01-14-2020 06:57 PM
Here are my configs for my
Router:
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
 network 192.168.60.0 255.255.255.0
 default-router 192.168.60.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
 network 192.168.80.0 255.255.255.0
 default-router 192.168.80.1
 dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip host JPL 192.168.2.2
ip cef
login block-for 13500 attempts 35 within 13500
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username user password 7
!
redundancy
!
no cdp run
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  pass
 class class-default
  pass
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  drop
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no mop enabled
!
interface GigabitEthernet0/0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security OUTSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security INSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 zone-member security INSIDE
 no cdp enable
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no cdp enable
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 192.168.60.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/1.70
 encapsulation dot1Q 70
 ip address 192.168.70.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/1.80
 encapsulation dot1Q 80
 ip address 192.168.80.1 255.255.255.0
 no cdp enable
!
interface GigabitEthernet0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
router rip
 version 2
 network 142.165.0.0
 network 192.168.2.0
 network 192.168.20.0
 network 207.47.196.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 dhcp
ip identd
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
control-plane host
!
control-plane
!
vstack
banner login ^C
******* ***** ,******. ,************** ,******, **********, ***** .********** ,***************** ********** ******,***** ***** ************ ******************* ************ ***** ***** ***** ***** ****** ***** ***** ,***** ***** *****, ***** ****** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ,**************** ***** ***** ***** ,***** ***** ***** ****** ***************** ***** ,***** ***** ***** ***** ***** ***** ,,,,,,,,****** .***** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ***** ***** ********** *****, ***********, ****** ***** ***********.***** *********************** ***** ***** ***** ********* ***** ******************** ***** *****
^C
banner motd ^C
Welcome to
^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 speed 115200
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 modem InOut
 transport input telnet
 transport output telnet
 flowcontrol hardware
line 2
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7
 login authentication local_auth
 transport input none
!
scheduler allocate 20000 1000
!
end
Switch:
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5
enable password 7
!
username user privilege 15 password 7
!
no aaa new-model
ip subnet-zero
ip vrf mgmtVrf
!
vtp domain test-02
vtp mode transparent
!
power redundancy-mode redundant
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40,50,60,70,80,159-160
!
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 no ip address
 speed auto
 duplex auto
!
interface GigabitEthernet1/1
 switchport access vlan 20
 switchport mode dot1q-tunnel
 no cdp enable
!
interface GigabitEthernet1/2
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/3
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/4
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/5
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/6
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/7
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/8
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/9
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/10
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/11
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/12
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/13
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/14
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/15
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/16
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/17
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/18
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/19
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/20
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/21
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/22
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/23
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/24
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/25
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/26
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/27
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/28
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/29
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/30
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/31
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/32
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/33
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/34
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/35
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/36
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/37
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/38
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/39
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/40
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/41
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/42
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/43
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/44
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/45
 switchport access vlan 50
 switchport mode access
 media-type rj45
!
interface GigabitEthernet1/46
 switchport access vlan 50
 switchport mode access
 media-type rj45
!
interface GigabitEthernet1/47
 switchport access vlan 50
 switchport mode access
 media-type rj45
!
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
!
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 spanning-tree portfast
 spanning-tree link-type shared
!
router rip
 network 192.168.2.0
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
no ip http secure-server
!
control-plane
!
banner login ^C
**** *****************, **** **** ******************* **** **** ****. **** **** **** ****. **** **** **** ****. ***********, **** **** ****. **** **** ****. **** ,,,,,,,,,,,,,****** ****. ******,,,,,,,,,,,,, ****************, ****. ****************,
^C
banner motd ^C
Welcome to
^C
!
line con 0
 login local
 stopbits 1
line vty 0 5
 login local
!
end
Any ideas?
Solved!
01-15-2020 09:49 AM
!
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended OUTSIDE-TO-INSIDE
!
Still no luck.
01-15-2020 10:05 AM
I still think the problem is in the zone-based firewall configuration. You must have permit any any in the OUTSIDE-TO-INSIDE ACL, because the inspection and dropping is done by the policy.
But before exploring further I would rather remove the zone-based firewall configuration from the interfaces to see whether the issue comes from this, and review the configuration after that.
01-15-2020 09:16 PM
01-15-2020 09:32 AM - edited 01-15-2020 09:34 AM
Your access list inside the zone-based firewall is not there. For testing, can you remove the zone-member configuration from the outside and inside interfaces?
Once tested successfully, put it back and complete the access-list configuration.
01-15-2020 10:09 AM
I still can't get it to route after adding that rule. I plan on changing my subnets and doing more granular access lists later, and adding an AP with different SSIDs and VLANs. I just want to get it to route.
01-15-2020 10:17 AM
It is more efficient to make the inside-outside pair do "inspect" rather than "pass" (below the class-map), so you would not need to create another outside-inside pair. In this case it will be stateful and permit from the outside only replies to traffic initiated from the inside.
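A worked version of the single-pair, stateful design this reply describes, as an added example that is not the thread's own configuration. It keeps the zone, class-map, policy-map and ACL names from the original post; the ACL entry, the `inspect` action, the `drop log` on class-default and the zone membership on the .30 through .80 subinterfaces are my additions. The reason the posted config cannot route is visible in it: `pass` creates no session state, so the OUT-TO-IN pair's `drop` discards every reply coming back from the Internet. `inspect` on IN-TO-OUT records each session and lets only the matching replies return, so the second zone-pair is removed rather than opened up (with no zone-pair defined, OUTSIDE-initiated traffic toward INSIDE is dropped by default).

```cisco
! Added example, not the original poster's running config.
! Zone, class-map, policy-map and ACL names are taken from the thread.
!
! The posted INSIDE-TO-OUTSIDE ACL has no entries, and an empty ACL
! matches nothing, so the class never fires. Match the RFC 1918 space
! that the VLAN subinterfaces live in.
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.0.0 0.0.255.255 any
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
!
! "inspect" builds a session entry per flow; "pass" does not.
! Anything from INSIDE that is not 192.168.x.x is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Remove the OUTSIDE->INSIDE pair entirely. Replies to inspected
! sessions are allowed back by the session table, and everything else
! from OUTSIDE is dropped because no zone-pair permits it.
! Order matters: the pair must go before the policy it references.
no zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
no policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
no class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
!
! Zone membership is per (sub)interface; marking the parent Gi0/1 does
! not cover its dot1Q subinterfaces. IOS drops traffic between a zone
! member and an interface that belongs to no zone, so the posted .30-.80
! subinterfaces could never reach Gi0/0 regardless of the policy.
interface GigabitEthernet0/1.30
 zone-member security INSIDE
interface GigabitEthernet0/1.40
 zone-member security INSIDE
interface GigabitEthernet0/1.50
 zone-member security INSIDE
interface GigabitEthernet0/1.60
 zone-member security INSIDE
interface GigabitEthernet0/1.70
 zone-member security INSIDE
interface GigabitEthernet0/1.80
 zone-member security INSIDE
```

To confirm it is doing what you expect, `show zone-pair security` should list only IN-TO-OUT, and `show policy-map type inspect zone-pair sessions` should show an entry for each outbound connection while a host is browsing; if the session table stays empty, the class is not matching and the ACL is the first thing to check. Traffic to and from the router itself (the DHCP client on Gi0/0, RIP, the VTY lines) is in the implicit `self` zone, which is permitted by default and is not affected by this pair.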
01-15-2020 10:20 AM
I was testing different things. I changed it to pass. I will change it later. The struggle is real.
01-15-2020 02:21 PM
Hello,
Your NAT configuration for the inside NAT is incorrect. Remove 'ip nat enable'.
Which interfaces do you need to access the Internet ?
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
ip nat inside
--> no ip nat enable
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
--> no ip nat enable
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable
01-15-2020 02:26 PM - edited 01-15-2020 02:30 PM
!
interface GigabitEthernet0/0
 ip address dhcp hostname NASA
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no cdp enable
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no cdp enable
Still no luck. I want all my VLANs to access the Internet. Can I disable the ones I don't want by removing address translation or disabling whatever made them work?
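The translation rule that the interface marking in this post still lacks, as an added example rather than the thread's final configuration. `ip nat inside` and `ip nat outside` only tag interfaces; without an `ip nat inside source` statement nothing is translated, packets leave Gi0/0 with 192.168.x.x sources, and the ISP either drops them or has no route back. Interface names and the 192.168.0.0/16 range come from the thread; the ACL name NAT-INSIDE is an assumption.

```cisco
! Added example, not the thread's own config. Interface names and the
! 192.168.0.0/16 range are from the thread; the ACL name NAT-INSIDE is
! an assumption.
!
! Which inside sources get translated. Keep this separate from the
! firewall ACL so the NAT scope and the firewall policy can change
! independently.
ip access-list standard NAT-INSIDE
 permit 192.168.0.0 0.0.255.255
!
! Gi0/0 gets its address from the ISP by DHCP, so translate to whatever
! the interface currently holds. "overload" is PAT: every inside host
! shares that one public address, distinguished by source port.
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 ip nat outside
 ip virtual-reassembly in
!
! NAT marking, like zone membership, is per (sub)interface. "ip nat
! inside" on the addressless parent Gi0/1 is harmless but does nothing;
! each VLAN subinterface that should reach the Internet needs its own.
interface GigabitEthernet0/1.1
 ip nat inside
 ip virtual-reassembly in
interface GigabitEthernet0/1.20
 ip nat inside
 ip virtual-reassembly in
interface GigabitEthernet0/1.30
 ip nat inside
 ip virtual-reassembly in
interface GigabitEthernet0/1.40
 ip nat inside
 ip virtual-reassembly in
interface GigabitEthernet0/1.50
 ip nat inside
 ip virtual-reassembly in
interface GigabitEthernet0/1.60
 ip nat inside
 ip virtual-reassembly in
interface GigabitEthernet0/1.70
 ip nat inside
 ip virtual-reassembly in
interface GigabitEthernet0/1.80
 ip nat inside
 ip virtual-reassembly in
```

After a host on any VLAN opens a connection, `show ip nat translations` should list an entry with the inside local 192.168.x.x address and the Gi0/0 address as inside global; `show ip nat statistics` shows the hit count on the NAT-INSIDE list. To cut a VLAN off from the Internet later, drop its subnet from NAT-INSIDE (or remove `ip nat inside` from its subinterface) rather than touching the firewall. On IOS, inside-to-outside inspection happens before translation, so the zone-based firewall ACL keeps matching on the private addresses even with NAT in place, and the existing `ip route 0.0.0.0 0.0.0.0 dhcp` is all the routing this needs.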
01-15-2020 02:44 PM
For me, it looks like your Zone Based Firewall is causing this problem. Did you get a chance to define the ACLs for the ZBFW, or did you try removing the zone configuration from the interfaces?
interface GigabitEthernet0/0
no zone-member security OUTSIDE
!
interface GigabitEthernet0/1
no zone-member security INSIDE
!
interface GigabitEthernet0/1.1
no zone-member security INSIDE
!
interface GigabitEthernet0/1.20
no zone-member security INSIDE
01-15-2020 03:21 PM
I will see what I can do. I want to get it setup properly without unnecessarily compromising my security or bowing down to my desire to get it up and running. I'll give it a shot next.