[Config] Guest ACL - 877W

I have a SOHO configuration with an 891 acting in ISR role. I had an old 877W sitting around that I wanted to repurpose into an access point that would offer both internal and guest access. I thought it would also be a good CLI/Cisco CCP learning experience.
The internal network on the 891 VLAN1 has a Windows server that takes care of all of the internal hosts, email, etc.
I added VLANs 10 & 20 in the 877 and trunked them to one of the two routed ports on the 891. The other 891 routed port is internet facing.
All of that works fine and as expected. I have only one thing that I can't quite figure out. I put an ACL on the 877 to limit access to VLAN 10 (internal) from VLAN 20 (Guest). That piece works but I can't figure out how to limit access to the VLAN1 subnet on the 891. I have tried several different configurations in an attempt to limit access but haven't found one that works yet.
Any suggestions/comments relative to the two configurations below would be welcomed.
891 Configuration
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 16384
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
clock timezone PCTime -7 0
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
!
!
crypto pki certificate chain TP-self-signed-
 certificate self-signed 01
  quit
no ip source-route
!
ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp excluded-address
!
ip dhcp pool ccp-pool1
 network 192.x.x.0 255.255.255.0
 dns-server 192.X.x.5
 default-router 192.X.x.254
!
ip dhcp pool ccp-pool2
 network 192.x.x.0 255.255.255.0
 dns-server 205.171.3.65 205.171.2.65
 default-router 192.x.x.254
!
!
ip cef
no ip bootp server
ip domain name harnedy.com
ip name-server 192.x.x.5
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FTX155085NY
!
!
username myname privilege 15 secret 5
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 101
 match protocol smtp
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all sdm-nat-https-1
 match access-group 101
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class class-default
  drop
policy-map type inspect sdm-pol-NATOutsideToInside-2
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-NATOutsideToInside-2 source out-zone destination out-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-2
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 description $ES_WAN$$FW_OUTSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security in-zone
 duplex auto
 speed auto
!
interface GigabitEthernet0.3
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 10
 ip address 192.x.x.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1412
 no cdp enable
!
interface GigabitEthernet0.4
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 20
 ip address 192.x.x.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1412
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 192.x.x.20 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 7
 no cdp enable
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.x.x.5 25 interface Dialer0 25
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.x.x.5 443 interface Dialer0 443
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list 3 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging esm config
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.x.x.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.x.x.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.x.x.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.x.x.5
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp server 192.x.x.5 prefer source Vlan1
end
877W Configuration
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime -7
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-3225385238
 certificate self-signed 01
dot11 syslog
!
dot11 ssid tusnami1
 vlan 10
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7
!
dot11 ssid tusnami_guest
 vlan 20
 authentication open
 authentication key-management wpa
 guest-mode
 mbssid guest-mode
 wpa-psk ascii 7
!
ip source-route
!
!
ip cef
no ip domain lookup
ip domain name harnedy.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username privilege 15 password 7
!
!
archive
 log config
  hidekeys
!
!
no ip ftp passive
!
bridge irb
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 20
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 no dot11 extension aironet
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 broadcast-key vlan 10 change 30
 !
 broadcast-key vlan 20 change 30
 !
 !
 ssid tusnami1
 !
 ssid tusnami_guest
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 no cdp enable
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Vlan1
 no ip address
!
interface Vlan10
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface Vlan20
 description Guest Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 20
 bridge-group 20 spanning-disabled
!
interface BVI10
 description Bridge to Internal Network
 ip address 192.X.X.1 255.255.255.0
 ip access-group sdm_bvi10_in in
 ip nat inside
 ip virtual-reassembly
!
interface BVI20
 description Bridge to Guest Network
 ip address 192.X.X.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip access-list extended sdm_bvi10_in
 remark CCP_ACL Category=17
 deny   ip 192.X.X.0 0.0.0.255 any
 permit ip any any
!
!
control-plane
!
bridge 10 route ip
bridge 20 route ip
!
line con 0
 password 7
 no modem enable
line aux 0
line vty 0 4
 password 7
!
scheduler max-task-time 5000
end
What version of code is running on the 877W?
To use your current Zone-Based Firewall config, I'd add additional zones than just your current in-zone and out-zone, something along the following lines (names are up to you) :
- zone security trusted-wired -- VLAN1
- zone security trusted-wireless -- VLAN10
- zone security untrusted-guest -- VLAN20
- zone security untrusted-wan -- Di0

Then add the relevant permitted traffic types. That way, unless you EXPLICITLY permit the traffic between the zones, ZBFW simply denies the traffic.
Regards
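One way to carry out the suggestion above on the 891, as an added example that is not part of the original thread or of either posted config. It keeps the posted 891's existing in-zone, out-zone and ccp-inspect names and adds only the guest zone (the split of the trusted side into separate wired and wireless zones is left out). The zone name untrusted-guest, the ACL GUEST-TO-SELF, the class-map guest-self-allowed, the policy-map guest-self-policy and the zone-pair names zp-guest-out and zp-guest-self are made up for the example; the DHCP and ICMP allowances are assumptions about what guest clients actually need from the router.

```cisco
! Added example for the posted 891 config; not from the original thread.
! Assumed names: untrusted-guest, GUEST-TO-SELF, guest-self-allowed,
! guest-self-policy, zp-guest-out, zp-guest-self.
!
! 1. A zone for the guest VLAN. GigabitEthernet0.4 (dot1Q 20) leaves
!    in-zone and joins it. Vlan1 and GigabitEthernet0.3 stay in in-zone.
zone security untrusted-guest
!
interface GigabitEthernet0.4
 no zone-member security in-zone
 zone-member security untrusted-guest
!
! 2. Guests may reach the Internet through the existing ccp-inspect policy,
!    which also handles stateful return traffic. Guest DNS goes the same way
!    because ccp-pool2 hands out external resolvers. No zone-pair is created
!    from untrusted-guest to in-zone, so guest traffic to VLAN 1 and VLAN 10
!    is dropped by ZBFW's implicit inter-zone deny.
zone-pair security zp-guest-out source untrusted-guest destination out-zone
 service-policy type inspect ccp-inspect
!
! 3. Traffic from the guest zone to the router itself. Without a zone-pair
!    to self, everything from guests to the 891's own addresses is permitted
!    by default (ip http server / secure-server, SSH, Telnet, NTP ...).
!    This pair passes only DHCP (the 891 is the DHCP server for ccp-pool2)
!    and ICMP echo, and drops and logs the rest. The ICMP line is optional
!    and is here only to make testing from a guest client easy.
ip access-list extended GUEST-TO-SELF
 remark DHCP discover/request arrive from 0.0.0.0 to the broadcast address
 permit udp any eq bootpc any eq bootps
 permit icmp any any echo
!
class-map type inspect match-all guest-self-allowed
 match access-group name GUEST-TO-SELF
!
policy-map type inspect guest-self-policy
 class type inspect guest-self-allowed
  pass
 class class-default
  drop log
!
zone-pair security zp-guest-self source untrusted-guest destination self
 service-policy type inspect guest-self-policy
!
! Self-to-guest (DHCP offer/ack, ICMP echo replies) needs no pair: traffic
! the router originates toward a zone stays permitted unless a self->zone
! pair exists.
!
! 4. Verify.
!    show zone security
!    show zone-pair security
!    show policy-map type inspect zone-pair zp-guest-self
! From a guest client: a DHCP lease should still arrive, while ping or HTTP
! to a VLAN 1 host and HTTPS to the 891's own address should fail, with the
! "drop log" hits showing up in the logging buffer.
```

The self-zone pair uses `pass` rather than `inspect` on purpose: `pass` needs no session state, and the reverse direction is covered by the default permit for router-originated traffic. If the guest zone is later given a pair in the other direction (self to untrusted-guest), the DHCP server replies and ICMP echo replies will then need to be permitted explicitly in that pair too.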
Thanks to all for taking a look at my two configs.
I finally had time to take another look at this today and Hellfire is exactly correct. I just needed to add another zone in the 891 ZBFW to address the guest access (VLAN 20) aspect of my configuration. At that point I was able to drop traffic to the trusted LAN segments as well as all of the 891 router SELF interfaces that are permitted by default unless you EXPLICITLY deny them.
I eliminated all FW attributes from the 877W and left it as a stand-alone AP as intended.