TOPIC: Routing & ACL question

Routing & ACL question 5 years 7 months ago #36211

  • apit
  • Senior Member
  • Posts: 227
  • Karma: 0
Hi there..
Refer to the attached diagram...



Below are the configuration for router 1 (HQ) and router 2 (branch)..

Router 1
static route
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 172.16.20.0 255.255.255.0 172.16.10.1
ip route 172.16.21.0 255.255.255.0 172.16.10.1
ip route 172.16.22.0 255.255.255.0 172.16.10.1
ip route 172.16.30.0 255.255.255.0 10.1.1.2
ip route 172.16.31.0 255.255.255.0 10.1.1.2
ip route 172.16.32.0 255.255.255.0 10.1.1.2

!
interface GigabitEthernet0/0
description *** Open LAN ***
ip address 172.16.10.1 255.255.255.252
ip access-group 1 in
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description ********* Close LAN **************
ip address 192.168.0.126 255.255.255.128
ip access-group 2 in
duplex auto
speed auto
media-type rj45
!
!
interface FastEthernet0/0/0
description *** ISP MAN Connection ***
ip address 10.1.1.1 255.255.255.252
duplex full
speed auto
!


ACL
Gi 0/0
access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit any

Gi 0/1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any


Router 2

0.0.0.0 0.0.0.0 10.1.1.1


!
interface GigabitEthernet0/0
description *** Open LAN ***
ip address 172.16.10.5 255.255.255.252
ip access-group 1 in
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description ******* Close LAN **********
ip address 192.168.0.254 255.255.255.128
ip access-group 2 in
duplex auto
speed auto
media-type rj45
!
interface FastEthernet0/0/0
description *** ISP MAN Connection ***
ip address 10.1.1.2 255.255.255.252
duplex full
speed auto
!


ACL
Gi 0/0
access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit any

Gi 0/1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any

Questions For Routing :

1- Can we use the same IP & subnet for Gi 0/1... Example: for router 1 Gi 0/1 using IP 192.168.0.1/24 and for router 2 Gi 0/1 using IP 192.168.0.2/24? I have tried it but they fail to ping each other..

2- If question 1 is possible, do we need to add routing at both routers? Let's say routing "ip route 192.168.0.0 255.255.255.0 10.1.1.2" at router 1 and "ip route 192.168.0.0 255.255.255.0 10.1.1.1" at router 2?

Questions For ACL :

I want to make network 1 & network 2 separated from each other... Users using 172.16.x.y cannot access / ping users using IP 192.168.0.x/24.... Network 1 can access the internet, but network 2 only accesses a local application which is private to network 1.

I have already configured both my routers with the above ACLs, but users at network 1 at the branch can still ping interface Gi 0/1 on both router 1 and router 2.

Is it because of ACL rules? How to correct it?
The administrator has disabled public write access.
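An added check for the ACL question above (example code written for this page, not posted by apit or anyone else in the thread): it evaluates the two standard ACLs exactly as posted, with Cisco wildcard semantics (first match wins, implicit deny at the end), against constructed sample packets. A standard ACL matches on source address only, so the decision for a branch user's ping to a Gi 0/1 address depends purely on the 172.16.x.y source. The EXTENDED_EXAMPLE list is a constructed illustration of an entry that also carries a destination, included only to show the difference in what the two ACL kinds can express; it is not from the thread and has not been tested on this topology.

```python
import ipaddress

# Standard ACLs exactly as posted in the thread for router 1 and router 2.
# Each entry is (action, address, wildcard); "any" carries no wildcard.
ACL_1 = [("deny", "192.168.0.0", "0.0.0.255"), ("permit", "any", None)]
ACL_2 = [("permit", "192.168.0.0", "0.0.0.255"), ("deny", "any", None)]

# Where each ACL is applied, inbound, on both routers (from the posted configs).
INBOUND_ACL = {"Gi0/0": ACL_1, "Gi0/1": ACL_2}


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, wildcard, candidate):
    """Cisco wildcard match: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if address == "any":
        return True
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(address) & care) == (_ip(candidate) & care)


def evaluate_standard(acl, src):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, address, wildcard in acl:
        if wildcard_match(address, wildcard, src):
            return action
    return "deny"


def ingress_decision(iface, src):
    """Decision for a packet from src arriving on iface; standard ACLs see only the source."""
    return evaluate_standard(INBOUND_ACL[iface], src)


# Constructed test packets modelled on the complaint in the thread: open LAN hosts
# (172.16.x.y) pinging the "Close LAN" interfaces, and close LAN hosts going the other way.
SAMPLE_PACKETS = [
    ("Gi0/0", "172.16.20.10", "192.168.0.126"),  # branch user -> router 1 Gi0/1
    ("Gi0/0", "172.16.30.10", "192.168.0.254"),  # branch user -> router 2 Gi0/1
    ("Gi0/1", "192.168.0.10", "172.16.20.10"),   # close LAN -> open LAN
    ("Gi0/1", "172.16.20.10", "192.168.0.10"),   # 172.16 source arriving on the close LAN port
]


def report():
    return [(iface, src, dst, ingress_decision(iface, src)) for iface, src, dst in SAMPLE_PACKETS]


# Constructed illustration (not from the thread): an extended-style entry carries a
# destination as well, which is what "172.16.x.y must not reach 192.168.0.x" needs to say.
EXTENDED_EXAMPLE = [
    ("deny", "172.16.0.0", "0.0.255.255", "192.168.0.0", "0.0.0.255"),
    ("permit", "any", None, "any", None),
]


def evaluate_extended(acl, src, dst):
    for action, s_addr, s_wc, d_addr, d_wc in acl:
        if wildcard_match(s_addr, s_wc, src) and wildcard_match(d_addr, d_wc, dst):
            return action
    return "deny"


if __name__ == "__main__":
    for iface, src, dst, decision in report():
        print(f"{iface:6} {src:14} -> {dst:14} {decision}")
```

Running it shows the first three sample packets permitted and only the fourth denied: a 172.16.x.y source entering Gi 0/0 passes "permit any" in ACL 1, and the echo reply is generated by the router itself, so nothing in the posted ACLs stops the ping to either Gi 0/1 address.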

Re: Routing & ACL question 5 years 7 months ago #36214

  • Nevins
  • Expert Member
  • Posts: 438
  • Thank you received: 9
  • Karma: 4
Hey apit, I would love to help but I'm going to need some more information and maybe a small bit of clarification.

You asked:
1- Can we use the same ip & subnet for Gi 0/1... Example for router 1 Gi 0/1 using ip 192.168.0.1/24 and for router 2 Gi 0/1 using ip 192.168.0.2/24? I'have try it but fail to ping each other..


I assume you mean can you use the private address range 192.168.x.x on two networks and have them communicate. The answer to that is yes, with strings and conditions attached. 192.168.x.x is a special address range, along with 10.x.x.x and 172.16.x.x-172.31.x.x, which was intended to be used with NAT (network address translation). If NAT was not properly configured you're going to have some problems.

You also asked:
2- If question 1 is possible, do we need to add routing at both routers? Let's say routing "ip route 192.168.0.0 255.255.255.0 10.1.1.2" at router 1 and "ip route 192.168.0.0 255.255.255.0 10.1.1.1" at router 2?

No. You are essentially never going to use the ip route command with a private address. They are non-routable addresses.


Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html

Re: Routing & ACL question 5 years 7 months ago #36224

  • apit
  • Senior Member
  • Posts: 227
  • Karma: 0
I assume you mean can you use the private address range 192.168.x.x on two networks and have them communicate. The answer to that is yes, with strings and conditions attached. 192.168.x.x is a special address range, along with 10.x.x.x and 172.16.x.x-172.31.x.x, which was intended to be used with NAT (network address translation). If NAT was not properly configured you're going to have some problems.

Yup.. both routers (router 1 & router 2) are in the private network... So I'm using private IPs for Gi0/0, Gi 0/1 and Fa 0/0/0.... I've tried using 192.168.0.1/24 at router 1 Gi0/1 and 192.168.0.2/24 at router 2 but it failed during the PING test...

After changing it to a different subnet, the PING test succeeds (I changed router 1 Gi0/1 to 192.168.0.1/25 and router 2 Gi0/1 to 192.168.0.129/25).... Why does that happen?
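An added example for the "why does that happen" question (written for this page, not from the thread): it builds each router's routing table from the posted interface addresses and static routes, does a longest-prefix-match lookup for the other router's Gi 0/1 address, and compares the /24 and /25 scenarios. A "connected" result means the router treats the destination as on-link and resolves it with ARP on that interface instead of forwarding it over the 10.1.1.0/30 link; with both Gi 0/1 interfaces in 192.168.0.0/24 that is what each router does, and the peer is never on that segment. The lookup also shows that in the /25 case router 1's only match for router 2's close LAN is the default route via 172.16.1.1, because the posted static routes have no entry for 192.168.0.128/25 toward 10.1.1.2; that is worth checking when working out which source address the successful ping actually used. Ping source selection and ARP itself are not modelled.

```python
import ipaddress

# Static routes as posted for the two routers: (prefix, next hop).
R1_STATICS = [
    ("0.0.0.0/0", "172.16.1.1"),
    ("172.16.20.0/24", "172.16.10.1"),
    ("172.16.21.0/24", "172.16.10.1"),
    ("172.16.22.0/24", "172.16.10.1"),
    ("172.16.30.0/24", "10.1.1.2"),
    ("172.16.31.0/24", "10.1.1.2"),
    ("172.16.32.0/24", "10.1.1.2"),
]
R2_STATICS = [("0.0.0.0/0", "10.1.1.1")]


def build_table(connected, statics):
    """Routing table as a list of (network, kind, via): connected prefixes plus statics.

    connected: {interface name: "address/prefixlen"}; via is the interface for a
    connected route and the next-hop address for a static one.
    """
    table = []
    for iface, cidr in connected.items():
        table.append((ipaddress.IPv4Interface(cidr).network, "connected", iface))
    for prefix, next_hop in statics:
        table.append((ipaddress.IPv4Network(prefix), "static", next_hop))
    return table


def router1_table(gi01):
    # Gi0/0 and Fa0/0/0 addresses are the posted ones; Gi0/1 varies per scenario.
    return build_table({"Gi0/0": "172.16.10.1/30", "Gi0/1": gi01, "Fa0/0/0": "10.1.1.1/30"}, R1_STATICS)


def router2_table(gi01):
    return build_table({"Gi0/0": "172.16.10.5/30", "Gi0/1": gi01, "Fa0/0/0": "10.1.1.2/30"}, R2_STATICS)


def lookup(table, dst):
    """Longest-prefix match; returns (kind, via) or None when nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, kind, via in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, via)
    return None if best is None else (best[1], best[2])


def scenario(r1_gi01, r2_gi01):
    """How each router resolves the other router's Gi0/1 address for a given addressing plan."""
    r1_target = str(ipaddress.IPv4Interface(r2_gi01).ip)
    r2_target = str(ipaddress.IPv4Interface(r1_gi01).ip)
    return {
        "router1->router2": lookup(router1_table(r1_gi01), r1_target),
        "router2->router1": lookup(router2_table(r2_gi01), r2_target),
    }


if __name__ == "__main__":
    # The two plans apit tried: same /24 on both Gi0/1 ports, then two /25s (as in the posted configs).
    for label, plan in [("same /24", ("192.168.0.1/24", "192.168.0.2/24")),
                        ("two /25s", ("192.168.0.126/25", "192.168.0.254/25"))]:
        print(label, scenario(*plan))
```

In the same-/24 plan both lookups return ("connected", "Gi0/1"): each router believes the other's address is on its own close LAN segment and never sends the packet toward 10.1.1.x. In the two-/25 plan router 2 resolves router 1's address via its default route to 10.1.1.1, while router 1 resolves router 2's address via its default route to 172.16.1.1.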

Re: Routing & ACL question 5 years 7 months ago #36226

  • Nevins
  • Expert Member
  • Posts: 438
  • Thank you received: 9
  • Karma: 4
PING test succeeds (I changed router 1 Gi0/1 to 192.168.0.1/25 and router 2 Gi0/1 to 192.168.0.129/25).... Why does that happen?

The answer may be staring me in the face at the moment, but it's half-time for the Super Bowl and I simply don't see it at the moment. Anyways, post the current running configs for both router 1 and 2 and we'll try to work from there.
Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html

Re: Routing & ACL question 5 years 7 months ago #36227

  • apit
  • Senior Member
  • Posts: 227
  • Karma: 0
I already posted the configuration in the 1st post.. anyway I'll paste it again.. or do you need the full "sh run" configuration?

Router 1


!
interface GigabitEthernet0/0
description *** Open LAN ***
ip address 172.16.10.1 255.255.255.252
ip access-group 1 in
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description ********* Close LAN **************
ip address 192.168.0.126 255.255.255.128
ip access-group 2 in
duplex auto
speed auto
media-type rj45
!
!
interface FastEthernet0/0/0
description *** ISP MAN Connection ***
ip address 10.1.1.1 255.255.255.252
duplex full
speed auto
!

ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 172.16.20.0 255.255.255.0 172.16.10.1
ip route 172.16.21.0 255.255.255.0 172.16.10.1
ip route 172.16.22.0 255.255.255.0 172.16.10.1
ip route 172.16.30.0 255.255.255.0 10.1.1.2
ip route 172.16.31.0 255.255.255.0 10.1.1.2
ip route 172.16.32.0 255.255.255.0 10.1.1.2

access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit any

access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any

Router 2


!
interface GigabitEthernet0/0
description *** Open LAN ***
ip address 172.16.10.5 255.255.255.252
ip access-group 1 in
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description ******* Close LAN **********
ip address 192.168.0.254 255.255.255.128
ip access-group 2 in
duplex auto
speed auto
media-type rj45
!
interface FastEthernet0/0/0
description *** ISP MAN Connection ***
ip address 10.1.1.2 255.255.255.252
duplex full
speed auto
!

ip route 0.0.0.0 0.0.0.0 10.1.1.1

access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit any

access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any

Re: Routing & ACL question 5 years 7 months ago #36233

  • Chris
  • Administrator
  • Posts: 1446
  • Thank you received: 13
  • Karma: 8
Sorry, missed that one!

Can you give the ACLs a try and let us know the results?

Thanks
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx