11-18-2012 04:31 AM - edited 03-07-2019 10:06 AM
Good day!
We've got 5 remote offices with cisco 881 routers, Win Clients behind them and all routers connected via vpn site-to-site to central software router.
Mostly all clients recieve ip addresses from routers in their subnets 192.168.x.0\24
We have Win DHCP Server in subnet 192.168.181.0\24
The problem is that some of clients,physically sutuated in 192.168.10.0\24 subnet, recieve ip addresses from Win DHCP server from 192.168.181.0\24 subnet.
Here's part of cisco cfg:
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 89.104.102.226 255.255.255.240
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip route-cache same-interface
ip route-cache policy
duplex auto
speed auto
crypto map vpn
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 192.168.110.110 255.255.255.0
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.10.12 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat pool NEW 89.104.102.226 89.104.102.226 prefix-length 24
ip nat inside source list 100 pool NEW overload
ip nat inside source static tcp 192.168.10.4 1723 89.104.102.226 1723 extendable
ip nat inside source static tcp 192.168.10.140 3306 89.104.102.226 3306 extendable
ip nat inside source static tcp 192.168.10.4 3389 89.104.102.226 3389 extendable
ip nat inside source static tcp 192.168.10.11 8081 89.104.102.226 8081 extendable
ip route 0.0.0.0 0.0.0.0 89.104.102.225
!
logging esm config
access-list 100 deny udp any any range bootps bootpc
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny udp any any eq bootpc
access-list 102 deny udp any any eq bootps
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
no cdp run
!
!
!
!
route-map IPSEC-TRAF permit 10
match ip address 102
set interface FastEthernet4
!
!
According to ACL's traffic going from 67 and 68 ports should be blocked but somehow it isn't blocking, what am I doing wrong?
11-18-2012 06:13 AM
Hi,
If clients on Vlan1 subnet 192.168.10.0/24 then you need to just add under VLAN1 ip helper-address. Because your DHCP server on another subnet.
int Vlan1
ip add 192.168.10.12 255.255.255.0
ip helper-address 192.168.181.x
Please rate helpful posts.
Sent from Cisco Technical Support iPhone App
11-18-2012 06:35 AM
And if you want to block packets as per ACL 100. Put it under interface VLAN 1.
Int Vlan1
ip access-group 100 in
But in this way clients on subnet 192.168.10.0/24 will not get their IP addresses.
Sent from Cisco Technical Support iPhone App
11-19-2012 01:08 AM
hello! thank you for your answer.
I want to block packets from local subnet to DHCP server in 192.168.181.0 subnet because the cisco's routers have functions of dhcp-servers for their subnets..
Maybe it's possible to make some firewall rulle on software router vyatta?
Which ACL we should use for Vlan1 :100 or 102 ?
When i map 100's acl to Vlan 1 interface, i loose connection to this local subnet from other subnets
I actually can't understand how this broadcast requests pass through VPN tunnela and routing?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: