01-14-2020 06:57 PM
Here are my configs for my
Router:
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
!
!
no ip bootp server
ip host JPL 192.168.2.2
ip cef
login block-for 13500 attempts 35 within 13500
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
vtp mode transparent
username user password 7
!
redundancy
!
!
!
!
no cdp run
!
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
pass
class class-default
pass
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
!
router rip
version 2
network 142.165.0.0
network 192.168.2.0
network 192.168.20.0
network 207.47.196.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 dhcp
ip identd
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
!
!
!
control-plane host
!
!
control-plane
!
!
vstack
banner login ^C
******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ,,,,,,,,****** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** ***** ^C
banner motd ^C
Welcome to ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
!
end
Switch:
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5
enable password 7
!
username user privilege 15 password 7
!
!
no aaa new-model
ip subnet-zero
ip vrf mgmtVrf
!
!
!
vtp domain test-02
vtp mode transparent
!
!
!
power redundancy-mode redundant
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40,50,60,70,80,159-160
!
!
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet1/1
switchport access vlan 20
switchport mode dot1q-tunnel
no cdp enable
!
interface GigabitEthernet1/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/5
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/6
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/7
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/8
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/9
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/10
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/11
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/12
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/13
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/14
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/16
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/17
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/18
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/19
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/20
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/21
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/22
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/23
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/24
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/25
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/26
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/27
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/28
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/29
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/30
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/31
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/32
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/33
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/34
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/35
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/36
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/37
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/38
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/39
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/40
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/41
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/42
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/43
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/44
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/45
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/46
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/47
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/48
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
!
interface Vlan1
ip address 192.168.2.2 255.255.255.0
spanning-tree portfast
spanning-tree link-type shared
!
router rip
network 192.168.2.0
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
banner login ^C
**** *****************, ****
**** ******************* ****
**** ****. **** ****
**** ****. **** ****
**** ****. ***********, ****
**** ****. ****
**** ****. ****
,,,,,,,,,,,,,****** ****. ******,,,,,,,,,,,,,
****************, ****. ****************, ^C
banner motd ^C
Welcome to ^C
!
line con 0
login local
stopbits 1
line vty 0 5
login local
!
end
Any ideas?
01-15-2020 10:05 AM
I still think the problem is in the zone-based firewall configuration. You must have permit any any in the OUTSIDE-TO-INSIDE ACL, because the inspection and dropping is done by the policy.
But before exploring further I would rather remove the zone-based firewall configuration from the interfaces to see if the issue comes from this, and after that review the configuration.
01-15-2020 10:17 AM
It is more efficient to make the pair inside-outside do "inspect" rather than "pass" (below the class-map), so you would not need to create another pair outside-inside. In this case it will be stateful and permit from outside only replies to traffic initiated from the inside.
01-14-2020 08:14 PM - edited 01-14-2020 08:15 PM
Hi,
Are you able to ping from your switch, sourcing with the IP 192.168.2.2, to the destination IP 192.168.2.1? If the pings are successful, then I would think the problem resides on the router, not the switch. I can't see at the moment any switch-related issue. Also, what do you exactly mean by "cannot route to internet"? You're already doing it with a static route.
01-14-2020 08:25 PM - edited 01-14-2020 09:19 PM
Yes. Pings work.
NASA#ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.164.206, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/52/64 ms
NASA#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
JPL#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
JPL#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
JPL#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
01-14-2020 09:16 PM
Hi,
I did not see any NAT config here. You are not able to ping from any other VLAN to the outside, right? And you can ping the internet from the outside interface?
01-14-2020 09:20 PM
Correct.
01-14-2020 09:30 PM
Can you add the below to your router?
access-list 10 permit 192.168.0.0 0.0.255.255
ip nat inside source list 10 interface gi0/0 overload
If it worked, then you have to add "ip nat inside" to all the remaining subinterfaces you have in your router.
01-14-2020 09:46 PM
show run
access-list 10 permit 192.168.0.0 0.0.255.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
NASA#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 1, occurred 00:02:18 ago
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/1, GigabitEthernet0/1.1, GigabitEthernet0/1.20
Hits: 10 Misses: 0
CEF Translated packets: 10, CEF Punted packets: 0
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 interface GigabitEthernet0/0 refcount 0
01-14-2020 10:23 PM
Did it work for you? The output suggests that translation worked well.
01-14-2020 10:59 PM - edited 01-14-2020 11:04 PM
No. Not yet. I think it's the switch? If I have nat enabled on the router does the switch need to have it enabled as well?
01-14-2020 09:55 PM - edited 01-14-2020 10:07 PM
I still cannot ping from the switch?
NASA#ping 192.168.20.63
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.63, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
NASA#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
JPL#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
JPL#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
JPL#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
JPL#
01-15-2020 12:41 AM
Post the router configuration again.
Jon
01-15-2020 04:39 AM
Hello,
You will need to put "ip nat outside" on the WAN interface of the router.
Rate if helpful.
01-15-2020 05:33 AM
Hello,
I don't want to post anything redundant that might have been mentioned by others, but have a look at the changes marked in bold. Try and implement those. The assumption is that port 48 on the switch is uplinked to port 0/1 on the router.
Router:
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip host JPL 192.168.2.2
ip cef
login block-for 13500 attempts 35 within 13500
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username user password 7
!
redundancy
!
no cdp run
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
pass
class class-default
pass
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip address dhcp
--> ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
--> ip nat inside
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
--> no router rip
version 2
network 142.165.0.0
network 192.168.2.0
network 192.168.20.0
network 207.47.196.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
control-plane host
!
control-plane
!
vstack
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
!
end
Switch:
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5
enable password 7
!
username user privilege 15 password 7
!
--> no ip routing
!
no aaa new-model
ip subnet-zero
ip vrf mgmtVrf
!
vtp domain test-02
vtp mode transparent
!
power redundancy-mode redundant
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40,50,60,70,80,159-160
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet1/1
switchport access vlan 20
switchport mode dot1q-tunnel
no cdp enable
!
interface GigabitEthernet1/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/5
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/6
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/7
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/8
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/9
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/10
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/11
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/12
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/13
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/14
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/16
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/17
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/18
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/19
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/20
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/21
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/22
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/23
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/24
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/25
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/26
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/27
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/28
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/29
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/30
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/31
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/32
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/33
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/34
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/35
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/36
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/37
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/38
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/39
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/40
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/41
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/42
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/43
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/44
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/45
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/46
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/47
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/48
description Uplink to Router interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
!
interface Vlan1
ip address 192.168.2.2 255.255.255.0
spanning-tree portfast
spanning-tree link-type shared
!
ip default-gateway 192.168.2.1
!
--> no router rip
network 192.168.2.0
!
--> no ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
login local
stopbits 1
line vty 0 5
login local
!
end
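A defender-side audit of the three gaps the replies above point out (no "ip nat outside" on Gi0/0, "ip nat inside" missing from most sub-interfaces that the NAT ACL covers, and "pass" instead of "inspect" on the inside-to-outside zone-pair policy), as an added Python example that is not part of the thread or of Cisco's tooling; the config it parses is a constructed abridgement of the router config posted above, and the function names and finding codes are my own.

```python
"""Audit an IOS config for the NAT / ZBF gaps discussed in this thread.
Added example, not the thread's own tooling."""
import ipaddress
import re

# Constructed sample, abridged from the router config posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address dhcp
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  pass
 class class-default
  pass
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
"""


def parse_blocks(text):
    """Split an IOS config into its top-level lines and the stripped lines
    indented beneath each one; a '!' line ends the current section."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            top.append(current)
    return top, blocks


def acl_networks(top, acl_id):
    """Networks permitted by a standard ACL. The wildcard is a hostmask,
    which ipaddress accepts directly (192.168.2.0/0.0.0.255 -> /24)."""
    pat = re.compile(rf"^access-list {re.escape(acl_id)} permit (\S+) (\S+)$")
    return [ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
            for m in map(pat.match, top) if m]


def audit(text):
    """Return (finding, object) tuples; an empty list means no gaps found."""
    top, blocks = parse_blocks(text)
    findings, nat = [], None
    for line in top:
        m = re.match(r"^ip nat inside source list (\S+) interface (\S+) overload$", line)
        nat = m or nat
    if nat is None:
        findings.append(("NAT_STATEMENT_MISSING", "ip nat inside source"))
    inside_nets = acl_networks(top, nat.group(1)) if nat else []
    outside_if = nat.group(2) if nat else None
    for header, body in blocks.items():
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        if name == outside_if and "ip nat outside" not in body:
            # Without this mark the overload statement never translates anything.
            findings.append(("NAT_OUTSIDE_MISSING", name))
        addr = next((l.split() for l in body if re.match(r"^ip address \d", l)), None)
        if addr and any(ipaddress.IPv4Interface(f"{addr[2]}/{addr[3]}").ip in n
                        for n in inside_nets) and "ip nat inside" not in body:
            # The ACL covers this subnet, but packets arriving here are never
            # marked NAT-inside, so they leave the WAN untranslated.
            findings.append(("NAT_INSIDE_MISSING", name))
    for header, body in blocks.items():
        if header.startswith("policy-map type inspect ") and "inspect" not in body \
                and "pass" in body:
            # 'pass' is stateless, so replies need a separate outside-to-inside
            # permit; 'inspect' opens the return path for inside-initiated flows.
            findings.append(("ZBF_PASS_NOT_INSPECT", header.split()[-1]))
    return findings
```

Running audit(SAMPLE_CONFIG) reports Gi0/0, Gi0/1.1, Gi0/1.30 and the INSIDE-TO-OUTSIDE-POLICY; adding the lines the replies suggest empties the list.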
01-15-2020 09:07 AM - edited 01-15-2020 09:09 AM
Router
NASA#show run
Building configuration...
Current configuration : 7889 bytes
!
! Last configuration change at 16:26:49 UTC Wed Jan 15 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
!
!
no ip bootp server
ip host JPL 192.168.2.2
ip inspect WAAS flush-timeout 10
ip cef
login block-for 13500 attempts 35 within 13500
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
vtp mode transparent
username password 7
!
redundancy
notification-timer 120000
!
!
!
!
no cdp run
!
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
pass
class class-default
pass
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip address dhcp hostname NASA
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nat enable
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip nat enable
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip identd
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
!
control-plane host
!
!
control-plane
!
!
vstack
banner login ^C
******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ,,,,,,,,****** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** ***** ^C
banner motd ^C
Welcome to ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
!
end

Switch:
Building configuration...
Current configuration : 5879 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5
enable password 7
!
username privilege 15 password 7
!
!
no aaa new-model
ip subnet-zero
no ip routing
ip vrf mgmtVrf
!
!
!
vtp domain test-02
vtp mode transparent
!
!
!
power redundancy-mode redundant
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40,50,60,70,80,159-160
!
!
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
no ip route-cache
speed auto
duplex auto
!
interface GigabitEthernet1/1
switchport access vlan 20
switchport mode dot1q-tunnel
no cdp enable
!
interface GigabitEthernet1/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/5
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/6
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/7
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/8
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/9
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/10
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/11
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/12
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/13
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/14
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/16
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/17
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/18
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/19
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/20
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/21
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/22
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/23
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/24
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/25
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/26
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/27
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/28
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/29
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/30
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/31
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/32
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/33
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/34
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/35
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/36
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/37
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/38
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/39
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/40
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/41
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/42
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/43
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/44
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/45
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/46
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/47
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/48
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
!
interface Vlan1
ip address 192.168.2.2 255.255.255.0
no ip route-cache
spanning-tree portfast
spanning-tree link-type shared
!
ip default-gateway 192.168.2.1
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
banner login ^C
**** *****************, ****
**** ******************* ****
**** ****. **** ****
**** ****. **** ****
**** ****. ***********, ****
**** ****. ****
**** ****. ****
,,,,,,,,,,,,,****** ****. ******,,,,,,,,,,,,,
****************, ****. ****************, ^C
banner motd ^C
Welcome to ^C
!
line con 0
login local
stopbits 1
line vty 0 5
login local
!
end

Still not routing? Thank you for your help.
01-15-2020 09:28 AM
Hello,
I see you have zone-based firewall configured. In the inspect policy you defined access list INSIDE-TO-OUTSIDE, but the access list is empty. Please configure permit rules for your subnets like this:
ip access-list extended INSIDE-TO-OUTSIDE
permit ip 192.168.0.0 0.0.255.255 any
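As an added check (example code written for this page, not something posted in the thread), the script below applies three IOS zone-based firewall rules to a pasted running-config: traffic cannot flow between an interface that is a zone member and one that is in no zone, so every routed (sub)interface that should carry traffic through the firewall needs "zone-member security"; a class-map that matches an access-list with no entries matches nothing; and "pass" in a "policy-map type inspect" is stateless, so the reply needs its own rule in the reverse zone-pair, whereas "inspect" creates the session that admits it. BROKEN is a constructed excerpt modelled on the router config posted above (VLAN 30 subinterface with no zone, empty INSIDE-TO-OUTSIDE list, pass actions); FIXED is one corrected form of that excerpt and is an assumption of the example, not a configuration from the thread. The parser keys on stanza keywords rather than indentation because forum posts lose the one-space IOS indent.

```python
"""Lint a Cisco IOS running-config for zone-based firewall (ZBF) mistakes.
Added example; the rules it encodes are stated in the lead-in above."""
import re

# Stanza openers.  Keying on keywords rather than indentation matters because
# forum posts (like the one above) lose IOS's one-space indent.
STANZA_RE = re.compile(
    r"^(interface|ip access-list|policy-map|class-map|zone security|zone-pair) ")

def parse_stanzas(config: str) -> list[tuple[str, list[str]]]:
    """Split a config into (header, child lines); a bare '!' ends a stanza."""
    stanzas: list[tuple[str, list[str]]] = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif STANZA_RE.match(line):
            current = (line, [])
            stanzas.append(current)
        elif current is not None:
            current[1].append(line)
    return stanzas

def lint_zbf(config: str) -> list[str]:
    """Return one finding per rule violation; an empty list means clean."""
    stanzas = parse_stanzas(config)
    zbf_in_use = any(h.startswith("zone security ") for h, _ in stanzas)
    acls: dict[str, list[str]] = {}
    for header, body in stanzas:
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", header)
        if m:
            acls[m.group(1)] = [ln for ln in body if ln.startswith(("permit ", "deny "))]
    findings: list[str] = []
    for header, body in stanzas:
        if header.startswith("interface ") and zbf_in_use:            # rule 1
            name = header.split(" ", 1)[1]
            routed = any(ln.startswith("ip address ") for ln in body)
            zoned = any(ln.startswith("zone-member security ") for ln in body)
            if routed and not zoned and "shutdown" not in body \
                    and not name.startswith("Loopback"):
                findings.append(f"{name}: routed interface in no zone; "
                                "add 'zone-member security <ZONE>'")
        elif header.startswith("class-map type inspect "):             # rule 2
            for ln in body:
                m = re.match(r"match access-group name (\S+)", ln)
                if m and not acls.get(m.group(1)):
                    findings.append(f"{header}: access-list {m.group(1)} is "
                                    "empty or undefined, so the class matches nothing")
        elif header.startswith("policy-map type inspect "):            # rule 3
            cls = None
            for ln in body:
                if ln.startswith("class "):
                    cls = ln
                elif ln == "pass":
                    findings.append(f"{header} / {cls}: 'pass' is stateless; "
                                    "use 'inspect' so return traffic is admitted")
    return findings

# Constructed excerpt modelled on the router config posted in the thread.
BROKEN = """\
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
pass
class class-default
pass
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
ip address dhcp hostname NASA
zone-member security OUTSIDE
!
interface GigabitEthernet0/1.30
ip address 192.168.30.1 255.255.255.0
!
ip access-list extended INSIDE-TO-OUTSIDE
!
"""

# One corrected form of the excerpt (an assumption, not from the thread): fill
# the ACL, inspect instead of pass, and zone the VLAN 30 subinterface.
FIXED = (BROKEN
         .replace("pass\nclass class-default\npass", "inspect\nclass class-default\ndrop")
         .replace("ip address 192.168.30.1 255.255.255.0\n",
                  "ip address 192.168.30.1 255.255.255.0\nzone-member security INSIDE\n")
         .replace("ip access-list extended INSIDE-TO-OUTSIDE\n",
                  "ip access-list extended INSIDE-TO-OUTSIDE\n"
                  "permit ip 192.168.0.0 0.0.255.255 any\n"))

if __name__ == "__main__":
    for finding in lint_zbf(BROKEN):
        print(finding)
```

Run it against the full posted router config and it reports GigabitEthernet0/1.30 through 0/1.80 as routed interfaces in no zone, both class-maps as matching empty access-lists, and both pass actions in INSIDE-TO-OUTSIDE-POLICY; on FIXED it reports nothing. Loopbacks are skipped because traffic to and from the router itself belongs to the self zone, which is not subject to the inter-zone rule.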