02-13-2014 12:58 AM - edited 03-04-2019 10:19 PM
Hello sirs,
I'm new to this, so please forgive my ignorance. I have a Cisco 876 router running the advipservicesk9-mz.124-15.T17 IOS. My ADSL2+ line is PSTN, so I figured I could use this router with a ZyXEL modem in bridged mode. After much frustration and searching over the web I finally got it to work. I also used Cisco CCP to apply a zone firewall in low mode, since I know very little about firewalls. I'm posting my configuration below and I would appreciate any feedback as to whether it is correct or not. Also, is there a way to create a second VLAN so that the ZyXEL modem would be accessed through a different network than that of my primary VLAN?
Thanks in advance
Building configuration...
Current configuration : 9546 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Kerberos
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-15.T17.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5 $1$26AC$XdfeeI/jEufq7z71fGib..
!
aaa new-model
!
!
aaa authentication login default local enable
aaa authentication login clientauth local
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone Athens 2
!
crypto pki trustpoint TP-self-signed-2038751039
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2038751039
revocation-check none
rsakeypair TP-self-signed-2038751039
!
!
crypto pki certificate chain TP-self-signed-2038751039
certificate self-signed 01
quit
dot11 syslog
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name chaos.com
!
multilink bundle-name authenticated
!
!
username babz privilege 15 password 7 110D000B16011F15
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class class-default
policy-map type inspect ccp-permit
class class-default
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
!
!
interface Null0
no ip unreachables
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
description ADSL WAN Interface
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.1.200 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
pppoe enable group global
!
interface Dialer1
description ADSL WAN Dialer$FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip route-cache flow
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname *****************************
ppp chap password 7 *********************
ppp ipcp dns request
ppp ipcp route default
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 7
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation finrst-timeout 120
ip nat inside source list 1 interface Dialer1 overload
!
no logging trap
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 7 remark HTTP Access-class list
access-list 7 remark CCP_ACL Category=1
access-list 7 permit 192.168.1.230
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 deny any
access-list 8 remark CCP_ACL Category=2
access-list 8 permit 192.168.1.0 0.0.0.255
access-list 9 remark CCP_ACL Category=2
access-list 9 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq telnet
access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq 22
access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq www
access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq 443
access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq cmd
access-list 101 deny tcp any host 192.168.1.200 eq telnet
access-list 101 deny tcp any host 192.168.1.200 eq 22
access-list 101 deny tcp any host 192.168.1.200 eq www
access-list 101 deny tcp any host 192.168.1.200 eq 443
access-list 101 deny tcp any host 192.168.1.200 eq cmd
access-list 101 deny udp any host 192.168.1.200 eq snmp
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip host 192.168.1.230 any
no cdp run
!
!
!
!
control-plane
!
banner login ^CC
+-------------------------------------------------------+
| |
| CHAOS |
| |
| |
| |
+-------------------------------------------------------+
| UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE AND |
| ATTACHED NETWORKS IS STRICTLY PROHIBITED. |
| You must have explicit permission to access or |
| configure this device. All activities performed on |
| this device may be logged or monitored without further|
| notice, and the resulting logs may be used as evidence|
| in court. |
| Any unauthorized use of the system is unlawful, and |
| may be subject to civil and/or criminal penalties. |
+-------------------------------------------------------+
^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
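Added example, not part of the original post or of any Cisco tool: a small section-aware check that flags the management-plane settings in a configuration like the one above (type 7 user password, cleartext HTTP and Telnet management, disabled logging, short minimum password length) and shows a corrected excerpt passing. The excerpts are constructed, the rule names are made up for this example, and the `MIN_PASSWORD_LENGTH` threshold is an assumed local policy value.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    line_no: int
    rule: str      # rule names are hypothetical labels for this example
    line: str
    advice: str

MIN_PASSWORD_LENGTH = 10  # assumption: local policy value, not from the page

# Constructed excerpt modelled on the posted running-config (secrets redacted).
WEAK_CONFIG = """\
security passwords min-length 6
no logging buffered
username admin privilege 15 password 7 <redacted>
ip http server
ip http secure-server
no logging trap
access-list 101 permit tcp host 192.168.1.230 host 192.168.1.200 eq telnet
line con 0
transport output telnet
line vty 0 4
access-class 102 in
transport input telnet ssh
!
"""

# Constructed corrected excerpt: same intent, hardened settings.
HARDENED_CONFIG = """\
security passwords min-length 10
logging buffered 16384
username admin privilege 15 secret 5 <redacted>
no ip http server
ip http secure-server
line vty 0 4
access-class 102 in
transport input ssh
!
"""

def audit(config: str) -> list:
    """Return Finding tuples for weak management-plane settings."""
    findings = []
    section = ""  # current 'line ...' or 'interface ...' block, if any
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            section = ""
            continue
        # Section headers; works even when indentation was lost in a paste.
        if re.match(r"(line|interface) ", line):
            section = line
            continue

        def add(rule, advice):
            findings.append(Finding(no, rule, line, advice))

        m = re.match(r"security passwords min-length (\d+)$", line)
        if m and int(m.group(1)) < MIN_PASSWORD_LENGTH:
            add("short-min-length", "raise the minimum password length")
        if line in ("no logging buffered", "no logging trap"):
            add("logging-disabled", "keep a log buffer or syslog target")
        if re.match(r"username \S+ .*\bpassword 7 ", line):
            add("type7-user-password",
                "type 7 is reversible obfuscation; use 'username ... secret'")
        if line == "ip http server":
            add("http-cleartext-mgmt", "use only 'ip http secure-server'")
        if re.match(r"access-list \d+ permit tcp .* eq telnet$", line):
            add("acl-permits-telnet", "remove once Telnet is disabled")
        if section.startswith("line vty") and line.startswith("transport input"):
            protocols = line.split()[2:]
            if "telnet" in protocols or "all" in protocols:
                add("telnet-on-vty", "use 'transport input ssh'")
    return findings

if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print(f"{f.line_no:>3} {f.rule:<22} {f.line}  ->  {f.advice}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```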
02-14-2014 01:01 AM
Yes, of course I'm sure, it's in bridge mode and I have internet. Here's the output:
Kerberos#sh ip int
Kerberos#sh ip interface brie
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM administratively down down
BRI0 unassigned YES NVRAM administratively down down
BRI0:1 unassigned YES unset administratively down down
BRI0:2 unassigned YES unset administratively down down
Dialer1 62.1.59.176 YES IPCP up up
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset administratively down down
FastEthernet2 unassigned YES unset administratively down down
FastEthernet3 unassigned YES unset up up
NVI0 unassigned YES unset administratively down down
Virtual-Access1 unassigned YES unset up up
Vlan1 192.168.1.200 YES NVRAM up up
Kerberos#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 213.16.246.30 to network 0.0.0.0
213.16.246.0/32 is subnetted, 1 subnets
C 213.16.246.30 is directly connected, Dialer1
C 192.168.1.0/24 is directly connected, Vlan1
62.0.0.0/32 is subnetted, 1 subnets
C 62.1.59.176 is directly connected, Dialer1
S* 0.0.0.0/0 [1/0] via 213.16.246.30
My PC is connected to ethernet3 on the c876; eth2 and eth1 are shut down and eth0 is connected to the ZyXEL, and I can access the ZyXEL (192.168.1.100).
02-14-2014 01:08 AM
Hi,
OK, so it seems correct, but you said that you could communicate with the ZyXEL from the 876?
Can you show me that by pinging it after doing this:
enable
conf t
access-list 199 permit icmp any any
service timestamp debug uptime
logging buffer 7
do clear log
do debug ip pack deta 199
Then do your ping to the ZyXEL and issue the following command: do sh log
Hit Enter to get it all and post the output.
Regards
Alain
Don't forget to rate helpful posts.
02-14-2014 01:16 AM
Kerberos#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level critical, 0 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 99 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: disabled
Log Buffer (4096 bytes):
.92.36.124 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000364: 14:45:08: IP: s=84.92.36.124 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000365: 14:45:08: ICMP type=3, code=3
000366: 14:45:12: IP: tableid=0, s=79.160.77.241 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000367: 14:45:12: IP: s=79.160.77.241 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000368: 14:45:12: ICMP type=3, code=3
000420: 14:45:54: ICMP type=11, code=0
000421: 14:45:56: IP: tableid=0, s=112.198.111.142 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000422: 14:45:56: IP: s=112.198.111.142 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000423: 14:45:56: ICMP type=3, code=0
000424: 14:46:00: IP: tableid=0, s=79.161.66.79 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000425: 14:46:00: IP: s=79.161.66.79 (Dialer1), d=192.168.1.250 (Vlan1), len 56, dropped by inspect
000426: 14:46:00: ICMP type=3, code=13
000427: 14:46:01: IP: tableid=0, s=180.234.250.77 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000428: 14:46:01: IP: s=180.234.250.77 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000429: 14:46:01: ICMP type=3, code=3
000430: 14:46:01: IP: tableid=0, s=68.43.230.66 (Dialer1), d=62.1.59.176 (Dialer1), routed via RIB
000431: 14:46:01: IP: s=68.43.230.66 (Dialer1), d=62.1.59.176 (Dialer1), len 123, rcvd 3
000432: 14:46:01: ICMP type=3, code=1
000433: 14:46:01: IP: s=68.43.230.66 (Dialer1), d=62.1.59.176, len 123, dropped by local inspect
000434: 14:46:01: ICMP type=3, code=1
000435: 14:46:02: IP: tableid=0, s=60.50.113.139 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000436: 14:46:02: IP: s=60.50.113.139 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000437: 14:46:02: ICMP type=3, code=3
000438: 14:46:03: IP: tableid=0, s=41.87.108.2 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000439: 14:46:03: IP: s=41.87.108.2 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000440: 14:46:03: ICMP type=3, code=1
000441: 14:46:06: IP: tableid=0, s=95.150.180.104 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000442: 14:46:06: IP: s=95.150.180.104 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000443: 14:46:06: ICMP type=3, code=1
000444: *Feb 12 22:55:24.016 Athens: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Virtual-Access1: the fragment table has reached its maximum threshold 1695: 14:45:21: ICMP type=8, code=0
.248.160.35 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000446: 14:46:10: IP: s=66.248.160.35 (Dialer1), d=192.168.1.250 (Vlan1), len 56, dropped by inspect
000447: 14:46:10: ICMP type=3, code=3 ICMP type=0, code=0
000399: 14:45:22: IP: tableid=0, s=60.241.169.192 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000400: 14:45:22: IP: s=60.241.169.192 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000401: 14:45:22: ICMP type=3, code=1
000402: 14:45:23: IP: tableid=0, s=109.228.87.167 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000403: 14:45:23: IP: s=109.228.87.167 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000404: 14:45:23: ICMP type=3, code=3
000405: 14:45:23: IP: tableid=0, s=91.119.71.28 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000406: 14:45:23: IP: s=91.119.71.28 (Dialer1), d=192.168.1.250 (Vlan1), len 56, dropped by inspect
000407: 14:45:23: ICMP type=3, code=13
000408: *Feb 12 22:54:47.256 Athens: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Virtual-Access1: the fragment table has reached its maximum threshold 16
000409: 14:45:45: IP: tableid=0, s=86.163.47.171 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000410: 14:45:45: IP: s=86.163.47.171 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000411: 14:45:45: ICMP type=3, code=1
000412: 14:45:49: IP: tableid=0, s=94.113.247.45 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000413: 14:45:49: IP: s=94.113.247.45 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000414: 14:45:49: ICMP type=3, code=3
Is that correct?
02-14-2014 01:19 AM
I'm sorry, here it is again...
Kerberos#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/24 ms
Kerberos#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level critical, 0 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 376 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: disabled
Log Buffer (4096 bytes):
0, s=71.29.83.191 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000528: 14:47:47: IP: s=71.29.83.191 (Dialer1), d=192.168.1.250 (Vlan1), len 80, dropped by inspect
000529: 14:47:47: ICMP type=3, code=1
000530: 14:47:50: IP: tableid=0, s=71.29.83.191 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000531: 14:47:50: IP: s=71.29.83.191 (Dialer1), d=192.168.1.250 (Vlan1), len 80, dropped by inspect
000532: 14:47:50: ICMP type=3, code=1
000533: *Feb 12 22:57:08.852 Athens: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Virtual-Access1: the fragment table has reached its maximum threshold 16
000534: 14:47:53: IP: tableid=0, s=192.168.1.250 (Vlan1), d=194.219.227.2 (Dialer1), routed via FIB
000535: 14:47:53: IP: s=62.1.59.176 (Vlan1), d=194.219.227.2 (Dialer1), g=213.16.246.30, len 201, forward
000536: 14:47:53: ICMP type=3, code=3
000537: 14:47:54: IP: tableid=0, s=46.33.213.218 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000538: 14:47:54: IP: s=46.33.213.218 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000539: 14:47:54: ICMP type=3, code=3
000540: 14:47:55: IP: tableid=0, s=24.199.188.2 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000541: 14:47:55: IP: s=24.199.188.2 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000542: 14:47:55: ICMP type=3, code=3
000543: 14:47:55: IP: tableid=0, s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), routed via FIB
000544: 14:47:55: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending
000545: 14:47:55: ICMP type=8, code=0
000546: 14:47:55: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB
000547: 14:47:55: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3
000548: 14:47:55: ICMP type=0, code=0
000549: 14:47:55: IP: tableid=0, s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), routed via FIB
000550: 14:47:55: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending
000551: 14:47:55: ICMP type=8, code=0
000552: 14:47:55: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB
000553: 14:47:55: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3
000554: 14:47:55: ICMP type=0, code=0
000555: 14:47:55: IP: tableid=0, s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), routed via FIB
000556: 14:47:55: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending
000557: 14:47:55: ICMP type=8, code=0
000558: 14:47:55: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB
000559: 14:47:55: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3
000560: 14:47:55: ICMP type=0, code=0
000561: 14:47:55: IP: tableid=0, s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), routed via FIB
000562: 14:47:55: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending
000563: 14:47:55: ICMP type=8, code=0
000564: 14:47:55: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB
000565: 14:47:55: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3
000566: 14:47:55: ICMP type=0, code=0
000567: 14:47:55: IP: tableid=0, s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), routed via FIB
000568: 14:47:55: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending
000569: 14:47:55: ICMP type=8, code=0
000570: 14:47:55: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB
000571: 14:47:55: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3
000572: 14:47:55: ICMP type=0, code=0
000573: 14:47:56: IP: tableid=0, s=71.29.83.191 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000574: 14:47:56: IP: s=71.29.83.191 (Dialer1), d=192.168.1.250 (Vlan1), len 76, dropped by inspect
000575: 14:47:56: ICMP type=3, code=1
000576: 14:47:58: IP: tableid=0, s=71.20.125.203 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000577: 14:47:58: IP: s=71.20.125.203 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000578: 14:47:58: ICMP type=3, code=3
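Added example, not part of the original thread: a parser for `debug ip packet detail` output in the format shown above. It pairs each forwarding-decision line with the ICMP detail line that follows it, so the firewall drops on Dialer1 can be told apart from the router's own echo and echo-reply exchange with the modem on Vlan1. The sample log is constructed with documentation addresses, and the function names are made up for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the debug output above.
# Public addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
000001: 14:45:08: IP: tableid=0, s=203.0.113.10 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000002: 14:45:08: IP: s=203.0.113.10 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
000003: 14:45:08:     ICMP type=3, code=3
000004: 14:45:09: IP: tableid=0, s=198.51.100.7 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
000005: 14:45:09: IP: s=198.51.100.7 (Dialer1), d=192.168.1.250 (Vlan1), len 96, dropped by inspect
000006: 14:45:09:     ICMP type=11, code=0
000007: 14:45:10: IP: tableid=0, s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), routed via FIB
000008: 14:45:10: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending
000009: 14:45:10:     ICMP type=8, code=0
000010: 14:45:10: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB
000011: 14:45:10: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3
000012: 14:45:10:     ICMP type=0, code=0
000013: 14:45:11: IP: s=203.0.113.44 (Dialer1), d=192.0.2.1, len 123, dropped by local inspect
000014: 14:45:11:     ICMP type=3, code=1
000015: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Virtual-Access1: the fragment table has reached its maximum threshold 16
"""

# Forwarding-decision line: source, destination, length, disposition.
# The "routed via FIB/RIB" lookup lines start with "IP: tableid=" and do not match.
PACKET = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), d=(?P<dst>[\d.]+)"
    r"(?: \((?P<out_if>[^)]+)\))?(?:, g=[\d.]+)?, len (?P<len>\d+), (?P<disp>.+)$"
)
ICMP = re.compile(r"ICMP type=(?P<type>\d+), code=(?P<code>\d+)")
ICMP_NAMES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo", 11: "time-exceeded"}

def parse_debug(text):
    """Return one dict per packet, with the ICMP (type, code) when logged."""
    events, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = PACKET.search(line)
        if m:
            pending = m.groupdict()
            pending["len"] = int(pending["len"])
            pending["icmp"] = None
            events.append(pending)
            continue
        m = ICMP.search(line)
        # Attach ICMP detail only when it directly follows its packet line,
        # so truncated or interleaved buffer lines are not mis-paired.
        if m and pending is not None:
            pending["icmp"] = (int(m["type"]), int(m["code"]))
        pending = None
    return events

def summarize(events):
    """Count packets by (disposition, ingress interface, ICMP type name)."""
    counts = Counter()
    for e in events:
        if e["icmp"] is None:
            name = "no-icmp-detail"
        else:
            name = ICMP_NAMES.get(e["icmp"][0], f"type-{e['icmp'][0]}")
        counts[(e["disp"], e["in_if"], name)] += 1
    return counts

def firewall_drops(events):
    """Map each destination to the sorted sources whose packets were dropped."""
    drops = defaultdict(set)
    for e in events:
        if e["disp"].startswith("dropped by"):
            drops[e["dst"]].add(e["src"])
    return {dst: sorted(srcs) for dst, srcs in drops.items()}

if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_LOG)
    for key, n in sorted(summarize(parsed).items()):
        print(n, key)
    print(firewall_drops(parsed))
```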
02-14-2014 01:37 AM
Hi,
The firewall is dropping it, now let's do another test:
enable
clear log
ping x.x.x.x so Vlan1 where x.x.x.x is the zyxel IP
sh log
Regards
Alain
Don't forget to rate helpful posts.
02-14-2014 01:39 AM
Kerberos#clear log
Kerberos#clear logging
Clear logging buffer [confirm]
Kerberos#ping 192.168.1.100
Kerberos#ping 192.168.1.100 so
Kerberos#ping 192.168.1.100 source vla
Kerberos#ping 192.168.1.100 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms
Kerberos#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level critical, 0 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 7537 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: disabled
Log Buffer (4096 bytes):
n1), routed via FIB
004861: 15:09:14: IP: s=192.168.1.200 (local), d=192.168.1.100 (Vlan1), len 100, sending
004862: 15:09:14: ICMP type=8, code=0
004863: 15:09:14: IP: tableid=0, s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), routed via RIB
004864: 15:09:14: IP: s=192.168.1.100 (Vlan1), d=192.168.1.200 (Vlan1), len 100, rcvd 3
004865: 15:09:14: ICMP type=0, code=0
004866: 15:09:14: IP: tableid=0, s=114.229.202.185 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004867: 15:09:14: IP: s=114.229.202.185 (Dialer1), d=192.168.1.250 (Vlan1), len 159, dropped by inspect
004868: 15:09:14: ICMP type=3, code=3
004869: 15:09:15: IP: tableid=0, s=188.51.127.15 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004870: 15:09:15: IP: s=188.51.127.15 (Dialer1), d=192.168.1.250 (Vlan1), len 68, dropped by inspect
004871: 15:09:15: ICMP type=3, code=1
004872: 15:09:15: IP: tableid=0, s=1.196.229.203 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004873: 15:09:15: IP: s=1.196.229.203 (Dialer1), d=192.168.1.250 (Vlan1), len 56, dropped by inspect
004874: 15:09:15: ICMP type=3, code=3
004875: 15:09:16: IP: tableid=0, s=83.180.172.220 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004876: 15:09:16: IP: s=83.180.172.220 (Dialer1), d=192.168.1.250 (Vlan1), len 159, dropped by inspect
004877: 15:09:16: ICMP type=3, code=3
004878: 15:09:16: IP: tableid=0, s=41.57.98.223 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004879: 15:09:16: IP: s=41.57.98.223 (Dialer1), d=192.168.1.250 (Vlan1), len 86, dropped by inspect
004880: 15:09:16: ICMP type=3, code=3
004881: 15:09:17: IP: tableid=0, s=62.233.182.240 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004882: 15:09:17: IP: s=62.233.182.240 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
004883: 15:09:17: ICMP type=3, code=3
004884: 15:09:17: IP: tableid=0, s=66.176.201.210 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004885: 15:09:17: IP: s=66.176.201.210 (Dialer1), d=192.168.1.250 (Vlan1), len 68, dropped by inspect
004886: 15:09:17: ICMP type=3, code=1
004887: *Feb 12 23:18:35.383 Athens: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Virtual-Access1: the fragment table has reached its maximum threshold 16
004888: 15:09:19: IP: tableid=0, s=147.30.16.8 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004889: 15:09:19: IP: s=147.30.16.8 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
004890: 15:09:19: ICMP type=3, code=3
004891: 15:09:20: IP: tableid=0, s=69.157.103.90 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004892: 15:09:20: IP: s=69.157.103.90 (Dialer1), d=192.168.1.250 (Vlan1), len 159, dropped by inspect
004893: 15:09:20: ICMP type=3, code=1
004894: 15:09:20: IP: tableid=0, s=83.53.230.8 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004895: 15:09:20: IP: s=83.53.230.8 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
004896: 15:09:20: ICMP type=3, code=3
004897: 15:09:20: IP: tableid=0, s=38.107.218.2 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004898: 15:09:20: IP: s=38.107.218.2 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
004899: 15:09:20: ICMP type=3, code=3
004900: 15:09:20: IP: tableid=0, s=122.2.135.105 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004901: 15:09:20: IP: s=122.2.135.105 (Dialer1), d=192.168.1.250 (Vlan1), len 96, dropped by inspect
004902: 15:09:20: ICMP type=11, code=0
004903: 15:09:21: IP: tableid=0, s=2.71.126.85 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004904: 15:09:21: IP: s=2.71.126.85 (Dialer1), d=192.168.1.250 (Vlan1), len 123, dropped by inspect
004905: 15:09:21: ICMP type=3, code=3
004906: 15:09:21: IP: tableid=0, s=118.160.44.163 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004907: 15:09:21: IP: s=118.160.44.163 (Dialer1), d=192.168.1.250 (Vlan1), len 159, dropped by inspect
004908: 15:09:21: ICMP type=3, code=3
004909: 15:09:21: IP: tableid=0, s=89.132.6.46 (Dialer1), d=192.168.1.250 (Vlan1), routed via FIB
004910: 15:09:21: IP: s=89.132.6.46 (Dialer1), d=192.168.1.250 (Vlan1)
02-14-2014 02:17 AM
Hi,
Can you connect a laptop to f3, for example, and give it 192.168.1.199 mask 255.255.255.0, default gw = 192.168.1.100 (vlan 1), and try to ping the ZyXEL from it?
As they are in the same subnet, the PC shouldn't use the VLAN interface and the packets will just be L2 switched.
We shouldn't see any debug if we do this now:
enable
conf t
ip access-list extended 199
no 10
10 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.200 echo
do clear log
Do the test and issue the command: do sh log
Then if it works, it means that indeed we can have a dialer linked to an L2 interface, but that is not good practice for me.
Can you try to change this port to L3 like this:
int f0
no switchport
I'm not sure it can be done on this platform though
Regards
Alain
Don't forget to rate helpful posts.
02-14-2014 02:44 AM
Yes indeed, I can ping the ZyXEL from a laptop like you described. I don't like it either, to be honest; it confuses me a lot.
I'm trying to give the command on FastEthernet0 ... and it asks for
Kerberos(config-if)#no switchport acc
Kerberos(config-if)#no switchport access ?
vlan Set VLAN when interface is in access mode
I issued
#no switchport access vlan 1 on interface fae0 but it had no effect; I can still access the ZyXEL.
02-14-2014 02:59 AM
Hi,
Can't you simply do no switchport? What does "no switchport ?" tell you?
Regards
Alain
Don't forget to rate helpful posts.
02-14-2014 03:06 AM
Kerberos#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Kerberos(config)#int
Kerberos(config)#interface fa
Kerberos(config)#interface fastEthernet 0
Kerberos(config-if)#no sw
Kerberos(config-if)#no switchport
% Incomplete command.
If I put ? it asks
Kerberos(config-if)#no switchport ?
access Set access mode characteristics of the interface
mode Set trunking mode of the interface
priority Set 802.1p priorities
trunk Set trunking characteristics of the interface
voice Voice appliance attributes
Kerberos(config-if)#no switchport
02-14-2014 03:13 AM
Well, it works, it's OK. I just wanted to see if there was a way to isolate port Eth0 from the rest of the LAN interfaces.
02-14-2014 03:44 AM
Hi,
You can't make it an L3 routed port, so if you have IOS 15 you can do an intra-zone policy with ZBF, or you can maybe put an L2 access-list if it is possible on this platform, but I'm not sure it is.
Regards
Alain
Don't forget to rate helpful posts.
02-14-2014 03:52 AM
Well, I will try the above you mentioned and will post any results in the future.
Thanks a lot for spending your time to help.
Cheers!!