  #1 JeanM (Senior Member, California; joined Mar 2012; CCNA, MCP, S+, N+, A+)

    Scenario question

    Hi,

    So here is a scenario question, would like to know what is the best practice or how you would go about setting this up.

    1 router with 3 interfaces, one interface let's call it fe0/0 is connected to the internet or wan, and the fe1/0 and fe1/1 are available locally. Let's say the wan interface fe0/0 is 1.1.1.1 and the two local interfaces are fe1/0 192.168.1.1 and fe1/1 192.168.2.1.

    The 192.168.1.1 then goes to a L2 switch, vlan address 192.168.1.100
    The 192.168.2.1 then goes to another L2 switch, vlan address 192.168.2.100

    The fe0/0 is set as ip nat outside, and the fe1/0 and fe1/1 are both set as ip nat inside.
    The fe0/0 is set to overload for PAT, and extended access list is configured.

    Question is, how can you allow the fe1/0 and fe1/1 to PAT over the fe0/0 but with independent access lists?
    For example, I want the fe1/0 to overload the fe0/0 and its access list to allow traffic only between fe0/0 and fe1/0, or 1.1.1.1 <-> 192.168.1.1,
    and the fe1/1 to overload the fe0/0, or 1.1.1.1 <-> 192.168.2.1, but I don't want the fe0/0 and fe1/0 to have connectivity?

    It seems that both local interfaces can only be set as "ip nat inside", and then they "share" the access list used for PAT for the outside interface?

    Is this the right way to do it?

    interface FastEthernet0/0
    description to WAN
    ip address 1.1.1.1 255.255.255.0
    ip nat outside
    duplex auto
    speed auto
    !
    !
    interface FastEthernet1/0
    description ForWiredLan
    ip address 192.168.1.1 255.255.255.0
    ip access-group NOWIFI in
    ip access-group NOWIFI out
    ip nat inside
    duplex auto
    speed auto
    !
    interface FastEthernet1/1
    description ForWiFiLan
    ip address 192.168.2.1 255.255.255.0
    ip access-group NOLAN in
    ip access-group NOLAN out
    ip nat inside
    duplex auto
    speed auto
    !
    ip nat inside source list PAT interface FastEthernet0/0 overload
    ip classless
    !
    !
    ip access-list extended NOLAN
    deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    deny udp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip any any
    permit udp any any


    ip access-list extended NOWIFI
    deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny udp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip any any
    permit udp any any


    ip access-list extended PAT
    permit ip any any
    permit udp any any



    The goal for this is to have control over the two "inside" interfaces over the outside interface.
    Last edited by JeanM; 01-05-2015 at 05:01 PM.

  #2 DCD (Senior Member, San Francisco, CA; joined Jan 2013; CCNA)
    I'm not exactly sure what you're trying to do, but on your NOLAN and NOWIFI you can take off the deny udp; the deny ip will cover the udp. You only need one access group on the F1/0 and F1/1 interface.
    In the first part of your question you wanted to PAT the two local interfaces, then at the end you say no connectivity.

    Quote Originally Posted by JeanM View Post
    Hi,

    Question is, how can you allow the fe1/0 and fe1/1 to PAT over the fe0/0 but with independent access lists?
    For example, I want the fe1/0 to overload the fe0/0 and its access list to allow traffic only between fe0/0 and fe1/0, or 1.1.1.1 <-> 192.168.1.1,
    and the fe1/1 to overload the fe0/0, or 1.1.1.1 <-> 192.168.2.1, but I don't want the fe0/0 and fe1/0 to have connectivity?

  #3 JeanM (Senior Member, California; joined Mar 2012; CCNA, MCP, S+, N+, A+)
    Hi, the goal is for the two inside interfaces fe1/0 and fe1/1 to overload the one fe0/0 interface, and for the fe1/0 and fe1/1 interfaces to not have connectivity between the two.

  #4 Senior Member (Chicago, Illinois; joined Jul 2010; MCSE:2003 / CCNA/A+)
    Quote Originally Posted by DCD View Post
    I'm not exactly sure what you're trying to do, but on your NOLAN and NOWIFI you can take off the deny udp; the deny ip will cover the udp. You only need one access group on the F1/0 and F1/1 interface.
    In the first part of your question you wanted to PAT the two local interfaces, then at the end you say no connectivity.
    Hmm, the ACLs are on the outbound interface and you just deny access to the other subnet (deny any any to the other subnet), and vice versa. The default out would be FE 0/0... and each interface is on its own subnet.

    The route table knows the subnets, and the ACLs on each of the 2 interfaces deny traffic to the other subnet but allow it out the gateway of last resort, which then does many-to-one.

  #5 DCD (Senior Member, San Francisco, CA; joined Jan 2013; CCNA)
    You need to add a line to each access list denying the LAN of the other subnet, and you may want to add deny ICMP between the wired LAN and the WiFi LAN, and WiFi to wired.
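A consolidated version of the setup the replies converge on, added here as an example and not a config anyone posted in the thread. The interface names and addresses are JeanM's; the tightened PAT list, the single inbound ACL per inside interface and the verification commands are my additions.

```cisco
! Added example, not the thread's posted config.
! One inbound ACL per "ip nat inside" interface keeps wired and WiFi apart;
! both still reach the WAN through the same overloaded fe0/0 address.
interface FastEthernet0/0
 description to WAN
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
!
interface FastEthernet1/0
 description ForWiredLan
 ip address 192.168.1.1 255.255.255.0
 ip access-group NOWIFI in
 ip nat inside
!
interface FastEthernet1/1
 description ForWiFiLan
 ip address 192.168.2.1 255.255.255.0
 ip access-group NOLAN in
 ip nat inside
!
! Translate only the two inside subnets instead of "permit ip any any".
ip access-list extended PAT
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
ip nat inside source list PAT interface FastEthernet0/0 overload
!
! Wired LAN: block the WiFi subnet (including its gateway 192.168.2.1),
! then permit only packets sourced from the wired subnet itself.
! "deny ip" already covers tcp, udp and icmp; no separate deny lines needed.
ip access-list extended NOWIFI
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! WiFi LAN: mirror image of NOWIFI.
ip access-list extended NOLAN
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! Verify from a host on each LAN, then check hit counters and translations:
!   show access-lists NOWIFI
!   show access-lists NOLAN
!   show ip nat translations
!   show ip nat statistics
```

Two points the example relies on. First, NAT only translates traffic that crosses from an `ip nat inside` to an `ip nat outside` interface; a packet from 192.168.1.0/24 to 192.168.2.0/24 enters and leaves on inside interfaces, so it is plain routing between connected subnets and only the ACL stops it. Second, the `out` ACLs in the original config never match anything: traffic leaving fe1/0 has a 192.168.1.0/24 destination, so NOWIFI's deny (source 192.168.1.0, destination 192.168.2.0) cannot hit it and the list falls through to permit, which is why the inbound ACL alone is enough. Restricting the final permit to the interface's own subnet also drops packets with spoofed source addresses. Note that nothing here filters what arrives on fe0/0: unsolicited packets from the WAN fail for lack of a translation entry, but the router's own 1.1.1.1 is still reachable, so an inbound ACL on fe0/0 belongs in a real deployment.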
