Cisco 876 problem - long... sorry
18 years 11 months ago #12827
by lebowski
Cisco 876 problem - long... sorry was created by lebowski
Hello everybody,
I just got my first Cisco 876 router.
I need to set up the interfaces as follows:
int f0 - PCs connected have full access to the internet and LAN
int f1 - PCs connected have no access to p2p but full access to LAN
int f2 - file server - full access to internet and LAN
int f3 - web server - full access to internet and LAN
Now I wanted to give access from the outside to the webserver for http, ftp, smtp, pop3 and remote desktop. I did the following:
ip nat inside source static tcp x.x.x.x 80 interface dialer0 80
ip nat inside source static tcp x.x.x.x 25 interface dialer0 25
ip nat inside source static tcp x.x.x.x 110 interface dialer0 110
ip nat inside source static tcp x.x.x.x 3389 interface dialer0 3389
and it works fine.
Now the problem:
- for the PCs where I want to block p2p, I tried to make an ACL.
But I cannot apply it to the dialer0 because it will block everybody.
Also I cannot apply it to the interfaces.
It looks like access-group xxx in/out can only be applied to the dialer0 or the vlan1.
Can my solution be a VLAN? I created a vlan2, but now I can only ping computer IPs on the other VLAN - I cannot see the computers from the other VLAN in Network Neighborhood, nor can I see the shares.
Please help me,
Kostas
18 years 11 months ago #12839
by jwj
Replied by jwj on topic Re: Cisco 876 problem - long... sorry
Yes, it is true that you cannot apply an ACL to the switchport interfaces. Looks like the easiest thing to do is make a second VLAN as you were saying. Did you create a route for the second VLAN? That's what comes to mind, since you say you can't see the other computers in Network Neighborhood or the shares.
-Jeremy-
18 years 11 months ago #12849
by lebowski
Replied by lebowski on topic Re: Cisco 876 problem - long... sorry
Thank you for your reply and for being willing to help.
Here is my config (please advise) - ACLs 100, 101 and 102 were created by SDM for the firewall - even before setting up the firewall it was not working:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.100 192.168.1.254
ip dhcp excluded-address 192.168.2.100 192.168.2.254
!
ip dhcp pool sdm-pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 193.92.150.3 194.219.227.2
!
ip dhcp pool vlan2_pool
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 193.92.150.3 194.219.227.2
   default-router 192.168.2.1
!
!
no ip domain lookup
ip domain name yourdomain.com
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-xx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xx
 revocation-check none
 rsakeypair TP-self-signed-xx
!
!
crypto pki certificate chain TP-self-signed-xx
 certificate self-signed 01
  xxx
  quit
username admin privilege 15 secret 5 xxxxxxx
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 description $FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 102 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username myusername password 0 mypassword
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark INSIDE_IF=Vlan2
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.2.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 192.168.2.0 0.0.0.255 any
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to www.cisco.com/go/sdm
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
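As an added example (not part of the thread and not the poster's or Cisco's code), here is a small Python evaluator for the SDM-generated ACLs 100, 101 and 102 from the configuration above, using IOS first-match semantics with the implicit deny at the end of every list. The ACL lines are copied from the posted config; the flows, and the public addresses 203.0.113.7 (standing in for the negotiated Dialer0 address) and 198.51.100.9, are constructed test values. It shows that ACL 101 on Vlan2 does permit 192.168.2.x to reach 192.168.1.x (its `deny ip 192.168.1.0 ...` line is an anti-spoofing entry that drops packets arriving on Vlan2 with a Vlan1 source), and that ACL 102 on Dialer0 permits only the listed ICMP replies and denies every new inbound TCP connection, including the ports forwarded by the static NAT entries in the first post.

```python
"""Evaluate Cisco IOS numbered extended ACLs with first-match semantics.

Added example, not part of the thread. The ACL lines are copied from the
posted configuration; the flows and public addresses are constructed.
"""
import ipaddress

# ACLs 100, 101 and 102 as posted (two SDM remark lines kept to show they are skipped).
ACL_TEXT = """
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.2.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 deny ip 192.168.2.0 0.0.0.255 any
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
"""

ICMP_TYPE_NAMES = {"echo", "echo-reply", "time-exceeded", "unreachable"}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok, i):
    """Consume one address spec at tok[i]: 'any', 'host A' or 'A WILDCARD'.
    Returns ((address, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_acls(text):
    """Group entries by ACL number, preserving order (order is what decides the match)."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number, action, proto = int(tok[1]), tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        acls.setdefault(number, []).append((action, proto, src, dst, tok[i:]))
    return acls


def _addr_match(spec, address):
    """Wildcard match: bits set in the wildcard are ignored, all other bits must be equal."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(address) & care) == (net & care)


def evaluate(acl, flow):
    """Return (action, index) of the first matching entry; ('deny', None) is the implicit deny."""
    for idx, (action, proto, src, dst, extra) in enumerate(acl):
        if proto not in ("ip", flow["proto"]):
            continue
        if not (_addr_match(src, flow["src"]) and _addr_match(dst, flow["dst"])):
            continue
        # 'permit icmp any any echo-reply' matches only that ICMP type; 'log' is not a condition
        icmp_types = [t for t in extra if t in ICMP_TYPE_NAMES]
        if icmp_types and flow.get("icmp_type") not in icmp_types:
            continue
        return action, idx
    return "deny", None


ACLS = parse_acls(ACL_TEXT)
PUBLIC_IP = "203.0.113.7"   # constructed stand-in for the negotiated Dialer0 address


def check_flows():
    """Constructed flows, each checked against the ACL applied inbound on the interface it enters."""
    return {
        # Vlan2 host to Vlan1 host, entering Vlan2 (ACL 101)
        "vlan2_to_vlan1": evaluate(ACLS[101], {"proto": "tcp", "src": "192.168.2.50", "dst": "192.168.1.50"})[0],
        # the reply, entering Vlan1 (ACL 100)
        "vlan1_reply": evaluate(ACLS[100], {"proto": "tcp", "src": "192.168.1.50", "dst": "192.168.2.50"})[0],
        # packet on Vlan2 claiming a Vlan1 source: hits the anti-spoofing entry
        "spoofed_on_vlan2": evaluate(ACLS[101], {"proto": "tcp", "src": "192.168.1.5", "dst": "192.168.2.50"})[0],
        # ICMP echo-reply returning from the Internet on Dialer0 (ACL 102)
        "icmp_reply_in": evaluate(ACLS[102], {"proto": "icmp", "src": "198.51.100.9", "dst": PUBLIC_IP, "icmp_type": "echo-reply"})[0],
        # new TCP connection from the Internet to the forwarded HTTP port on Dialer0 (ACL 102)
        "inbound_http": evaluate(ACLS[102], {"proto": "tcp", "src": "198.51.100.9", "dst": PUBLIC_IP})[0],
    }
```

Two points follow from the result. The inter-VLAN flows are permitted by ACLs 100 and 101, which is consistent with ping working between the VLANs; the missing Network Neighborhood entries are a separate matter, since NetBIOS name browsing relies on broadcasts that a router does not forward between subnets. And because IOS evaluates the inbound ACL on the NAT outside interface before it applies the static translation, the forwarded services stay reachable under this firewall only if ACL 102 gets explicit permit entries for those ports ahead of its final `deny ip any any log`; the `ip inspect SDM_LOW out` rule on Dialer0 opens return paths only for sessions initiated from inside, not for new inbound connections.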
18 years 11 months ago #12861
by jwj
Replied by jwj on topic Re: Cisco 876 problem - long... sorry
OK, it's as I suspected. You have only a default route for all networks through interface Dialer0, meaning that if anything needs to be routed, it's going to the ISP. But your ISP has no routes for your two VLAN networks, so you'll either need to make static routes for them or set up a routing protocol such as OSPF. Hope this helps.
-Jeremy-
18 years 11 months ago #12941
by lebowski
Replied by lebowski on topic Re: Cisco 876 problem - long... sorry
Any hints on how to do any of the above???
Maybe static routes are a better solution?
But a static route between what? Any specifics (IPs, subnets)???
Thanks
18 years 11 months ago #12962
by jwj
Replied by jwj on topic Re: Cisco 876 problem - long... sorry
I'll break down how to do a static route. The command in config mode is:
router(config)#ip route 123.100.10.0 255.255.255.0 123.234.10.1
or
router(config)#ip route 123.100.10.0 255.255.255.0 vlan 2
So basically it's "ip route", then the destination network (or host address) you want to reach, then the subnet mask of that network, and finally the next hop IP address or the interface you want this static route to be routed to.
-Jeremy-
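To make the static-route breakdown above concrete, here is an added Python example (not from the thread, not Cisco's code) that parses `ip route` statements in both forms shown, next-hop address and exit interface, and resolves a destination by longest-prefix match, which is how the router chooses between a specific route and the `ip route 0.0.0.0 0.0.0.0 Dialer0` default from the posted config. The route lines are the ones in this thread except the 123.100.20.0 network, which is constructed, as are the lookup addresses. It also adds the connected routes that IOS installs for Vlan1 and Vlan2 from their interface addresses in the posted config, so a 192.168.2.x destination resolves to Vlan2 rather than to the default route.

```python
"""Parse Cisco IOS static routes and resolve destinations by longest-prefix match.

Added example, not from the thread. Route statements are the ones shown in
the thread; the 123.100.20.0/24 line and the lookup addresses are constructed.
"""
import ipaddress

# Constructed input: the default route from the posted config plus the two
# syntaxes from the reply (next-hop address form and exit-interface form).
ROUTE_TEXT = """
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 123.100.10.0 255.255.255.0 123.234.10.1
ip route 123.100.20.0 255.255.255.0 vlan 2
"""

# Connected routes that IOS installs automatically from the interface
# addresses in the posted config (Vlan1 192.168.1.1/24, Vlan2 192.168.2.1/24).
CONNECTED = [
    (ipaddress.IPv4Network("192.168.1.0/24"), "vlan1"),
    (ipaddress.IPv4Network("192.168.2.0/24"), "vlan2"),
]


def parse_static_routes(text):
    """Return a list of (IPv4Network, via); via is a next-hop IPv4Address or an interface name."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["ip", "route"]:
            raise ValueError(f"not an 'ip route' statement: {line!r}")
        # IOS gives the mask in dotted form; IPv4Network accepts "network/netmask"
        network = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
        rest = tok[4:]
        try:
            via = ipaddress.IPv4Address(rest[0])   # next-hop form
        except ipaddress.AddressValueError:
            via = "".join(rest).lower()            # "vlan 2" -> "vlan2", "Dialer0" -> "dialer0"
        routes.append((network, via))
    return routes


def lookup(routes, destination):
    """Longest-prefix match: of the routes containing the destination, the most specific wins.
    Returns (network, via) as strings, or None when no route matches."""
    dest = ipaddress.IPv4Address(destination)
    candidates = [(net, via) for net, via in routes if dest in net]
    if not candidates:
        return None
    net, via = max(candidates, key=lambda r: r[0].prefixlen)
    return str(net), str(via)


ROUTING_TABLE = parse_static_routes(ROUTE_TEXT) + CONNECTED


def demo():
    """Resolve a few constructed destinations against the table."""
    return {d: lookup(ROUTING_TABLE, d)
            for d in ("123.100.10.77", "123.100.20.3", "192.168.2.50", "8.8.8.8")}


if __name__ == "__main__":
    for dest, (net, via) in demo().items():
        print(f"{dest:<16} -> {net:<18} via {via}")
```

The `/24` entries win over `0.0.0.0/0` whenever they contain the destination, so a static route for a local network is never shadowed by the default; conversely, anything the table does not cover falls through to Dialer0 and leaves for the ISP, which is the behaviour the reply above describes.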