05-11-2019 01:23 PM - edited 05-11-2019 01:56 PM
Hello,
Here is my topology:
I have dynamic NAT on ffw.lim.rt01.
VLAN 10's gateway is 10.0.1.1 on ffw.lim.rt01's g0/1.10. VLAN 20's gateway is 10.0.1.17 on ffw.lim.rt01's g0/1.20.
Each VPCS can ping each other.
VPCS can ping 72.145.30.1 thanks to NAT.
I want my VPCS to still be able to reach fai.rt01, but without being able to reach each other; that is, I want to restrict routing between VLAN 10 and VLAN 20.
On ffw.lim.rt01 I have tried this:
access-list 101 deny ip 10.1.1.17 0.0.0.7 10.0.1.1 0.0.0.15
access-list 101 permit ip any any
access-list 102 deny ip 10.0.1.1 0.0.0.15 10.0.1.17 0.0.0.7
access-list 102 permit ip any any
int g0/1.10
 ip access-group 102 out
int g0/1.20
 ip access-group 101 out
It does not do anything. When I remove "permit ip any any", it works, except my VPCS cannot ping 72.145.30.1 anymore.
What am I missing? Is it related to the NAT?
05-11-2019 01:33 PM
At a high level, the ACL below is wrong:
access-list 101 deny ip 10.1.1.17 0.0.0.7 10.0.1.1 0.0.0.15 <<-- this should be 10.0.1.17
Can you post the config of the switch and the router so we can look again?
05-11-2019 01:56 PM
Thanks, it does not change anything though.
By the way, I updated my message under the ACL: "It does not do anything. When I remove "permit ip any any", it works, except my VPCS cannot ping 72.145.30.1 anymore."
Here are the configs:
ffw.lim.rt01#show running-config
Building configuration...

Current configuration : 3963 bytes
!
! Last configuration change at 20:51:59 UTC Sat May 11 2019
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ffw.lim.rt01
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
no process cpu autoprofile hog
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
no cdp run
!
ip tcp synwait-time 5
!
interface GigabitEthernet0/0
 ip address 72.145.30.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.0.1.1 255.255.255.240
 ip access-group 102 out
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.0.1.17 255.255.255.248
 ip access-group 101 out
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 permit 10.0.1.0 0.0.0.15
access-list 1 permit 10.0.1.16 0.0.0.7
access-list 101 deny ip 10.0.1.16 0.0.0.7 10.0.1.0 0.0.0.15
access-list 102 deny ip 10.0.1.0 0.0.0.15 10.0.1.16 0.0.0.7
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end
ffw.lim.sw01#sh run
Building configuration...

*May 11 20:54:18.539: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 4081 bytes
!
! Last configuration change at 20:54:18 UTC Sat May 11 2019
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname ffw.lim.sw01
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ip routing
!
no ip cef
no ipv6 cef
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0
 switchport trunk allowed vlan 10,20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/3
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/0
 switchport access vlan 20
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/1
 switchport access vlan 10
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/2
 switchport access vlan 10
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/3
 switchport access vlan 10
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet2/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet2/1
 media-type rj45
 negotiation auto
!
interface GigabitEthernet2/2
 media-type rj45
 negotiation auto
!
interface GigabitEthernet2/3
 media-type rj45
 negotiation auto
!
interface GigabitEthernet3/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet3/1
 media-type rj45
 negotiation auto
!
interface GigabitEthernet3/2
 media-type rj45
 negotiation auto
!
interface GigabitEthernet3/3
 media-type rj45
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan20
 no ip address
 no ip route-cache
 shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
 login
!
end
05-11-2019 02:06 PM
Am I missing some info here? Where is your default gateway pointing to?
05-11-2019 02:12 PM
On the router? I don't have one.
05-11-2019 03:26 PM - edited 05-11-2019 03:28 PM
Try changing the direction from out to in.
Also the source IP should be 10.0.1.0
05-11-2019 04:56 PM
Thank you very much.
This works:
access-list 101 deny ip 10.0.1.16 0.0.0.7 10.0.1.0 0.0.0.15
access-list 101 permit ip any any
access-list 102 deny ip 10.0.1.0 0.0.0.15 10.0.1.16 0.0.0.7
access-list 102 permit ip any any
int g0/1.10
 ip access-group 102 in
int g0/1.20
 ip access-group 101 in
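The thread shows the symptom but not the mechanism. An outbound ACL on g0/1.20 sees packets leaving toward VLAN 20, so their source is a VLAN 10 host and their destination is in 10.0.1.16/29; the deny entry in ACL 101 names VLAN 20 hosts as the source and therefore never matches, and the same holds for ACL 102 on g0/1.10. Removing "permit ip any any" then leaves only the implicit deny, which drops everything leaving those subinterfaces, including NAT return traffic from 72.145.30.1. Bound inbound, the same entries see the VLAN's own hosts as source and match as intended. The following Python model replays both placements over constructed flows; it is an added example, not code from the thread. Subnets, interface names, ACL numbers and the NAT outside address come from the posted running-config; the VPCS addresses 10.0.1.2 and 10.0.1.18 and the flow list are assumptions made for the example.

```python
"""Model of Cisco IOS extended-ACL matching and 'in'/'out' binding.
Added illustration for the thread above, not code from the original post;
addresses and ACL numbers come from the posted config, the VPCS addresses
and flows are constructed sample input."""
import ipaddress

# Connected subnets from the posted running-config.  The router has no
# default route (the poster confirms this), so anything else is unroutable.
SUBNETS = {
    "g0/0":    ipaddress.ip_network("72.145.30.0/30"),
    "g0/1.10": ipaddress.ip_network("10.0.1.0/28"),
    "g0/1.20": ipaddress.ip_network("10.0.1.16/29"),
}
NAT_OUTSIDE, NAT_OUTSIDE_ADDR = "g0/0", "72.145.30.2"  # overload on g0/0

def wildcard_match(addr, base, wildcard):
    """IOS wildcard: a 1 bit means 'don't care'.  Masking both sides also
    reproduces IOS normalising '10.0.1.17 0.0.0.7' to '10.0.1.16 0.0.0.7'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines (protocol ip only)
    into {N: [(action, (src, wildcard), (dst, wildcard)), ...]}."""
    def take(tok):
        if tok[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), tok[1:]
        if tok[0] == "host":
            return (tok[1], "0.0.0.0"), tok[2:]
        return (tok[0], tok[1]), tok[2:]
    acls = {}
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = take(tok[4:])
        dst, _ = take(rest)
        acls.setdefault(int(tok[1]), []).append((tok[2], src, dst))
    return acls

def acl_permits(aces, src, dst):
    """First matching entry wins; no match falls into the implicit deny."""
    for action, (sb, sw), (db, dw) in aces:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

def iface_for(addr):
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in SUBNETS.items() if ip in net), None)

def forward(acls, bindings, src, dst):
    """Walk one packet through the router; `bindings` maps (interface, 'in'|'out')
    to an ACL number.  Inside->outside order is input ACL, routing, NAT, output ACL,
    so an outbound ACL on g0/0 sees the translated source; a return packet's `dst`
    is the inside host because NAT un-translates before the output ACL."""
    ingress, egress = iface_for(src), iface_for(dst)
    if ingress is None or egress is None:
        return False, "no route"
    n = bindings.get((ingress, "in"))
    if n is not None and not acl_permits(acls[n], src, dst):
        return False, f"denied by ACL {n} in on {ingress}"
    out_src = NAT_OUTSIDE_ADDR if egress == NAT_OUTSIDE else src
    n = bindings.get((egress, "out"))
    if n is not None and not acl_permits(acls[n], out_src, dst):
        return False, f"denied by ACL {n} out on {egress}"
    return True, f"{ingress} -> {egress}"

# ACL bodies from the thread, with and without the explicit final permit.
ACES = [
    "access-list 101 deny ip 10.0.1.16 0.0.0.7 10.0.1.0 0.0.0.15",
    "access-list 101 permit ip any any",
    "access-list 102 deny ip 10.0.1.0 0.0.0.15 10.0.1.16 0.0.0.7",
    "access-list 102 permit ip any any",
]
WITH_PERMIT = parse_acl(ACES)
DENY_ONLY = parse_acl([l for l in ACES if " deny " in l])
OUT_BINDINGS = {("g0/1.10", "out"): 102, ("g0/1.20", "out"): 101}  # first attempt
IN_BINDINGS = {("g0/1.10", "in"): 102, ("g0/1.20", "in"): 101}     # accepted fix

# Constructed flows: a VPCS at 10.0.1.2 (VLAN 10), one at 10.0.1.18 (VLAN 20),
# fai.rt01 at 72.145.30.1, and the echo reply after NAT un-translation.
FLOWS = {
    "vlan10->vlan20": ("10.0.1.2", "10.0.1.18"),
    "vlan20->vlan10": ("10.0.1.18", "10.0.1.2"),
    "vlan10->fai":    ("10.0.1.2", "72.145.30.1"),
    "fai->vlan10":    ("72.145.30.1", "10.0.1.2"),
}

def evaluate(acls, bindings):
    """{flow name: permitted?} for one ACL placement."""
    return {name: forward(acls, bindings, *f)[0] for name, f in FLOWS.items()}

if __name__ == "__main__":
    for label, acls, b in [("out + permit any any", WITH_PERMIT, OUT_BINDINGS),
                           ("out, implicit deny only", DENY_ONLY, OUT_BINDINGS),
                           ("in + permit any any", WITH_PERMIT, IN_BINDINGS)]:
        print(label, evaluate(acls, b))
```

Running it reproduces the three states reported in the thread: the outbound placement with the explicit permit blocks nothing, the outbound placement without it blocks inter-VLAN traffic but also the reply from 72.145.30.1, and the inbound placement blocks only VLAN 10 to VLAN 20 and back. The model covers protocol "ip" entries only and, like an IOS numbered ACL, is stateless; a reply is permitted or denied on its own merits, not because a request went out.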
05-11-2019 05:24 PM