Cannot route to internet from Switch

NathanLKoch
Level 1

Here are my configs for my

Router:

!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 
enable password 7 
!         
aaa new-model
!         
!         
aaa authentication login local_auth local
!         
!         
!         
!         
!         
!         
aaa session-id common
!         
!         
!         
!         
!         
!         
no ip source-route
no ip gratuitous-arps
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
          
          
!         
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!         
ip dhcp pool vlan 20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 40
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 60
 network 192.168.60.0 255.255.255.0
 default-router 192.168.60.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 70
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
ip dhcp pool vlan 80
 network 192.168.80.0 255.255.255.0
 default-router 192.168.80.1 
 dns-server 208.67.222.222 208.67.220.220 
!         
!         
!         
no ip bootp server
ip host JPL 192.168.2.2
ip cef    
login block-for 13500 attempts 35 within 13500
no ipv6 cef
!         
multilink bundle-name authenticated
!         
!         
!         
!         
!         
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!         
!         
vtp mode transparent
username user password 7 
!         
redundancy
!         
!         
!         
!         
no cdp run
!         
!         
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!         
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  pass    
 class class-default
  pass    
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  drop    
 class class-default
  drop    
!         
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!         
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown 
 no mop enabled
!         
interface GigabitEthernet0/0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security OUTSIDE
 duplex auto
 speed auto
 no mop enabled
!         
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security INSIDE
 duplex auto
 speed auto
 no mop enabled
!         
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 zone-member security INSIDE
 no cdp enable
!         
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no cdp enable
!         
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 192.168.60.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.70
 encapsulation dot1Q 70
 ip address 192.168.70.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/1.80
 encapsulation dot1Q 80
 ip address 192.168.80.1 255.255.255.0
 no cdp enable
!         
interface GigabitEthernet0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown 
 duplex auto
 speed auto
 no mop enabled
!         
!         
router rip
 version 2
 network 142.165.0.0
 network 192.168.2.0
 network 192.168.20.0
 network 207.47.196.0
!         
ip forward-protocol nd
!         
no ip http server
no ip http secure-server
!         
ip route 0.0.0.0 0.0.0.0 dhcp
ip identd 
!         
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!         
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!         
!         
!         
!         
control-plane host
!         
!         
control-plane
!         
!         
 vstack   
banner login ^C
          
          
   *******         *****       ,******.          ,**************        ,******,             
 **********,       *****     .**********      ,*****************       **********            
******,*****       *****     ************    *******************      ************           
*****   *****      *****    *****   ******   *****                   *****   ,*****          
*****   *****,     *****   ******    *****   *****                  ,*****    *****          
*****    *****     *****   *****      *****  ,****************      *****      *****         
*****    ,*****    *****  *****       ******   *****************   *****       ,*****        
*****     *****    *****  *****        *****       ,,,,,,,,****** .*****        *****        
*****     ,*****   ***** *****          *****               ***** *****          *****       
*****      *****   **********           *****,             ***********,          ******      
*****       ***********.*****            *********************** *****            *****      
*****        ********* *****              ********************  *****              *****     ^C
banner motd ^C
Welcome to ^C
!         
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 speed 115200
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 modem InOut
 transport input telnet
 transport output telnet
 flowcontrol hardware
line 2    
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec  
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 
 login authentication local_auth
 transport input none
!         
scheduler allocate 20000 1000
!         
end  

Switch:

!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5 
enable password 7 
!
username user privilege 15 password 7 
!
!         
no aaa new-model
ip subnet-zero
ip vrf mgmtVrf
!         
!         
!         
vtp domain test-02
vtp mode transparent
!         
!         
!         
power redundancy-mode redundant
!         
!         
!         
!         
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!         
vlan internal allocation policy ascending
!         
vlan 20,30,40,50,60,70,80,159-160 
!         
!         
!         
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 no ip address
 speed auto
 duplex auto
!         
interface GigabitEthernet1/1
 switchport access vlan 20
 switchport mode dot1q-tunnel
 no cdp enable
!         
interface GigabitEthernet1/2
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/3
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/4
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/5
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/6
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/7
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/8
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/9
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/10
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/11
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/12
 switchport access vlan 20
 switchport mode access
!         
interface GigabitEthernet1/13
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/14
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/15
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/16
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/17
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/18
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/19
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/20
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/21
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/22
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/23
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/24
 switchport access vlan 30
 switchport mode access
!         
interface GigabitEthernet1/25
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/26
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/27
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/28
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/29
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/30
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/31
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/32
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/33
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/34
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/35
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/36
 switchport access vlan 40
 switchport mode access
!         
interface GigabitEthernet1/37
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/38
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/39
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/40
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/41
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/42
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/43
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/44
 switchport access vlan 50
 switchport mode access
!         
interface GigabitEthernet1/45
 switchport access vlan 50
 switchport mode access
 media-type rj45
!         
interface GigabitEthernet1/46
 switchport access vlan 50
 switchport mode access
 media-type rj45
!         
interface GigabitEthernet1/47
 switchport access vlan 50
 switchport mode access
 media-type rj45
!         
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
!         
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 spanning-tree portfast
 spanning-tree link-type shared
!         
router rip
 network 192.168.2.0
!         
ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
no ip http secure-server
!         
!         
!         
!         
!         
!         
control-plane
!         
banner login ^C
               **** *****************,  ****               
               **** ******************* ****               
               **** ****.          **** ****               
               **** ****.          **** ****               
               **** ****.  ***********, ****               
               **** ****.               ****               
               **** ****.               ****               
,,,,,,,,,,,,,****** ****.               ******,,,,,,,,,,,,,
 ****************,  ****.                ****************, ^C
banner motd ^C
 Welcome to ^C
!         
line con 0
 login local
 stopbits 1
line vty 0 5
 login local
!         
end       
     

Any ideas?


---------------------
"Fortune favors the brave."

!         
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended OUTSIDE-TO-INSIDE
!  

Still no luck.

---------------------
"Fortune favors the brave."

I still think the problem is in the zone-based firewall configuration. You must have permit any any in the OUTSIDE-TO-INSIDE ACL, because the inspection and dropping are done by the policy.

But before exploring further I would rather remove the zone-based firewall configuration below the interfaces to see if the issue comes from this, and afterwards review the configuration.

You were right. It was the inspect to pass option.
---------------------
"Fortune favors the brave."

Your access list inside the zone-based firewall is not there. For testing, can you remove the zone-member configuration from the outside and inside interfaces?


Once tested successfully, put it back and complete the access-list configuration

I still can't get it to route after adding that rule. I plan on changing my subnets and doing more granular access-lists later, adding an AP with different SSIDs and VLANs. I just want to get it to route.

---------------------
"Fortune favors the brave."

It is more efficient to make the inside-outside pair do "inspect" rather than "pass" (below the class-map), so you would not need to create another outside-inside pair. In this case it will be stateful and permit from the outside only replies to traffic initiated from the inside.

I was testing different things. I changed it to pass. I will change it later. The struggle is real.

---------------------
"Fortune favors the brave."

Hello,


your NAT configuration for the inside NAT is incorrect. Remove 'ip nat enable'.


Which interfaces do you need to access the Internet ?


interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
ip nat inside
--> no ip nat enable
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
--> no ip nat enable
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable

!         
interface GigabitEthernet0/0
 ip address dhcp hostname NASA
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 no mop enabled
!         
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
 no mop enabled
!         
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no cdp enable
!         
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no cdp enable

Still no luck. I want all my VLANs to access the internet. I can disable the ones I don't want by removing address translation or disabling whatever made them work?

---------------------
"Fortune favors the brave."

For me, it looks like your zone-based firewall is causing this problem. Did you get a chance to define the ACLs for the ZBFW, or did you try removing the zone configuration from the interfaces?

interface GigabitEthernet0/0
no zone-member security OUTSIDE

!        
interface GigabitEthernet0/1
no zone-member security INSIDE
!        
interface GigabitEthernet0/1.1
no zone-member security INSIDE
!        
interface GigabitEthernet0/1.20
no zone-member security INSIDE

I will see what I can do. I want to get it set up properly without unnecessarily compromising my security or bowing down to my desire to get it up and running. I'll give it a shot next.

---------------------
"Fortune favors the brave."