01-14-2020 06:57 PM
Here are my configs for my
Router:
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip host JPL 192.168.2.2
ip cef
login block-for 13500 attempts 35 within 13500
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username user password 7
!
redundancy
!
no cdp run
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
pass
class class-default
pass
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
router rip
version 2
network 142.165.0.0
network 192.168.2.0
network 192.168.20.0
network 207.47.196.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 dhcp
ip identd
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
control-plane host
!
control-plane
!
vstack
banner login ^C
******* ***** ,******. ,************** ,******, **********, ***** .********** ,***************** ********** ******,***** ***** ************ ******************* ************ ***** ***** ***** ***** ****** ***** ***** ,***** ***** *****, ***** ****** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ,**************** ***** ***** ***** ,***** ***** ***** ****** ***************** ***** ,***** ***** ***** ***** ***** ***** ,,,,,,,,****** .***** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ***** ***** ********** *****, ***********, ****** ***** ***********.***** *********************** ***** ***** ***** ********* ***** ******************** ***** *****
^C
banner motd ^C
Welcome to
^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
!
end
Switch:
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5
enable password 7
!
username user privilege 15 password 7
!
no aaa new-model
ip subnet-zero
ip vrf mgmtVrf
!
vtp domain test-02
vtp mode transparent
!
power redundancy-mode redundant
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40,50,60,70,80,159-160
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet1/1
switchport access vlan 20
switchport mode dot1q-tunnel
no cdp enable
!
interface GigabitEthernet1/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/5
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/6
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/7
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/8
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/9
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/10
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/11
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/12
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/13
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/14
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/16
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/17
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/18
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/19
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/20
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/21
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/22
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/23
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/24
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/25
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/26
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/27
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/28
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/29
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/30
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/31
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/32
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/33
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/34
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/35
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/36
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/37
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/38
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/39
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/40
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/41
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/42
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/43
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/44
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/45
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/46
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/47
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/48
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
!
interface Vlan1
ip address 192.168.2.2 255.255.255.0
spanning-tree portfast
spanning-tree link-type shared
!
router rip
network 192.168.2.0
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
no ip http secure-server
!
control-plane
!
banner login ^C
**** *****************, **** **** ******************* **** **** ****. **** **** **** ****. **** **** **** ****. ***********, **** **** ****. **** **** ****. **** ,,,,,,,,,,,,,****** ****. ******,,,,,,,,,,,,, ****************, ****. ****************,
^C
banner motd ^C
Welcome to
^C
!
line con 0
login local
stopbits 1
line vty 0 5
login local
!
end
Any ideas?
01-15-2020 10:05 AM
I still think the problem is in the zone-based firewall configuration. You must have permit any any in the OUTSIDE-TO-INSIDE ACL, because the inspection and dropping is done by the policy.
But before exploring further I would rather remove the zone-based firewall configuration from the interfaces to see if the issue comes from this, and afterwards review the configuration.
01-15-2020 10:17 AM
It is more efficient to make the inside-outside pair do "inspect" rather than "pass" (below the class-map), so you would not need to create another outside-inside pair. In this case it will be stateful and permit from outside only the replies to traffic initiated from the inside.
01-14-2020 08:14 PM - edited 01-14-2020 08:15 PM
Hi,
Are you able to ping from your switch, sourcing from the IP 192.168.2.2, to the destination IP 192.168.2.1? If the pings are successful, then I would think the problem resides on the router, not the switch. I can't see any switch-related issue at the moment. Also, what exactly do you mean by "cannot route to internet"? You're already doing it with a static route.
01-14-2020 08:25 PM - edited 01-14-2020 09:19 PM
Yes. Pings work.
NASA#ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.164.206, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/52/64 ms
NASA#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
JPL#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
JPL#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
JPL#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
01-14-2020 09:16 PM
Hi,
I did not see any NAT config here. You are not able to ping from any other VLAN to the outside, right? And you can ping the internet from the outside interface?
01-14-2020 09:20 PM
Correct.
01-14-2020 09:30 PM
Can you add the below to your router?
access-list 10 permit 192.168.0.0 0.0.255.255
ip nat inside source list 10 interface gi0/0 overload
If it worked, then you have to add "ip nat inside" to all the remaining subinterfaces you have in your router.
01-14-2020 09:46 PM
show run
access-list 10 permit 192.168.0.0 0.0.255.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
NASA#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 1, occurred 00:02:18 ago
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/1, GigabitEthernet0/1.1, GigabitEthernet0/1.20
Hits: 10 Misses: 0
CEF Translated packets: 10, CEF Punted packets: 0
Expired translations: 1
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 interface GigabitEthernet0/0 refcount 0
01-14-2020 10:23 PM
Did it work for you? The output suggests that translation worked well.
01-14-2020 10:59 PM - edited 01-14-2020 11:04 PM
No. Not yet. I think it's the switch? If I have NAT enabled on the router, does the switch need to have it enabled as well?
01-14-2020 09:55 PM - edited 01-14-2020 10:07 PM
I still cannot ping from the switch?
NASA#ping 192.168.20.63
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.63, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
NASA#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
JPL#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
JPL#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
JPL#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
JPL#
01-15-2020 12:41 AM
Post the router configuration again.
Jon
01-15-2020 04:39 AM
Hello,
You will need to put "ip nat outside" on the WAN interface of the router.
Rate if helpful.
01-15-2020 05:33 AM
Hello,
I don't want to post anything redundant that might have been mentioned by others, but have a look at the changes marked in bold. Try and implement those. The assumption is that port 48 on the switch is uplinked to port 0/1 on the router.
Router:
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip host JPL 192.168.2.2
ip cef
login block-for 13500 attempts 35 within 13500
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username user password 7
!
redundancy
!
no cdp run
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
pass
class class-default
pass
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip address dhcp
--> ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
--> ip nat inside
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
no cdp enable
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
--> ip nat inside
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
--> no router rip
version 2
network 142.165.0.0
network 192.168.2.0
network 192.168.20.0
network 207.47.196.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
control-plane host
!
control-plane
!
vstack
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
!
end
Switch:
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5
enable password 7
!
username user privilege 15 password 7
!
--> no ip routing
!
no aaa new-model
ip subnet-zero
ip vrf mgmtVrf
!
vtp domain test-02
vtp mode transparent
!
power redundancy-mode redundant
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40,50,60,70,80,159-160
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet1/1
switchport access vlan 20
switchport mode dot1q-tunnel
no cdp enable
!
interface GigabitEthernet1/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/5
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/6
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/7
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/8
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/9
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/10
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/11
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/12
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/13
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/14
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/16
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/17
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/18
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/19
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/20
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/21
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/22
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/23
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/24
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/25
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/26
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/27
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/28
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/29
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/30
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/31
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/32
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/33
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/34
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/35
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/36
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/37
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/38
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/39
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/40
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/41
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/42
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/43
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/44
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet1/45
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/46
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/47
switchport access vlan 50
switchport mode access
media-type rj45
!
interface GigabitEthernet1/48
description Uplink to Router interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
!
interface Vlan1
ip address 192.168.2.2 255.255.255.0
spanning-tree portfast
spanning-tree link-type shared
!
ip default-gateway 192.168.2.1
!
--> no router rip
network 192.168.2.0
!
--> no ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
login local
stopbits 1
line vty 0 5
login local
!
end
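The two recurring points in this thread, the NAT side (the WAN interface needs "ip nat outside" and every LAN subinterface needs "ip nat inside") and the zone-based firewall side (an inspect class that matches an empty ACL never matches, and "pass" is stateless where "inspect" would let replies back without a second zone-pair), can be checked mechanically before a change is pushed. The following Python script is an added example, not code from this thread or from Cisco. It assumes the flat "one command per line, sections end with !" layout of the configs pasted above; the block keywords, the finding codes and the two cut-down sample configs are constructed for the example.

```python
"""Audit a Cisco IOS config for the NAT / zone-based-firewall (ZBF) mismatches
discussed in this thread. Added example, not code from the thread or from Cisco;
it assumes the flat "one command per line, sections end with !" layout above."""

BLOCK_KEYWORDS = ("interface ", "policy-map ", "class-map ", "ip access-list ")

def parse_blocks(config):
    """Return [(header, [sub-commands])]: a keyword opens a block, "!" closes it."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
        elif line.startswith(BLOCK_KEYWORDS):
            current = (line, [])
            blocks.append(current)
        elif line and current is not None:
            current[1].append(line)
        elif line:                       # global one-liner outside any block
            blocks.append((line, []))
    return blocks

def check_interface(name, body):
    """NAT/zone consistency for one L3 interface (shut and L2-only ports skipped)."""
    if "shutdown" in body or not any(l.startswith("ip address ") for l in body):
        return []
    zone = next((l.split()[-1] for l in body if l.startswith("zone-member security ")), None)
    nat = next((l.split()[-1] for l in body if l in ("ip nat inside", "ip nat outside")), None)
    out = []
    if zone is None:
        out.append(("NO_ZONE", f"{name}: in no zone; ZBF drops traffic between zoned and unzoned interfaces"))
    if zone == "OUTSIDE" and nat != "outside":
        out.append(("NAT_OUTSIDE_MISSING", f"{name}: WAN interface lacks 'ip nat outside'"))
    if zone != "OUTSIDE" and nat != "inside":
        out.append(("NAT_INSIDE_MISSING", f"{name}: LAN interface lacks 'ip nat inside'"))
    return out

def check_policy(name, body, class_acl, acls):
    """Flag stateless 'pass' actions and inspect classes whose ACL has no entries."""
    out, cls = [], None
    for line in body:
        if line.startswith("class "):
            cls = line.split()[-1]
            acl = class_acl.get(cls)
            if acl is not None and not acls.get(acl):
                out.append(("ZBF_EMPTY_ACL", f"{name}/{cls}: ACL {acl} is empty or undefined, so the class never matches"))
        elif line == "pass" and cls is not None:
            out.append(("ZBF_PASS", f"{name}/{cls}: 'pass' is stateless; 'inspect' returns replies without an OUT-TO-IN permit"))
    return out

def audit(config):
    blocks = parse_blocks(config)
    acls, class_acl = {}, {}             # ACL name -> entries; inspect class -> ACL it matches
    for header, body in blocks:
        if header.startswith("ip access-list "):
            acls[header.split()[-1]] = body
        elif header.startswith("class-map type inspect "):
            acl = [s.split()[-1] for s in body if s.startswith("match access-group name ")]
            if acl:
                class_acl[header.split()[-1]] = acl[0]
    findings = []
    for header, body in blocks:
        if header.startswith("interface "):
            findings += check_interface(header.split()[1], body)
        elif header.startswith("policy-map type inspect "):
            findings += check_policy(header.split()[-1], body, class_acl, acls)
    return findings

# Constructed, cut-down version of the router config posted at the top of the thread.
ORIGINAL = """\
interface GigabitEthernet0/0
ip address dhcp
zone-member security OUTSIDE
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
pass
class class-default
pass
!
"""
# The same config with the thread's fixes applied as text edits (also constructed).
FIXED = (ORIGINAL
         .replace("ip address dhcp\n", "ip address dhcp\nip nat outside\n")
         .replace("255.255.255.0\n", "255.255.255.0\nip nat inside\nzone-member security INSIDE\n")
         .replace("CLASS\npass\n", "CLASS\ninspect\n").replace("default\npass\n", "default\ndrop\n")
         + "ip access-list extended INSIDE-TO-OUTSIDE\npermit ip any any\n")

if __name__ == "__main__":
    print(*audit(ORIGINAL), sep="\n")
    print("after fixes:", audit(FIXED))
```

Run against ORIGINAL the audit reports the missing "ip nat outside" on Gi0/0, the unzoned and un-NATed Gi0/1.30, the empty INSIDE-TO-OUTSIDE ACL and both "pass" actions; against FIXED it reports nothing. Pasting a real "show run" into audit() works as long as the sections are separated by "!" lines, as they are in the outputs above.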
01-15-2020 09:07 AM - edited 01-15-2020 09:09 AM
Router
NASA#show run Building configuration... Current configuration : 7889 bytes ! ! Last configuration change at 16:26:49 UTC Wed Jan 15 2020 by nkoch ! version 15.7 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service internal service sequence-numbers ! hostname NASA ! boot-start-marker boot-end-marker ! ! security authentication failure rate 10 log security passwords min-length 6 logging console critical enable secret 5 enable password 7 ! aaa new-model ! ! aaa authentication login local_auth local ! ! ! ! ! ! aaa session-id common ! ! ! ! ! ! no ip source-route no ip gratuitous-arps ! ! ! ! ! ! ! ! ! ! ! ! ! ip dhcp excluded-address 192.168.20.1 192.168.20.60 ip dhcp excluded-address 192.168.30.1 192.168.30.60 ip dhcp excluded-address 192.168.40.1 192.168.40.60 ip dhcp excluded-address 192.168.50.1 192.168.50.60 ip dhcp excluded-address 192.168.60.1 192.168.60.60 ip dhcp excluded-address 192.168.70.1 192.168.70.60 ip dhcp excluded-address 192.168.80.1 192.168.80.60 ! ip dhcp pool vlan 20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 30 network 192.168.30.0 255.255.255.0 default-router 192.168.30.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 40 network 192.168.40.0 255.255.255.0 default-router 192.168.40.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 50 network 192.168.50.0 255.255.255.0 default-router 192.168.50.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 60 network 192.168.60.0 255.255.255.0 default-router 192.168.60.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 70 network 192.168.70.0 255.255.255.0 default-router 192.168.70.1 dns-server 208.67.222.222 208.67.220.220 ! 
ip dhcp pool vlan 80 network 192.168.80.0 255.255.255.0 default-router 192.168.80.1 dns-server 208.67.222.222 208.67.220.220 ! ! ! no ip bootp server ip host JPL 192.168.2.2 ip inspect WAAS flush-timeout 10 ip cef login block-for 13500 attempts 35 within 13500 no ipv6 cef ! multilink bundle-name authenticated ! ! ! ! ! license udi pid CISCO2911/K9 sn FGL1741129H license accept end user agreement license boot module c2900 technology-package securityk9 license boot module c2900 technology-package datak9 ! ! vtp mode transparent username password 7 ! redundancy notification-timer 120000 ! ! ! ! no cdp run ! ! class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS match access-group name INSIDE-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS match access-group name OUTSIDE-TO-INSIDE ! policy-map type inspect INSIDE-TO-OUTSIDE-POLICY class type inspect INSIDE-TO-OUTSIDE-CLASS pass class class-default pass policy-map type inspect OUTSIDE-TO-INSIDE-POLICY class type inspect OUTSIDE-TO-INSIDE-CLASS drop class class-default drop ! zone security INSIDE zone security OUTSIDE zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE service-policy type inspect INSIDE-TO-OUTSIDE-POLICY zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE service-policy type inspect OUTSIDE-TO-INSIDE-POLICY ! ! ! ! ! ! ! ! ! ! interface Loopback0 ip address 192.168.1.1 255.255.255.0 ! interface Loopback1 no ip address ! interface Embedded-Service-Engine0/0 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown no mop enabled ! interface GigabitEthernet0/0 ip address dhcp hostname NASA no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip nat enable ip virtual-reassembly in zone-member security OUTSIDE duplex auto speed auto no mop enabled ! 
interface GigabitEthernet0/1 no ip address no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip nat enable ip virtual-reassembly in zone-member security INSIDE duplex auto speed auto no mop enabled ! interface GigabitEthernet0/1.1 encapsulation dot1Q 1 native ip address 192.168.2.1 255.255.255.0 ip nat inside ip nat enable ip virtual-reassembly in zone-member security INSIDE no cdp enable ! interface GigabitEthernet0/1.20 encapsulation dot1Q 20 ip address 192.168.20.1 255.255.255.0 ip nat inside ip nat enable ip virtual-reassembly in zone-member security INSIDE no cdp enable ! interface GigabitEthernet0/1.30 encapsulation dot1Q 30 ip address 192.168.30.1 255.255.255.0 no cdp enable ! interface GigabitEthernet0/1.40 encapsulation dot1Q 40 ip address 192.168.40.1 255.255.255.0 no cdp enable ! interface GigabitEthernet0/1.50 encapsulation dot1Q 50 ip address 192.168.50.1 255.255.255.0 no cdp enable ! interface GigabitEthernet0/1.60 encapsulation dot1Q 60 ip address 192.168.60.1 255.255.255.0 no cdp enable ! interface GigabitEthernet0/1.70 encapsulation dot1Q 70 ip address 192.168.70.1 255.255.255.0 no cdp enable ! interface GigabitEthernet0/1.80 encapsulation dot1Q 80 ip address 192.168.80.1 255.255.255.0 no cdp enable ! interface GigabitEthernet0/2 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex auto speed auto no mop enabled ! ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip nat inside source list 1 interface GigabitEthernet0/0 overload ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp ip identd ! ip access-list extended INSIDE-TO-OUTSIDE ip access-list extended OUTSIDE-TO-INSIDE ! logging trap debugging logging facility local2 dialer-list 1 protocol ip permit ipv6 ioam timestamp ! ! 
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
control-plane host
!
control-plane
!
vstack
banner login ^C
******* ***** ,******. ,************** ,******, **********, ***** .********** ,***************** ********** ******,***** ***** ************ ******************* ************ ***** ***** ***** ***** ****** ***** ***** ,***** ***** *****, ***** ****** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ,**************** ***** ***** ***** ,***** ***** ***** ****** ***************** ***** ,***** ***** ***** ***** ***** ***** ,,,,,,,,****** .***** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ***** ***** ********** *****, ***********, ****** ***** ***********.***** *********************** ***** ***** ***** ********* ***** ******************** ***** *****
^C
banner motd ^C
Welcome to
^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 speed 115200
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 modem InOut
 transport input telnet
 transport output telnet
 flowcontrol hardware
line 2
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7
 login authentication local_auth
 transport input none
!
scheduler allocate 20000 1000
!
end
Switch
Building configuration...
Current configuration : 5879 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname JPL
!
boot-start-marker
boot host bootflash:startup-config
boot system bootflash:startup-config
boot config bootflash:startup-config
boot-end-marker
!
enable secret 5
enable password 7
!
username privilege 15 password 7
!
no aaa new-model
ip subnet-zero
no ip routing
ip vrf mgmtVrf
!
vtp domain test-02
vtp mode transparent
!
power redundancy-mode redundant
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20,30,40,50,60,70,80,159-160
!
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 no ip address
 no ip route-cache
 speed auto
 duplex auto
!
interface GigabitEthernet1/1
 switchport access vlan 20
 switchport mode dot1q-tunnel
 no cdp enable
!
interface GigabitEthernet1/2
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/3
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/4
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/5
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/6
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/7
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/8
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/9
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/10
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/11
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/12
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/13
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/14
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/15
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/16
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/17
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/18
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/19
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/20
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/21
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/22
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/23
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/24
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/25
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/26
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/27
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/28
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/29
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/30
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/31
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/32
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/33
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/34
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/35
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/36
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/37
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/38
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/39
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/40
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/41
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/42
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/43
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/44
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet1/45
 switchport access vlan 50
 switchport mode access
 media-type rj45
!
interface GigabitEthernet1/46
 switchport access vlan 50
 switchport mode access
 media-type rj45
!
interface GigabitEthernet1/47
 switchport access vlan 50
 switchport mode access
 media-type rj45
!
interface GigabitEthernet1/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
!
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 no ip route-cache
 spanning-tree portfast
 spanning-tree link-type shared
!
ip default-gateway 192.168.2.1
no ip http server
no ip http secure-server
!
control-plane
!
banner login ^C
**** *****************, **** **** ******************* **** **** ****. **** **** **** ****. **** **** **** ****. ***********, **** **** ****. **** **** ****. **** ,,,,,,,,,,,,,****** ****. ******,,,,,,,,,,,,, ****************, ****. ****************,
^C
banner motd ^C
Welcome to
^C
!
line con 0
 login local
 stopbits 1
line vty 0 5
 login local
!
end
Still not routing? Thank you for your help.
01-15-2020 09:28 AM
Hello,
I see you have zone-based firewall configured. In the inspect policy you defined access list INSIDE-TO-OUTSIDE, but the access list is empty. Please configure permit rules for your subnets like this:
ip access-list extended INSIDE-TO-OUTSIDE
permit ip 192.168.0.0 0.0.255.255 any