Help with VLAN/DMZ configuration and one NAT entry

erxor
Level 1

Hello!
I could use some assistance with configuring my VLANs with a DMZ (I assume you call it a DMZ, read on to see and please correct me where needed since it is a great way to learn!) and also a NAT entry or two on my C887VA router. I have attached the show tech.

So what I want to achieve is this:

I have 4 different VLANs (as you can see in the config) VLAN 1 (LAN), VLAN 10 (Wireless), VLAN 20 (Guest Wireless) and VLAN 30 (Security). 

VLANs 1 and 10 I can trunk and use as normal since I have no concern for extra security on those VLANs; however, with VLAN 20 my wish is that they only have access to the Internet after connecting to the guest wifi. My thought is that I want VLAN 30 to be separated as well for safety reasons since this VLAN is going to contain my security devices like cameras etc. The thing here is that the device that I use to save all my camera footage is also the same device that I use to manage my switch and my wifi (it is a Ubiquiti Cloud Key Gen 2 +) and I want to be able to access this from the Internet to be able to check my cameras and preferably change settings on the Ubiquiti part of the network (which is everything except the router). What I am thinking is that I "simply" put the cloud key on a port that is in VLAN 30, and that way it should be possible to do what I am thinking?

On fa0 (the port where I am trunking VLAN 1 & 10) can I change the command to trunk just 1 & 10 and not every single VLAN except 20 and 30?

So having the VLANs configured like I do on the ports do I have to configure any other routes?

On to the next step of my config questions:

I want to be able to reach the cloud key and possibly some other devices not yet on the network from the Internet, and I'm honestly not sure how to configure the NAT settings to do that. Like I said earlier, let's assume that the cloud key is on VLAN 30 and let's give it an IP of 10.0.3.10.

I also want to be able to access the router from the Internet (maybe having it locked down to a specific external IP for more safety) through SSH; are there any other settings I need to make that possible? SSH is working from an internal address, which you can probably tell by looking at the config, but I thought I would mention it.

I hope you can help me out, I would greatly appreciate it!

Regards!

3 Replies

Hello,

you can restrict access to VLAN 20 (and 30) by using access lists (101 and 102 respectively in the configuration below). For remote access to the key, you need a static NAT entry. For remote SSH access, you need to put an access class on the VTY lines.

I have made some changes/additions to your configuration (marked in bold), see if you get it to work this way...

! Last configuration change at 14:51:28 UTC Tue Nov 26 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname etthundratolvan-router
!
boot-start-marker
boot-end-marker
!
enable password 7 <removed>
!
no aaa new-model
ethernet lmi ce
!
power inline negotiation prestandard source
!
ip dhcp excluded-address 10.0.0.1 10.0.0.100
ip dhcp excluded-address 10.0.1.1 10.0.1.100
ip dhcp excluded-address 10.0.2.1 10.0.2.100
ip dhcp excluded-address 10.0.3.1 10.0.3.100
!
ip dhcp pool DHCP-VLAN 1
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 8.8.8.8 8.8.4.4
lease 4
remember
!
ip dhcp pool DHCP-VLAN 10
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 8.8.8.8 8.8.4.4
lease 4
remember
!
ip dhcp pool DHCP-VLAN 20
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
dns-server 8.8.8.8 8.8.4.4
lease 4
remember
!
ip dhcp pool DHCP-VLAN 30
network 10.0.3.0 255.255.255.0
default-router 10.0.3.1
dns-server 8.8.8.8 8.8.4.4
lease 4
remember
!
ip domain name plandigital.se
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
license udi pid C887VA-K9 sn FCZ214040Q1
!
username ITI privilege 15 password 7 <removed>
!
controller VDSL 0
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.35 point-to-point
ip address dhcp
ip nat outside
ip virtual-reassembly in
atm route-bridged ip
pvc 8/35
encapsulation aal5snap
protocol pppoe
!
!
interface Ethernet0
no ip address
!
interface FastEthernet0
description VLAN 1 & 10 trunk to UniFi Switch
switchport trunk allowed vlan 1-19,21-29,31-4094
switchport mode trunk
no ip address
!
interface FastEthernet1
description VLAN 20 access to UniFi Switch
switchport access vlan 20
no ip address
!
interface FastEthernet2
description VLAN 30 access to UniFi Switch
switchport access vlan 30
no ip address
!
interface FastEthernet3
no ip address
shutdown
!
interface Vlan1
description LAN (Primary)
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan10
description Wireless-LAN
ip address 10.0.1.1 255.255.255.0
ip nat inside
!
interface Vlan20
description Guest_Wireless-LAN
ip address 10.0.2.1 255.255.255.0
ip nat inside
ip access-group 101 in
!
interface Vlan30
description Security
ip address 10.0.3.1 255.255.255.0
ip nat inside
ip access-group 102 in
!
interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip nat inside source list Net-Allow interface ATM0.35 overload
ip nat inside source static 10.0.3.10 interface ATM0.35
ip route 0.0.0.0 0.0.0.0 ATM0.35 dhcp
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Vlan1
ip ssh version 2
!
ip access-list extended Net-Allow
permit ip 10.0.0.0 0.0.0.255 any
permit ip 10.0.1.0 0.0.0.255 any
permit ip 10.0.2.0 0.0.0.255 any
permit ip 10.0.3.0 0.0.0.255 any
!
access-list 23 permit x.x.x.x
!
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
access-list 101 deny ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
!
! ACL 102, applied inbound on Vlan30
access-list 102 deny ip 10.0.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 deny ip 10.0.0.0 0.0.0.255 10.0.3.0 0.0.0.255
access-list 102 deny ip 10.0.3.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 102 deny ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255
access-list 102 deny ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 102 deny ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
access-list 102 permit ip 10.0.3.0 0.0.0.255 any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
access-class 23 in
transport input ssh
transport output all
!
scheduler allocate 20000 1000
!
end
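Before pushing a ruleset like the one in the reply above onto a VLAN SVI, it is worth checking offline what it actually permits. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for numbered IOS extended ACLs (in-order evaluation, first match wins, implicit deny at the end). It compares the ACL lines as they appear in the reply, where the second block is entered under 101, with the same lines renumbered to 102 as the reply intended, and it flags entries that can never match inbound on a given SVI. The sample flows (10.0.2.50, 10.0.0.20, 8.8.8.8) and all function names are constructed for this example; 10.0.3.10 is the cloud key address from the post.

```python
"""Added example: first-match evaluator for the numbered IOS extended ACLs
posted in the reply above. Not code from the thread or from Cisco."""
import ipaddress

# Constructed copy of the ACL lines in the reply. The second block is
# numbered 101, as posted, so ACL 102 ends up with a single entry.
ACL_AS_POSTED = """
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
access-list 101 deny ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
access-list 102 deny ip 10.0.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.0.3.0 0.0.0.255
access-list 101 deny ip 10.0.3.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255
access-list 101 deny ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255
access-list 101 permit ip 10.0.3.0 0.0.0.255 any
"""

# The same lines with every entry after the seventh renumbered to 102.
_lines = ACL_AS_POSTED.strip().splitlines()
ACL_CORRECTED = "\n".join(
    _lines[:7] + [l.replace("access-list 101", "access-list 102") for l in _lines[7:]]
)


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A wildcard'.
    Returns (base, wildcard, next_index) with base/wildcard as 32-bit ints."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acls(text):
    """Return {acl_number: [(action, proto, (src_base, src_wild), (dst_base, dst_wild)), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        number, action, proto = t[1], t[2], t[3]
        sb, sw, i = _parse_addr(t, 4)
        db, dw, _ = _parse_addr(t, i)
        acls.setdefault(number, []).append((action, proto, (sb, sw), (db, dw)))
    return acls


def _matches(addr, base, wild):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return (int(ipaddress.IPv4Address(addr)) ^ base) & (0xFFFFFFFF ^ wild) == 0


def evaluate(acls, number, src, dst, proto="ip"):
    """First match wins; an ACL that matches nothing ends in the implicit deny."""
    for action, p, (sb, sw), (db, dw) in acls.get(number, []):
        if p in ("ip", proto) and _matches(src, sb, sw) and _matches(dst, db, dw):
            return action
    return "deny"


def dead_entries(acls, number, ingress_subnet):
    """Indexes of entries that can never match when the ACL is applied 'in' on
    the SVI for ingress_subnet: inbound packets always carry a source in that
    subnet, so entries whose source range excludes it are dead weight. The check
    tests the subnet's first and last address, which is exact for the /24 entries here."""
    net = ipaddress.IPv4Network(ingress_subnet)
    dead = []
    for idx, (_, _, (sb, sw), _) in enumerate(acls.get(number, [])):
        if not (_matches(str(net.network_address), sb, sw)
                or _matches(str(net.broadcast_address), sb, sw)):
            dead.append(idx)
    return dead


def check_flows(text):
    """Evaluate a few constructed flows against 101 (inbound on Vlan20) and 102 (inbound on Vlan30)."""
    acls = parse_acls(text)
    return {
        "guest->lan": evaluate(acls, "101", "10.0.2.50", "10.0.0.20"),
        "guest->internet": evaluate(acls, "101", "10.0.2.50", "8.8.8.8"),
        "cloudkey->lan": evaluate(acls, "102", "10.0.3.10", "10.0.0.20"),
        "cloudkey->internet": evaluate(acls, "102", "10.0.3.10", "8.8.8.8"),
    }


if __name__ == "__main__":
    for label, text in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        print(label, check_flows(text))
    print("dead entries in 101 inbound on Vlan20:",
          dead_entries(parse_acls(ACL_CORRECTED), "101", "10.0.2.0/24"))
```

Run as posted, ACL 102 holds one line and VLAN 30 loses all connectivity, Internet included, through the implicit deny; with the second block under 102, the cloud key reaches the Internet and is still blocked from the other VLANs. The dead-entry check shows that, inbound on Vlan20, the entries whose source is 10.0.0.0/24, 10.0.1.0/24 or 10.0.3.0/24 never see a packet; they are harmless but misleading. Two caveats a practitioner would add: IOS ACLs are stateless, so the deny from 10.0.3.0/24 to 10.0.0.0/24 inbound on Vlan30 also drops the reply half of any connection a VLAN 1 device opens to the controller at 10.0.3.10 (the UniFi switch and APs the poster manages from the cloud key), which needs either permits for those specific ports ahead of the deny or a stateful mechanism such as a reflexive ACL or the IOS zone-based firewall; and `ip nat inside source static 10.0.3.10 interface ATM0.35` forwards every inbound port to the cloud key, whereas the port-level form, for example `ip nat inside source static tcp 10.0.3.10 443 interface ATM0.35 443`, exposes only the ports actually needed and leaves the remaining ports, SSH to the router included, with the router.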

Thanks a lot for the reply and the info. 

I can see how these changes make sense and I will implement the changes on the router; however, I will not be able to test the router on the actual network until this Thursday the 28th (I guess about 1½ days) and will then reply if I have any more questions or to let you know if it works.

Thanks again!

I was just inputting this info into the router and became confused/uncertain about the 101 & 102 ACLs.
I understand why they are there, but my uncertainty is over the fact that there is only one line in the 102 ACL; reading them all, the second "bunch" should be ACL 102 and not ACL 101, do I have that correct?

Thanks