05-02-2011 03:59 AM - edited 03-04-2019 12:14 PM
Hi
I have a Cisco 1921 router and 3 Cisco 3560G switches.
I want to configure the Cisco router so that the networks 192.168.4.0/26, 192.168.3.0/26 and 192.168.2.0/26 can all access the internet.
R1921(config)# ip nat inside source list 102 int G0/0 overload
R1921(config)# access-list 102 permit ip ?
Am I right to do this below?
R1921(config)# ip route 192.168.4.0 255.255.255.192 10.10.10.2
R1921(config)# ip route 192.168.3.0 255.255.255.192 10.10.10.2
R1921(config)# ip route 192.168.2.0 255.255.255.192 10.10.10.2
Kindly assist on the access-list and ip route?
Thanks all
Jo
05-03-2011 02:08 AM
Hi Joseph,
i dont know if it support ssh?
You need a crypto image to support ssh, but you can also verify by doing this command: ip ssh ver in global config, and if you want to know if a feature is supported by your IOS/architecture just go to the Cisco Feature Navigator site: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
If your router supports ssh, in order to use it you must:
1) give a hostname to your router with the global config hostname command
2) configure a domain name with the global config ip domain-name command
3) configure a local user with the global config username xxx privilege xx secret xxx command
how to insert username and password for ssh on router?
The 3rd action answers this question.
4) generate an RSA key with the global config crypto key generate rsa modulus 1024 command
5) optionally enable ssh version 2 with the global config ip ssh version 2 command
6) on line vty: login local
how to disable telnet?
7) on line vty: transport input ssh
What is this pls transport input telnet ssh? you mean telnet service will be overwrite by ssh
This means you can telnet to your vty line and also ssh to it; with the command in 7) you can only ssh to it.
Concerning your ACL, the deny any any at the end is useless unless you want to log, but then you have to add the log keyword at the end.
why these 2 lines ?
access-list 26 permit 192.168.2.0 0.0.0.63
access-list 26 permit 192.168.3.0 0.0.0.63
For me they are useless as they will never get hit: an ACL is parsed from top to bottom and once a match is done the parsing stops, so the first 2 lines will get matched before.
where logs will be stored and how to check those logs?
What do you want to log? The access with ssh to your router? All access or only failed ones?
The config given below your question is for the archive feature, not for authentication logging.
You can log in many places but the best is a syslog server (a free one is tftpd32 for Windows) and the command is simple:
logging x.x.x.x where x.x.x.x is the IP address or hostname (if you can resolve it to an IP) of your syslog server.
But first verify logging is enabled with the show log command and if not then enable it with the global config logging on command.
Then you can use the logging feature on your final explicit deny with the log keyword, or if you have got a security IOS you can use this global command: security authentication failure rate xx log, which will block for 15 sec after xx attempts and log the attempts.
Regards.
Alain.
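To act on Alain's point about logging failed and successful ssh logins, here is an added Python example (not from the thread or the router) that reads IOS login messages as they appear in show log or on a syslog server. It assumes the router logs login results in the %SEC_LOGIN format (the login on-failure log / login on-success log commands) and the sample lines are constructed for this example.

```python
import re
import ipaddress
from collections import defaultdict

# Networks allowed to reach the vty lines by access-class 26 in the thread.
MGMT_NETS = [ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("192.168.3.0/24")]

# Constructed sample of buffer / syslog content (not a real capture from the thread).
SAMPLE_LOG = """\
May  3 09:58:11.201: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.3.10] [localport: 22] at 09:58:11 UTC Tue May 3 2011
May  3 10:01:02.318: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.2.50] [localport: 22] [Reason: Login Authentication Failed] at 10:01:02 UTC Tue May 3 2011
May  3 10:01:09.522: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.168.2.50] [localport: 22] [Reason: Login Authentication Failed] at 10:01:09 UTC Tue May 3 2011
May  3 10:01:15.004: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.2.50] [localport: 22] [Reason: Login Authentication Failed] at 10:01:15 UTC Tue May 3 2011
May  3 10:02:40.777: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.2.50] [localport: 22] at 10:02:40 UTC Tue May 3 2011
May  3 10:05:00.100: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.20.30.40] [localport: 22] at 10:05:00 UTC Tue May 3 2011
May  3 10:06:12.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.2.50)
"""

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(LOGIN_FAILED|LOGIN_SUCCESS):.*?\[user: ([^\]]*)\] \[Source: ([^\]]+)\]")

def parse_logins(text):
    """Yield (outcome, user, source) for each login event; other messages are skipped."""
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def summarize(text, fail_threshold=3):
    """Per-source counts plus the findings a reviewer of 'show log' would want to see.
    fail_threshold mirrors the xx in 'security authentication failure rate xx log'."""
    stats = defaultdict(lambda: {"failed": 0, "success": 0, "users": set()})
    findings = []
    for outcome, user, src in parse_logins(text):
        s = stats[src]
        s["users"].add(user)
        if outcome == "LOGIN_FAILED":
            s["failed"] += 1
            continue
        s["success"] += 1
        if s["failed"] >= fail_threshold:
            findings.append(f"{src}: success after {s['failed']} failures (possible password guessing)")
        if not any(ipaddress.ip_address(src) in n for n in MGMT_NETS):
            findings.append(f"{src}: login from outside the management networks; check access-class")
    for src, s in stats.items():
        if s["failed"] >= fail_threshold:
            findings.append(f"{src}: {s['failed']} failed logins, users tried: {sorted(s['users'])}")
    return dict(stats), findings

if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG)[1]:
        print(finding)
```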
05-03-2011 06:07 AM
Hi Joseph,
Now my concern is logs in the buffer of a router; I am afraid it will consume a lot of memory and cause other problems, isn't it?
Yes, I too agree with you... but if nothing else is available then the only source is the router buffer to analyze the logs for any critical situations.
Are CiscoWorks and KiwiCat hardware or software? If software, how to configure it on a Windows machine or Linux?
I have CiscoWorks and I can teach you each and everything about it, but it is license based and costly; you need to buy it from Cisco, and until you have a large network, say 300-400 devices to manage, there is no need for this.
I would suggest you use the KiwiCat tools, which are low cost and you can get a trial version for 30 days.
See the below details for KiwiCat....
You can download this free tool and play with it. You can just install it on any Windows machine.
http://kiwisyslog.com/kiwi-cattools-overview/
Please click on the correct answer if this answered your question.
Regards,
Naidu.
05-03-2011 06:35 AM
Joseph,
tftpd32 is a windows program.
As I said above, to send logs to this server just issue logging x.x.x.x where x.x.x.x is the IP address of the machine hosting the syslog service.
I haven't tried on a linux box yet.
Regards.
Alain.
05-04-2011 04:23 AM
Hi Joseph,
Following the below link will help you.
http://www.hak5.org/forums/index.php?showtopic=13229
Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.
05-02-2011 04:22 AM
Hi Joseph,
Configure like below in order to get the LAN access to the internet.
First of all you need to configure "ip nat outside" on the WAN interface (which is connected to your ISP) and "ip nat inside" on your LAN interface like below...
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/1
ip nat inside
Second default route like below in global config mode...
ip route 0.0.0.0 0.0.0.0 123.49.42.162
Third configure the Global NAT statement like below...
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip access-list extended UNNAT
permit ip 192.168.4.0 0.0.0.63 any
permit ip 192.168.3.0 0.0.0.63 any
permit ip 192.168.2.0 0.0.0.63 any
Please rate the helpful posts.
Regards,
Naidu.
05-02-2011 04:57 AM
Thanks Naidu
for the quick reply.
Can I get clear on
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip access-list extended UNNAT
Why do you use the word NAT and below introduce the word UNNAT? Is it alright? Kindly help, I am new to Cisco extended access lists.
How about
R1921(config)# ip route 192.168.4.0 255.255.255.192 10.10.10.2
R1921(config)# ip route 192.168.3.0 255.255.255.192 10.10.10.2
R1921(config)# ip route 192.168.2.0 255.255.255.192 10.10.10.2
Are these not required?
Joseph
05-02-2011 05:14 AM
Oh... Sorry Joseph, my mistake.
Actually I had not changed the name of the access-list... It is now like below.
Third configure the Global NAT statement like below...
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip access-list extended NAT
permit ip 192.168.4.0 0.0.0.63 any
permit ip 192.168.3.0 0.0.0.63 any
permit ip 192.168.2.0 0.0.0.63 any
Please rate the helpful posts.
Regards,
Naidu.
05-02-2011 05:31 AM
Thanks Naidu,
I am convinced this is a true answer... thanks.
what about this?
R1921(config)# ip route 192.168.4.0 255.255.255.192 10.10.10.2
R1921(config)# ip route 192.168.3.0 255.255.255.192 10.10.10.2
R1921(config)# ip route 192.168.2.0 255.255.255.192 10.10.10.2
Are these not required? I need to know what this is and what it does.
Joseph
05-02-2011 05:40 AM
Hi Joseph,
It seems that you have configured VLANs for the networks 192.168.4.0, 192.168.3.0 and 192.168.2.0, so there is no need for those static routes.
Please click on the correct answer if this answered your question.
Regards,
Naidu.
05-02-2011 06:00 AM
Yes Naidu,
I have VLANs and network 192.168.4.0 is a servers network
192.168.3.0 client network
192.168.2.0 client network
What needs to be done so that
network 192.168.3.0 should not be able to communicate with 192.168.2.0 and vice versa
networks 192.168.3.0 and 192.168.2.0 should be able to reach/communicate with 192.168.4.0 and vice versa
Thanks for your support
joseph
05-02-2011 06:55 AM
Hi Joseph,
It is simple... You need to configure access-lists and apply the access-lists under the respective VLANs.
Configure the below access lists on the device on which you have configured the VLANs.
192.168.4.0 is a servers network
192.168.3.0 client network
192.168.2.0 client network
interface Vlan10
description Servers network
ip address 192.168.4.1 255.255.255.0
interface Vlan20
description Client1 network
ip address 192.168.3.1 255.255.255.0
ip access-group Client1 in
interface Vlan30
description Client2 network
ip address 192.168.2.1 255.255.255.0
ip access-group Client2 in
ip access-list extended Client1
deny ip any 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any
ip access-list extended Client2
deny ip any 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
Please click on the correct answer if this answered your question.
Regards,
Naidu.
05-02-2011 11:34 PM
thanks Naidu,
192.168.4.0 is a servers network
192.168.3.0 client network
192.168.2.0 client network
interface Vlan10
description Servers network
ip address 192.168.4.1 255.255.255.0
interface Vlan20
description Client1 network
ip address 192.168.3.1 255.255.255.0
ip access-group Client1 in
interface Vlan30
description Client2 network
ip address 192.168.2.1 255.255.255.0
ip access-group Client2 in
//hope this will deny all from client2 and permit all from client1
ip access-list extended Client1
deny ip any 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any
//hope this will deny all from client1 and permit all from client2
ip access-list extended Client2
deny ip any 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
//how about permitting to server to client1 and client2
sorry for asking too much,but you help me a lot
Joseph
05-02-2011 11:46 PM
Hi Joseph,
Good question.
We have not defined any rules under the Servers VLAN, so by default all traffic will be permitted.
If you want to explicitly permit or restrict access then you can configure an access-list like below.
ip access-list extended Server
permit ip any 192.168.3.0 0.0.0.255
permit ip any 192.168.2.0 0.0.0.255
interface Vlan10
description Servers network
ip address 192.168.4.1 255.255.255.0
ip access-group Server in
And no problem at all, you can ask any number of questions; the idea is that you need to be clear about what you are looking for.
Please click on the correct answer if this answered your question.
Regards,
Naidu.
05-03-2011 12:42 AM
Great job Naidu,
Now I want to look at security issues on the Cisco router 1921; what best security implementation can be done?
Can I connect to my router with ssh and not telnet? What needs to be done for this to be in place?
Can I have a check of logs of who has tried to ssh to my router? How to do that?
thanks very much
joseph
05-03-2011 12:52 AM
Hi Joseph,
See below some security tightening from my point of view.
First of all I would suggest connecting to your router through ssh and never using telnet unless the router does not support ssh.
And define an access-list like below saying only a few networks should be able to log in to the router, so the other networks cannot log in (I think your router is going to connect to the internet, then this is a must).
access-list 26 permit 192.168.2.0 0.0.0.255
access-list 26 permit 192.168.3.0 0.0.0.255
access-list 26 deny any
line vty 0 4
access-class 26 in
login authentication device
transport input telnet ssh
Regarding the logs you want to see, like when anyone logged into the router, you need to configure the below commands on the router from global config mode.
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
Please click on the correct answer if this answered your question.
Regards,
Naidu.
05-03-2011 01:28 AM
Thx
My router is a 1921, IOS version 15; I don't know if it supports ssh? And I am accustomed to Linux and I know ssh requires a username and password. How to insert a username and password for ssh on the router? And how to disable telnet?
What is this please: transport input telnet ssh? You mean the telnet service will be overwritten by ssh?
I hope this conf on the router means that the 192.168.2.0 and 192.168.3.0 networks will be able to ssh (you can ssh while you are in this network)
access-list 26 permit 192.168.2.0
access-list 26 permit 192.168.3.0
access-list 26 permit 192.168.2.0 0.0.0.63
access-list 26 permit 192.168.3.0 0.0.0.63
access-list 26 deny any
line vty 0 4
access-class 26 in
login authentication device
transport input telnet ssh
where logs will be stored and how to check those logs?
config mode.
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
Joseph
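To check how the lists in this thread actually behave (top-down first match, implicit deny, and entries that can never be hit), here is an added Python model of IOS wildcard-mask matching; it is example code written for this thread, not router code. It loads Naidu's Client1/Client2 lists and the vty list 26 as drafted with the extra /26 lines, and reports which entries are dead.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "any" or "address wildcard-mask"
    dst: str      # "any" or "address wildcard-mask" (standard ACLs: always "any")

def _parse(spec):
    """Turn an IOS address spec into (base bits, wildcard); 1 bits in the wildcard are ignored."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    base, wild = spec.split()
    w = int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(base)) & ~w & 0xFFFFFFFF, w

def matches(spec, ip):
    base, w = _parse(spec)
    return (int(ipaddress.IPv4Address(ip)) & ~w & 0xFFFFFFFF) == base

def covers(outer, inner):
    """True when every address that matches `inner` also matches `outer`."""
    bo, wo = _parse(outer)
    bi, wi = _parse(inner)
    return (wi & ~wo & 0xFFFFFFFF) == 0 and (bi & ~wo & 0xFFFFFFFF) == bo

def evaluate(acl, src, dst="0.0.0.0"):
    """First match wins, top to bottom. Returns (action, index); index None is the implicit deny."""
    for i, ace in enumerate(acl):
        if matches(ace.src, src) and matches(ace.dst, dst):
            return ace.action, i
    return "deny", None

def shadowed(acl):
    """Indices of entries that can never be hit because an earlier entry already covers them."""
    return [j for j, ace in enumerate(acl)
            if any(covers(e.src, ace.src) and covers(e.dst, ace.dst) for e in acl[:j])]

# The two inter-VLAN lists from the thread (applied inbound on Vlan20 / Vlan30).
CLIENT1 = [Ace("deny", "any", "192.168.2.0 0.0.0.255"),
           Ace("permit", "192.168.3.0 0.0.0.255", "any")]
CLIENT2 = [Ace("deny", "any", "192.168.3.0 0.0.0.255"),
           Ace("permit", "192.168.2.0 0.0.0.255", "any")]

# The vty access-class list as drafted: /24 lines, then the /26 lines, then an explicit deny.
VTY_26 = [Ace("permit", "192.168.2.0 0.0.0.255", "any"),
          Ace("permit", "192.168.3.0 0.0.0.255", "any"),
          Ace("permit", "192.168.2.0 0.0.0.63", "any"),
          Ace("permit", "192.168.3.0 0.0.0.63", "any"),
          Ace("deny", "any", "any")]

if __name__ == "__main__":
    print(evaluate(CLIENT1, "192.168.3.10", "192.168.2.10"))  # ('deny', 0): client1 -> client2 blocked
    print(evaluate(CLIENT1, "192.168.3.10", "192.168.4.5"))   # ('permit', 1): client1 -> servers allowed
    print(evaluate(CLIENT1, "10.9.9.9", "192.168.4.5"))       # ('deny', None): spoofed source, implicit deny
    print(shadowed(VTY_26))                                   # [2, 3]: the /26 lines are dead
    print(evaluate(VTY_26, "8.8.8.8"))                        # ('deny', 4): same result as the implicit deny
```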
05-03-2011 01:59 AM
Hi Joseph,
My router is a 1921, IOS version 15; I don't know if it supports ssh?
I also have the same router at one of my customers, which is managed by me. It will support ssh, no doubt about it.
Please use the below commands in global config mode in order to get ssh enabled on the device. Once you enable ssh it won't accept telnet.
Router> enable
Router# config t
Router(config)#
line vty 0 4
access-class 26 in
login authentication device
transport input ssh
how to insert username and password for ssh on router?
Once you have set the above, configure the username and password like below.
Router> enable
Router# config t
Router(config)#
username admin privilege 15 secret 5 ********pwd*********
This you need to use when you connect the device through ssh.
What is this pls transport input telnet ssh?
This will enable the router to accept connections through ssh only.
where logs will be stored and how to check those logs?
Logs will be there in the router buffer. If you want to store logs then you need to use a third party syslog server; I am using CiscoWorks for syslog, and of course you can use KiwiCat also.
To check the logs on the router, use the following command from exec mode: Router#show log ----> This will display the stored logs in the buffer, where you can find who logged in and all.
Hope the above is clear and understood.
Please click on the correct answer if this answered your question.
Regards,
Naidu.
05-03-2011 05:50 AM
Hi Naidu,
Thanks, the details are clear and sufficient.
Now my concern is logs in the buffer of a router; I am afraid it will consume a lot of memory and cause other problems, isn't it?
Are CiscoWorks and KiwiCat hardware or software? If software, how to configure it on a Windows machine or Linux?
Are CiscoWorks and KiwiCat intrusion detection systems? Can I get to know a, b, c from yours? And if any, how to make it happen?
I think keeping logs in another place away from the router is ideal...
Thanks
joseph