cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
723
Views
0
Helpful
6
Replies

Restrict Guest/BYOD Network Access

tvmfssrv9
Level 1
Level 1

We received a preconfigured router, however it was not configured correctly. Initially, our Guest and BYOD VLANs had no access to the internet. I added


access-list 130 permit ip 192.168.2.0 0.0.0.255 any
access-list 130 permit ip 192.168.3.0 0.0.0.255 any

And as expected, there is now internet access, but there is also access to  our internal network. Do I need to create a separate route-map or setup access groups? Or can I only allow traffic to 0.0.0.0 somehow instead of any? Or would I have to create deny rules?

Also the port forwarding doesn't work,  but I'm not sure this is the right place to ask about it.

The config

Building configuration...

Current configuration : 7506 bytes
!

!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NAME
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 172.17.43.1 172.17.43.75
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool V
network 172.17.43.0 255.255.255.0
default-router 172.17.43.1
dns-server 10.15.48.1 172.17.42.4 8.8.8.8
lease 15
!
ip dhcp pool V2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 172.17.43.7 8.8.8.8
lease 45
!
ip dhcp pool V3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 8.8.8.8
!
!
!
ip domain name Domain.local
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 5
local name FS
ip mtu adjust
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-436626869
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-436626869
revocation-check none
rsakeypair TP-self-signed-436626869
!
!
crypto pki certificate chain TP-self-signed-436626869
certificate self-signed 01

quit
!
!
username user1 privilege 15 secret 5
username user2 privilege 7 password 0
username user3 privilege 15 secret 5
username user4 privilege 15 secret 5
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800

!
!
crypto ipsec transform-set TRANSFORMZ esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set TRANSFORMY esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map FMAP 10 ipsec-isakmp
set peer 2.3.4.5
set transform-set TRANSFORMZ
match address 111
crypto map FMAP 20 ipsec-isakmp
set peer 1.2.3.4
set transform-set TRANSFORMY
match address 113
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN Interface
ip address x.x.x.x 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map FMAP
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1.1
description LAN Interface
encapsulation dot1Q 1 native
ip address 172.17.43.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface GigabitEthernet0/1.2
description LAN Interface BYOD
encapsulation dot1Q 5
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface GigabitEthernet0/1.3
description LAN Interface FSS-Guest
encapsulation dot1Q 6
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface Virtual-Template5
ip unnumbered GigabitEthernet0/0
peer default ip address pool PPTP-POOL
ppp encrypt mppe auto
ppp authentication ms-chap-v2
!
ip local pool PPTP-POOL 10.20.100.1 10.20.100.254
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.17.43.7 1194 x.x.x.x 1194 extendable
ip nat inside source static udp 172.17.43.7 1194 x.x.x.x 1194 extendable
ip route 0.0.0.0 0.0.0.0 5.5.5.1
!
!
route-map NONAT permit 10
match ip address 130
!
!
access-list 1 permit 172.17.43.0 0.0.0.255
access-list 23 permit 3.4.5.6
access-list 23 permit 5.4.3.2
access-list 23 permit 4.3.2.1
access-list 23 permit 172.17.43.0 0.0.0.255
access-list 23 permit 8.7.6.5 0.0.0.1
access-list 23 permit 7.6.5.4 0.0.0.1
access-list 23 permit 9.8.7.6 0.0.0.1
access-list 111 permit ip 172.17.43.0 0.0.0.255 10.15.48.0 0.0.0.255
access-list 113 permit ip 172.17.43.0 0.0.0.255 172.17.42.0 0.0.0.255
access-list 130 deny ip 172.17.43.0 0.0.0.255 10.15.48.0 0.0.0.255
access-list 130 deny ip 172.17.43.0 0.0.0.255 172.17.42.0 0.0.0.255
access-list 130 permit ip 172.17.43.0 0.0.0.255 any
access-list 130 permit ip 192.168.2.0 0.0.0.255 any
access-list 130 permit ip 192.168.3.0 0.0.0.255 any
!
control-plane
!
!
banner motd ^CCCCC


******************************************
* LEGAL NOTICE *
******************************************


blahblah
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

1 Accepted Solution

Accepted Solutions

Hi,

You need to use access-list 130 to control traffic between your internal network and BYOD network. Create another access list for nat.

Thanks

John

**Please rate posts you find helpful**

View solution in original post

6 Replies 6

johnd2310
Level 8
Level 8

Hi,

You can create deny rules for traffic from BYOD  to Internal network at the top of access-list 130.

Thanks

John

**Please rate posts you find helpful**

Thanks, that should be pretty simple. However, I'm trying to give BYOD access to a DNS server on 172.17.43.0

This is what I'm trying to enter

configure terminal
ip access-list extended 130
33 permit ip 192.168.2.0 0.0.0.255 host 172.17.43.7 eq domain

But it gives me "Invalid input detected" at eq and I don't have the faintest clue why. If I run it with ? instead of eq, it gives me

dscp
fragments 
log 
log-input 
option 
precedence 
reflect 
time-range 
tos 
ttl 

Oh, I see, I need to specify udp or tcp instead of just ip.

Now for my port forwarding, do I need to create a new route map linked to another access list in order for it to work? 

Hi,

You need to use access-list 130 to control traffic between your internal network and BYOD network. Create another access list for nat.

Thanks

John

**Please rate posts you find helpful**

This is what the 130 access list looks like now. But, the 192.168.2.0 network still has full access to 172.17.43.0. Any ideas?

access-list 130 deny   ip 172.17.43.0 0.0.0.255 10.15.48.0 0.0.0.255
access-list 130 deny   ip 172.17.43.0 0.0.0.255 172.17.42.0 0.0.0.255
access-list 130 permit ip 172.17.43.0 0.0.0.255 any
access-list 130 permit udp 192.168.2.0 0.0.0.255 eq domain host 172.17.43.7
access-list 130 permit udp 192.168.2.0 0.0.0.255 host 172.17.43.7 eq domain
access-list 130 permit tcp 192.168.2.0 0.0.0.255 host 172.17.43.7 eq domain
access-list 130 permit tcp 192.168.2.0 0.0.0.255 eq domain host 172.17.43.7
access-list 130 deny   ip 192.168.2.0 0.0.0.255 172.17.43.0 0.0.0.255
access-list 130 permit ip 192.168.2.0 0.0.0.255 any
access-list 130 permit ip 192.168.3.0 0.0.0.255 any

Hi,

Which interface is access-list 130 applied?

Thanks

John

**Please rate posts you find helpful**
Review Cisco Networking for a $25 gift card