01-14-2020 06:57 PM
Here are my configs for my
Router:
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
 network 192.168.60.0 255.255.255.0
 default-router 192.168.60.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
 network 192.168.80.0 255.255.255.0
 default-router 192.168.80.1
 dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip host JPL 192.168.2.2
ip cef
login block-for 13500 attempts 35 within 13500
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username user password 7
!
redundancy
!
no cdp run
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  pass
 class class-default
  pass
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  drop
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no mop enabled
!
interface GigabitEthernet0/0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security OUTSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security INSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 zone-member security INSIDE
 no cdp enable
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no cdp enable
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 192.168.60.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/1.70
 encapsulation dot1Q 70
 ip address 192.168.70.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/1.80
 encapsulation dot1Q 80
 ip address 192.168.80.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
router rip
 version 2
 network 142.165.0.0
 network 192.168.2.0
 network 192.168.20.0
 network 207.47.196.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 dhcp
ip identd
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
control-plane host
!
control-plane
!
vstack
banner login ^C
(ASCII-art login banner; not recoverable from the flattened text)
^C
banner motd ^C
Welcome to
^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 speed 115200
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 modem InOut
 transport input telnet
 transport output telnet
 flowcontrol hardware
line 2
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7
 login authentication local_auth
 transport input none
!
scheduler allocate 20000 1000
!
end
Switch:
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5
enable password 7
!
username user privilege 15 password 7
!
no aaa new-model
ip subnet-zero
ip vrf mgmtVrf
!
vtp domain test-02
vtp mode transparent
!
power redundancy-mode redundant
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40,50,60,70,80,159-160
!
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 no ip address
 speed auto
 duplex auto
!
interface GigabitEthernet1/1
 switchport access vlan 20
 switchport mode dot1q-tunnel
 no cdp enable
!
interface GigabitEthernet1/2
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/3
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/4
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/5
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/6
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/7
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/8
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/9
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/10
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/11
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/12
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/13
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/14
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/15
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/16
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/17
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/18
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/19
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/20
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/21
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/22
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/23
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/24
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/25
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/26
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/27
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/28
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/29
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/30
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/31
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/32
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/33
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/34
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/35
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/36
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/37
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/38
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/39
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/40
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/41
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/42
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/43
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/44
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/45
 switchport access vlan 50
 switchport mode access
 media-type rj45
!
interface GigabitEthernet1/46
 switchport access vlan 50
 switchport mode access
 media-type rj45
!
interface GigabitEthernet1/47
 switchport access vlan 50
 switchport mode access
 media-type rj45
!
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
!
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 spanning-tree portfast
 spanning-tree link-type shared
!
router rip
 network 192.168.2.0
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
no ip http secure-server
!
control-plane
!
banner login ^C
(ASCII-art login banner; not recoverable from the flattened text)
^C
banner motd ^C
Welcome to
^C
!
line con 0
 login local
 stopbits 1
line vty 0 5
 login local
!
end
Any ideas?
Solved!
01-15-2020 10:05 AM
I still think the problem is in the zone-based firewall configuration. You must have a permit any any in the OUTSIDE-TO-INSIDE ACL, because the inspection and dropping are done by the policy.
But before exploring further I would rather remove the zone-based firewall configuration from under the interfaces to see if the issue comes from it, and review the configuration afterwards.
01-15-2020 10:17 AM
It is more efficient to make the inside-outside pair do "inspect" rather than "pass" (under the class-map), so you would not need to create another outside-inside pair. In this case it will be stateful and permit from outside only replies to traffic initiated from the inside.
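The stateful variant the two replies above describe, written out as an added example. This is not a configuration posted in the thread: the interface names, subnets and the INSIDE-TO-OUTSIDE, INSIDE-TO-OUTSIDE-CLASS, INSIDE-TO-OUTSIDE-POLICY and IN-TO-OUT names are taken from the original post, while INSIDE-PROTOCOLS is an assumed name for a new class-map. Two things in the posted config explain the symptoms and are worth checking while applying it. First, both named ACLs were empty, so neither named class ever matched; everything leaving hit class-default "pass" (stateless) and every reply coming back hit class-default "drop" in the OUT-TO-IN pair, which is why NAT statistics showed translations but the switch still could not reach 8.8.8.8. Second, subinterfaces 0/1.30 through 0/1.80 carry no zone-member line, and a subinterface does not inherit zone membership from its parent interface; traffic between an interface in a zone and one in no zone is dropped. The router's own pings succeed because traffic sourced by the router (the self zone) is not subject to the INSIDE/OUTSIDE zone-pair policy unless a self zone-pair is configured.

```cisco
! Added example, not from the thread: stateful ZBFW policy plus the NAT
! pieces, replacing the stateless pass/drop pair in the NASA config.
! Assumed: interface names and subnets as posted; INSIDE-PROTOCOLS is an
! assumed name for a new class-map.
!
! 1. Inside networks, used by the firewall class (ACL 1 below serves NAT).
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
 permit ip 192.168.40.0 0.0.0.255 any
 permit ip 192.168.50.0 0.0.0.255 any
 permit ip 192.168.60.0 0.0.0.255 any
 permit ip 192.168.70.0 0.0.0.255 any
 permit ip 192.168.80.0 0.0.0.255 any
!
! 2. Protocols to track; match-any so one class covers all three.
class-map type inspect match-any INSIDE-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Source must be an inside network AND one of the tracked protocols.
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
 match class-map INSIDE-PROTOCOLS
!
! "inspect" creates a session entry; return packets are matched against it.
! Anything else leaving is dropped and logged instead of passed blindly.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! 3. A single zone-pair. Remove OUT-TO-IN: with no policy for that direction,
!    unsolicited OUTSIDE->INSIDE traffic is dropped by default, while replies
!    to inspected sessions are allowed by the state table.
zone security INSIDE
zone security OUTSIDE
no zone-pair security OUT-TO-IN
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! 4. Every routed subinterface needs BOTH its zone membership and its NAT
!    role; neither is inherited from GigabitEthernet0/1. Shown for the
!    native VLAN and VLAN 20; repeat for 0/1.30 through 0/1.80.
interface GigabitEthernet0/0
 ip nat outside
 zone-member security OUTSIDE
interface GigabitEthernet0/1.1
 ip nat inside
 zone-member security INSIDE
interface GigabitEthernet0/1.20
 ip nat inside
 zone-member security INSIDE
!
! One /16 summary (as first suggested in the thread) instead of eight /24s.
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! Verification: generate traffic from the switch, then look for state.
!   JPL#  ping 8.8.8.8
!   NASA# show policy-map type inspect zone-pair IN-TO-OUT sessions
!   NASA# show ip nat translations
```

"drop log" in class-default is a deliberate choice over "pass": it keeps the egress policy as an allow-list and gives a syslog line for anything the class did not expect, which is how you find a host talking a protocol you did not plan for.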
01-14-2020 08:14 PM - edited 01-14-2020 08:15 PM
Hi,
Are you able to ping from your switch, sourcing from the IP 192.168.2.2 to the destination IP 192.168.2.1? If the pings are successful, then I would think the problem resides on the router, not the switch. I can't see any switch-related issue at the moment. Also, what exactly do you mean by "cannot route to internet"? You're already doing it with a static route.
01-14-2020 08:25 PM - edited 01-14-2020 09:19 PM
Yes. Pings work.
NASA#ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.164.206, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/52/64 ms

NASA#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

JPL#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

JPL#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

JPL#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
01-14-2020 09:16 PM
Hi,
I did not see any NAT config here. You are not able to ping from any other VLAN to the outside, right? And you can ping the internet from the outside interface?
01-14-2020 09:20 PM
Correct.
01-14-2020 09:30 PM
Can you add the following to your router:
access-list 10 permit 192.168.0.0 0.0.255.255
ip nat inside source list 10 interface gi0/0 overload
If that worked, then you have to add "ip nat inside" to all the remaining subinterfaces you have on your router.
01-14-2020 09:46 PM
show run
access-list 10 permit 192.168.0.0 0.0.255.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload

NASA#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 1, occurred 00:02:18 ago
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1, GigabitEthernet0/1.1, GigabitEthernet0/1.20
Hits: 10  Misses: 0
CEF Translated packets: 10, CEF Punted packets: 0
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 interface GigabitEthernet0/0 refcount 0
01-14-2020 10:23 PM
Did it work for you? The output suggests that translation worked well.
01-14-2020 10:59 PM - edited 01-14-2020 11:04 PM
No. Not yet. I think it's the switch? If I have NAT enabled on the router, does the switch need to have it enabled as well?
01-14-2020 09:55 PM - edited 01-14-2020 10:07 PM
I still cannot ping from the switch?
NASA#ping 192.168.20.63
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.63, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

NASA#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

JPL#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

JPL#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

JPL#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
JPL#
01-15-2020 12:41 AM
Post the router configuration again.
Jon
01-15-2020 04:39 AM
Hello,
You will need to put "ip nat outside" on the WAN interface of the router.
Rate if helpful.
01-15-2020 05:33 AM
Hello,
I don't want to post anything redundant that might have been mentioned by others, but have a look at the changes marked with "-->". Try and implement those. The assumption is that port 48 on the switch is uplinked to port 0/1 on the router.
Router:
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip host JPL 192.168.2.2
ip cef
login block-for 13500 attempts 35 within 13500
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username user password 7
!
redundancy
!
no cdp run
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
pass
class class-default
pass
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip address dhcp
--> ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
--> ip nat inside
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
--> no router rip
version 2
network 142.165.0.0
network 192.168.2.0
network 192.168.20.0
network 207.47.196.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
control-plane host
!
control-plane
!
vstack
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
!
end
Switch:
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5
enable password 7
!
username user privilege 15 password 7
!
--> no ip routing
!
no aaa new-model
ip subnet-zero
ip vrf mgmtVrf
!
vtp domain test-02
vtp mode transparent
!
power redundancy-mode redundant
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40,50,60,70,80,159-160
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet1/1
switchport access vlan 20
switchport mode dot1q-tunnel
no cdp enable
!
interface GigabitEthernet1/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/5
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/6
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/7
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/8
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/9
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/10
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/11
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/12
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/13
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/14
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/16
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/17
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/18
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/19
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/20
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/21
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/22
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/23
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/24
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/25
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/26
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/27
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/28
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/29
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/30
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/31
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/32
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/33
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/34
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/35
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/36
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/37
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/38
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/39
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/40
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/41
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/42
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/43
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/44
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/45
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/46
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/47
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/48
description Uplink to Router interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
!
interface Vlan1
ip address 192.168.2.2 255.255.255.0
spanning-tree portfast
spanning-tree link-type shared
!
ip default-gateway 192.168.2.1
!
--> no router rip
network 192.168.2.0
!
--> no ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
login local
stopbits 1
line vty 0 5
login local
!
end
01-15-2020 09:07 AM - edited 01-15-2020 09:09 AM
Router
NASA#show run Building configuration... Current configuration : 7889 bytes ! ! Last configuration change at 16:26:49 UTC Wed Jan 15 2020 by nkoch ! version 15.7 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service internal service sequence-numbers ! hostname NASA ! boot-start-marker boot-end-marker ! ! security authentication failure rate 10 log security passwords min-length 6 logging console critical enable secret 5 enable password 7 ! aaa new-model ! ! aaa authentication login local_auth local ! ! ! ! ! ! aaa session-id common ! ! ! ! ! ! no ip source-route no ip gratuitous-arps ! ! ! ! ! ! ! ! ! ! ! ! ! ip dhcp excluded-address 192.168.20.1 192.168.20.60 ip dhcp excluded-address 192.168.30.1 192.168.30.60 ip dhcp excluded-address 192.168.40.1 192.168.40.60 ip dhcp excluded-address 192.168.50.1 192.168.50.60 ip dhcp excluded-address 192.168.60.1 192.168.60.60 ip dhcp excluded-address 192.168.70.1 192.168.70.60 ip dhcp excluded-address 192.168.80.1 192.168.80.60 ! ip dhcp pool vlan 20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 30 network 192.168.30.0 255.255.255.0 default-router 192.168.30.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 40 network 192.168.40.0 255.255.255.0 default-router 192.168.40.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 50 network 192.168.50.0 255.255.255.0 default-router 192.168.50.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 60 network 192.168.60.0 255.255.255.0 default-router 192.168.60.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 70 network 192.168.70.0 255.255.255.0 default-router 192.168.70.1 dns-server 208.67.222.222 208.67.220.220 ! 
ip dhcp pool vlan 80 network 192.168.80.0 255.255.255.0 default-router 192.168.80.1 dns-server 208.67.222.222 208.67.220.220 ! ! ! no ip bootp server ip host JPL 192.168.2.2 ip inspect WAAS flush-timeout 10 ip cef login block-for 13500 attempts 35 within 13500 no ipv6 cef ! multilink bundle-name authenticated ! ! ! ! ! license udi pid CISCO2911/K9 sn FGL1741129H license accept end user agreement license boot module c2900 technology-package securityk9 license boot module c2900 technology-package datak9 ! ! vtp mode transparent username password 7 ! redundancy notification-timer 120000 ! ! ! ! no cdp run ! ! class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS match access-group name INSIDE-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS match access-group name OUTSIDE-TO-INSIDE ! policy-map type inspect INSIDE-TO-OUTSIDE-POLICY class type inspect INSIDE-TO-OUTSIDE-CLASS pass class class-default pass policy-map type inspect OUTSIDE-TO-INSIDE-POLICY class type inspect OUTSIDE-TO-INSIDE-CLASS drop class class-default drop ! zone security INSIDE zone security OUTSIDE zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE service-policy type inspect INSIDE-TO-OUTSIDE-POLICY zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE service-policy type inspect OUTSIDE-TO-INSIDE-POLICY ! ! ! ! ! ! ! ! ! ! interface Loopback0 ip address 192.168.1.1 255.255.255.0 ! interface Loopback1 no ip address ! interface Embedded-Service-Engine0/0 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown no mop enabled ! interface GigabitEthernet0/0 ip address dhcp hostname NASA no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip nat enable ip virtual-reassembly in zone-member security OUTSIDE duplex auto speed auto no mop enabled ! 
interface GigabitEthernet0/1 no ip address no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip nat enable ip virtual-reassembly in zone-member security INSIDE duplex auto speed auto no mop enabled ! interface GigabitEthernet0/1.1 encapsulation dot1Q 1 native ip address 192.168.2.1 255.255.255.0 ip nat inside ip nat enable ip virtual-reassembly in zone-member security INSIDE no cdp enable ! interface GigabitEthernet0/1.20 encapsulation dot1Q 20 ip address 192.168.20.1 255.255.255.0 ip nat inside ip nat enable ip virtual-reassembly in zone-member security INSIDE no cdp enable ! interface GigabitEthernet0/1.30 encapsulation dot1Q 30 ip address 192.168.30.1 255.255.255.0 no cdp enable ! interface GigabitEthernet0/1.40 encapsulation dot1Q 40 ip address 192.168.40.1 255.255.255.0 no cdp enable ! interface GigabitEthernet0/1.50 encapsulation dot1Q 50 ip address 192.168.50.1 255.255.255.0 no cdp enable ! interface GigabitEthernet0/1.60 encapsulation dot1Q 60 ip address 192.168.60.1 255.255.255.0 no cdp enable ! interface GigabitEthernet0/1.70 encapsulation dot1Q 70 ip address 192.168.70.1 255.255.255.0 no cdp enable ! interface GigabitEthernet0/1.80 encapsulation dot1Q 80 ip address 192.168.80.1 255.255.255.0 no cdp enable ! interface GigabitEthernet0/2 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex auto speed auto no mop enabled ! ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip nat inside source list 1 interface GigabitEthernet0/0 overload ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp ip identd ! ip access-list extended INSIDE-TO-OUTSIDE ip access-list extended OUTSIDE-TO-INSIDE ! logging trap debugging logging facility local2 dialer-list 1 protocol ip permit ipv6 ioam timestamp ! ! 
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
!
control-plane host
!
!
control-plane
!
!
vstack
banner login ^C
******* ***** ,******. ,************** ,******, **********, ***** .********** ,***************** ********** ******,***** ***** ************ ******************* ************ ***** ***** ***** ***** ****** ***** ***** ,***** ***** *****, ***** ****** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ,**************** ***** ***** ***** ,***** ***** ***** ****** ***************** ***** ,***** ***** ***** ***** ***** ***** ,,,,,,,,****** .***** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ***** ***** ********** *****, ***********, ****** ***** ***********.***** *********************** ***** ***** ***** ********* ***** ******************** ***** *****
^C
banner motd ^C
Welcome to
^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 speed 115200
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 modem InOut
 transport input telnet
 transport output telnet
 flowcontrol hardware
line 2
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7
 login authentication local_auth
 transport input none
!
scheduler allocate 20000 1000
!
end
Switch
Building configuration...
Current configuration : 5879 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5
enable password 7
!
username privilege 15 password 7
!
!
no aaa new-model
ip subnet-zero
no ip routing
ip vrf mgmtVrf
!
!
!
vtp domain test-02
vtp mode transparent
!
!
!
power redundancy-mode redundant
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40,50,60,70,80,159-160
!
!
!
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 no ip address
 no ip route-cache
 speed auto
 duplex auto
!
interface GigabitEthernet1/1
 switchport access vlan 20
 switchport mode dot1q-tunnel
 no cdp enable
!
interface GigabitEthernet1/2
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/3
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/4
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/5
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/6
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/7
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/8
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/9
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/10
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/11
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/12
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/13
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/14
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/15
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/16
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/17
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/18
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/19
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/20
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/21
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/22
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/23
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/24
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/25
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/26
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/27
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/28
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/29
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/30
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/31
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/32
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/33
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/34
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/35
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/36
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/37
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/38
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/39
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/40
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/41
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/42
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/43
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/44
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/45
 switchport access vlan 50
 switchport mode access
 media-type rj45
!
interface GigabitEthernet1/46
 switchport access vlan 50
 switchport mode access
 media-type rj45
!
interface GigabitEthernet1/47
 switchport access vlan 50
 switchport mode access
 media-type rj45
!
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
!
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 no ip route-cache
 spanning-tree portfast
 spanning-tree link-type shared
!
ip default-gateway 192.168.2.1
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
banner login ^C
**** *****************, **** **** ******************* **** **** ****. **** **** **** ****. **** **** **** ****. ***********, **** **** ****. **** **** ****. **** ,,,,,,,,,,,,,****** ****. ******,,,,,,,,,,,,, ****************, ****. ****************,
^C
banner motd ^C
Welcome to
^C
!
line con 0
 login local
 stopbits 1
line vty 0 5
 login local
!
end
Still not routing? Thank you for your help.
01-15-2020 09:28 AM
Hello,
I see you have zone-based firewall configured. In the inspect policy you defined access list INSIDE-TO-OUTSIDE, but the access list is empty. Please configure permit rules for your subnets like this:
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.0.0 0.0.255.255 any
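As an added check, not code from the thread or from Cisco, this Python script parses the zone-based-firewall lines of the posted router config (reproduced inline as a constructed excerpt) and reports every inspect class-map whose named access list is empty or never defined, which is the condition the reply above points out:

```python
# Added example, not from the thread: flag ZBF class-maps that reference empty or undefined named ACLs.
import re

# Constructed excerpt modelled on the ZBF-related lines of the router config above.
ROUTER_CONFIG = """\
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!
"""

def parse_named_acls(config):
    """Map each 'ip access-list extended|standard NAME' to its list of ACEs."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current is not None and line.startswith(" ") and line.strip():
            acls[current].append(line.strip())  # an ACE under the current ACL
        else:
            current = None  # '!' or any other top-level line ends the ACL block
    return acls

def parse_class_map_acls(config):
    """Map each inspect class-map to the named ACLs it matches on."""
    cmaps, current = {}, None
    for line in config.splitlines():
        head = re.match(r"class-map type inspect \S+ (\S+)", line)
        ref = re.match(r"\s+match access-group name (\S+)", line)
        if head:
            current = head.group(1)
            cmaps[current] = []
        elif ref and current is not None:
            cmaps[current].append(ref.group(1))
        elif not line.startswith(" "):
            current = None  # left the class-map block
    return cmaps

def find_empty_acl_references(config):
    """(class_map, acl, reason) triples; an empty ACL matches nothing, so its class-map never fires."""
    acls = parse_named_acls(config)
    return [(cmap, name, "undefined" if name not in acls else "empty")
            for cmap, names in parse_class_map_acls(config).items()
            for name in names if name not in acls or not acls[name]]
```

Run it against a full `show running-config` dump to see which class-maps are effectively dead; once the permit rule from the reply is added, only the still-empty OUTSIDE-TO-INSIDE list is reported.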