rules under the Servers VLAN, so by default all traffic will be permit.

Even if you want explicitly want permit or restrict access then you can configure access-list like below.

ip access-list extended Server
permit ip any 192.168.3.0 0.0.0.255
permit ip any 192.168.3.0 0.0.0.255


interface Vlan10
description Servers network
ip address 192.168.4.1 255.255.255.0
ip access-group Server in


And no problem at all you can ask n number of questions, the idea is that you need to be clear about what you are looking for.

Please click on the correct answer if this answered your question.
Regards,
Naidu.

Great job Naidu,

Now i want to have security issue on cisco router1921,what best security implementation can be done?

can i connect to my router with ssh ?and not telnet?what need to be done for this to be on place?

can i have a check of logs that who has try to ssh on my router?how to do that?

thanks very much

joseph

Hi Joseph,


See the below some security tighten from my point of view.


First of all I would suggest connect your router through ssh and never use telnet untill the router not support ssh.
And define access-list like below saying few networks only should able to login to the router so the other network can not login (I think your router is going to connect internet then this is must)

access-list 26 permit 192.168.2.0 0.0.0.255
access-list 26 permit 192.168.3.0 0.0.0.255
access-list 26 deny any any


line vty 0 4
access-class 26 in
login authentication device
transport input telnet ssh


Regarding the logs you want to see like when any one logged into the router the you need to configure the below commands in the router from global

config mode.

archive
log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys


Please click on the correct answer if this answered your question.
Regards,
Naidu.

Thx

My router is 1921 IOs versio15,i dont know if it support ssh?and i accustomed to linux and i know ssh require username and password ,how to insert username and password for ssh on router?and how to disable telnet?

What is this pls transport input telnet ssh? you mean telnet service will be overwrite by ssh?

hope to be this conf on router,that is 192.168.2.0 and 192.168.3.0 network will be able to ssh(you can ssh while u are in this network)
access-list 26 permit 192.168.2.0
access-list 26 permit 192.168.3.0

access-list 26 permit 192.168.2.0 0.0.0.63
access-list 26 permit 192.168.3.0 0.0.0.63
access-list 26 deny any any

line vty 0 4
access-class 26 in
login authentication device
transport input telnet ssh

where logs will be stored and how to check those logs?

config mode.

archive
log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys

Joseph

Hi Joseph,

My router is 1921 IOs versio15,i dont know if it support ssh?
I have also have the same router at one of my customer which is managing by me. It will support ssh no doubt about it.
Please use the below commands in global config mode in order to get the ssh enable on the device. Once you enable ssh it wont accept telnet.

Router> enable
Router# config t
Router(config)#
line vty 0 4
access-class 23 in
login authentication device
transport input ssh

how to insert username and password for ssh on router?
Once you set above configure the usernamd and password like below.

Router> enable
Router# config t
Router(config)#
username admin privilege 15 secret 5 ********pwd*********
This you need to use when you connect the device through ssh.


What is this pls transport input telnet ssh?
This will enable the router to accept connections through ssh only.


where logs will be stored and how to check those logs?
Logs will be there on the router buffer. If you want store logs then you need to use any third party syslog server like I am using CiscoWorks for syslog and of course you can use KiwiCat also.

To check the logs on the router.....Use the following command from the exe mode Router#show log ---->This will display the stored logs in the buffer where you can find who logged in and alll.


Hope the above clear and understood.


Please click on the correct answer if this answered your question.
Regards,
Naidu.

Hi Naidu,

Thanks,The details is clear and suffice.

Now my concern is logs on buffer of a router,am afraid it will consume a lot of memory and cause other problem,is'nt?

CiscoWorks and KiwiCat is an hardware or software ?if software how to conf it on window machine or linux?

CiscoWorks and KiwiCat are Intrusive detective system?can i get to know a,b,c from yours ?and if any?how to make it happens?

I think keeping logs on other place away from router is an ideal...

Thanks

joseph

Review Cisco Networking for a $25 gift card