04-27-2011 02:17 PM - edited 03-06-2019 04:49 PM
Hello all,
I've been working on this for a while now and have tried different configurations but cannot figure out what I'm missing.
It's pretty simple, I think...
I have (1) 1841 router and (1) 2960 24 port switch. Ports 1-12 are on VLAN1 and ports 13-24 are on VLAN5
VLAN1 is on 192.168.1.0 subnet and VLAN5 is on 192.168.10.0 subnet
All I would like to do is keep them separated. I don't want one to see the other and vice versa.
Right now anything on VLAN5 can't ping VLAN1 but... VLAN1 can ping VLAN5. So I'm close, I think, but not quite there yet.
Below is the config from the router. Please let me know if any of you sees something obvious or has any ideas I could try.
Thanks!
Building configuration...
Current configuration : 5204 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname lucee
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.124-25c.bin
boot-end-marker
!
enable secret 5 $1$ZfZj$Pa/Fh8QWAWCx.eYdkYwsC/
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
no ip cef
!
!
ip auth-proxy max-nodata-conns 10
ip admission max-nodata-conns 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.31 192.168.1.254
!
ip dhcp pool gresham
network 192.168.1.0 255.255.255.0
dns-server 64.100.100.100 64.100.100.00
default-router 192.168.1.1
lease 2
!
!
no ip domain lookup
!
!
crypto pki trustpoint TP-self-signed-3233092784
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3233092784
revocation-check none
rsakeypair TP-self-signed-3233092784
!
!
crypto pki certificate chain TP-self-signed-3233092784
certificate self-signed 01
3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
D466549E 1EA208B3 829B1915 499E00EE 502BD8A5 A7252C6A C99321AD A2D31E90
A56DE969 BBD5184F 25FFEC8A 01E68C33 7C3B3682 EAAD3318 65E19EF5 20FBD087 45
quit
username nameHere password 7 0476
username nameHere privilege 15 password 7 0029
username nameHere privilege 15 password 7 050C
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group groupNameHere
key xxxxx
pool vpnpool
acl 102
crypto isakmp profile ISAKMPprof
match identity group groupNameHere
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
virtual-template 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSecprof
set transform-set ESP-3DES-SHA
set isakmp-profile ISAKMPprof
!
!
!
!
interface FastEthernet0/0
no ip address
ip virtual-reassembly
duplex auto
speed auto
no keepalive
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0 secondary
ip address 00.0.000.00 255.255.255.224
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface FastEthernet0/0.5
encapsulation dot1Q 5
ip address 192.168.10.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface FastEthernet0/1
no ip address
ip virtual-reassembly
shutdown
duplex auto
speed auto
no keepalive
!
interface Serial0/0/0
no ip address
encapsulation frame-relay IETF
no ip mroute-cache
service-module t1 timeslots 1-24
service-module t1 fdl both
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
ip address negotiated
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
ppp chap hostname 558
ppp chap password 7 115A4C
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
!
interface Virtual-Template3 type tunnel
ip unnumbered FastEthernet0/0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSecprof
!
ip local pool vpnpool 172.16.1.1 172.16.1.10
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool nat 00.0.000.00 00.0.000.00 netmask 255.255.255.224
ip nat inside source list 105 pool nat overload
!
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 105 deny ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 7 12340
logging synchronous
transport input telnet ssh
!
scheduler allocate 20000 1000
end
04-29-2011 08:34 AM
I don't have a separate DHCP server, I'm just using the router to assign a dhcp address
04-29-2011 08:39 AM
I'll assume you're using the server address 192.168.1.1 (Fa0/0.1)
You will need to allow DHCP requests (UDP 68) to the DHCP server.
Add this to your 111 ACL
Start from scratch(-ish)
no access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit any host 192.168.1.1 eq bootps
no access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
I did it this way so that the order of the access list is maintained. After all the hubbub, it will look like this:
access-list 111 permit any host 192.168.1.1 eq bootps <----Allow DHCP requests to 192.168.1.1
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
Corrected for your convenience
Message was edited by: Antonio Knox
04-29-2011 08:53 AM
Do I need to have
access-list 112 permit ip any host 192.168.1.1 eq bootps
instead of
access-list 112 permit any host 192.168.1.1 eq bootps
The router didn't take the one you suggested.
The PCs that need DHCP go through Fa0/0.1, so wouldn't I want to put that on ACL 111, not ACL 112?
04-29-2011 08:59 AM
Correct on both counts. *ip* was omitted by mistake, I type from the brain, so I miss characters from time to time.
If the hosts that require DHCP are on Fa0/0.1, apply it to 111. I went on an assumption since Fa0/0.5 was the network explicitly blocked.
I'm not my sharpest today. Good catch.
See the updated config above.
04-29-2011 09:43 AM
OK, getting closer.
So when I have the 192.168.1.1 IP address in there it works intermittently. I also tried using the primary address of the router and it also works intermittently.
I can connect, then lose the IP address, then about a minute later it will get the IP address back.
If I change the line to
access-list 111 permit udp any any eq bootps
then it works quickly and keeps the IP address as it should.
But I would think that leaving it "any any" leaves it open for some vulnerability?
Thanks, I'm so close.
04-29-2011 09:47 AM
For functionality, this is a good spot to be in. I don't think that you will have issues with security here, so I would say you're good. I think what happens is the DHCP request is sent to a broadcast address (since no helper is defined) and locking the ACL down to a single IP with no helper address (since it shouldn't be necessary here) may be a problem, especially seeing that no one wants to allow bootps to a broadcast address. Leave it as is and you should be good.
Don't forget to rate for good help, my friend.
Message was edited by: Antonio Knox
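The ACL ordering question from the 08:39 AM post and the broadcast-DHCP explanation above can be checked by replaying the ACL 111 variants against sample traffic. The evaluator below is an added example, not code from this thread or from Cisco IOS. It models only the subset of numbered extended ACL syntax used in the posts (permit/deny, ip/udp/tcp, `any`, `host`, address plus wildcard, `eq <port>`) with IOS first-match semantics and the implicit deny at the end. It assumes ACL 111 is applied inbound on Fa0/0.1 (the thread implies this, but the posted config does not show the access-group line), that `eq bootps` means UDP port 67, that wildcard masks are contiguous, and that a client's initial DHCP DISCOVER arrives from 0.0.0.0 to 255.255.255.255 while a renewal is unicast to 192.168.1.1. The third, tighter ACL is my own suggestion and is not from the thread; all packets are constructed.

```python
"""First-match evaluator for the numbered extended ACLs discussed in the thread.

Added example (not from the thread or from Cisco IOS); it parses the ACL syntax
subset used in the posts and applies IOS first-match semantics plus implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # IOS port keywords -> UDP port numbers


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None when the entry has no "eq" clause

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.IPv4Address(pkt.src) not in self.src:
            return False
        if ipaddress.IPv4Address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


def _network(tokens, i):
    """Parse one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # address + Cisco wildcard; assumes a contiguous wildcard such as 0.0.0.255
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    prefix = 32 - wildcard.bit_length()
    return ipaddress.IPv4Network((tokens[i], prefix), strict=False), i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = t[2], t[3]
    src, i = _network(t, 4)
    dst, i = _network(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl_lines, pkt: Packet) -> str:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace.matches(pkt):
            return ace.action
    return "deny"


# ACL 111 as corrected in the thread (with the "ip" keyword restored).
ACL_HOST_ONLY = [
    "access-list 111 permit udp any host 192.168.1.1 eq bootps",
    "access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 111 permit ip 192.168.1.0 0.0.0.255 any",
]
# The variant the original poster found to work reliably.
ACL_ANY_ANY = [
    "access-list 111 permit udp any any eq bootps",
    "access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 111 permit ip 192.168.1.0 0.0.0.255 any",
]
# Tighter alternative (my suggestion, not from the thread): allow the broadcast
# DISCOVER and unicast renewals to the router, and nothing else on UDP/67.
ACL_TIGHT = [
    "access-list 111 permit udp any host 255.255.255.255 eq bootps",
    "access-list 111 permit udp any host 192.168.1.1 eq bootps",
    "access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 111 permit ip 192.168.1.0 0.0.0.255 any",
]

# Constructed sample traffic arriving inbound on Fa0/0.1 (VLAN1).
SAMPLES = {
    "discover": Packet("udp", "0.0.0.0", "255.255.255.255", 67),     # fresh lease
    "renew": Packet("udp", "192.168.1.20", "192.168.1.1", 67),        # unicast renewal
    "cross_vlan": Packet("icmp", "192.168.1.20", "192.168.10.20"),    # ping to VLAN5
    "cross_vlan_udp67": Packet("udp", "192.168.1.20", "192.168.10.20", 67),
    "internet": Packet("tcp", "192.168.1.20", "198.51.100.7", 443),
}


def results(acl_lines):
    return {name: evaluate(acl_lines, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in [("host-only", ACL_HOST_ONLY), ("any-any", ACL_ANY_ANY), ("tight", ACL_TIGHT)]:
        print(label, results(acl))
```

Running it shows why the host-only ACL behaved intermittently: the broadcast DISCOVER matches no entry and falls to the implicit deny, while unicast renewals to 192.168.1.1 are permitted. It also answers the "any any" worry concretely: because that permit precedes the inter-VLAN deny, a VLAN1 host can still reach UDP/67 on a VLAN5 host, whereas the tighter ACL keeps DHCP working and leaves the VLAN1-to-VLAN5 deny intact for that port too.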
04-29-2011 09:51 AM
Thank you so much! This little issue has been a headache the last few months; I knew it was a simple fix too!
04-29-2011 09:53 AM
But it's always the little stuff that gives us the most grief, right? Happy to be of help to you.