Scenario question
JeanM
Member Posts: 1,117
Hi,
So here is a scenario question; I would like to know what the best practice is, or how you would go about setting this up.
One router with three interfaces: one interface, let's call it fe0/0, is connected to the internet or WAN, and fe1/0 and fe1/1 are available locally. Let's say the WAN interface fe0/0 is 1.1.1.1 and the two local interfaces are fe1/0 192.168.1.1 and fe1/1 192.168.2.1.
The 192.168.1.1 then goes to a L2 switch, vlan address 192.168.1.100
The 192.168.2.1 then goes to another L2 switch, vlan address 192.168.2.100
The fe0/0 is set as ip nat outside, and the fe1/0 and fe1/1 are both set as ip nat inside.
The fe0/0 is set to overload for PAT, and extended access list is configured.
Question is, how can you allow the fe1/0 and fe1/1 to PAT over the fe0/0 but with independent access lists?
For example, I want the fe1/0 to overload the fe0/0 and its access list to allow traffic only between fe0/0 and fe1/0, or 1.1.1.1 <-> 192.168.1.1,
And the fe1/1 to overload the fe0/0 or 1.1.1.1 <-> 192.168.2.1 but I don't want the fe0/0 and fe1/0 to have connectivity?
It seems that both local interfaces can only be set as "ip nat inside", and then they "share" the access list used for PAT for the outside interface?
Is this the right way to do it?
interface FastEthernet0/0
description to WAN
ip address 1.1.1.1 255.255.255.0
ip nat outside
duplex auto
speed auto
!
!
interface FastEthernet1/0
description ForWiredLan
ip address 192.168.1.1 255.255.255.0
ip access-group NOWIFI in
ip access-group NOWIFI out
ip nat inside
duplex auto
speed auto
!
interface FastEthernet1/1
description ForWiFiLan
ip address 192.168.2.1 255.255.255.0
ip access-group NOLAN in
ip access-group NOLAN out
ip nat inside
duplex auto
speed auto
!
ip nat inside source list PAT interface FastEthernet0/0 overload
ip classless
!
!
ip access-list extended NOLAN
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
deny udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
permit udp any any
ip access-list extended NOWIFI
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny udp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip any any
permit udp any any
ip access-list extended PAT
permit ip any any
permit udp any any
The goal for this is to have control over the two "inside" interfaces over the outside interface.
2015 goals - ccna voice / vmware vcp.
Comments
DCD Member Posts: 475
I'm not exactly sure what you're trying to do, but on your NOLAN and NOWIFI you can take off the deny udp; the deny ip will cover the udp. You only need one access group on the F1/0 and F1/1 interfaces.
In the first part of your question you wanted to PAT the two local interfaces, then at the end you say no connectivity.
Hi,
Question is, how can you allow the fe1/0 and fe1/1 to PAT over the fe0/0 but with independent access lists?
For example, I want the fe1/0 to overload the fe0/0 and its access list to allow traffic only between fe0/0 and fe1/0, or 1.1.1.1 <-> 192.168.1.1,
And the fe1/1 to overload the fe0/0, or 1.1.1.1 <-> 192.168.2.1, but I don't want the fe0/0 and fe1/0 to have connectivity?
JeanM Member Posts: 1,117
Hi, the goal is for the two inside interfaces fe1/0 and fe1/1 to overload the one fe0/0 interface, and for the fe1/0 and fe1/1 interfaces to not have connectivity between the two.
2015 goals - ccna voice / vmware vcp.
Jollycork Member Posts: 149
I'm not exactly sure what you're trying to do, but on your NOLAN and NOWIFI you can take off the deny udp; the deny ip will cover the udp. You only need one access group on the F1/0 and F1/1 interfaces.
In the first part of your question you wanted to PAT the two local interfaces, then at the end you say no connectivity.
Hmm, the ACLs are on the outbound interface and you just deny access to the other subnet, deny any any to the other subnet, and vice versa. The default out would be FE 0/0, and each interface is on its own subnet.
The route table knows the subnets, and the ACLs on each of the two interfaces deny traffic to the other subnet but allow it out the gateway of last resort, which then does many-to-one.
DCD Member Posts: 475
You need to add a line to each access list denying the LAN of the other subnet, and you may want to add deny icmp between the wired LAN and the Wi-Fi LAN, and Wi-Fi to wired.