04-13-2010 12:31 PM - edited 03-11-2019 10:32 AM
Here is my configuration. I can ping from the Router out to the internet. From the LAN I can ping the "inside" port and the "outside" port, but nothing past that. I also have no other access (web, smtp, etc). I am new to this device and zone-based firewall, any help would be greatly appreciated.
abc-FW#sho run
Building configuration...
Current configuration : 6238 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname abc-FW
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $2$ABC1234AC88394DD
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1348925195
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1348925195
revocation-check none
rsakeypair TP-self-signed-1348925195
!
!
crypto pki certificate chain TP-self-signed-1348925195
certificate self-signed 01
quit
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.51 10.10.10.254
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 4.2.2.4 4.2.2.3
lease 0 2
!
!
ip cef
ip domain name abcDist.com
ip name-server 4.2.2.4
ip name-server 4.2.2.3
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
username admin123 privilege 15 secret 5 xxxxxyzzyxxxx
!
!
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any in-out
match access-group 110
match protocol icmp
match protocol smtp
match protocol https
match protocol dns
match protocol http
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect outbound-policy
class type inspect in-out
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect outbound-policy
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address dhcp client-id FastEthernet4
zone-member security out-zone
duplex auto
speed auto
!
interface Cellular0
no ip address
encapsulation ppp
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 110 permit tcp any any eq www
access-list 110 permit icmp any any
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit gre any any
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line 3
no exec
line 4
exec-timeout 0 0
timeout login response 0
privilege level 0
modem answer-timeout 0
modem dtr-delay 0
activation-character 0
data-character-bits 8
exec-character-bits 8
special-character-bits 8
no exec
length 0
width 0
no history
no editing
transport preferred none
transport input none
transport output none
escape-character soft 0
escape-character 0
no ip tcp input-coalesce-threshold
callback forced-wait 0
callback nodsr-wait 0
stopbits 1
speed 115000
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
abc-FW#
Rich
04-14-2010 09:19 AM
Ok, so from the internal machines, can you PING 1.231 (which is the internet device)?
If the PING is not successful, then let's check where it dies by doing a traceroute from the machine to that IP.
Federico.
04-14-2010 09:38 AM
Pinging 4.2.2.2
From the 192.168.1.0/24 network we are good.
C:\>ping 4.2.2.2
Pinging 4.2.2.2 with 32 bytes of data:
Reply from 4.2.2.2: bytes=32 time=34ms TTL=53
Reply from 4.2.2.2: bytes=32 time=32ms TTL=53
Reply from 4.2.2.2: bytes=32 time=31ms TTL=53
Reply from 4.2.2.2: bytes=32 time=32ms TTL=53
Ping statistics for 4.2.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 31ms, Maximum = 34ms, Average = 32ms
C:\>
From the 881G Router we are good.
abc-FW#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/33/36 ms
abc-FW#
From the 881G Router with a source of 10.10.10.1 (VLAN1 IP)
abc-FW#ping 4.2.2.2 source 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
.....
Success rate is 0 percent (0/5)
abc-FW#
From the 10.10.10.0/24 network no good.
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : abc.com
IPv4 Address. . . . . . . . . . . : 10.10.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.1
C:\>ping 4.2.2.2
Pinging 4.2.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 4.2.2.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>
C:\>tracert 4.2.2.2
Tracing route to vnsc-bak.sys.gtei.net [4.2.2.2]
over a maximum of 30 hops:
1 1 ms 9 ms <1 ms 10.10.10.1
2 * * * Request timed out.
3 * * * Request timed out.
~
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.
C:\>
Rich
04-14-2010 09:42 AM
What kind of device is the .1.231?
It could be that this device has no route back to the 10.10.10.0/24 network.
Federico.
04-14-2010 09:50 AM
1.231 is a Cisco 2811. I put in a static route to the 10.10.10.0 network, still unable to ping from the 10.10.10.0/24 network.
Rich
04-14-2010 09:56 AM
From the 2811 (1.231) router I can ping inside the 10.10.10.0/24 network, just not the other way around.
perim2811#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
perim2811#
04-14-2010 09:57 AM
Can you PING the .1.231 from the 10.10.10.1 (which is the LAN interface for the 881)?
Federico.
04-14-2010 10:00 AM
Negative.
abc-FW#ping 192.168.1.231 source 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.231, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
.....
Success rate is 0 percent (0/5)
abc-FW#
04-14-2010 10:09 AM
This might be the problem.
The VLAN1 interface is member of a ZBF zone:
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect outbound-policy
policy-map type inspect outbound-policy
class type inspect in-out
inspect
class class-default
drop
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
zone-member security in-zone
Can do this:
policy-map type inspect outbound-policy
class class-default
allow
So, we are going to permit all traffic instead of dropping it.
Federico.
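A small config-audit helper, added here as an example and not part of anyone's post in this thread: it parses the ZBF sections of a "show run" paste (the sample below is a constructed excerpt modelled on the 881 config above) and reports each zone-pair's class-default action plus any direction between user zones that has no zone-pair at all, which is where traffic not belonging to an inspected session is silently dropped.

```python
import re
# Constructed excerpt modelled on the 881's ZBF config in this thread (assumed, not the full running-config).
SAMPLE_CONFIG = """\
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect outbound-policy
policy-map type inspect outbound-policy
 class type inspect in-out
  inspect
 class class-default
  drop
interface FastEthernet4
 zone-member security out-zone
interface Vlan1
 zone-member security in-zone
"""

def parse_zbf(text):
    # Zones, zone-pairs (with their policy), policy-map class actions, interface zone membership.
    zones, pairs, policies, members = [], {}, {}, {}
    ctx = cur = cls = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "!":
            continue
        if line.startswith("zone security "):
            zones.append(line.split()[2]); ctx = None
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            cur = m.group(1); pairs[cur] = {"src": m.group(2), "dst": m.group(3), "policy": None}; ctx = "pair"
        elif ctx == "pair" and line.startswith("service-policy type inspect "):
            pairs[cur]["policy"] = line.split()[-1]
        elif line.startswith("policy-map type inspect "):
            cur = line.split()[-1]; policies[cur] = {}; ctx = "pol"
        elif ctx == "pol" and line.startswith("class "):
            cls = line.split()[-1]; policies[cur][cls] = None
        elif ctx == "pol" and line.split()[0] in ("inspect", "pass", "drop"):
            policies[cur][cls] = line.split()[0]  # "drop log" is recorded as drop
        elif line.startswith("interface "):
            cur = line.split()[1]; ctx = "if"
        elif ctx == "if" and line.startswith("zone-member security "):
            members[cur] = line.split()[-1]
    return zones, pairs, policies, members

def audit(text):
    zones, pairs, policies, _ = parse_zbf(text)
    covered = {(p["src"], p["dst"]) for p in pairs.values()}
    return {  # class-default fate per zone-pair, and user-zone directions with no zone-pair (self is permitted by default)
        "default_action": {n: policies.get(p["policy"], {}).get("class-default") for n, p in pairs.items()},
        "missing_pairs": [(s, d) for s in zones for d in zones if s != d and (s, d) not in covered],
    }
```

Run it against a full "show run" paste to see at a glance which directions fall through to a drop; note that no out-zone to in-zone pair exists in the thread's config, so inbound-initiated traffic relies entirely on inspection state.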
04-14-2010 10:13 AM
When I entered class class-default the only options are:
drop
exit
inspect
no
pass
police
service-policy
allow isn't an option.
Rich
04-14-2010 10:20 AM
Think you can do:
no drop
or
pass
To make sure the traffic is allowed.
Federico.
04-14-2010 10:26 AM
Here is what I have configured currently:
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
zone-member security in-zone
ip tcp adjust-mss 1452
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address dhcp client-id FastEthernet4
zone-member security out-zone
duplex auto
speed auto
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect outbound-policy
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
policy-map type inspect otubound-policy
class class-default
pass
Still unable to ping or web surf from the 10.10.10.0/24 network.
Rich
10-12-2011 05:53 AM
Hi Rich,
Were you able to get any solution for the above issue?
Arjun