09-27-2014 10:20 AM - edited 03-04-2019 11:51 PM
A bit of background. I have a network that I need to restrict access to from another network that is on the same VLAN.
192.168.0.0/24 <- Restricted Network
10.10.10.0/24 <- Secure Network
I want to prevent 192.168.0.0/24 from being able to access the 10.10.10.0/24 network. I cannot create this as a separate VLAN, as some of my devices are not VLAN aware.
The following config was added to try to block this in the ip access-list extended NATout-Acl:
deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
Which did not work.
Sterilized Config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Mikes_House_Router
!
boot-start-marker
boot system flash c2801-adventerprisek9-mz.151-4.M8.bin
boot-end-marker
!
!
logging buffered 4096
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.9
ip dhcp excluded-address 10.10.10.11 10.10.10.49
ip dhcp excluded-address 192.168.0.1 192.168.0.29
ip dhcp excluded-address 192.168.0.32 192.168.0.254
!
ip dhcp pool Mikes_House
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
!
ip dhcp pool static-10.10.10.15
import all
host 10.10.10.15 255.255.255.0
client-identifier 0100.1111.cb34.9e
default-router 10.10.10.1
!
ip dhcp pool static-10.10.10.25
import all
host 10.10.10.25 255.255.255.0
client-identifier 0100.1921.b31c.d6
default-router 10.10.10.1
!
ip dhcp pool static-192.168.0.30
host 192.168.0.30 255.255.255.0
client-identifier 0124.a2e1.595a.fe
default-router 192.168.0.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool static-192.168.0.31
host 192.168.0.31 255.255.255.0
client-identifier 018c.7c92.72e1.e7
default-router 192.168.0.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool Mikes_House_Kids
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 208.67.222.222 208.67.220.220
!
!
ip cef
ip flow-cache timeout active 1
ip ddns update method DuckDNS
HTTP
add http://www.duckdns.org/update?domains=wb6vpm&token=910669b9-9b6f-48b1-aadb-387ab211bb4e
interval maximum 0 0 5 0
!
login block-for 30 attempts 3 within 30
login on-failure log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2801 sn FTX1143Y11R
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
username wb6vpm privilege 15 secret 5 $1$/1yd$0zly0Jo4A0ynHrrS2TCef1
username opengear privilege 15 secret 5 $1$kFBL$OU0Tez/HcrxnIVhV9F7dS/
!
redundancy
!
!
ip ssh version 1
!
class-map match-any VOIP
match protocol sip
match protocol rtp
class-map match-any WebEmail
match protocol http
match protocol secure-http
match protocol ftp
match protocol smtp
match protocol pop3
!
!
policy-map VoIPQOS
class VOIP
priority percent 52
set dscp ef
class WebEmail
bandwidth remaining percent 75
class class-default
fair-queue
!
!
crypto keyring newkeyring
pre-shared-key address 0.0.0.0 0.0.0.0 key NXCWLS$777
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set NXCWLSVPNTransform esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile NXCWLSVPN-Prof
set transform-set NXCWLSVPNTransform
!
!
!
!
!
!
!
interface Loopback0
ip address 10.255.0.2 255.255.255.255
!
interface Tunnel1
bandwidth 1000
ip address 10.255.255.2 255.255.255.0
no ip redirects
ip mtu 1408
ip nhrp authentication NXCW@777
ip nhrp map multicast dynamic
ip nhrp map multicast 168.215.217.26
ip nhrp map 10.255.255.1 168.215.217.26
ip nhrp network-id 1772777
ip nhrp holdtime 300
ip nhrp nhs 10.255.255.1
ip tcp adjust-mss 574
ip ospf network broadcast
ip ospf priority 0
delay 1000
qos pre-classify
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1772777
tunnel protection ipsec profile NXCWLSVPN-Prof shared
!
interface FastEthernet0/0
description ISP
ip dhcp client update dns server none
ip ddns update DuckDNS
ip address dhcp client-id FastEthernet0/0 hostname wb6vpm.duckdns.org
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1/0
description WiFi
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface FastEthernet0/1/1
description Laptop Docking Station
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface FastEthernet0/1/2
description Desktop
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface FastEthernet0/1/3
description Roku
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface FastEthernet0/3/0
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface FastEthernet0/3/1
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface FastEthernet0/3/2
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface FastEthernet0/3/3
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.0.1 255.255.255.0 secondary
ip address 192.168.170.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
router ospf 10
router-id 10.255.255.2
redistribute connected
redistribute static subnets
network 10.10.10.0 0.0.0.255 area 0
network 10.255.0.0 0.0.0.0 area 0
network 10.255.255.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export version 9
!
ip nat inside source list NATout-Acl interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.10.15 45000 interface FastEthernet0/0 45000
ip nat inside source static udp 10.10.10.15 45000 interface FastEthernet0/0 45000
ip nat inside source static udp 10.10.10.15 65000 interface FastEthernet0/0 65000
ip nat inside source static tcp 10.10.10.15 65000 interface FastEthernet0/0 65000
ip nat inside source static tcp 10.10.10.15 8080 interface FastEthernet0/0 8080
ip nat inside source static tcp 10.10.10.15 8980 interface FastEthernet0/0 8980
ip nat inside source static tcp 10.10.10.15 80 interface FastEthernet0/0 80
ip nat inside source static tcp 10.10.10.15 21 interface FastEthernet0/0 21
ip nat inside source static tcp 10.10.10.15 20 interface FastEthernet0/0 20
ip nat inside source static tcp 10.10.10.15 5000 interface FastEthernet0/0 5000
ip nat inside source static tcp 10.10.10.15 5001 interface FastEthernet0/0 5001
ip nat inside source static tcp 10.10.10.15 5002 interface FastEthernet0/0 5002
ip nat inside source static tcp 10.10.10.15 5003 interface FastEthernet0/0 5003
ip nat inside source static tcp 10.10.10.15 5004 interface FastEthernet0/0 5004
ip nat inside source static tcp 10.10.10.15 5005 interface FastEthernet0/0 5005
ip nat inside source static tcp 10.10.10.15 5006 interface FastEthernet0/0 5006
ip nat inside source static tcp 10.10.10.15 5007 interface FastEthernet0/0 5007
ip nat inside source static tcp 10.10.10.15 5008 interface FastEthernet0/0 5008
ip nat inside source static tcp 10.10.10.15 5009 interface FastEthernet0/0 5009
ip nat inside source static tcp 10.10.10.15 5010 interface FastEthernet0/0 5010
ip nat inside source static tcp 10.10.10.15 5011 interface FastEthernet0/0 5011
ip nat inside source static tcp 10.10.10.15 5012 interface FastEthernet0/0 5012
ip nat inside source static tcp 10.10.10.15 5013 interface FastEthernet0/0 5013
ip nat inside source static tcp 10.10.10.15 5014 interface FastEthernet0/0 5014
ip nat inside source static tcp 10.10.10.15 5015 interface FastEthernet0/0 5015
ip nat inside source static tcp 10.10.10.15 5016 interface FastEthernet0/0 5016
ip nat inside source static tcp 10.10.10.15 5017 interface FastEthernet0/0 5017
ip nat inside source static tcp 10.10.10.15 5018 interface FastEthernet0/0 5018
ip nat inside source static tcp 10.10.10.15 5019 interface FastEthernet0/0 5019
ip nat inside source static tcp 10.10.10.15 5020 interface FastEthernet0/0 5020
ip nat inside source static tcp 10.10.10.15 5021 interface FastEthernet0/0 5021
ip nat inside source static tcp 10.10.10.15 5022 interface FastEthernet0/0 5022
ip nat inside source static tcp 10.10.10.15 5023 interface FastEthernet0/0 5023
ip nat inside source static tcp 10.10.10.15 5024 interface FastEthernet0/0 5024
ip nat inside source static tcp 10.10.10.15 5025 interface FastEthernet0/0 5025
ip nat inside source static tcp 10.10.10.15 5026 interface FastEthernet0/0 5026
ip nat inside source static tcp 10.10.10.15 5027 interface FastEthernet0/0 5027
ip nat inside source static tcp 10.10.10.15 5028 interface FastEthernet0/0 5028
ip nat inside source static tcp 10.10.10.15 5029 interface FastEthernet0/0 5029
ip nat inside source static tcp 10.10.10.25 4242 interface FastEthernet0/0 4242
ip nat inside source static udp 10.10.10.25 4242 interface FastEthernet0/0 4242
ip nat inside source static tcp 10.10.10.25 4240 interface FastEthernet0/0 4240
ip nat inside source static udp 10.10.10.25 4240 interface FastEthernet0/0 4240
!
ip access-list extended NATout-Acl
permit ip 10.10.10.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.170.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
ip access-list extended OutsideIn-Acl
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit tcp any any established
permit udp any eq ntp any
permit udp any eq domain any
permit udp any any
permit tcp 64.17.230.96 0.0.0.7 any eq telnet
permit tcp 10.10.10.0 0.0.0.255 any eq telnet
permit tcp 65.255.201.64 0.0.0.3 any eq telnet
permit tcp any host 10.10.10.15 eq www
permit tcp any host 10.10.10.15 eq ftp
deny ip any any
!
logging trap debugging
logging host 10.10.10.15 transport tcp
!
!
!
!
snmp-server community M1cha3l RO
snmp-server packetsize 4096
snmp-server host 10.10.10.10 version 2c M1cha3l
snmp-server host 10.10.10.15 version 2c M1cha3l
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
login local
line aux 0
line vty 0 4
login local
transport input all
line vty 5 15
login local
transport input all
!
scheduler allocate 20000 1000
ntp peer 69.65.40.29
ntp peer 50.116.38.157
ntp peer 204.2.134.163
ntp peer 208.79.16.124
event manager applet CLIaccounting
event cli pattern ".*" sync no skip no
action 1.0 syslog priority informational msg "$_cli_msg"
action 2.0 set _exit_status "1"
!
end
09-27-2014 02:47 PM
Hi Michael,
it's a little bit late in my country (almost midnight) but I will try to answer your post (maybe not a very good idea); it seems to me that you are applying the ACL just to control NAT, not to permit/deny IP traffic. This way, when a host in the 192.168.0.x network tries to connect to another host in the 10.10.10.0 network, it just sends the IP packet to its default gateway (I suppose your router) and it will deliver the packet to the destination network, un-natted, but it will. Isn't it?
Bye,
enrico
09-27-2014 04:11 PM
I am not clear about the original poster's statement that some devices were not vlan aware and that is why everything is in the same vlan. Having these 4 networks/subnets all in the same vlan is a very unusual design and I believe that it is causing (or will cause) problems, starting with this need to restrict traffic.
To the extent that hosts in the network need to send their traffic through the router to get to destinations then the router is able to control access. To the extent that hosts in the network can communicate directly with other hosts then the router is not able to control that traffic. So the question becomes do these hosts need to send their traffic through the router to reach hosts in the other network?
To the extent that a host would send its traffic to its default gateway for destinations that it believes are remote, then yes, the traffic would go through the router. But considering that all of these hosts are in the same vlan and therefore in the same broadcast domain, if a host in 10.10.10.0 wants to communicate with a host in 192.168.0.0 and the host sends an ARP request for the destination address, then the other host would receive the ARP, would reply, and the hosts would communicate without needing the router. And in that case the router cannot control the traffic.
So the real answer to the question of the original poster is that it depends on the behavior of the hosts in the network. The best that he can do is to configure an access list to control the traffic and to apply it inbound on the vlan 10 interface.
HTH
Rick
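Rick's point that only router-forwarded traffic can be filtered, and enrico's point that NATout-Acl only classifies NAT traffic, can both be checked with a small first-match evaluator for IOS-style extended ACEs. This is an added example, not code from the thread; the Vlan10-In ACL name and the 203.0.113.5 Internet address are assumed for illustration.

```python
import ipaddress

def _parse_spec(tok, i):
    """Return ((network, wildcard), next_index) for 'any', 'host A' or 'A W'."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    wc = int(ipaddress.IPv4Address(tok[i + 1]))
    return (net, wc), i + 2

def parse_acl(text):
    """Parse 'permit ip ...' / 'deny ip ...' lines; other ACE types are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue
        src, i = _parse_spec(tok, 2)
        dst, _ = _parse_spec(tok, i)
        aces.append((tok[0], src, dst))
    return aces

def _matches(spec, addr):
    net, wc = spec  # wildcard bits set to 1 are "don't care" bits
    return (int(ipaddress.IPv4Address(addr)) & ~wc) == (net & ~wc)

def evaluate(aces, src, dst):
    """Return (action, 1-based ACE number) of the first match; ('deny', None) is the implicit deny."""
    for n, (action, s, d) in enumerate(aces, 1):
        if _matches(s, src) and _matches(d, dst):
            return action, n
    return "deny", None

# The thread's NATout-Acl. Under 'ip nat inside source list', a match only decides
# whether to translate: a deny means "do not NAT", never "drop" (and it is shadowed anyway).
NATOUT_ACL = """
permit ip 10.10.10.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.170.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
# Assumed filter for 'interface Vlan10' / 'ip access-group Vlan10-In in': deny first,
# since evaluation stops at the first match. Only traffic sent via the router is filtered.
VLAN10_IN_ACL = """
deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any
"""
```

Running `evaluate(parse_acl(NATOUT_ACL), "192.168.0.30", "10.10.10.15")` shows the packet matching ACE 2 (permit), so the deny on ACE 5 is never reached even before considering that this list only drives NAT.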
09-28-2014 12:44 AM
I think security is impossible in this design, because anybody can manually set an IP address from any network and so get access.
The ACL mentioned does not prevent access from network to network, because it is a NAT ACL, not an access ACL.
09-28-2014 01:57 PM
Ok, I didn't explain things very well. This is a router that I have as my NAT firewall/DMVPN to the office at my house. What I am doing, if you see the static DHCP assignments for the 192.168 net, those are my daughters' iPads. I want to prevent those devices from being able to see anything but the internet, no normal network (10.10) or any of the VPN networks (which, if I am remembering my networking correctly, they can't anyway, since their subnet is not being advertised by the OSPF policy). My WiFi access point is the device that is not VLAN compatible (hence my comment about not being able to do separate VLANs, and then restricting VLAN to VLAN access).
This is not a "security" issue, beyond wanting to keep my kids from deciding to access either my network share, or our network printer.
I hope this helps clarify things.