[c-nsp] separate two directly connected networks on a Cisco 1800 series ISR?

Darren O'Connor darrenoc at outlook.com
Wed Aug 28 08:58:00 EDT 2013


You could use ZBF on the firewall. Create two zones. One zone is allowed access to another, including return traffic. Traffic originated from the other side is denied.

Thanks

Darren
http://www.mellowd.co.uk/ccie


> Date: Wed, 28 Aug 2013 14:20:33 +0300
> From: m4rtntns at gmail.com
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] separate two directly connected networks on a Cisco 1800 series ISR?
> 
> Hi,
> 
> I have a network setup where networks 192.168.1.0/24 and
> 192.168.2.0/24 are served by the same router (Cisco 1841,
> c1841-spservicesk9-mz.124-7a.bin) and while addresses in
> 192.168.1.0/24 are NAT-ed to inside global address 10.10.10.1, the
> 192.168.2.0/24 network is not NAT-ed:
> http://s10.postimg.org/dsn73dzm1/test.png
> 
> I would like to deny access from 192.168.2.0/24 network to
> 192.168.1.0/24. For this reason I have "deny ip 192.168.2.0 0.0.0.255
> 192.168.1.0 0.0.0.255" ACL in inbound direction on interface facing
> the 192.168.2.0/24 network:
> 
> R3#sh ip access-lists 100
> Extended IP access list 100
>     10 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 (456 matches)
>     20 permit ip any any (90 matches)
> R3#
> 
> 
> However, at the same time, one should have access from 192.168.1.0/24
> network to 192.168.2.0/24 network. Because of the ACL described above,
> this obviously does not work as returning packages from 192.168.2.0/24
> network will have src IP from 192.168.2.0/24 network and dst IP from
> 192.168.1.0/24 network and will be dropped by ACL. What are the
> options here? I tried to add second NAT setup which should change the
> src address of those packets which are from 192.168.1.0/24 AND
> destined to 192.168.2.0/24. Configuration for this was following:
> 
> interface Vlan5
>  description -> T42 eth0
>  ip address 192.168.1.1 255.255.255.0
>  ip nat inside
> end
> !
> interface Vlan10
>  description -> T60
>  ip address 192.168.2.1 255.255.255.0
>  ip access-group 100 in
>  ip nat outside
> end
> !
> ip nat inside source list 102 interface Vlan10 overload
> !
> access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> !
> 
> Such an approach seems to work. If I send an ICMP "echo request" package
> from 192.168.1.2 to 192.168.2.2, then it's NAT-ed and for the 192.168.2.2
> host this ICMP "echo request" appears to be from 192.168.2.1.
> 
> 
> In addition, I tried a few setups with policy based routing, but
> eventually none of those worked.
> 
> 
> What is the best approach here? Stick with this NAT solution described
> above? Something completely different to separate two networks behind
> the same router?
> 
> 
> 
> regards,
> Martin
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
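A concrete form of the zone-based firewall setup Darren suggests, as an added example (not configuration from either message in the thread): the interface names are taken from Martin's post, the zone, class-map and policy-map names are assumptions, and it assumes an IOS image that includes the ZBF feature set.

```cisco
! Added example, not configuration from the thread. Zone/policy names are assumptions.
!
! 1. One security zone per network.
zone security NET1        ! 192.168.1.0/24 behind Vlan5
zone security NET2        ! 192.168.2.0/24 behind Vlan10
!
! 2. Class matching the traffic NET1 may initiate; the asymmetry comes
!    from the zone-pairs below, not from this class.
class-map type inspect match-any NET1-TO-NET2-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 3. "inspect" is stateful: replies from 192.168.2.0/24 to sessions opened
!    from 192.168.1.0/24 are allowed by the session table, so no reverse
!    permit (and no second NAT rule) is needed.
policy-map type inspect NET1-TO-NET2-POLICY
 class type inspect NET1-TO-NET2-CLASS
  inspect
 class class-default
  drop log
!
! 4. Anything 192.168.2.0/24 originates toward 192.168.1.0/24 is dropped
!    and logged (a zone-pair with no policy would also drop, but silently).
policy-map type inspect NET2-TO-NET1-POLICY
 class class-default
  drop log
!
! 5. Directional zone-pairs carry the two policies.
zone-pair security NET1-NET2 source NET1 destination NET2
 service-policy type inspect NET1-TO-NET2-POLICY
zone-pair security NET2-NET1 source NET2 destination NET1
 service-policy type inspect NET2-TO-NET1-POLICY
!
! 6. Assign the interfaces; ACL 100 is no longer needed for this purpose.
interface Vlan5
 zone-member security NET1
interface Vlan10
 zone-member security NET2
 no ip access-group 100 in
!
! Check state and drops:
! show policy-map type inspect zone-pair NET1-NET2 sessions
! show policy-map type inspect zone-pair NET2-NET1
```

Once an interface is a zone member, traffic between it and any interface that belongs to no zone is dropped, so the router's outside (NAT) interface needs its own zone and zone-pairs as well before this is applied on a production box.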