Cannot route to internet from Switch

NathanLKoch
Level 1

Here are my configs for my

Router:

!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 
enable password 7 
!         
aaa new-model
!         
!         
aaa authentication login local_auth local
!         
!         
!         
!         
!         
!         
aaa session-id common
!         
!         
!         
!         
!         
!         
no ip source-route
no ip gratuitous-arps
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
          
          
!         
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!         
ip dhcp pool vlan 20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 40
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 60
 network 192.168.60.0 255.255.255.0
 default-router 192.168.60.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 70
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 80
 network 192.168.80.0 255.255.255.0
 default-router 192.168.80.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
!         
!         
no ip bootp server
ip host JPL 192.168.2.2
ip cef    
login block-for 13500 attempts 35 within 13500
no ipv6 cef
!         
multilink bundle-name authenticated
!         
!         
!         
!         
!         
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!         
!         
vtp mode transparent
username user password 7 
!         
redundancy
!         
!         
!         
!         
no cdp run
!         
!         
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!         
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  pass    
 class class-default
  pass    
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  drop    
 class class-default
  drop    
!         
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!         
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown 
 no mop enabled
!         
interface GigabitEthernet0/0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security OUTSIDE
 duplex auto
 speed auto
 no mop enabled
!         
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security INSIDE
 duplex auto
 speed auto
 no mop enabled
!         
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 zone-member security INSIDE
 no cdp enable
!         
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no cdp enable
!         
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 192.168.60.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.70
 encapsulation dot1Q 70
 ip address 192.168.70.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.80
 encapsulation dot1Q 80
 ip address 192.168.80.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown 
 duplex auto
 speed auto
 no mop enabled
!         
!         
router rip
 version 2
 network 142.165.0.0
 network 192.168.2.0
 network 192.168.20.0
 network 207.47.196.0
!         
ip forward-protocol nd
!         
no ip http server
no ip http secure-server
!         
ip route 0.0.0.0 0.0.0.0 dhcp
ip identd 
!         
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!         
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!         
!         
!         
!         
control-plane host
!         
!         
control-plane
!         
!         
 vstack   
banner login ^C
          
          
   *******         *****       ,******.          ,**************        ,******,             
 **********,       *****     .**********      ,*****************       **********            
******,*****       *****     ************    *******************      ************           
*****   *****      *****    *****   ******   *****                   *****   ,*****          
*****   *****,     *****   ******    *****   *****                  ,*****    *****          
*****    *****     *****   *****      *****  ,****************      *****      *****         
*****    ,*****    *****  *****       ******   *****************   *****       ,*****        
*****     *****    *****  *****        *****       ,,,,,,,,****** .*****        *****        
*****     ,*****   ***** *****          *****               ***** *****          *****       
*****      *****   **********           *****,             ***********,          ******      
*****       ***********.*****            *********************** *****            *****      
*****        ********* *****              ********************  *****              *****     ^C
banner motd ^C
Welcome to ^C
!         
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 speed 115200
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 modem InOut
 transport input telnet
 transport output telnet
 flowcontrol hardware
line 2    
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec  
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 
 login authentication local_auth
 transport input none
!         
scheduler allocate 20000 1000
!         
end  

Switch:

!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5 
enable password 7 
!
username user privilege 15 password 7 
!
!         
no aaa new-model
ip subnet-zero
ip vrf mgmtVrf
!         
!         
!         
vtp domain test-02
vtp mode transparent
!         
!         
!         
power redundancy-mode redundant
!         
!         
!         
!         
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!         
vlan internal allocation policy ascending
!         
vlan 20,30,40,50,60,70,80,159-160 
!         
!         
!         
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 no ip address
 speed auto
 duplex auto
!         
interface GigabitEthernet1/1
 switchport access vlan 20
 switchport mode dot1q-tunnel
 no cdp enable
!         
interface GigabitEthernet1/2
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/3
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/4
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/5
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/6
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/7
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/8
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/9
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/10
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/11
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/12
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/13
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/14
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/15
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/16
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/17
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/18
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/19
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/20
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/21
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/22
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/23
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/24
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/25
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/26
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/27
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/28
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/29
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/30
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/31
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/32
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/33
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/34
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/35
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/36
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/37
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/38
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/39
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/40
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/41
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/42
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/43
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/44
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/45
 switchport access vlan 50
 switchport mode access
 media-type rj45
!         
interface GigabitEthernet1/46
 switchport access vlan 50
 switchport mode access
 media-type rj45
!         
interface GigabitEthernet1/47
 switchport access vlan 50
 switchport mode access
 media-type rj45
!         
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
!         
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 spanning-tree portfast
 spanning-tree link-type shared
!         
router rip
 network 192.168.2.0
!         
ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
no ip http secure-server
!         
!         
!         
!         
!         
!         
control-plane
!         
banner login ^C
               **** *****************,  ****               
               **** ******************* ****               
               **** ****.          **** ****               
               **** ****.          **** ****               
               **** ****.  ***********, ****               
               **** ****.               ****               
               **** ****.               ****               
,,,,,,,,,,,,,****** ****.               ******,,,,,,,,,,,,,
 ****************,  ****.                ****************, ^C
banner motd ^C
 Welcome to ^C
!         
line con 0
 login local
 stopbits 1
line vty 0 5
 login local
!         
end       
     

Any ideas?

 

---------------------
"Fortune favors the brave."
2 Accepted Solutions

I still think the problem is at the zone-based firewall configuration. You must have permit any any at the OUTSIDE-TO-INSIDE ACL, because the inspection and dropping is done by the policy.

But before exploring further I would rather remove the configuration of the zone-based firewall below the interfaces to see if the issue is from this, and after that review the configuration.

It is more efficient to make the pair inside-outside do "inspect" rather than "pass" (below the class-map), so you would not create another pair outside-inside. In this case it will be stateful and permit from outside only replies for traffic initiated from the inside.
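Putting the two accepted solutions together with the NAT that the later replies add, here is a corrected edge fragment for the NASA router. This is an added example, not a configuration posted in the thread; the ACL contents, the logged drop in class-default, the per-subnet NAT list and the verification commands are my choices, and it assumes the interface, zone and policy names of the posted config.

```cisco
! Added example (not from the thread): the ZBF and NAT parts of the NASA
! router rewritten so that replies from the internet are allowed back in.
!
! Why the posted config fails: both named ACLs are empty, so neither
! inspect class ever matches and only class-default applies. "pass" on
! IN-TO-OUT is stateless, so the reply to an inside-initiated flow
! arrives on OUT-TO-IN, hits class-default "drop", and is discarded.
!
! 1. Give the inside-to-outside class something to match
!    (assumption: only 192.168.0.0/16 is used on the LAN side).
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.0.0 0.0.255.255 any
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
!
! 2. "inspect" instead of "pass": the router keeps a session entry per
!    flow and admits only that flow's replies. Inside traffic that does
!    not match the ACL is dropped and logged instead of silently passed.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! 3. Remove the OUT-TO-IN pair entirely (second accepted solution).
!    With no zone-pair in that direction, unsolicited traffic from
!    OUTSIDE to INSIDE is dropped by default; inspected replies are
!    matched in the session table before zone policy is consulted.
!    Order matters: a policy-map still bound to a zone-pair cannot be
!    removed, so the zone-pair goes first.
no zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
no policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
no class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
no ip access-list extended OUTSIDE-TO-INSIDE
!
! 4. PAT: one standard ACL listing exactly the inside prefixes rather
!    than a blanket 192.168.0.0/16, so an unexpected subnet is not
!    translated by accident. Overload onto the DHCP-addressed WAN port.
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 ip nat outside
!
! Every routed LAN subinterface must be tagged "inside"; the native-VLAN
! subinterface is the one the switch's own 192.168.2.2 pings come from.
interface GigabitEthernet0/1.1
 ip nat inside
interface GigabitEthernet0/1.20
 ip nat inside
interface GigabitEthernet0/1.30
 ip nat inside
interface GigabitEthernet0/1.40
 ip nat inside
interface GigabitEthernet0/1.50
 ip nat inside
interface GigabitEthernet0/1.60
 ip nat inside
interface GigabitEthernet0/1.70
 ip nat inside
interface GigabitEthernet0/1.80
 ip nat inside
!
! 5. Verify while a ping from the switch (JPL) to 8.8.8.8 is running:
!    one inspect session and one dynamic translation should be listed.
! NASA# show policy-map type inspect zone-pair IN-TO-OUT sessions
! NASA# show ip nat translations
! NASA# show zone-pair security
```

The router's own pings to google.com succeed even with the posted config because self-originated traffic belongs to the self zone and is not subject to the IN-TO-OUT policy, which is why they are not evidence that the firewall is passing LAN traffic.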

25 Replies

RicardoSN
Level 1

Hi,

Are you able to ping from your switch, sourcing with the IP 192.168.2.2, to the destination IP 192.168.2.1? If the pings are successful, then I would think the problem resides on the router, not the switch. I can't see at the moment any switch-related issue. Also, what do you exactly mean by "cannot route to internet"? You're already doing it with a static route.

-Ricardo S.N., Regards!

Yes. Pings work.

NASA#ping google.com                                                                                       
Type escape sequence to abort.                                                                             
Sending 5, 100-byte ICMP Echos to 172.217.164.206, timeout is 2 seconds:                                   
!!!!!                                                                                                      
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/52/64 ms                                    
NASA#ping 192.168.2.2                                                                                      
Type escape sequence to abort.                                                                             
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:                                       
!!!!!                                                                                                      
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms                                       
                                                                                         
JPL#ping 192.168.2.1                                                                                       
                                                                                                           
Type escape sequence to abort.                                                                             
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:                                       
!!!!!                                                                                                      
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms                                       
JPL#ping 192.168.20.1                                                                                      
                                                                                                           
Type escape sequence to abort.                                                                             
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:                                      
!!!!!                                                                                                      
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms                                       
JPL#ping 8.8.8.8                                                                                           
                                                                                                           
Type escape sequence to abort.                                                                             
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:                                           
.....                                                                                                      
Success rate is 0 percent (0/5) 
---------------------
"Fortune favors the brave."

Muhammad Awais Khan
Cisco Employee

Hi,

 

I did not see any NAT config here. You are not able to ping from any other VLAN to outside, right? And you can ping to the internet from the outside interface?

Correct.

---------------------
"Fortune favors the brave."

Can you add the below to your router.

 

access-list 10 permit 192.168.0.0 0.0.255.255
ip nat inside source list 10 interface gi0/0 overload

 

If it worked, then you have to add "ip nat inside" to all the remaining subinterfaces you have in your router.

show run

access-list 10 permit 192.168.0.0 0.0.255.255                                                              
ip nat inside source list 10 interface GigabitEthernet0/0 overload                                         
NASA#show ip nat statistics                                                                                
Total active translations: 0 (0 static, 0 dynamic; 0 extended)                                             
Peak translations: 1, occurred 00:02:18 ago                                                                
Outside interfaces:                                                                                        
  GigabitEthernet0/0                                                                                       
Inside interfaces:                                                                                         
  GigabitEthernet0/1, GigabitEthernet0/1.1, GigabitEthernet0/1.20                                          
Hits: 10  Misses: 0                                                                                        
CEF Translated packets: 10, CEF Punted packets: 0                                                          
Expired translations: 1                                                                                    
Dynamic mappings:                                                                                          
-- Inside Source                                                                                           
[Id: 1] access-list 10 interface GigabitEthernet0/0 refcount 0                                             
                                                                     
---------------------
"Fortune favors the brave."

Did it work for you? The output suggests that translation worked well.

No. Not yet. I think it's the switch? If I have NAT enabled on the router, does the switch need to have it enabled as well?

---------------------
"Fortune favors the brave."

I still cannot ping from the switch?

NASA#ping 192.168.20.63                                                                                    
Type escape sequence to abort.                                                                             
Sending 5, 100-byte ICMP Echos to 192.168.20.63, timeout is 2 seconds:                                     
!!!!!                                                                                                      
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms                                       
NASA#ping 192.168.2.2                                                                                      
Type escape sequence to abort.                                                                             
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:                                       
!!!!!                                                                                                      
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms                                       
JPL#ping 8.8.8.8                                                                                           
                                                                                                           
Type escape sequence to abort.                                                                             
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:                                           
.....                                                                                                      
Success rate is 0 percent (0/5)                                                                            
JPL#ping 192.168.2.1                                                                                       
                                                                                                           
Type escape sequence to abort.                                                                             
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:                                       
!!!!!                                                                                                      
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms                                       
JPL#ping 8.8.8.8                                                                                           
                                                                                                           
Type escape sequence to abort.                                                                             
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:                                           
.....                                                                                                      
Success rate is 0 percent (0/5)                                                                            
JPL#
---------------------
"Fortune favors the brave."

 

Post the router configuration again.

 

Jon

Hello,

 

You will need to put "ip nat outside" on the WAN router interface.

Rate if helpful.

Hello,

 

I don't want to post anything redundant that might have been mentioned by others, but have a look at the changes marked with "-->" below. Try and implement those... the assumption is that port 48 on the switch is uplinked to port 0/1 on the router.

 

Router:

!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip host JPL 192.168.2.2
ip cef
login block-for 13500 attempts 35 within 13500
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username user password 7
!
redundancy
!
no cdp run
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
pass
class class-default
pass
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip address dhcp
--> ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0

--> ip nat inside
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
--> no router rip
version 2
network 142.165.0.0
network 192.168.2.0
network 192.168.20.0
network 207.47.196.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!

access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
control-plane host
!
control-plane
!
vstack
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
!
end

 

Switch:

!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5
enable password 7
!
username user privilege 15 password 7
!
--> no ip routing
!
no aaa new-model
ip subnet-zero
ip vrf mgmtVrf
!
vtp domain test-02
vtp mode transparent
!
power redundancy-mode redundant
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40,50,60,70,80,159-160
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet1/1
switchport access vlan 20
switchport mode dot1q-tunnel
no cdp enable
!
interface GigabitEthernet1/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/5
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/6
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/7
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/8
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/9
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/10
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/11
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/12
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/13
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/14
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/16
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/17
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/18
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/19
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/20
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/21
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/22
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/23
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/24
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/25
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/26
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/27
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/28
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/29
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/30
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/31
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/32
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/33
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/34
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/35
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/36
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/37
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/38
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/39
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/40
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/41
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/42
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/43
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/44
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/45
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/46
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/47
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/48
description Uplink to Router interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
!
interface Vlan1
ip address 192.168.2.2 255.255.255.0
spanning-tree portfast
spanning-tree link-type shared
!
ip default-gateway 192.168.2.1
!
--> no router rip
network 192.168.2.0
!
--> no ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
login local
stopbits 1
line vty 0 5
login local
!
end

Router

NASA#show run
Building configuration...

Current configuration : 7889 bytes
!
! Last configuration change at 16:26:49 UTC Wed Jan 15 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 
enable password 7 
!         
aaa new-model
!         
!         
aaa authentication login local_auth local
!         
!         
!         
!         
!         
!         
aaa session-id common
!         
!         
!         
!         
!         
!         
no ip source-route
no ip gratuitous-arps
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
          
          
!         
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!         
ip dhcp pool vlan 20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 40
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 60
 network 192.168.60.0 255.255.255.0
 default-router 192.168.60.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 70
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 80
 network 192.168.80.0 255.255.255.0
 default-router 192.168.80.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
!         
!         
no ip bootp server
ip host JPL 192.168.2.2
ip inspect WAAS flush-timeout 10
ip cef    
login block-for 13500 attempts 35 within 13500
no ipv6 cef
!         
multilink bundle-name authenticated
!         
!         
!         
!         
!         
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!         
!         
vtp mode transparent
username  password 7 
!         
redundancy
 notification-timer 120000
!         
!         
!         
!         
no cdp run
!         
!         
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!         
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  pass    
 class class-default
  pass    
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  drop    
 class class-default
  drop    
!         
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!         
interface Loopback1
 no ip address
!         
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown 
 no mop enabled
!         
interface GigabitEthernet0/0
 ip address dhcp hostname NASA
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 no mop enabled
!         
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
 no mop enabled
!         
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 zone-member security INSIDE
 no cdp enable
!         
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 zone-member security INSIDE
 no cdp enable
!         
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 192.168.60.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.70
 encapsulation dot1Q 70
 ip address 192.168.70.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.80
 encapsulation dot1Q 80
 ip address 192.168.80.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown 
 duplex auto
 speed auto
 no mop enabled
!         
!         
ip forward-protocol nd
!         
no ip http server
no ip http secure-server
!         
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip identd 
!         
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!         
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!         
!         
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!         
!         
control-plane host
!         
!         
control-plane
!         
!         
 vstack   
banner login ^C
          
          
   *******         *****       ,******.          ,**************        ,******,             
 **********,       *****     .**********      ,*****************       **********            
******,*****       *****     ************    *******************      ************           
*****   *****      *****    *****   ******   *****                   *****   ,*****          
*****   *****,     *****   ******    *****   *****                  ,*****    *****          
*****    *****     *****   *****      *****  ,****************      *****      *****         
*****    ,*****    *****  *****       ******   *****************   *****       ,*****        
*****     *****    *****  *****        *****       ,,,,,,,,****** .*****        *****        
*****     ,*****   ***** *****          *****               ***** *****          *****       
*****      *****   **********           *****,             ***********,          ******      
*****       ***********.*****            *********************** *****            *****      
*****        ********* *****              ********************  *****              *****     ^C
banner motd ^C
Welcome to ^C
!         
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 speed 115200
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 modem InOut
 transport input telnet
 transport output telnet
 flowcontrol hardware
line 2    
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec  
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 
 login authentication local_auth
 transport input none
!         
scheduler allocate 20000 1000
!         
end    

Switch

Building configuration...

Current configuration : 5879 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5
enable password 7 
!
username  privilege 15 password 7 
!
!         
no aaa new-model
ip subnet-zero
no ip routing
ip vrf mgmtVrf
!         
!         
!         
vtp domain test-02
vtp mode transparent
!         
!         
!         
power redundancy-mode redundant
!         
!         
!         
!         
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!         
vlan internal allocation policy ascending
!         
vlan 20,30,40,50,60,70,80,159-160 
!         
!         
!         
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 no ip address
 no ip route-cache
 speed auto
 duplex auto
!         
interface GigabitEthernet1/1
 switchport access vlan 20
 switchport mode dot1q-tunnel
 no cdp enable
!         
interface GigabitEthernet1/2
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/3
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/4
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/5
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/6
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/7
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/8
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/9
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/10
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/11
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/12
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/13
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/14
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/15
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/16
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/17
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/18
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/19
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/20
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/21
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/22
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/23
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/24
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/25
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/26
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/27
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/28
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/29
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/30
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/31
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/32
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/33
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/34
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/35
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/36
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/37
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/38
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/39
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/40
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/41
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/42
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/43
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/44
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/45
 switchport access vlan 50
 switchport mode access
 media-type rj45
!         
interface GigabitEthernet1/46
 switchport access vlan 50
 switchport mode access
 media-type rj45
!         
interface GigabitEthernet1/47
 switchport access vlan 50
 switchport mode access
 media-type rj45
!         
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
!         
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 no ip route-cache
 spanning-tree portfast
 spanning-tree link-type shared
!         
ip default-gateway 192.168.2.1
no ip http server
no ip http secure-server
!         
!         
!         
!         
!         
!         
control-plane
!         
banner login ^C
               **** *****************,  ****               
               **** ******************* ****               
               **** ****.          **** ****               
               **** ****.          **** ****               
               **** ****.  ***********, ****               
               **** ****.               ****               
               **** ****.               ****               
,,,,,,,,,,,,,****** ****.               ******,,,,,,,,,,,,,
 ****************,  ****.                ****************, ^C
banner motd ^C
 Welcome to ^C
!         
line con 0
 login local
 stopbits 1
line vty 0 5
 login local
!         
end 

Still not routing? Thank you for your help.

---------------------
"Fortune favors the brave."

Hello,

I see you have zone-based firewall configured. In the inspect policy you defined access list INSIDE-TO-OUTSIDE, but the access list is empty. Please configure permit rules for your subnets like this:

ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.0.0 0.0.255.255 any
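Worked example added by the editor; it is not part of the reply above and not the original poster's running config. It takes the posted NASA router config as the starting point and shows the three changes that, read against that config, a ZBFW plus NAT setup needs before inside hosts get replies back from the internet: a populated INSIDE-TO-OUTSIDE ACL, `inspect` instead of `pass` (the posted IN-TO-OUT policy uses `pass`, which is stateless, so the return packets hit the OUT-TO-IN zone-pair and are dropped), and zone membership plus `ip nat inside` on every VLAN sub-interface (the posted config only has them on .1 and .20; ZBFW does not inherit zone membership from the parent Gi0/1, and an interface in no zone cannot exchange traffic with one that is in a zone). The assumption is that all VLANs 1 and 20-80 are meant to reach the internet via Gi0/0 and nothing unsolicited should come back in.

```cisco
! Added example, not from the thread. Assumes VLANs 1,20-80 should all reach
! the internet through GigabitEthernet0/0 and that OUT-TO-IN stays closed.
!
! 1. Give the class something to match. The posted ACL was empty, which means
!    the INSIDE-TO-OUTSIDE class never matched and everything fell into
!    class-default. List only the subnets actually in use rather than "any".
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
 permit ip 192.168.40.0 0.0.0.255 any
 permit ip 192.168.50.0 0.0.0.255 any
 permit ip 192.168.60.0 0.0.0.255 any
 permit ip 192.168.70.0 0.0.0.255 any
 permit ip 192.168.80.0 0.0.0.255 any
!
! 2. "inspect", not "pass". "pass" lets the outbound packet through without
!    creating a session, so the reply arrives on the OUT-TO-IN zone-pair and is
!    dropped there. "inspect" builds a stateful session and admits the return
!    traffic on its own. class-default is now drop (with log) so that anything
!    outside the ACL is visible in the syslog rather than silently allowed.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! OUTSIDE-TO-INSIDE-POLICY stays as posted: drop for the class and for
! class-default. Inspect sessions created by IN-TO-OUT bypass it for replies.
!
! 3. Zone membership and NAT are per interface. The posted config set
!    "zone-member security INSIDE" and "ip nat inside" only on Gi0/1.1 and
!    Gi0/1.20; .30 through .80 had neither, so those VLANs were neither
!    translated by access-list 1 nor allowed to talk to the OUTSIDE zone.
interface GigabitEthernet0/1.30
 ip nat inside
 zone-member security INSIDE
interface GigabitEthernet0/1.40
 ip nat inside
 zone-member security INSIDE
interface GigabitEthernet0/1.50
 ip nat inside
 zone-member security INSIDE
interface GigabitEthernet0/1.60
 ip nat inside
 zone-member security INSIDE
interface GigabitEthernet0/1.70
 ip nat inside
 zone-member security INSIDE
interface GigabitEthernet0/1.80
 ip nat inside
 zone-member security INSIDE
```

Two caveats from the posted config. The interfaces carry both `ip nat inside`/`ip nat outside` and `ip nat enable`; the translation rule in use is the classic `ip nat inside source list 1 interface GigabitEthernet0/0 overload` form, which the NAT Virtual Interface `ip nat enable` mode does nothing for, so the `ip nat enable` lines are best removed rather than left mixed with domain-based NAT. Second, `access-list 1` already lists every inside subnet, so once the sub-interfaces are marked `ip nat inside` the existing overload rule covers them without change. To confirm the fix from the router itself: `show zone-pair security` should list IN-TO-OUT with INSIDE-TO-OUTSIDE-POLICY attached, `show policy-map type inspect zone-pair sessions` should show a session appear when a host on VLAN 30 opens a connection, and `show ip nat translations` should show the matching translation to the Gi0/0 DHCP address; if the session is present but the translation is not, the problem is NAT, and if neither is present the packet is not reaching the zone-pair at all (check the trunk and the sub-interface VLAN tag first).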