Cisco ISR 892: LAN has no internet connectivity

it, Level 1

Hi there,

I'm new to Cisco products and am currently configuring an ISR 892 without Wi-Fi. I got the start-up config working and am now stuck with zone-based firewalling.

I configured four zones: private, dmz, internet-static and internet-dial. The private zone is configured for Vlan1, which covers one Ethernet switch port connected to the LAN. The dmz zone is currently not configured. The internet-static zone is configured for GigabitEthernet0, which connects us to our ISP providing a static IP. Internet-dial is configured for FastEthernet8 and connects to another ISP using a dial-up ADSL line, which is currently not connected.

So, in short: I'm trying to connect the private zone to internet-static and get traffic flowing, but can't get this working. The private zone can talk to the router and the router can talk to the internet.

I suppose I forgot some basic configuration for the router itself because the zone configuration was done with the help of this config guide:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Is there any other step-by-step config guide available for newbies like me?

Thanks in advance!

Regards

Christian

This is my current running config:

Current configuration : 6076 bytes

!
! Last configuration change at 08:26:03 UTC Thu Feb 3 2011 by admin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname cisco892
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096
!
no aaa new-model
!
ip source-route
!
!
!
no ip dhcp conflict logging
!
!
ip cef
ip domain name corp.local
ip name-server 212.202.215.1
ip name-server 212.202.215.2
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type regex ccp-regex-nonascii
 pattern [^\x00-\x80]
!
!
object-group network corp_production
 192.168.10.0 255.255.255.0
!
!
!
!
!
no ip ftp passive
!
class-map type inspect match-any m-prot-general
 match protocol tcp
 match protocol udp
class-map type inspect match-any m-prot-web
 match protocol http
 match protocol https
class-map type inspect match-any m-prot-email
 match protocol smtp
 match protocol imap
 match protocol imaps
 match protocol imap3
 match protocol pop3
 match protocol pop3s
class-map type inspect match-any m-prot-time
 match protocol ntp
class-map type inspect match-any m-prot-icmp
 match protocol icmp
class-map type inspect match-any m-prot-naming
 match protocol dns
class-map type inspect match-any m-prot-filetransfer
 match protocol ftp
 match protocol ftps
!
!
policy-map type inspect m-pol-allow-general
 class type inspect m-prot-icmp
  pass log
 class type inspect m-prot-general
  pass log
 class class-default
  drop
policy-map type inspect m-pol-allow-icmp
 class type inspect m-prot-naming
  pass
 class type inspect m-prot-icmp
  pass
 class class-default
  drop
!
zone security dmz
zone security private
zone security internet-static
zone security internet-dial
zone-pair security private-2-internet-static source private destination internet-static
 service-policy type inspect m-pol-allow-general
zone-pair security private-2-dmz source private destination dmz
 service-policy type inspect m-pol-allow-general
zone-pair security internet-static-2-dmz source internet-static destination dmz
 service-policy type inspect m-pol-allow-icmp
!
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
 isdn point-to-point-setup
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 description wan1$FW_OUTSIDE$$ETH-WAN$
 no ip address
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 shutdown
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
 description wan2$ETH-WAN$$FW_OUTSIDE$
 ip address 212.61.253.99 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 zone-member security internet-static
 duplex auto
 speed auto
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.10.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security private
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip virtual-reassembly in
 zone-member security internet-dial
 encapsulation ppp
 dialer pool 1
 dialer-group 3
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 212.61.253.97
!
logging esm config
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
end

5 Replies

cadet alain, VIP Alumni (accepted solution)

Hi,

To get your config working, replace "pass log" with "inspect" in

policy-map type inspect m-pol-allow-general
 class type inspect m-prot-icmp
  pass log
 class type inspect m-prot-general
  pass log
 class class-default
  drop
policy-map type inspect m-pol-allow-icmp
 class type inspect m-prot-naming
  pass
 class type inspect m-prot-icmp
  pass
 class class-default
  drop

and add "ip inspect log drop-pkt" to your config.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

That did it, thanks! Actually, replacing "pass log" with "inspect" was enough to let traffic flow. So why "inspect" instead of "pass"? In my understanding both do basically the same: passing traffic, with or without inspection.

Thanks again

Christian

It applies a set of inspection rules to an interface, and there are two different modes for this command: configuration mode and interface configuration mode.

Whereas IP pass-through will pass the traffic without any middle device...

Hope this clears it up for you...

Regards,
Naidu.

Hi,

inspect: stateful inspection, so the traffic is allowed in one direction and the return traffic is allowed in the other direction, like on a PIX/ASA.

pass: traffic is not inspected and it is allowed to pass in one direction only, so you need another pass for the return traffic.

Regards.

Alain.

Don't forget to rate helpful posts.
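Alain's fix applied to the two policy-maps from the running config posted above, written out here as an added example; it is not configuration from the thread or from Cisco. Policy-map, class-map and zone-pair names are the ones Christian posted. The "drop log" on class-default and the "show" command at the end are additions of this example (the thread only uses "drop"), so that class-default drops are visible and the session table can be checked after the change:

```cisco
! Log packets dropped by the inspect policy, as Alain suggested,
! so a blocked flow shows up in the log buffer instead of silently failing.
ip inspect log drop-pkt
!
! private -> internet-static. "inspect" creates a session entry when the
! first packet leaves the LAN; the reply from the Internet is matched against
! that entry and allowed back, so no reverse zone-pair is needed. "pass"
! forwards one direction only and would require a second pass for the reply.
policy-map type inspect m-pol-allow-general
 class type inspect m-prot-icmp
  inspect
 class type inspect m-prot-general
  inspect
 class class-default
  drop log
!
! internet-static -> dmz: same change, dns and icmp are inspected instead of passed.
policy-map type inspect m-pol-allow-icmp
 class type inspect m-prot-naming
  inspect
 class type inspect m-prot-icmp
  inspect
 class class-default
  drop log
!
! The zone-pairs stay exactly as in the running config; only the actions change.
zone-pair security private-2-internet-static source private destination internet-static
 service-policy type inspect m-pol-allow-general
zone-pair security internet-static-2-dmz source internet-static destination dmz
 service-policy type inspect m-pol-allow-icmp
!
! Verification (assumes a host in 192.168.10.0/24 has just opened a connection):
! sessions built by "inspect" are listed here; with "pass" the list stays empty,
! which is the quickest way to tell the two actions apart on the box itself.
! show policy-map type inspect zone-pair private-2-internet-static sessions
```

The "drop log" on class-default is worth keeping even once things work: together with "ip inspect log drop-pkt" it turns an unexplained "LAN has no internet" into a log line naming the zone-pair and the flow that was dropped.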

Hi,

OK, so I misunderstood the concept/meaning of "inspect". Thanks a lot for the clarification!

Regards

Christian