04-13-2010 12:31 PM - edited 03-11-2019 10:32 AM
Here is my configuration. I can ping from the Router out to the internet. From the LAN I can ping the "inside" port and the "outside" port, but nothing past that. I also have no other access (web, smtp, etc). I am new to this device and zone based firewall, any help would be greatly appreciated.
abc-FW#sho run
Building configuration...
Current configuration : 6238 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname abc-FW
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $2$ABC1234AC88394DD
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1348925195
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1348925195
 revocation-check none
 rsakeypair TP-self-signed-1348925195
!
!
crypto pki certificate chain TP-self-signed-1348925195
certificate self-signed 01
quit
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.51 10.10.10.254
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 4.2.2.4 4.2.2.3
 lease 0 2
!
!
ip cef
ip domain name abcDist.com
ip name-server 4.2.2.4
ip name-server 4.2.2.3
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
username admin123 privilege 15 secret 5 xxxxxyzzyxxxx
!
!
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any in-out
 match access-group 110
 match protocol icmp
 match protocol smtp
 match protocol https
 match protocol dns
 match protocol http
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect outbound-policy
 class type inspect in-out
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect outbound-policy
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address dhcp client-id FastEthernet4
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Cellular0
 no ip address
 encapsulation ppp
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 110 permit tcp any any eq www
access-list 110 permit icmp any any
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit gre any any
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line 3
no exec
line 4
exec-timeout 0 0
timeout login response 0
privilege level 0
modem answer-timeout 0
modem dtr-delay 0
activation-character 0
data-character-bits 8
exec-character-bits 8
special-character-bits 8
no exec
length 0
width 0
no history
no editing
transport preferred none
transport input none
transport output none
escape-character soft 0
escape-character 0
no ip tcp input-coalesce-threshold
callback forced-wait 0
callback nodsr-wait 0
stopbits 1
speed 115000
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
abc-FW#
Rich
04-13-2010 12:41 PM
Hi,
If you're trying to access the Internet and this is your Internet router, this makes sense.
The router will have a public IP (that's why you can PING the Internet from the router).
The router has no NAT configuration, that's why you're not getting past the default gateway.
Is this your situation?
Federico.
04-13-2010 12:49 PM
It currently sits inside a corporate network, thus the reason why it has a private IP on the WAN side. I currently have one in the field that is behind an Internet router (ISP provided). It too has a private IP on the WAN side which is set by DHCP (MAC reserved) from the Internet router.
I've also tried with NAT on and NAT off, same results both times.
04-13-2010 12:54 PM
We're saying VLAN1 10.10.10.0/24 is the LAN side correct?
The WAN side is interface fast4 correct?
I don't see the IP in the config file since it's getting its IP from DHCP.
The LAN clients should have a default gateway pointing to the 10.10.10.1 so they can pass through the router.
Federico.
04-13-2010 12:56 PM
Correct, VLAN1 is the inside at 10.10.10.0/24.
The outside FE4 is currently set to 192.168.1.115/24, GW 192.168.1.231.
PC:
IP: 10.10.10.2 (DHCP from router)
GW: 10.10.10.1
04-13-2010 12:58 PM
The inside LAN should have a default gateway pointing to the router 10.10.10.1, is it done already?
If you source a PING from the router's LAN IP (ping destination_IP source 10.10.10.1), does it succeed?
What's the IP that you're trying to reach?
Federico.
04-13-2010 01:01 PM
From the PC I can ping 10.10.10.1 (LAN) and 192.168.1.115 (WAN) but nowhere else on the other side of the router.
From the Router I can ping everywhere. I used 4.2.2.4 as my test ping.
Rich
04-13-2010 01:03 PM
Again, is 10.10.10.1 the default gateway for the LAN subnet?
Federico.
04-13-2010 01:06 PM
Yes, 10.10.10.1 is the default gateway for the LAN subnet
04-13-2010 01:09 PM
You're using ZBF, so let's see if that's what is not allowing communication between the interfaces.
For a test do the following:
interface fast4
 no zone-member security out-zone
interface vlan1
 no zone-member security in-zone
Does it work?
Federico.
04-13-2010 01:18 PM
Removed them both, still unable to ping out.
Rich
04-13-2010 02:03 PM
If from the router itself you can PING 4.2.2.2, then you should be able to source that PING from 10.10.10.1.
Do the following:
Enter those commands again and type the following on the router:
ping 4.2.2.2 source 10.10.10.1
If it does not work, do a traceroute to see where the packets die.
I think that maybe the router doing NAT is not doing NAT for the 10.10.10.0/24 network.
Federico.
04-14-2010 08:38 AM
Tried pinging from inside the router, was successful; tried ping 4.2.2.2 source 10.10.10.1 and received 5 timeouts. Did the traceroute and got the following.
abc-FW#traceroute 4.2.2.2
Type escape sequence to abort.
Tracing the route to vnsc-bak.sys.gtei.net (4.2.2.2)
1 192.168.1.250 4 msec 0 msec 4 msec
2 host-193-145-x-x.ussignalcom.net (x.x.145.193) 12 msec 12 msec 16 msec
3 te4-0-0.pe02.ind.ussignalcom.net (x.204.127.250) 28 msec 32 msec 36 msec
4 te7-0-0.pe01.sbn.ussignalcom.net (x.204.127.101) 32 msec 28 msec 28 msec
5 te4-0-1.pe02.grr.ussignalcom.net (x.204.127.229) 28 msec 28 msec 32 msec
6 te1-0-0.pe01.dtw.ussignalcom.net (x.204.127.254) 32 msec 28 msec 28 msec
7 ge-6-11-137.car2.Detroit1.Level3.net (4.79.12.9) 28 msec 24 msec 32 msec
8 ae-11-11.car1.Detroit1.Level3.net (4.69.133.245) 24 msec 28 msec 36 msec
9 ae-8-8.ebr2.Chicago1.Level3.net (4.69.133.242) 44 msec 40 msec 36 msec
10 ae-21-52.car1.Chicago1.Level3.net (4.68.101.34) 44 msec
ae-21-54.car1.Chicago1.Level3.net (4.68.101.98) 32 msec
ae-21-56.car1.Chicago1.Level3.net (4.68.101.162) 32 msec
11 vnsc-bak.sys.gtei.net (4.2.2.2) 44 msec 32 msec 36 msec
abc-FW#traceroute 4.2.2.2 source 10.10.10.1
Type escape sequence to abort.
Tracing the route to vnsc-bak.sys.gtei.net (4.2.2.2)
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
~
29 * * *
30 * * *
abc-FW#
I also set up NAT.
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address dhcp client-id FastEthernet4
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Cellular0
 no ip address
 encapsulation ppp
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
Rich
04-14-2010 09:02 AM
You don't need NAT on this router if it has a private IP being received by DHCP.
Do you have a simple snapshot of the topology that you can post?
Federico.
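The two suspects raised in this thread, the zone-based firewall and NAT, can both be checked mechanically against the posted configuration. The following Python script is an added example and not part of the thread: it parses a condensed copy of the abc-FW config (constructed here, including the ip nat inside/outside lines Rich added) and reports when a pair of zones used on interfaces has no zone-pair whose policy inspects traffic, and when interfaces are marked ip nat inside/outside without any ip nat inside source translation rule, which the NAT snippet posted above does not show.

```python
import re
from itertools import combinations
# Constructed sample: a condensed copy of the thread's abc-FW config plus the
# "ip nat inside/outside" lines Rich added (illustration only, not the full config).
SAMPLE_CONFIG = """
policy-map type inspect outbound-policy
 class type inspect in-out
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect outbound-policy
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
interface FastEthernet4
 ip address dhcp client-id FastEthernet4
 ip nat outside
 zone-member security out-zone
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
"""

def audit(config):
    """Return findings about zone-pair coverage and NAT completeness."""
    findings = []
    pairs = {}  # (source zone, destination zone) -> inspect policy name
    for m in re.finditer(r"zone-pair security \S+ source (\S+) destination (\S+)\n"
                         r"[ \t]+service-policy type inspect (\S+)", config):
        pairs[(m.group(1), m.group(2))] = m.group(3)
    # Policies with at least one 'inspect' action create return-traffic state.
    stateful = set()
    for m in re.finditer(r"policy-map type inspect (\S+)\n((?:[ \t]+.*\n)*)", config):
        if re.search(r"^[ \t]+inspect[ \t]*$", m.group(2), re.M):
            stateful.add(m.group(1))
    # Each pair of zones used on interfaces needs one inspecting direction,
    # otherwise traffic between them hits the implicit drop.
    zones = sorted(set(re.findall(r"^[ \t]+zone-member security (\S+)", config, re.M)))
    for a, b in combinations(zones, 2):
        if not any(pairs.get(d) in stateful for d in ((a, b), (b, a))):
            findings.append(f"no inspecting zone-pair between {a} and {b}")
    # Interface-level NAT markings translate nothing without a source rule.
    marked = re.search(r"^[ \t]+ip nat (inside|outside)[ \t]*$", config, re.M)
    if marked and not re.search(r"^ip nat inside source ", config, re.M):
        findings.append("ip nat inside/outside set but no 'ip nat inside source' rule")
    return findings
```

On the sample, the zone check passes (in-zone to out-zone is inspected, so replies are allowed statefully) and only the missing NAT rule is reported.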
04-14-2010 09:16 AM