573 Views, 20 Helpful, 25 Replies
Beginner

Re: Cannot route to internet from Switch

!
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended OUTSIDE-TO-INSIDE
!

Still no luck.

---------------------
"Fortune favors the brave."
Beginner

Re: Cannot route to internet from Switch

I still think the problem is in the zone-based firewall configuration. You must have permit any any in the OUTSIDE-TO-INSIDE ACL, because the inspection and dropping is done by the policy.

But before exploring further, I would rather remove the zone-based firewall configuration under the interfaces to see if the issue comes from it, and then review the configuration.

Beginner

Re: Cannot route to internet from Switch

You were right. It was the inspect to pass option.
---------------------
"Fortune favors the brave."

Re: Cannot route to internet from Switch

Your access list inside the zone-based firewall is not there. For testing, can you remove the zone-member configuration from the outside and inside interfaces?

Once tested successfully, put it back and complete the access-list configuration

Beginner

Re: Cannot route to internet from Switch

I still can't get it to route after adding that rule. I plan on changing my subnets and doing more granular access-lists later, and adding an AP with different SSIDs and VLANs. I just want to get it to route.

---------------------
"Fortune favors the brave."
Beginner

Re: Cannot route to internet from Switch

It is more efficient to make the inside-outside pair do "inspect" rather than "pass" (under the class-map), so you would not need to create another outside-inside pair. In that case it will be stateful and permit from outside only the replies to traffic initiated from the inside.


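The zone-based firewall behaviour described in the two replies above (the policy, not the ACL, does the inspecting and dropping; a single INSIDE-to-OUTSIDE zone-pair with "inspect" instead of "pass" keeps state and only lets replies back in), written out as an added configuration example. This is not configuration from the thread: the class-map, policy-map and zone-pair names are assumptions, while the ACL name INSIDE-TO-OUTSIDE, the zone names INSIDE/OUTSIDE and the interfaces are the ones posted.

```cisco
! Added example, not from the thread. INSIDE-TO-OUTSIDE-CLASS,
! INSIDE-TO-OUTSIDE-POLICY and IN-OUT are assumed names; the ACL and zone
! names and the interfaces come from the posts above.
!
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.0.0 0.0.255.255 any
!
! The class only selects which traffic the policy acts on. With no
! "match protocol" lines IOS warns that all protocols will be inspected,
! which is what we want here (generic TCP/UDP/ICMP session tracking).
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
!
! "inspect" creates a stateful session for each inside-initiated flow, so
! the return packets from the Internet are matched to that session and let
! back in. "pass" keeps no session: return traffic would then need a second
! OUTSIDE -> INSIDE zone-pair with a "pass" policy, which admits anything
! the outside sends, not only replies. That is the weak setting to avoid.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
! One zone-pair is enough. There is deliberately no OUTSIDE -> INSIDE pair,
! so unsolicited inbound traffic is dropped by the default inter-zone
! behaviour. Traffic to and from the router itself (e.g. the DHCP client on
! Gi0/0) is in the self zone and is not affected by this pair.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1.1
 zone-member security INSIDE
!
interface GigabitEthernet0/1.20
 zone-member security INSIDE
!
! Verification from an inside host: browse or ping, then check that sessions
! exist and that class-default shows no drops for the expected traffic:
! show policy-map type inspect zone-pair IN-OUT sessions
! show policy-map type inspect zone-pair IN-OUT
```

Note that the thread's empty OUTSIDE-TO-INSIDE ACL is simply not needed in this design; the only way in from the outside is as a reply to an inspected session.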
Beginner

Re: Cannot route to internet from Switch

I was testing different things. I changed it to pass. I will change it later. The struggle is real.

---------------------
"Fortune favors the brave."
VIP Mentor

Re: Cannot route to internet from Switch

Hello,

your NAT configuration for the inside NAT is incorrect. Remove 'ip nat enable'.

Which interfaces do you need to access the Internet?

interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
ip nat inside
--> no ip nat enable
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
--> no ip nat enable
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable

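The NAT fix in the reply above (classic inside/outside NAT, with the NVI-style 'ip nat enable' removed from the inside sub-interfaces), written out as an added example so the whole translation path is visible. It is not configuration from the thread: the ACL name NAT-INSIDE is an assumption, while the interfaces and subnets are the ones posted.

```cisco
! Added example, not from the thread. NAT-INSIDE is an assumed ACL name.
!
! Classic NAT is driven by "ip nat inside" / "ip nat outside" on interfaces.
! "ip nat enable" belongs to the NAT Virtual Interface (NVI) model, which does
! not use inside/outside at all; mixing the two on one interface is the
! misconfiguration the reply above asks to undo.
!
ip access-list standard NAT-INSIDE
 permit 192.168.2.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
!
! PAT all inside hosts behind the DHCP-learned address of Gi0/0.
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 no ip nat enable
 ip nat inside
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 no ip nat enable
 ip nat inside
!
! Verification after a ping from an inside host:
! show ip nat translations
! show ip nat statistics
```

Leaving a VLAN out of NAT-INSIDE stops it from being translated, but its packets still leave Gi0/0 with a private source address unless a firewall policy or ACL drops them, so NAT membership is not a substitute for an explicit deny in the zone-pair policy.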
Beginner

Re: Cannot route to internet from Switch

!
interface GigabitEthernet0/0
 ip address dhcp hostname NASA
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no cdp enable
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no cdp enable

Still no luck. I want all my VLANs to access the Internet. Can I disable the ones I don't want by removing address translation, or by disabling whatever made them work?

---------------------
"Fortune favors the brave."

Re: Cannot route to internet from Switch

To me, it looks like your Zone-Based Firewall is causing this problem. Did you get a chance to define the ACLs for the ZBFW, or did you try removing the zone configuration from the interfaces?

interface GigabitEthernet0/0
no zone-member security OUTSIDE

!
interface GigabitEthernet0/1
no zone-member security INSIDE
!
interface GigabitEthernet0/1.1
no zone-member security INSIDE
!
interface GigabitEthernet0/1.20
no zone-member security INSIDE

Beginner

Re: Cannot route to internet from Switch

I will see what I can do. I want to get it setup properly without unnecessarily compromising my security or bowing down to my desire to get it up and running. I'll give it a shot next.

---------------------
"Fortune favors the brave."