2600 and bridging to enable access-list 700 groups (sorry for double post)

Discussion in 'Cisco' started by turnip, Aug 25, 2007.

  1. turnip

    turnip Guest

    router 1:

    Code:
    User Access Verification
    
    Password:
    cerberus>en
    Password:
    cerberus#sho run
    Building configuration...
    
    Current configuration : 4189 bytes
    !
    ! NOTE(review): this "show run" was posted publicly with its enable secret hash and
    ! its type-7 enable/vty passwords included; treat those credentials as disclosed and rotate them.
    !
    ! Last configuration change at 23:51:43 UTC Fri Aug 24 2007
    !
    version 12.1
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname cerberus
    !
    no logging console
    enable secret 5 $1$N98h$xx.dS1
    enable password 7 xx
    ! NOTE(review): "enable secret" (type 5, salted MD5) is already set, so the type-7
    ! "enable password" is redundant; type 7 is a reversible encoding, not a hash, and can be
    ! removed with "no enable password" so it no longer appears in "show run" output.
    !
    !
    class-map ftp
      match access-group 142
    class-map voice
      match access-group 105
    !
    !
    policy-map voip
      class voice
        priority 256
      class class-default
       fair-queue
    policy-map ftp-out
      class ftp
        priority 1000
      class class-default
       fair-queue
    !
    ip subnet-zero
    no ip finger
    no ip domain-lookup
    !
    no ip bootp server
    ! NOTE(review): the warehouse router has "no ip source-route"; this router does not.
    ! Adding it here drops source-routed packets arriving on the Internet-facing Serial0/0.
    !
    !
    !
    ! NOTE(review): "ip helper-address" relays several UDP broadcast types besides DHCP by
    ! default ("ip forward-protocol udp" controls which), as Merv points out later in the thread.
    interface FastEthernet0/0
     ip address 192.168.0.253 255.255.255.0
     ip helper-address 192.168.0.111
     ip nat inside
     no ip mroute-cache
     duplex auto
     speed auto
     no cdp enable
    !
    ! Internet-facing interface: list 125 filters inbound, list 112 filters outbound (both below).
    interface Serial0/0
     ip address 12.87.xx.xx255.255.255.252
     ip access-group 125 in
     ip access-group 112 out
     ip nat outside
     encapsulation ppp
     service-policy output ftp-out
     service-module t1 timeslots 1-24
     service-module t1 remote-alarm-enable
     no cdp enable
    !
    interface FastEthernet0/1
     ip address 10.0.0.253 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
     no cdp enable
    !
    ! Point-to-point link to the warehouse router (10.1.1.1); 192.168.1.0/24 is NAT'd here via list 2.
    interface Serial0/1
     ip address 10.1.1.2 255.255.255.0
     ip nat inside
     encapsulation ppp
     service-policy output voip
     service-module t1 clock source internal
     no cdp enable
    !
    ! NOTE(review): every static mapping below (tcp/22, 80, 443, 3389, 4326, 6600 and
    ! udp/500, 4500, 5060, 6600) is reachable from any Internet source, because inbound list 125
    ! ends in "permit ip any any". The RDP forward (tcp/3389 -> 192.168.0.3) and the two SSH
    ! forwards (tcp/22 -> 192.168.0.111 and 10.0.0.254) are the ones most worth restricting by
    ! source in list 125, or at least marking "log" so hits on them are visible.
    ip nat pool OVERLOAD 12.87.xx.xx12.87.xx.xxnetmask 255.255.255.252
    ip nat pool warehouse 12.170.xx.xx12.170.xx.xxnetmask 255.255.255.252
    ip nat inside source list 1 pool OVERLOAD overload
    ip nat inside source list 2 pool warehouse overload
    ip nat inside source static udp 10.0.0.254 5060 12.87xx.xx5060
    extendable
    ip nat inside source static udp 192.168.0.235 4326 12.87.xx.xx4326
    extendable
    ip nat inside source static tcp 192.168.0.235 4326 12.87.xxxx4326
    extendable
    ip nat inside source static tcp 10.0.0.254 6600 12.87.xx.xx6600
    extendable
    ip nat inside source static udp 10.0.0.254 6600 12.87.xx.xx6600
    extendable
    ip nat inside source static tcp 192.168.0.3 3389 12.170.xx.xx3389
    extendable
    ip nat inside source static tcp 192.168.0.199 443 12.170.xx.xx443
    extendable
    ip nat inside source static udp 192.168.0.199 4500 12.170xx.x4500
    extendable
    ip nat inside source static udp 192.168.0.199 500 12.170.xx.xx500
    extendable
    ip nat inside source static tcp 192.168.0.111 22 12.170.xx.xx 22
    extendable
    ip nat inside source static tcp 192.168.0.111 80 12.170.xx.xx80
    extendable
    ip nat inside source static tcp 10.0.0.254 22 12.87.xx.xx22 extendable
    ip nat inside source static tcp 10.0.0.254 80 12.87.xxxx 80 extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0 12.87.xxxxname at&t
    ip route 192.168.1.0 255.255.255.0 Serial0/1 10.1.1.1 permanent
    no ip http server
    !
    ! Lists 1 and 2 select which inside networks are NAT'd through which pool.
    access-list 1 permit 10.0.0.0 0.0.0.255
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 2 permit 192.168.1.0 0.0.0.255
    access-list 105 remark VOIP (SIP/IAX/IAX2) traffic gets top priority
    (5)
    access-list 105 permit udp any any eq 4569
    access-list 105 permit udp any any eq 5004
    access-list 105 permit udp any any eq 5036
    access-list 105 permit udp any any eq 5060
    access-list 105 permit ip host 10.0.0.254 any
    access-list 105 permit ip any host 10.0.0.254
    ! NOTE(review): list 112 is the existing IP-based version of the filter the thread is
    ! about: four 192.168.1.x hosts are denied outbound on the Internet link. It holds only
    ! while those hosts keep their DHCP-assigned addresses, which is why MAC-based filtering
    ! is being looked at; MAC addresses are also host-settable, so neither is a strong control.
    access-list 112 remark egress
    access-list 112 deny   ip host 192.168.1.188 any
    access-list 112 deny   ip host 192.168.1.101 any
    access-list 112 deny   ip host 192.168.1.5 any
    access-list 112 deny   ip host 192.168.1.13 any
    access-list 112 permit ip any any
    ! NOTE(review): inbound from the Internet. Only a handful of legacy TCP ports are denied
    ! and everything else is permitted; the telnet deny covers port 23 only, so the static
    ! NAT forwards above are fully exposed. A default-deny list that permits just the
    ! forwarded services would invert this safely.
    access-list 125 deny   tcp any any eq telnet
    access-list 125 deny   tcp any any eq chargen
    access-list 125 deny   tcp any any eq ident
    access-list 125 deny   tcp any any eq nntp
    access-list 125 deny   tcp any any eq hostname
    access-list 125 deny   tcp any any eq exec
    access-list 125 deny   tcp any any eq cmd
    access-list 125 permit ip any any
    access-list 142 remark for-out-ftp
    access-list 142 permit tcp any any eq ftp
    access-list 142 permit tcp any any eq ftp-data
    dialer-list 1 protocol ip permit
    dialer-list 1 protocol ipx permit
    no cdp run
    !
    line con 0
     transport input none
    ! NOTE(review): aux 0 has no password and no "login"; if no modem is attached,
    ! "transport input none" (as on con 0) closes it off.
    line aux 0
    ! NOTE(review): no "access-class" on the vty lines, "login" checks the type-7 line
    ! password, and the default transport includes telnet, so management is cleartext from
    ! anywhere that can reach the router (list 125 only blocks port 23 on Serial0/0, not the
    ! inside networks). Restrict with "access-class <mgmt-acl> in" and, if this 12.1 image
    ! supports SSH, "transport input ssh".
    line vty 0 4
     password 7 12170A223F2A2D45
     login
    !
    ntp clock-period 17179990
    ntp server 10.0.0.254
    end
    
    
    router 2:

    Code:
    Current configuration : 1356 bytes
    !
    ! NOTE(review): posted publicly with the enable secret hash and the cleartext vty
    ! password included; treat both as disclosed and rotate them.
    version 12.2
    service timestamps debug datetime msec
    service timestamps log uptime
    no service password-encryption
    ! NOTE(review): with this off, the vty "password" below is stored and shown in clear.
    ! Turning "service password-encryption" on only obfuscates it (type 7, reversible);
    ! rotating it and restricting the vty lines matters more.
    !
    hostname warehouse
    !
    enable secret 5 $1$O2wX$niQv028P0Dpe33e2PrFr21
    !
    ip subnet-zero
    no ip source-route
    !
    !
    no ip domain-lookup
    !
    no ip bootp server
    !
    !
    class-map match-all voip-traffic
      match access-group 105
    !
    !
    policy-map voip
      class voip-traffic
        priority 256
      class class-default
       fair-queue
    !
    !
    !
    ! No "ip access-group" on the LAN side yet; the thread's proposed list 131 is applied
    ! outbound on Serial0/0 instead. The helper address relays DHCP (and other UDP
    ! broadcasts) to 192.168.0.111 across the point-to-point link.
    interface Ethernet0/0
     description Maintains LAN IP connectivity
     ip address 192.168.1.252 255.255.255.0
     ip helper-address 192.168.0.111
     half-duplex
     no cdp enable
    !
    ! Point-to-point link to cerberus (10.1.1.2); all traffic, Internet included, leaves this way.
    interface Serial0/0
     ip address 10.1.1.1 255.255.255.0
     service-policy output voip
     encapsulation ppp
     service-module t1 timeslots 1-24
     service-module t1 remote-alarm-enable
     no cdp enable
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0 10.1.1.2 permanent
    no ip http server
    !
    access-list 105 remark VOIP (SIP/IAX/IAX2) traffic gets top priority
    (5)
    access-list 105 permit udp any any eq 4569
    access-list 105 permit udp any any eq 5004
    access-list 105 permit udp any any eq 5036
    access-list 105 permit udp any any eq 5060
    access-list 105 permit ip any host 10.0.0.254
    no cdp run
    ! NOTE(review): "public" is the default read-only community and no access-list is
    ! attached, so the running config is readable over SNMP by anything that can reach this
    ! router. Use a non-default string bound to a list: "snmp-server community <string> RO <acl>".
    ! The trap settings below have no "snmp-server host" in this output, so traps go nowhere —
    ! presumably unintended; verify.
    snmp-server community public RO
    snmp-server enable traps tty
    snmp-server enable traps syslog
    !
    line con 0
    ! NOTE(review): "exec-timeout 0 0" disables the console idle timeout; a console session
    ! left logged in never closes on its own.
     exec-timeout 0 0
    line aux 0
    ! NOTE(review): cleartext line password, default transport (telnet) and no
    ! "access-class": anything reachable over Ethernet0/0 or the 10.1.1.0/24 link can attempt
    ! to log in. Add "access-class <mgmt-acl> in" limited to management hosts and an "exec-timeout".
    line vty 0 4
     password tantor
     login
    !
    end
    
    warehouse#
    
    
    Now the problem: I need to filter 4 PCs from reaching the internet
    by MAC address.

    The PCs are hung off router 2, which is just a point-to-point link to
    serial 0/1 on router 1. I need to give all PCs (even those 4) LAN
    access for central DHCP server management.

    I've tried:

    ! NOTE(review): sketch of the attempt on cerberus, not a running config (the interface
    ! command is "bridge-group 1"). Once the Internet address moves from Serial0/0 to a BVI,
    ! the "ip access-group 125 in" / "112 out" that Serial0/0 carried go with it, so both
    ! lists would need re-applying on the BVI or the inbound port denies and the egress
    ! host denies are silently lost.
    bridge irb
    !
    s0/0
    no ip address
    bridge group 1
    !
    BV1
    ip address 12.xx.........
    ip nat outside
    !
    !
    bridge 1 protocol ieee
    bridge 1 route ip

    I was unable to route out the main T1 from that setup (on s0/0).
    Anyway, I need to ban 4 MACs (not by IP). I can't do it on the s0/0
    interface, since they are already NAT'd by then, and the DHCP server is hung off
    the e0/0 interface. So, any suggestions please? I have no idea
    how to apply an access-list in the 700 range.
     
    turnip, Aug 25, 2007
    #1

  2. turnip

    Merv Guest

    Would this work ?

    bridge 1 protocol ieee
    bridge 1 route ip

    ! NOTE(review): MAC-address lists (700-799) are bound to a bridge-group member with
    ! "bridge-group 1 input-address-list 701" rather than "access-group 701 in" — confirm on
    ! this 12.2 image. Like other IOS lists, 701 ends in an implicit deny, so after the four
    ! "access-list 701 deny <mac> 0000.0000.0000" entries it needs
    ! "access-list 701 permit 0000.0000.0000 ffff.ffff.ffff" or every other host on
    ! Ethernet0/0 is cut off as well.
    ! NOTE(review): an input MAC filter here drops every frame from those MACs, including the
    ! DHCP requests and the 192.168.0.0/24 and 10.0.0.0/24 traffic the poster wants to keep;
    ! it yields "no LAN at all", not "LAN yes, Internet no". That per-destination decision
    ! has to be made where the Internet path diverges, i.e. on cerberus (list 112 already does
    ! so by IP). MAC addresses are also host-settable, so treat this as a convenience control.
    interface Ethernet0/0
    no ip address 192.168.1.252 255.255.255.0
    no ip helper-address 192.168.0.111
    bridge-group 1
    access-group 701 in

    interface BVI 1
    ip address 192.168.1.252 255.255.255.0
    ip helper-address 192.168.0.111
    ! NOTE(review): the posted warehouse config has no "ip nat" statements (NAT is done on
    ! cerberus), so "ip nat inside" here has no effect on this router.
    ip nat inside


    BTW, ip helper-address forwards a number of UDP broadcast types in
    addition to DHCP (BOOTP).

    Do you have NETBIOS traffic? Do you have WINS?
     
    Merv, Aug 25, 2007
    #2

  3. turnip

    turnip Guest

    On Aug 25, 12:00 pm, Merv <> wrote:
    > Would this work ?
    >
    > bridge 1 protocol ieee
    > bridge 1 route ip
    >
    > interface Ethernet0/0
    > no ip address 192.168.1.252 255.255.255.0
    > no ip helper-address 192.168.0.111
    > bridge-group 1
    > access-group 701 in
    >
    > interface BVI 1
    > ip address 192.168.1.252 255.255.255.0
    > ip helper-address 192.168.0.111
    > ip nat inside
    >
    > BTW ip helper address forwards a number of UDP broadcast types in
    > additional to DHCP (bootp)
    >
    > Do You have NETBIOS traffic ? Do you have WINS ?


    We do need to forward NETBIOS traffic and WINS; our WINS server is
    across the point-to-point link. Here is a diagram: http://vtiger.tantor.com/netmap.gif
    That bridges the interface on the remote location side, and will let
    me filter based on MAC. However, they need to be able to get over to
    the 192.168.0.0/24 and 10.0.0.0/24 networks, just not out.

    WINS, the Domain Controller, and Exchange are all hung off the
    192.168.0.0 network; the remote side is 192.168.1.0/24.
    I did manage to bridge the Ethernet interface like you suggested. Maybe I
    can come up with some sane ACLs to let them reach the other private
    networks but not out, based on MAC.

    TYVM for the reply.
     
    turnip, Aug 25, 2007
    #3
  4. turnip

    Merv Guest


    > We do need to forward NETBIOS traffic and WINS, our wins server is
    > across the point to point link.. here is a diagramhttp://vtiger.tantor.com/netmap.gif
    > That bridges teh interface on the remote location side, and will let
    > me filter based on MAC. However they need to be able to get over to
    > the 192.168.0.0/24 and 10.0.0.0/24 networks.. Just not out



    take a look at Cisco TAC article
    http://www.ciscotaccc.com/kaidara-advisor/iprout/showcase?case=K83798834

    All NETBIOS broadcast traffic will be forwarded. If you have WINS, you
    probably do not want this to occur.

    You can disable this by using the no ip forward-protocol udp command.

    Test off hours to verify the effect.

    You can see how much traffic is being forwarded by

    issuing the commands

    show clock
    show ip traffic

    at, say, 15-minute intervals and then subtracting the forwarded
    broadcasts shown in the UDP section of the output.
     
    Merv, Aug 25, 2007
    #4
  5. turnip

    turnip Guest

    On Aug 25, 1:39 pm, Merv <> wrote:
    > > We do need to forward NETBIOS traffic and WINS, our wins server is
    > > across the point to point link.. here is a diagramhttp://vtiger.tantor.com/netmap.gif
    > > That bridges teh interface on the remote location side, and will let
    > > me filter based on MAC. However they need to be able to get over to
    > > the 192.168.0.0/24 and 10.0.0.0/24 networks.. Just not out

    >
    > take a look at Cisco TAC articlehttp://www.ciscotaccc.com/kaidara-advisor/iprout/showcase?case=K83798834
    >
    > All NETBIOS broadcast traffic will be forwarded. If you have WINS you
    > probably do not want this to occur
    >
    > You can disable this by using the no ip forward-protocol udp command.
    >
    > Test off hours to verify affect.
    >
    > you can see how much traffic is being forwarded by
    >
    > issueing the commands
    >
    > show clock
    > show ip traffic
    >
    > at say 15 minute intervals and then subtracting the forwarded
    > broaddcast shown in the UDP section of the output.


    I am using the helper address just to ensure the DHCP request goes
    through; that much works just fine. We did have some browsing issues
    until I turned up a WINS server; that much is also fine. Maybe I am
    looking at this the wrong way here. In order to really use the MAC
    filter list, I'd have to put the serial 0/0 on our main router into
    bridging mode, since it's the default route to the internet (a T1).

    mainlocation(router a, those 4 machines must be able to access the two
    networks off this router but not get out to the inet) < ----- >
    (warehouse router b) ->> (4 machines here I cant allow onto the
    internet)..

    Since I can't seem to put the serial interface into bridging mode and
    still have it work as a T1, I will use some ACLs on the warehouse
    router, statically address those 4 machines via DHCP, and allow
    intranet browsing but deny internet browsing.

    something like

    ! NOTE(review): as written this list filters nothing. IOS extended ACLs take wildcard
    ! masks, not subnet masks: "192.168.1.10 255.255.255.0" matches any address whose last
    ! octet is 10, and "0.0.0.0 0.0.0.0" matches only host 0.0.0.0 (not "any"), so every
    ! packet falls through to "permit ip any any". Intended shape, one set per host (x = 10..13):
    !   access-list 131 permit ip host 192.168.1.x 192.168.0.0 0.0.0.255
    !   access-list 131 permit ip host 192.168.1.x 10.0.0.0 0.0.0.255
    !   access-list 131 deny   ip host 192.168.1.x any
    !   access-list 131 permit ip any any
    ! The 10.0.0.0/24 permit is missing from the draft although the thread requires access to
    ! both inside networks. Filtering by DHCP-reserved address holds only while the hosts keep
    ! those addresses (cerberus list 112 already denies four 192.168.1.x hosts the same way);
    ! adding "log" to the deny entries makes it visible when the rule fires.
    access-list 131 permit ip 192.168.1.10 255.255.255.0 192.168.0.0
    255.255.255.0
    access-list 131 permit ip 192.168.1.11 255.255.255.0 192.168.0.0
    255.255.255.0
    access-list 131 permit ip 192.168.1.12 255.255.255.0 192.168.0.0
    255.255.255.0
    access-list 131 permit ip 192.168.1.13 255.255.255.0 192.168.0.0
    255.255.255.0

    access-list 131 deny ip 192.168.1.10 255.255.255.0 0.0.0.0 0.0.0.0
    access-list 131 deny ip 192.168.1.11 255.255.255.0 0.0.0.0 0.0.0.0
    access-list 131 deny ip 192.168.1.12 255.255.255.0 0.0.0.0 0.0.0.0
    access-list 131 deny ip 192.168.1.13 255.255.255.0 0.0.0.0 0.0.0.0
    access-list 131 permit ip any any

    ! Applied outbound on the warehouse Serial0/0, i.e. toward cerberus, before NAT happens.
    serial 0/0 (remote)
    ip access-group 131 out

    Unless someone has a better idea.
     
    turnip, Aug 25, 2007
    #5
