12-20-2023 03:42 PM
Hello
I run PiHole as a LOCAL DNS Server as well as DNS [WAN] in General. Currently my DHCP Server is handing out IPs and is also using 192.168.5.115 as DNS, as it is PiHole. With dividing up my network into VLANs, thus creating other Networks, can I still use 192.168.5.115 on, let's say, 192.168.2.0/192.168.3.0 etc.? Port 53 will obviously be open to these Subnets. I was just curious if it would work.
12-22-2023 05:21 PM
Unfortunately it is a little chopped, as I have been trying everything.
Here is the running-config
: Serial Number: JAD2537040H
: Hardware: FPR-1010, 2587 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
NGFW Version 7.4.1
!
hostname FPR1010
enable password ***** encrypted
strong-encryption-disable
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
!
interface Vlan1
nameif inside
security-level 0
ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
nameif fbeye
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
nameif fhc
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Vlan4
nameif ceyea
security-level 0
ip address 192.168.3.1 255.255.255.0
!
interface Vlan5
nameif proxmox
security-level 0
ip address 192.168.4.1 255.255.255.0
!
interface Vlan6
nameif 177
security-level 0
ip address 192.168.6.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
pppoe client vpdn group HomeDSL
ip address pppoe setroute
!
interface Ethernet1/2
switchport
no security-level
!
interface Ethernet1/3
switchport
switchport access vlan 2
no security-level
!
interface Ethernet1/4
switchport
switchport access vlan 3
no security-level
!
interface Ethernet1/5
switchport
switchport access vlan 4
no security-level
!
interface Ethernet1/6
switchport
switchport access vlan 5
no security-level
!
interface Ethernet1/7
switchport
switchport access vlan 6
power inline never
no security-level
!
interface Ethernet1/8
switchport
power inline auto
no security-level
!
interface Management1/1
management-only
nameif management
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group CiscoUmbrellaDNSServerGroup
name-server 208.67.222.222
name-server 208.67.220.220
name-server 2620:119:35::35
dns server-group Google
name-server 8.8.8.8
name-server 1.1.1.1
name-server 8.8.4.4
dns-group Google
no object-group-search access-control
object network fhc_lan
subnet 192.168.2.0 255.255.255.0
object network 177_lan
subnet 192.168.6.0 255.255.255.0
object network OMV
host 192.168.2.181
object network any-ipv6
subnet ::/0
object network IPv4-Private-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0
object network IPv4-Private-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0
object network IPv4-Private-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network fbeye_lan
subnet 192.168.1.0 255.255.255.0
object network fbeye_wan
host x.x.x.180
object network 177_wan
host x.x.x.177
object network ceyea_wan
host x.x.x.179
object network proxmox_lan
subnet 192.168.4.0 255.255.255.0
object network fbeye_mail
host 192.168.1.180
object network fhc_wan
host x.x.x.181
object network ceyea_lan
subnet 192.168.3.0 255.255.255.0
object network proxmox_wan
host x.x.x.178
object network pihole
host 192.168.4.115
object-group network IPv4-Private-All-RFC1918
network-object object IPv4-Private-10.0.0.0-8
network-object object IPv4-Private-172.16.0.0-12
network-object object IPv4-Private-192.168.0.0-16
object-group service |acSvcg-268435457
service-object ip
object-group service |acSvcg-268435466
service-object ip
object-group service |acSvcg-268435460
service-object tcp destination eq www
service-object tcp destination eq https
object-group service |acSvcg-268435461
service-object tcp destination eq 32400
object-group service |acSvcg-268435462
service-object udp destination eq 51820
object-group service |acSvcg-268435463
service-object tcp destination eq ssh
object-group service |acSvcg-268435464
service-object tcp destination eq smtp
service-object tcp destination eq 993
object-group service |acSvcg-268435465
service-object tcp destination eq ssh
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc 177 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc ceyea any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc fbeye any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc fhc any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc proxmox any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435466: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435466: L5 RULE: Inside_to__LAN
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc 177 any rule-id 268435466
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc ceyea any rule-id 268435466
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc fbeye any rule-id 268435466
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc fhc any rule-id 268435466
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc proxmox any rule-id 268435466
access-list NGFW_ONBOX_ACL remark rule-id 268435460: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435460: L5 RULE: 181_NGINX_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435460 ifc outside any ifc fhc object OMV rule-id 268435460
access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: 181_Plex_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc fhc object OMV rule-id 268435461
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: 181_Wireguard_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc outside any ifc fhc object OMV rule-id 268435462
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: 181_SSH_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc outside any ifc fhc object OMV rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L5 RULE: 180_fbeye_Mail_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc outside any ifc fbeye object fbeye_mail rule-id 268435464
access-list NGFW_ONBOX_ACL remark rule-id 268435465: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435465: L5 RULE: 180_fbeye_SSH_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435465 ifc outside any ifc fbeye object fbeye_mail rule-id 268435465
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
pager lines 24
logging enable
logging timestamp
logging permit-hostdown
mtu inside 1500
mtu fbeye 1500
mtu fhc 1500
mtu ceyea 1500
mtu proxmox 1500
mtu 177 1500
mtu outside 1500
mtu management 1500
no failover
failover replication http
no monitor-interface inside
no monitor-interface fbeye
no monitor-interface fhc
no monitor-interface ceyea
no monitor-interface proxmox
no monitor-interface 177
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
management-interface convergence
nat (fbeye,outside) source static fbeye_lan fbeye_wan
nat (fhc,outside) source static fhc_lan fhc_wan
nat (ceyea,outside) source static ceyea_lan ceyea_wan
nat (proxmox,outside) source static proxmox_lan proxmox_wan
nat (177,outside) source static 177_lan 177_wan
!
nat (inside,outside) after-auto source dynamic any-ipv4 interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
ip-client fbeye
ip-client fbeye ipv6
ip-client 177
ip-client 177 ipv6
ip-client fhc
ip-client fhc ipv6
ip-client outside
ip-client outside ipv6
ip-client inside
ip-client inside ipv6
ip-client management
ip-client management ipv6
ip-client ceyea
ip-client ceyea ipv6
ip-client proxmox
ip-client proxmox ipv6
snmp-server group AUTH v3 auth
snmp-server group PRIV v3 priv
snmp-server group NOAUTH v3 noauth
snmp-server location null
snmp-server contact null
snmp-server community *****
sysopt connection tcpmss 0
no sysopt connection permit-vpn
crypto ipsec security-association pmtu-aging infinite
crypto ca permit-weak-crypto
crypto ca trustpool policy
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 inside
console timeout 0
vpdn group HomeDSL request dialout pppoe
vpdn group HomeDSL localname [blank]
vpdn group HomeDSL ppp authentication chap
vpdn username [blank]
dhcpd auto_config outside
!
dhcpd address 192.168.1.101-192.168.1.254 fbeye
dhcpd enable fbeye
!
dhcpd address 192.168.6.101-192.168.6.254 177
dhcpd enable 177
!
dhcpd address 192.168.2.101-192.168.2.254 fhc
dhcpd enable fhc
!
dhcpd address 192.168.5.2-192.168.5.254 inside
dhcpd enable inside
!
dhcpd address 192.168.3.101-192.168.3.254 ceyea
dhcpd enable ceyea
!
dhcpd address 192.168.4.101-192.168.4.254 proxmox
dhcpd enable proxmox
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client
webvpn
anyconnect ssl dtls none
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect xdmcp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
snort preserve-connection
snort multichannel-lb enable
no dp-tcp-proxy
Cryptochecksum:5cdeb97bbe81dfda703bd840809c9192
: end
12-22-2023 05:24 PM
Here are pics of NAT and ACLs.
12-23-2023 03:32 PM
Alright so I think I have everything right.
I changed all my [STATIC] WAN to NETWORK [vlan] NATs from STATIC to DYNAMIC, as the Network is a whole subnet, not a single 1-to-1 NAT. All 6 VLANs grab their IP and have the correct WAN Address.
I added my STATIC NAT Port Forwards for my various Internal servers and put them ABOVE their associated NAT [PAT] WAN to LAN Rules; I can now access my email servers and nginx servers and such...
With the NAT, I also created the appropriate ACLs to actually be able to access the inside servers. I have verified on various VLANs/servers that I can indeed access, so far all is great!!!
I verified my ACL was legit because, for fun, I changed it to BLOCK and indeed I now cannot access.
My question is... I use ALLOW and not Trust, right? I assume TRUST = [More or less] YOU ARE ALL WELCOME WITHOUT INSPECTION... Whereas ALLOW requires access to be approved, as in, the Ports allowed?
12-23-2023 10:09 PM
ALLOW means the traffic passes the ACP and is sent to Snort for more inspection.
Trust means the traffic passes the ASP and bypasses Snort, going directly through without any more inspection.
MHM
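As an added example (written for this editing pass, not code from any poster in the thread and not Cisco's), here is a small Python evaluator that answers the first post's question against the running-config posted above: does UDP/53 from a host in the fhc VLAN (192.168.2.0/24) reach the pihole object as the firewall is configured? It embeds a quoted excerpt of that config (interfaces, objects, service groups and the ACL lines that matter for this flow; note the config places the pihole object at 192.168.4.115 on the proxmox VLAN, whereas the first post names 192.168.5.115) and one HYPOTHETICAL rule: the service group `|acSvcg-HYPOTHETICAL` and rule-id 268435499 are invented here to show what an ALLOW for DNS only would look like. It also tags each verdict with the trust/allow distinction MHM describes: a trust rule on `service-object ip` matches every protocol and bypasses Snort, while a permit rule only opens the listed ports and hands the flow to Snort. The matcher is a teaching approximation of first-match ACL evaluation, not the FTD packet path.

```python
"""Added example: first-match evaluation of an FTD on-box ACL for one flow.
Handles only what the posted NGFW_ONBOX_ACL uses: ifc-scoped rules, 'any' or
'object' address specs, service object-groups, and trust/permit/deny."""
import ipaddress

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}

# What each ACP action means for Snort, as explained in the thread.
ACTION_MEANING = {
    "trust": "bypasses Snort, no further inspection",
    "permit": "passes the ACP and is sent to Snort for inspection",
    "deny": "dropped",
}

# Excerpt quoted from the running-config posted above.
CONFIG = """\
interface Vlan1
nameif inside
ip address 192.168.5.1 255.255.255.0
interface Vlan3
nameif fhc
ip address 192.168.2.1 255.255.255.0
interface Vlan5
nameif proxmox
ip address 192.168.4.1 255.255.255.0
object network OMV
host 192.168.2.181
object network pihole
host 192.168.4.115
object-group service |acSvcg-268435457
service-object ip
object-group service |acSvcg-268435466
service-object ip
object-group service |acSvcg-268435460
service-object tcp destination eq www
service-object tcp destination eq https
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc fhc any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc proxmox any rule-id 268435466
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc fhc any rule-id 268435466
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435460 ifc outside any ifc fhc object OMV rule-id 268435460
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
"""
DENY_ALL = "access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1"

# HYPOTHETICAL (group name and rule-id 268435499 are invented for this example):
# an ALLOW for DNS only, fhc VLAN -> pihole object, placed above the default deny.
DNS_RULE = """\
object-group service |acSvcg-HYPOTHETICAL
service-object udp destination eq domain
service-object tcp destination eq domain
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-HYPOTHETICAL ifc fhc any ifc proxmox object pihole rule-id 268435499
"""
CONFIG_WITH_DNS = CONFIG.replace(DENY_ALL, DNS_RULE + DENY_ALL)


def port_of(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_rule(t):
    # access-list NAME advanced ACTION (object-group SVC | PROTO) [ifc X] SRC [ifc Y] DST rule-id N ...
    action, i = t[3], 4
    if t[i] == "object-group":
        svc, i = t[i + 1], i + 2        # group name, resolved at evaluation time
    else:
        svc, i = [(t[i], None)], i + 1  # inline protocol such as 'ip'

    def spec(i):                        # returns ((ifc or None, 'any' | object name), next index)
        ifc = None
        if t[i] == "ifc":
            ifc, i = t[i + 1], i + 2
        if t[i] == "object":
            return (ifc, t[i + 1]), i + 2
        return (ifc, t[i]), i + 1

    src, i = spec(i)
    dst, _ = spec(i)
    return {"action": action, "svc": svc, "src": src, "dst": dst,
            "id": int(t[t.index("rule-id") + 1])}


def parse(config):
    ifaces, objects, services, rules = {}, {}, {}, []
    ifc = obj = grp = None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            ifc = None                  # nameif follows on a later line
        elif t[0] == "nameif":
            ifc = t[1]
        elif t[:2] == ["ip", "address"] and ifc and len(t) >= 4:
            try:                        # 'ip address pppoe setroute' has no static subnet
                ifaces[ifc] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            except ValueError:
                pass
        elif t[:2] == ["object", "network"]:
            obj = t[2]
        elif t[0] == "host" and obj:
            objects[obj] = ipaddress.ip_network(f"{t[1]}/32")
        elif t[0] == "subnet" and obj and len(t) > 2:
            objects[obj] = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
        elif t[:2] == ["object-group", "service"]:
            grp, services[t[2]] = t[2], []
        elif t[0] == "service-object" and grp:
            services[grp].append((t[1], port_of(t[-1]) if len(t) > 2 else None))
        elif t[0] == "access-list" and t[2] == "advanced":
            rules.append(parse_rule(t))
    return ifaces, objects, services, rules


def ifc_of(ip, ifaces):
    # Flows are classified by connected subnet; anything else sits on the PPPoE 'outside'.
    return next((name for name, net in ifaces.items() if ip in net), "outside")


def evaluate(cfg, src_ip, dst_ip, proto, dport):
    """Return (action, rule_id, meaning) for the first rule matching the flow."""
    ifaces, objects, services, rules = cfg
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_ifc, dst_ifc = ifc_of(src, ifaces), ifc_of(dst, ifaces)
    addr_ok = lambda spec, ip: spec == "any" or ip in objects[spec]
    for r in rules:
        (sifc, sspec), (difc, dspec) = r["src"], r["dst"]
        if sifc not in (None, src_ifc) or difc not in (None, dst_ifc):
            continue
        if not (addr_ok(sspec, src) and addr_ok(dspec, dst)):
            continue
        entries = services[r["svc"]] if isinstance(r["svc"], str) else r["svc"]
        if any(p == "ip" or (p == proto and port in (None, dport)) for p, port in entries):
            return r["action"], r["id"], ACTION_MEANING[r["action"]]
    return "deny", None, ACTION_MEANING["deny"]   # implicit deny when nothing matched


if __name__ == "__main__":
    for label, cfg in (("as posted", parse(CONFIG)), ("with hypothetical DNS allow", parse(CONFIG_WITH_DNS))):
        print(label, "fhc -> pihole udp/53:", evaluate(cfg, "192.168.2.50", "192.168.4.115", "udp", 53))
    print("inside -> pihole udp/53:", evaluate(parse(CONFIG), "192.168.5.20", "192.168.4.115", "udp", 53))
```

Run as posted, the fhc-to-pihole DNS flow falls through to the default deny (rule-id 1) because only `inside` is trusted towards the other VLANs; a host on `inside` gets a trust verdict from rule 268435466, which covers every IP protocol and skips Snort. With the hypothetical permit rule added, DNS on UDP and TCP 53 is allowed and inspected, while anything else from fhc to the pihole host (SSH, for instance) still hits the deny, which is the port-scoped behaviour the question about ALLOW versus TRUST is asking for.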
12-23-2023 04:53 PM
Well, everything works now. Local DNS, ACLs, NAT etc. Wow, this is crazy, I got it all working and I thank everyone.
12-24-2023 12:38 AM
You are so welcome, Friend, any time.
Glad your lab is finished.
Have a nice day.
MHM