Routing & ACL question
Refer to the attached diagram...
Below are the configurations for router 1 (HQ) and router 2 (branch).
Router 1
static routes
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 172.16.20.0 255.255.255.0 172.16.10.1
ip route 172.16.21.0 255.255.255.0 172.16.10.1
ip route 172.16.22.0 255.255.255.0 172.16.10.1
ip route 172.16.30.0 255.255.255.0 10.1.1.2
ip route 172.16.31.0 255.255.255.0 10.1.1.2
ip route 172.16.32.0 255.255.255.0 10.1.1.2
!
interface GigabitEthernet0/0
description *** Open LAN ***
ip address 172.16.10.1 255.255.255.252
ip access-group 1 in
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description ********* Close LAN **************
ip address 192.168.0.126 255.255.255.128
ip access-group 2 in
duplex auto
speed auto
media-type rj45
!
!
interface FastEthernet0/0/0
description *** ISP MAN Connection ***
ip address 10.1.1.1 255.255.255.252
duplex full
speed auto
!
ACL
Gi 0/0
access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit any
Gi 0/1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
Router 2
static route
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
interface GigabitEthernet0/0
description *** Open LAN ***
ip address 172.16.10.5 255.255.255.252
ip access-group 1 in
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description ******* Close LAN **********
ip address 192.168.0.254 255.255.255.128
ip access-group 2 in
duplex auto
speed auto
media-type rj45
!
interface FastEthernet0/0/0
description *** ISP MAN Connection ***
ip address 10.1.1.2 255.255.255.252
duplex full
speed auto
!
ACL
Gi 0/0
access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit any
Gi 0/1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
Questions For Routing :
1- Can we use the same IP & subnet for Gi 0/1 on both routers? For example, router 1 Gi 0/1 using IP 192.168.0.1/24 and router 2 Gi 0/1 using IP 192.168.0.2/24? I have tried it, but they fail to ping each other.
2- If question 1 is possible, do we need to add routing at both routers? Let's say routing "ip route 192.168.0.0 255.255.255.0 10.1.1.2" at router 1 and "ip route 192.168.0.0 255.255.255.0 10.1.1.1" at router 2?
Questions For ACL :
I want to make network 1 & network 2 separate from each other. Users on 172.16.x.y cannot access / ping users on 192.168.0.x/24. Network 1 can access the internet, but network 2 can only access a local application which is private to network 1.
I have already configured both routers with the ACLs above, but users on network 1 at the branch can still ping interface Gi 0/1 on both router 1 and router 2.
Is it because of the ACL rules? How do I correct it?
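Why the posted standard ACLs cannot stop those pings is easiest to see by running the packets through the ACL logic. The following is an added example, not code from this thread: a small Python model of IOS numbered access-list evaluation (top-down, first match wins, implicit deny, standard ACLs match on source only, and only the ACL bound "in" on the interface a packet enters is consulted). It is loaded with router 1's ACLs and interface bindings as posted, then with an extended ACL 101 that is my suggested change, not something from the thread. The hosts 172.16.30.10, 172.16.20.10 and 192.168.0.10 are constructed sample addresses; 192.168.0.126 is router 1's posted Gi0/1 address.

```python
"""Model of Cisco IOS numbered access-list evaluation (added example, not from the thread).

Rules modelled: entries are checked top-down and the first match wins; every ACL ends
with an implicit 'deny any'; standard ACLs (1-99) match on SOURCE address only; only the
ACL bound inbound on the interface a packet ENTERS is consulted.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match the base address, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _addr_spec(tok, i):
    """Consume one address spec at tok[i]: 'any', 'host A', 'A W' or a bare 'A' (wildcard 0.0.0.0)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1

def parse_ace(line):
    """Parse 'access-list N permit|deny ...'. 1-99: standard (source only). 100-199: extended
    (protocol, source, destination); ports are ignored here, the TCP 'established' flag is kept."""
    tok = line.split()
    number, action = int(tok[1]), tok[2]
    if number <= 99:
        src, _ = _addr_spec(tok, 3)
        return dict(action=action, proto="ip", src=src, dst=ANY, established=False)
    src, i = _addr_spec(tok, 4)
    dst, i = _addr_spec(tok, i)
    return dict(action=action, proto=tok[3], src=src, dst=dst, established="established" in tok[i:])

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt = dict(proto, src, dst[, established])."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if ace["established"] and not pkt.get("established", False):
            continue  # 'established' only matches TCP segments with ACK or RST set
        if wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"]):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ACL

def ingress_decision(router, ingress_if, pkt):
    """Apply only the ACL bound 'in' on the interface the packet arrives on; no ACL means permit."""
    acl = router["inbound"].get(ingress_if)
    return "permit" if acl is None else evaluate(acl, pkt)

# Router 1 (HQ) as posted: ACL 1 in on Gi0/0, ACL 2 in on Gi0/1, nothing on Fa0/0/0 (the MAN link).
ACL_1 = ["access-list 1 deny 192.168.0.0 0.0.0.255", "access-list 1 permit any"]
ACL_2 = ["access-list 2 permit 192.168.0.0 0.0.0.255", "access-list 2 deny any"]
ROUTER1_AS_POSTED = {"inbound": {"Gi0/0": ACL_1, "Gi0/1": ACL_2}}

# Suggested change (my assumption, not from the thread): an extended ACL bound inbound on every
# interface where 172.16.x.x traffic can enter. It blocks the open LAN towards the closed LAN and
# towards the router's own closed-LAN address, but still lets TCP replies to sessions the closed
# LAN opened (its "local application" traffic) come back.
ACL_101 = [
    "access-list 101 permit tcp 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255 established",
    "access-list 101 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255",
    "access-list 101 permit ip any any",
]
ROUTER1_FIXED = {"inbound": {"Gi0/0": ACL_101, "Fa0/0/0": ACL_101, "Gi0/1": ACL_2}}

# Constructed sample packets. 172.16.30.10 stands for a branch open-LAN host (172.16.30.0/24 is
# routed towards the branch in the posted config), 172.16.20.10 for an HQ open-LAN host;
# 192.168.0.126 is router 1's own Gi0/1 address; 192.168.0.10 stands for a closed-LAN client.
BRANCH_PING = dict(proto="icmp", src="172.16.30.10", dst="192.168.0.126")
HQ_PING = dict(proto="icmp", src="172.16.20.10", dst="192.168.0.126")
TCP_REPLY = dict(proto="tcp", src="172.16.20.10", dst="192.168.0.10", established=True)

def demo():
    return {
        "branch ping, posted config": ingress_decision(ROUTER1_AS_POSTED, "Fa0/0/0", BRANCH_PING),
        "hq ping, posted config": ingress_decision(ROUTER1_AS_POSTED, "Gi0/0", HQ_PING),
        "hq ping if ACL 2 were consulted": evaluate(ACL_2, HQ_PING),
        "branch ping, extended ACL": ingress_decision(ROUTER1_FIXED, "Fa0/0/0", BRANCH_PING),
        "hq ping, extended ACL": ingress_decision(ROUTER1_FIXED, "Gi0/0", HQ_PING),
        "tcp reply into closed LAN, extended ACL": ingress_decision(ROUTER1_FIXED, "Gi0/0", TCP_REPLY),
    }

if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:45s} {verdict}")
```

Two things the model makes visible. First, ACL 2 bound "in" on Gi0/1 only ever sees packets arriving from the closed LAN, so it can never stop a 172.16 host from reaching Gi0/1's own address; and the MAN interface carries no ACL at all, so branch traffic reaches router 1 unfiltered. Second, binding an ACL "out" on Gi0/1 would not help with the ping either, because outbound ACLs do not apply to packets addressed to the router itself; an inbound ACL on each entry interface does. The "established" keyword is stateless and only matches TCP segments with ACK or RST set, so if the closed LAN's application uses UDP or needs ICMP, a reflexive ACL or the zone-based firewall is the right tool rather than a plain extended ACL.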
You asked:
1- Can we use the same IP & subnet for Gi 0/1 on both routers? For example, router 1 Gi 0/1 using IP 192.168.0.1/24 and router 2 Gi 0/1 using IP 192.168.0.2/24? I have tried it, but they fail to ping each other.
I assume you mean: can you use the private address range 192.168.x.x on two networks and have them communicate? The answer to that is yes, with strings and conditions attached. 192.168.x.x is a special address range, along with 10.x.x.x and 172.16.x.x-172.31.x.x, which was intended to be used with NAT (network address translation). If NAT is not properly configured, you're going to have some problems.
You also asked:
2- If question 1 is possible, do we need to add routing at both routers? Let's say routing "ip route 192.168.0.0 255.255.255.0 10.1.1.2" at router 1 and "ip route 192.168.0.0 255.255.255.0 10.1.1.1" at router 2?
No. You are essentially never going to use the ip route command with a private address. They are non-routable addresses.
Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html
Yup, both routers (router 1 & router 2) are in the private network, so I'm using private IPs for Gi0/0, Gi 0/1 and Fa 0/0/0. I tried using 192.168.0.1/24 at router 1 Gi0/1 and 192.168.0.2/24 at router 2, but it failed during the PING test.
After changing them to different subnets, the PING test succeeded (I changed router 1 Gi0/1 to 192.168.0.1/25 and router 2 Gi0/1 to 192.168.0.129/25). Why does this happen?
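The /24-versus-/25 result described above comes down to how the forwarding lookup treats a connected prefix. The following is an added example, not code from this thread: a small Python model of longest-prefix-match routing with administrative distance (connected 0, static 1), loaded with router 2's interfaces and default route as posted, and run against the two experiments and the static route asked about in question 2. The on-link behaviour it models (a destination inside a connected prefix is ARPed for on that interface rather than forwarded) is standard IOS forwarding; the route table model itself is mine.

```python
"""Forwarding-lookup model (added example, not from the thread): longest prefix match first,
ties broken by administrative distance (connected = 0 beats static = 1). A destination that
falls inside a connected prefix is treated as on-link: the router ARPs for it on that
interface instead of forwarding to any next hop.
"""
import ipaddress

def build_rib(connected, statics):
    """connected: [(interface address with prefix, ifname)]; statics: [(prefix, next hop)].
    Each entry: (network, admin_distance, next_hop or None, ifname or None)."""
    rib = [(ipaddress.ip_interface(a).network, 0, None, name) for a, name in connected]
    rib += [(ipaddress.ip_network(p), 1, nh, None) for p, nh in statics]
    return rib

def lookup(rib, dst):
    """Most specific prefix wins; among equal prefix lengths the lowest AD wins."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in rib if dst in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[1])) if matches else None

def egress_interface(rib, addr, depth=0):
    """Resolve addr recursively until it lands on a connected interface (as IOS does for
    next-hop statics); None if it never does."""
    route = lookup(rib, addr)
    if route is None or depth > 8:
        return None
    _net, _ad, nh, ifname = route
    return ifname if nh is None else egress_interface(rib, nh, depth + 1)

def decision(rib, dst):
    """What the router does with a packet for dst."""
    route = lookup(rib, dst)
    if route is None:
        return ("unroutable",)
    _net, _ad, nh, ifname = route
    if nh is None:
        return ("onlink", ifname)           # ARP for dst on this segment; no forwarding
    return ("via", nh, egress_interface(rib, nh))

# Router 2 (branch) as posted: MAN link, open-LAN link, default route towards router 1.
WAN = ("10.1.1.2/30", "Fa0/0/0")
OPEN = ("172.16.10.5/30", "Gi0/0")
DEFAULT = ("0.0.0.0/0", "10.1.1.1")
TARGET = "192.168.0.1"   # router 1's Gi0/1 address in both experiments described in the thread

# Experiment 1 (ping failed): both routers put Gi0/1 in 192.168.0.0/24.
R2_SAME_SUBNET = build_rib([WAN, OPEN, ("192.168.0.2/24", "Gi0/1")], [DEFAULT])
# Question 2 in the thread: the same, plus 'ip route 192.168.0.0 255.255.255.0 10.1.1.1'.
R2_SAME_SUBNET_PLUS_STATIC = build_rib([WAN, OPEN, ("192.168.0.2/24", "Gi0/1")],
                                       [DEFAULT, ("192.168.0.0/24", "10.1.1.1")])
# Experiment 2 (ping worked): router 2 Gi0/1 = 192.168.0.129/25, router 1 Gi0/1 = 192.168.0.1/25.
R2_SPLIT = build_rib([WAN, OPEN, ("192.168.0.129/25", "Gi0/1")], [DEFAULT])

def demo():
    return {
        "same /24 on both": decision(R2_SAME_SUBNET, TARGET),
        "same /24 plus static": decision(R2_SAME_SUBNET_PLUS_STATIC, TARGET),
        "split into /25s": decision(R2_SPLIT, TARGET),
    }

if __name__ == "__main__":
    for name, what in demo().items():
        print(f"{name:22s} {what}")
```

The lookup result is the whole story: with both Gi0/1 interfaces in 192.168.0.0/24, router 2 believes router 1's address is on its own Gi0/1 segment and sends an ARP request there, which nothing answers, so the ping times out. A static route for the same /24 loses to the connected route on administrative distance and changes nothing. Once the two sides use distinct /25s, 192.168.0.1 no longer falls inside a connected prefix on router 2, the default route carries it across the MAN link, and router 1 can answer because 10.1.1.2 is directly connected to it.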
The answer may be staring me in the face at the moment, but it's half-time for the Superbowl and I simply don't see it at the moment. Anyway, post the current running configs for both router 1 and 2 and we'll try to work from there.
Router 1
!
interface GigabitEthernet0/0
description *** Open LAN ***
ip address 172.16.10.1 255.255.255.252
ip access-group 1 in
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description ********* Close LAN **************
ip address 192.168.0.126 255.255.255.128
ip access-group 2 in
duplex auto
speed auto
media-type rj45
!
!
interface FastEthernet0/0/0
description *** ISP MAN Connection ***
ip address 10.1.1.1 255.255.255.252
duplex full
speed auto
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 172.16.20.0 255.255.255.0 172.16.10.1
ip route 172.16.21.0 255.255.255.0 172.16.10.1
ip route 172.16.22.0 255.255.255.0 172.16.10.1
ip route 172.16.30.0 255.255.255.0 10.1.1.2
ip route 172.16.31.0 255.255.255.0 10.1.1.2
ip route 172.16.32.0 255.255.255.0 10.1.1.2
access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit any
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
Router 2
!
interface GigabitEthernet0/0
description *** Open LAN ***
ip address 172.16.10.5 255.255.255.252
ip access-group 1 in
duplex full
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description ******* Close LAN **********
ip address 192.168.0.254 255.255.255.128
ip access-group 2 in
duplex auto
speed auto
media-type rj45
!
interface FastEthernet0/0/0
description *** ISP MAN Connection ***
ip address 10.1.1.2 255.255.255.252
duplex full
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 permit any
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
Can you give the ACLs a try and let us know the results?
Thanks
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx