10-06-2018 01:01 AM - edited 03-08-2019 04:19 PM
Hi, I have a 2901 router. My problem is this: in a 192.168.2.0 network the hosts are all on DHCP, and I created a pool that says that the DHCP address for that host must always be the same, because on that address I put a deny rule. But when the host sets a static address and changes it, it connects to the internet. What configuration do I have to do so that even if a static address is set it does not connect to the internet? Thank you.
10-09-2018 03:31 PM - edited 10-09-2018 03:32 PM
Hello
@nettuno8_20111 wrote:
Hello, yes I know, but when the host is on DHCP it cannot connect to the internet; the problem is when you manually change the IP address, it takes another one and connects. I would like to make a configuration of the type that even when you change it manually you cannot connect to the internet. Thank you
conf t
mac access-list extended no-internet
deny host a0f3.c100.0175 any
permit any any
int dialer 1
mac access-group no-internet in
10-06-2018 01:24 AM
Hello,
What do you need... a static DHCP mapping? Post the full config of your 2911...
10-06-2018 09:45 AM
Hello
So please confirm if I have understood:
You have created a DHCP static mapping for a host, and that host does not connect to the internet.
However, if you put the IP address manually on the host, it does connect to the internet?
10-06-2018 11:41 AM
So, you are saying that if a static address is configured instead of DHCP address, the host is somehow able to bypass the access list and access the internet? You want access to the internet to be denied regardless of DHCP or static configuration on the host?
Could you please elaborate more and post the configs?
10-07-2018 03:27 AM
Hello, sorry if I did not send you the configuration in time; I could not send the configuration. Yes, anyway, it is as you say...
10-08-2018 09:37 AM
iro(config)#do show running-config
Building configuration...
Current configuration : 3798 bytes
!
! Last configuration change at 15:58:10 UTC Mon Oct 8 2018
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ciro
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.2
ip dhcp excluded-address 192.168.2.17 192.168.2.18
ip dhcp excluded-address 192.168.2.49 192.168.2.50
!
ip dhcp pool vlan-2
network 192.168.2.16 255.255.255.240
default-router 192.168.2.30
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip dhcp pool vlan-1
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.60
lease infinite
!
ip dhcp pool vlan-4
network 192.168.2.48 255.255.255.240
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.2.62
lease infinite
!
ip dhcp pool deny
host 192.168.1.50 255.255.255.0
client-identifier 01a0.f3c1.0001.75
default-router 192.168.1.60
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
!
ip host ciro-isp 192.168.10.2
ip host voice-voip 192.168.10.1
ip name-server 109.232.88.3
ip name-server 109.232.88.4
ip name-server 192.168.10.2
ip name-server 192.168.10.1
ip ddns update method dyndns
HTTP
add http://ciro15:ciro150182@update.dyndns.it/nic/update?system=dyndns&hostname=vegeta.homepc.it
interval maximum 24 0 0 0
interval minimum 24 0 0 0
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2901/K9 sn FCZ1523C0C1
!
!
vtp mode transparent
!
!
vlan 2
!
vlan 3
name ciro
!
vlan 4,11
!
!
!
!
!
interface Tunnel0
ip address 192.168.3.2 255.255.255.252
tunnel source Dialer1
tunnel destination 95.250.159.118
!
interface Port-channel2
switchport mode trunk
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
no ip address
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1.11
encapsulation dot1Q 11
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0/0
switchport access vlan 11
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
switchport access vlan 2
!
interface FastEthernet0/0/3
switchport access vlan 4
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
standby version 2
standby 1 ip 192.168.1.60
standby 1 name vlan-1
!
interface Vlan2
ip address 192.168.2.18 255.255.255.240
ip nat inside
ip virtual-reassembly
standby version 2
standby 1 ip 192.168.2.30
standby 1 name vlan-2
!
interface Vlan4
ip address 192.168.2.50 255.255.255.240
ip nat inside
ip virtual-reassembly
standby version 2
standby 1 ip 192.168.2.62
standby 1 name vlan-4
!
interface Vlan11
ip address 192.168.10.2 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface Dialer1
mtu 1492
ip ddns update hostname vegeta.homepc.it.dyndns.it
ip ddns update dyndns
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp pap sent-username aliceadsl password 0 aliceadsl
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.30 34599 interface Dialer1 34599
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.2.16 255.255.255.240 Tunnel0
!
access-list 101 deny ip host 192.168.1.50 any
access-list 101 permit tcp host 34.255.218.242 eq www any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
!
!
!
control-plane
!
!
line con 0
password ciro
login
line aux 0
line vty 0
password ciro
login
line vty 1 4
login
!
scheduler allocate 20000 1000
end
ciro(config)#
10-08-2018 05:25 PM
Thanks for the config.
Firstly, you might want to unmark the question as resolved so that someone else may be able to assist you.
Secondly, what IP address does the host 192.168.1.50 have when it is able to connect to the internet?
I do see this line:
access-list 101 deny ip host 192.168.1.50 any;
and this:
ip nat inside source list 101 interface Dialer1 overload
which I presume (not 100% sure at the moment) would prevent the translation of host 192.168.1.50 by the NAT process, thereby denying internet access.
If that does not deny the translation, then you would probably realize your objective by taking the appropriate measures on the host, i.e. denying local users the ability to change the host's IP address.
I stand to be corrected.
10-08-2018 07:08 PM
Hello, thanks for answering me. The rule deny 101 192.168.1.50 is the setting to prevent that host from connecting to the internet. I have also created an ip dhcp pool deny so that the host, when receiving the address via DHCP, does not connect to the internet, but when the host in question changes the IP address and takes a free one, it connects to the internet. I would like to make sure that even if the address changes it does not connect to the internet. NAT 101 translates the other hosts that must be connected to the internet.
10-08-2018 07:16 PM
Hello, thanks for answering me. The rule 101 deny 192.168.1.50 is the setting to prevent that host from connecting to the internet. I have also created an ip dhcp pool deny so that the host, when receiving the address via DHCP, does not connect to the internet; however, when the host in question changes the IP address and takes a free one, it connects to the internet. I would like to make sure that even if the address changes, it does not connect to the internet. NAT 101 translates the other hosts that must be connected to the internet.
10-08-2018 09:26 PM
You seem to have done it the right way. In your 'deny' DHCP pool have you tried the hardware-address command instead of the client-identifier command?
10-09-2018 09:16 AM
Hello, yes I know, thanks. When the host is on DHCP it cannot connect to the internet, but the problem is when you change it manually, it puts another one and connects. I would like to make a configuration of the type that even when you change it manually can connect to the internet. Thank you
10-09-2018 01:12 AM - edited 10-09-2018 01:16 AM
Hello
@nettuno8_20111 wrote:
ip dhcp excluded-address 192.168.1.1 192.168.1.2
ip dhcp excluded-address 192.168.2.17 192.168.2.18
ip dhcp excluded-address 192.168.2.49 192.168.2.50
!
ip dhcp pool vlan-2
network 192.168.2.16 255.255.255.240
default-router 192.168.2.30
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip dhcp pool vlan-1
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.60
lease infinite
!
ip dhcp pool vlan-4
network 192.168.2.48 255.255.255.240
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.2.62
lease infinite
!
ip dhcp pool deny
host 192.168.1.50 255.255.255.0
client-identifier 01a0.f3c1.0001.75
default-router 192.168.1.60
dns-server 8.8.8.8 8.8.4.4
lease infinite
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.30 34599 interface Dialer1 34599
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.2.16 255.255.255.240 Tunnel0
access-list 101 deny ip host 192.168.1.50 any
here is the configuration .... when the host 192.168.1.50 changes IP it connects to the internet. I have to make sure that even when the host changes IP it does not connect to the internet. thank you
This is because you have excluded that host from your NAT translation, hence when you change its IP address it is able to get NATted and access the internet.
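The point made above (the NAT ACL matches on the source IP alone, while the DHCP reservation pins the address only for a host that actually asks DHCP) can be checked mechanically. The following script is an added example, not code posted by anyone in this thread: it parses a constructed excerpt of the posted config, evaluates ACL 101 the way IOS does (first match, implicit deny at the end, layer-4 ports ignored here), and flags any NAT deny that relies on a reserved DHCP address by showing that the next address up is still translated. The neighbour address it tests is constructed for the demonstration, not a host from the config.

```python
"""Audit a Cisco IOS config for NAT ACL denies that rely on a DHCP reservation.

Added example for this thread, not code posted in it. Parses only the syntax in
the posted config: numbered extended ACL sources written as 'host X',
'NET WILDCARD' or 'any'; 'ip dhcp pool' blocks with 'host' plus
'client-identifier'/'hardware-address'; 'ip nat inside source list N'.
"""
import ipaddress
import re

# Constructed excerpt of the config posted in the thread (relevant lines only).
SAMPLE_CONFIG = """\
ip dhcp pool deny
 host 192.168.1.50 255.255.255.0
 client-identifier 01a0.f3c1.0001.75
 default-router 192.168.1.60
!
ip nat inside source list 101 interface Dialer1 overload
access-list 101 deny ip host 192.168.1.50 any
access-list 101 permit tcp host 34.255.218.242 eq www any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
"""

ACL_RE = re.compile(
    r"^access-list (?P<num>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?:host (?P<host>\S+)|(?P<any>any)|(?P<net>\S+) (?P<wild>\S+))"
)
POOL_RE = re.compile(r"^ip dhcp pool (\S+)")


def parse_acl(config, number):
    """Entries of numbered ACL `number`, in order: (action, proto, source_net)."""
    entries = []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m or int(m.group("num")) != number:
            continue
        if m.group("host"):
            net = ipaddress.ip_network(m.group("host") + "/32")
        elif m.group("any"):
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # IOS wildcard: 0 bits must match, so the netmask is its inverse.
            wild = int(ipaddress.ip_address(m.group("wild")))
            mask = str(ipaddress.ip_address((~wild) & 0xFFFFFFFF))
            net = ipaddress.ip_network((m.group("net"), mask), strict=False)
        entries.append((m.group("action"), m.group("proto"), net))
    return entries


def nat_decision(entries, src_ip, proto="ip"):
    """First-match evaluation for one source address; no match is the
    implicit deny IOS puts at the end of every ACL (no translation)."""
    src = ipaddress.ip_address(src_ip)
    for action, entry_proto, net in entries:
        if entry_proto in ("ip", proto) and src in net:
            return action
    return "deny"


def dhcp_reservations(config):
    """Map reserved IP -> (pool name, binding line) for pools that pin a host."""
    reservations, pool, host = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        m = POOL_RE.match(line)
        if m:
            pool, host = m.group(1), None
            continue
        if line == "!":
            pool, host = None, None
            continue
        words = line.split()
        if not (pool and words):
            continue
        if words[0] == "host":
            host = words[1]
        elif host and words[0] in ("client-identifier", "hardware-address"):
            reservations[host] = (pool, line)
    return reservations


def audit(config):
    """Flag NAT-ACL host denies that hold only while the host keeps its reserved
    DHCP address. The reservation ties IP to MAC solely for DHCP clients, so a
    host that configures any other address in the permitted range is translated;
    each finding demonstrates that with the next address up (constructed)."""
    findings = []
    reservations = dhcp_reservations(config)
    for m in re.finditer(r"^ip nat inside source list (\d+)", config, re.M):
        acl = int(m.group(1))
        entries = parse_acl(config, acl)
        for action, _proto, net in entries:
            if action != "deny" or net.prefixlen != 32:
                continue
            ip = str(net.network_address)
            if ip not in reservations:
                continue
            neighbour = str(ipaddress.ip_address(ip) + 1)
            findings.append({"acl": acl, "denied_ip": ip,
                             "pool": reservations[ip][0],
                             "neighbour": neighbour,
                             "neighbour_decision": nat_decision(entries, neighbour)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"ACL {f['acl']} denies {f['denied_ip']} (DHCP pool '{f['pool']}'); "
              f"NAT decision for {f['neighbour']}: {f['neighbour_decision']}")
```

Running it against the excerpt reports that 192.168.1.50 is denied but 192.168.1.51 is permitted, which is exactly the bypass described in the thread. The design lesson for a defender is that a source IP is not an identity for a host the user controls: the control has to key on something the router assigns rather than the host chooses (the switch port, or a layer-2 binding as in the accepted answer), and IP-only denies in a NAT ACL should be treated as convenience, not enforcement.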
10-09-2018 09:19 AM
Hello, yes I know, but when the host is on DHCP it cannot connect to the internet; the problem is when you manually change the IP address, it takes another one and connects. I would like to make a configuration of the type that even when you change it manually you cannot connect to the internet. Thank you