10-29-2021 09:24 AM - edited 10-29-2021 09:26 AM
We have a brand new Cisco ISR4321 with an 8 port module (NIM-ES2-8). We are migrating to it from a combination of a Cisco ASA 5505 and Cisco 2801.
The current environment includes 2 separate LANs and a DMZ all segmented by VLANs.
LAN 1: VLAN1 with 192.168.x.x network
LAN 2: VLAN2 with 10.x.x.x network
DMZ: VLAN3 with 192.168.y.y network (two ports for this one)
I'm noticing I don't have the ability to set security levels on any of the NIM-ES2-8 card ports, leaving me with only the two Gb0/0/0 and Gb0/0/1 ports that can accept a security level. I am trying to set things up in a test environment to see if I can recreate the old environment with just the Cisco 4321. I'm looking to see whether I can achieve what I'm aiming for.
11-03-2021 03:09 PM
Hello,
a zone based firewall is a good idea. I completed/changed the configuration of your router to reflect:
- HBugLAN/ROELAN/DMZ cannot talk to each other
- HBugLAN/ROELAN/DMZ can access the Internet
Building configuration...
Current configuration : 5864 bytes
!
! Last configuration change at 16:30:14 CST Wed Nov 3 2021 by admin
! NVRAM config last updated at 17:48:32 CST Tue Nov 2 2021 by admin
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscoisr
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$5ccN$4stDTw2XOCS8ZIihrL3EH1
enable password "Removed"
!
no aaa new-model
clock timezone CST -6 0
!
ip name-server "Removed" "Removed"
ip domain name "Removed"
ip dhcp excluded-address 10.10.11.0 10.255.255.255
ip dhcp excluded-address 10.0.0.0 10.10.10.10
!
ip dhcp pool router-dhcp
network 10.0.0.0 255.0.0.0
default-router 10.10.10.254
dns-server "removed" "removed"
lease 3
!
ip dhcp pool roedhcp
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server "removed" "removed"
lease 3
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3425543225
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3425543225
revocation-check none
rsakeypair TP-self-signed-3425543225
!
crypto pki certificate chain TP-self-signed-3425543225
!
license udi pid ISR4321/K9 sn FLM25160AU8
diagnostic bootup level minimal
spanning-tree extend system-id
!
username webui privilege 15 password 0 "removed"
username admin privilege 15 secret 5 $1$GqDt$j3m3KioD/XeYU/B7Ie9qV/
username cisco password 0 "removed"
username sshadmin privilege 15 password 0 "removed"
username "removed" privilege 15 password 0 "removed"
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
class-map type inspect match-any ALL_PROTOCOLS_CM
match protocol http
match protocol https
match protocol dns
match protocol tcp
match protocol udp
match protocol icmp
match protocol ftp
!
class-map type inspect match-all HBugLAN_TO_ROELAN_CM
match access-group name HBugLAN_TO_ROELAN_ACL
!
class-map type inspect match-all HBugLAN_TO_DMZ_CM
match access-group name HBugLAN_TO_DMZ_ACL
!
policy-map type inspect HBugLAN_TO_ROELAN_PM
class type inspect HBugLAN_TO_ROELAN_CM
drop
class class-default
drop
!
policy-map type inspect HBugLAN_TO_DMZ_PM
class type inspect HBugLAN_TO_DMZ_CM
drop
class class-default
drop
!
policy-map type inspect HBugLAN_TO_WAN_PM
class type inspect ALL_PROTOCOLS_CM
inspect
class class-default
drop
policy-map type inspect ROELAN_TO_WAN_PM
class type inspect ALL_PROTOCOLS_CM
inspect
class class-default
drop
policy-map type inspect DMZ_TO_WAN_PM
class type inspect ALL_PROTOCOLS_CM
inspect
class class-default
drop
!
zone security WAN
description Outside
zone security HBugLAN
description Inside
zone security ROELAN
description Inside
zone security DMZ
description Inside
zone-pair security HBugLAN_TO_WAN_ZP source HBugLAN destination WAN
service-policy type inspect HBugLAN_TO_WAN_PM
zone-pair security ROELAN_TO_WAN_ZP source ROELAN destination WAN
service-policy type inspect ROELAN_TO_WAN_PM
zone-pair security DMZ_TO_WAN_ZP source DMZ destination WAN
service-policy type inspect DMZ_TO_WAN_PM
zone-pair security HBugLAN_TO_ROELAN_ZP source HBugLAN destination ROELAN
service-policy type inspect HBugLAN_TO_ROELAN_PM
zone-pair security HBugLAN_TO_DMZ_ZP source HBugLAN destination DMZ
service-policy type inspect HBugLAN_TO_DMZ_PM
!
interface GigabitEthernet0/0/0
description ICN Test
ip address "removed" 255.255.255.248
ip nat outside
zone-member security WAN
speed 100
negotiation auto
spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security ROELAN
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 3
ip address 192.168.1.254 255.255.255.0
ip nat inside
zone-member security DMZ
!
interface GigabitEthernet0/0/1
description HBug
ip address 10.10.10.254 255.0.0.0
ip nat inside
zone-member security HBugLAN
speed 100
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
description ROE
switchport access vlan 2
switchport trunk native vlan 2
switchport trunk allowed vlan 2
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
zone-member security DMZ
spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
spanning-tree portfast disable
!
interface GigabitEthernet0/1/4
spanning-tree portfast disable
!
interface GigabitEthernet0/1/5
spanning-tree portfast disable
!
interface GigabitEthernet0/1/6
description DMZ
switchport trunk native vlan 3
switchport trunk allowed vlan 3
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/7
description DMZ
switchport trunk native vlan 3
switchport trunk allowed vlan 3
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan2
no ip address
zone-member security ROELAN
!
interface Vlan3
no ip address
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 "removed"
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
ip access-list extended HBugLAN_TO_ROELAN_ACL
permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
ip access-list extended HBugLAN_TO_DMZ_ACL
permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
banner login ^CNo unauthorized access is allowed.^C
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password "removed"
login local
length 0
transport input ssh
line vty 5 15
password "removed"
login local
transport input ssh
!
event manager applet 40storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute 8.8.8.8 source GigabitEthernet0/0/1"
action 003 file open TECHFILE bootflash:40sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE
10-29-2021 11:18 AM
Hello,
What does your entire configuration look like? You cannot set any security levels on the layer 2 ports; you can set e.g. access lists on the VLAN or subinterfaces...
11-03-2021 12:13 PM
I've been playing around with it, and I've gotten to the point where I can get Internet connection on G0/0/1 using a 10.10.10.x address. However, we're hoping to replace our ASA with this device too instead of just the 2801 router. In the ASA we use several VLANs to isolate network traffic and to create a DMZ. I'm not quite understanding how I can accomplish the same task in this ISR 4321 router.
Here's the config so far... it's a bit of a mess.
Wed Nov 03 2021 14:04:18 GMT-0700 (Pacific Daylight Time)
===================================================================================
#show running-config
Building configuration...
Current configuration : 5864 bytes
!
! Last configuration change at 16:30:14 CST Wed Nov 3 2021 by admin
! NVRAM config last updated at 17:48:32 CST Tue Nov 2 2021 by admin
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscoisr
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$5ccN$4stDTw2XOCS8ZIihrL3EH1
enable password "Removed"
!
no aaa new-model
clock timezone CST -6 0
!
ip name-server "Removed" "Removed"
ip domain name "Removed"
ip dhcp excluded-address 10.10.11.0 10.255.255.255
ip dhcp excluded-address 10.0.0.0 10.10.10.10
!
ip dhcp pool router-dhcp
network 10.0.0.0 255.0.0.0
default-router 10.10.10.254
dns-server "removed" "removed"
lease 3
!
ip dhcp pool roedhcp
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server "removed" "removed"
lease 3
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3425543225
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3425543225
revocation-check none
rsakeypair TP-self-signed-3425543225
!
!
crypto pki certificate chain TP-self-signed-3425543225
!
!
license udi pid ISR4321/K9 sn FLM25160AU8
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
!
!
!
!
username webui privilege 15 password 0 "removed"
username admin privilege 15 secret 5 $1$GqDt$j3m3KioD/XeYU/B7Ie9qV/
username cisco password 0 "removed"
username sshadmin privilege 15 password 0 "removed"
username "removed" privilege 15 password 0 "removed"
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all AllowROE
description Allow ROE Traffic
match access-group name AllowROE_acl
class-map type inspect match-all AllowOutgoing
match access-group name AllowOutgoing_acl
!
policy-map type inspect ROELAN-WAN-POLICY
class type inspect AllowROE
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-WAN-POLICY
class type inspect AllowOutgoing
inspect
class class-default
drop log
!
zone security WAN
description Outside (Internet)
zone security HBugLAN
description Inside (HBug 10.x.x.x LAN)
zone security ROELAN
description Inside (ROE 192.168.2.x LAN)
zone security DMZ
description Inside (DMZ 192.168.1.x LAN)
zone-pair security HBUGLAN-WAN source HBugLAN destination WAN
service-policy type inspect HBUGLAN-WAN-POLICY
zone-pair security ROELAN-WAN source ROELAN destination WAN
service-policy type inspect ROELAN-WAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description ICN Test
ip address "removed" 255.255.255.248
ip nat outside
zone-member security WAN
speed 100
negotiation auto
spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
zone-member security ROELAN
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 3
ip address 192.168.1.254 255.255.255.0
zone-member security DMZ
!
interface GigabitEthernet0/0/1
description HBug
ip address 10.10.10.254 255.0.0.0
ip nat inside
zone-member security HBugLAN
speed 100
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
description ROE
switchport access vlan 2
switchport trunk native vlan 2
switchport trunk allowed vlan 2
ip access-group AllowROE_acl in
ip access-group AllowROE_acl out
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
zone-member security DMZ
spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
spanning-tree portfast disable
!
interface GigabitEthernet0/1/4
spanning-tree portfast disable
!
interface GigabitEthernet0/1/5
spanning-tree portfast disable
!
interface GigabitEthernet0/1/6
description DMZ
switchport trunk native vlan 3
switchport trunk allowed vlan 3
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/7
description DMZ
switchport trunk native vlan 3
switchport trunk allowed vlan 3
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan2
no ip address
zone-member security ROELAN
!
interface Vlan3
no ip address
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 "removed"
!
!
!
ip access-list extended AllowOutgoing_acl
permit ip any any
ip access-list extended AllowROE_acl
permit ip any any
access-list 10 permit 10.0.0.0 0.255.255.255
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
banner login ^CNo unauthorized access is allowed.^C
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password "removed"
login local
length 0
transport input ssh
line vty 5 15
password "removed"
login local
transport input ssh
!
!
!
!
!
event manager applet 40storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute 8.8.8.8 source GigabitEthernet0/0/1"
action 003 file open TECHFILE bootflash:40sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE
!
end
11-05-2021 07:10 AM - edited 11-05-2021 07:10 AM
Thank you for the assistance. I think I've started to wrap my head around the zone setup and started configuring that yesterday. Not sure if I should start another thread for this or not, but I'm having trouble getting Internet access when I connect the laptop to the ports for VLAN2 (Gb0/1/0) and VLAN3 (Gb0/1/6 and Gb0/1/7). I pull an appropriate IP address but am not getting Internet access.
Updated Config:
Fri Nov 05 2021 08:58:00 GMT-0700 (Pacific Daylight Time)
===================================================================================
#show running-config
Building configuration...
Current configuration : 11724 bytes
!
! Last configuration change at 13:34:30 CST Fri Nov 5 2021 by admin
! NVRAM config last updated at 17:48:32 CST Tue Nov 2 2021 by admin
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscoisr
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$5ccN$4stDTw2XOCS8ZIihrL3EH1
enable password "removed"
!
no aaa new-model
clock timezone CST -6 0
!
ip name-server 206.166.1.109 206.166.1.110
ip domain name ciscoisr.cisco.com
ip dhcp excluded-address 10.10.11.0 10.255.255.255
ip dhcp excluded-address 10.0.0.0 10.10.10.10
!
ip dhcp pool router-dhcp
network 10.0.0.0 255.0.0.0
default-router 10.10.10.254
dns-server 206.166.1.110 206.166.1.109
lease 3
!
ip dhcp pool roedhcp
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 206.166.1.110 206.166.1.109
lease 3
!
ip dhcp pool DMZDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 206.166.1.109 206.166.1.110
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3425543225
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3425543225
revocation-check none
rsakeypair TP-self-signed-3425543225
!
!
crypto pki certificate chain TP-self-signed-3425543225
!
!
license udi pid ISR4321/K9 sn FLM25160AU8
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
!
!
object-group network Barracuda_dst_net
host 10.10.10.3
!
object-group service Barracuda_svc
tcp eq 22
tcp eq www
tcp eq 123
tcp eq 443
tcp eq 1194
tcp eq 5120
tcp range 5121 5129
udp eq 22
udp eq 80
udp eq ntp
udp eq 443
udp eq 1194
udp eq 5120
udp range 5121 5129
!
object-group network WANtoChildFindWS_dst_net
host 192.168.1.101
!
object-group network WANtoHBugWS_dst_net
host 192.168.1.100
!
object-group network WANtoMailServer_dst_net
host 10.10.10.197
!
object-group service WANtoMailServer_svc
tcp eq 32000
!
object-group network WANtoVPNHBug_dst_net
host 10.10.10.32
!
object-group service WANtoVPNHBug_svc
udp eq 1194
!
object-group network WANtoVPNROE_dst_net
host 192.168.2.50
!
object-group service WANtoVPNROE_svc
udp eq 1194
!
!
!
username webui "removed"
username admin privilege 15 secret 5 "removed"
username cisco password 0 "removed"
username sshadmin privilege 15 password 0 "removed"
username "removed" privilege 15 password 0 "removed"
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all DMZtoWAN
description DMZ outgoing traffic to Internet
match access-group name DMZtoWAN_acl
class-map type inspect match-all HBugLANtoDMZ
description HBugLAN outgoing traffic to DMZ
match access-group name HBugLANtoDMZ_acl
class-map type inspect match-all WANtoVPNHBug
description Wan traffic to HBug Open VPN service
match access-group name WANtoVPNHBug_acl
class-map type inspect match-any WANtoChildFindWS_app
match protocol http
match protocol https
class-map type inspect match-all HBugLANtoWAN
description HBugLAN outgoing traffic to Internet
match access-group name HBugLANtoWAN_acl
class-map type inspect match-all ROELANtoDMZ
description ROELAN outgoing traffic to DMZ
match access-group name ROELANtoDMZ_acl
class-map type inspect match-all WANtoVPNROE
description WAN to VPN Server for ROE
match access-group name WANtoVPNROE_acl
class-map type inspect match-all ROELANtoWAN
description ROELAN outgoing traffic to Internet
match access-group name ROELANtoWAN_acl
class-map type inspect match-all HBugLANtoROELAN
description HBugLAN outgoing traffic to ROELAN
match access-group name HBugLANtoROELAN_acl
class-map type inspect match-all ROELANtoHBugLAN
description ROE outgoing traffic to HBugLAN
match access-group name ROELANtoHBugLAN_acl
class-map type inspect match-any WANtoHBugWS_app
match protocol http
match protocol https
class-map type inspect match-any Barracuda_app
match protocol http
match protocol https
class-map type inspect match-any WANtoMailServer_app
match protocol pop3
match protocol smtp
match protocol http
class-map type inspect match-all WANtoChildFindWS
description Traffic to Child Find Web Server
match class-map WANtoChildFindWS_app
match access-group name WANtoChildFindWS_acl
class-map type inspect match-all WANtoMailServer
description Traffic to Mail Server
match class-map WANtoMailServer_app
match access-group name WANtoMailServer_acl
class-map type inspect match-all Barracuda
description WAN traffic to Barracuda
match class-map Barracuda_app
match access-group name Barracuda_acl
class-map type inspect match-all WANtoHBugWS
description WAN to HBug website
match class-map WANtoHBugWS_app
match access-group name WANtoHBugWS_acl
!
policy-map type inspect HBUGLAN-ROELAN-POLICY
class type inspect HBugLANtoROELAN
drop
class class-default
drop log
policy-map type inspect ROELAN-HBUGLAN-POLICY
class type inspect ROELANtoHBugLAN
drop
class class-default
drop log
policy-map type inspect WAN-HBUGLAN-POLICY
class type inspect Barracuda
inspect
class type inspect WANtoVPNHBug
inspect
class type inspect WANtoMailServer
inspect
class class-default
drop log
policy-map type inspect ROELAN-WAN-POLICY
class type inspect ROELANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-WAN-POLICY
class type inspect HBugLANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-DMZ-POLICY
class type inspect HBugLANtoDMZ
inspect
class class-default
drop log
policy-map type inspect DMZ-WAN-POLICY
class type inspect DMZtoWAN
inspect
class class-default
drop log
policy-map type inspect WAN-DMZ-POLICY
class type inspect WANtoHBugWS
inspect
class type inspect WANtoChildFindWS
inspect
class class-default
drop log
policy-map type inspect ROELAN-DMZ-POLICY
class type inspect ROELANtoDMZ
inspect
class class-default
drop log
policy-map type inspect WAN-ROELAN-POLICY
class type inspect WANtoVPNROE
inspect
class class-default
drop log
!
zone security WAN
description Outside (Internet)
zone security HBugLAN
description Inside (HBug 10.x.x.x LAN)
zone security ROELAN
description Inside (ROE 192.168.2.x LAN)
zone security DMZ
description Inside (DMZ 192.168.1.x LAN)
zone-pair security DMZ-WAN source DMZ destination WAN
service-policy type inspect DMZ-WAN-POLICY
zone-pair security HBUGLAN-DMZ source HBugLAN destination DMZ
service-policy type inspect HBUGLAN-DMZ-POLICY
zone-pair security HBUGLAN-ROELAN source HBugLAN destination ROELAN
service-policy type inspect HBUGLAN-ROELAN-POLICY
zone-pair security HBUGLAN-WAN source HBugLAN destination WAN
service-policy type inspect HBUGLAN-WAN-POLICY
zone-pair security ROELAN-DMZ source ROELAN destination DMZ
service-policy type inspect ROELAN-DMZ-POLICY
zone-pair security ROELAN-HBUGLAN source ROELAN destination HBugLAN
service-policy type inspect ROELAN-HBUGLAN-POLICY
zone-pair security ROELAN-WAN source ROELAN destination WAN
service-policy type inspect ROELAN-WAN-POLICY
zone-pair security WAN-DMZ source WAN destination DMZ
service-policy type inspect WAN-DMZ-POLICY
zone-pair security WAN-HBUGLAN source WAN destination HBugLAN
service-policy type inspect WAN-HBUGLAN-POLICY
zone-pair security WAN-ROELAN source WAN destination ROELAN
service-policy type inspect WAN-ROELAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description ICN Test
ip address "removed" 255.255.255.248
ip nat outside
zone-member security WAN
speed 100
negotiation auto
spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 3
!
interface GigabitEthernet0/0/1
description HBug
ip address 10.10.10.254 255.0.0.0
ip nat inside
zone-member security HBugLAN
speed 100
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
description ROE
switchport access vlan 2
switchport trunk native vlan 2
switchport trunk allowed vlan 2
switchport mode access
ip access-group AllowROE_acl in
ip access-group AllowROE_acl out
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
spanning-tree portfast disable
!
interface GigabitEthernet0/1/4
spanning-tree portfast disable
!
interface GigabitEthernet0/1/5
spanning-tree portfast disable
!
interface GigabitEthernet0/1/6
description DMZ
switchport access vlan 3
switchport trunk native vlan 3
switchport trunk allowed vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/7
description DMZ
switchport access vlan 3
switchport trunk native vlan 3
switchport trunk allowed vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
zone-member security ROELAN
!
interface Vlan3
ip address 192.168.1.254 255.255.255.0
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 "removed"
!
!
!
ip access-list extended Barracuda_acl
permit object-group Barracuda_svc any object-group Barracuda_dst_net
ip access-list extended DMZtoWAN_acl
permit ip any any
ip access-list extended HBugLANtoDMZ_acl
permit ip any any
ip access-list extended HBugLANtoROELAN_acl
permit ip any any
ip access-list extended HBugLANtoWAN_acl
permit ip any any
ip access-list extended ROELANtoDMZ_acl
permit ip any any
ip access-list extended ROELANtoHBugLAN_acl
permit ip any any
ip access-list extended ROELANtoWAN_acl
permit ip any any
ip access-list extended WANtoChildFindWS_acl
permit ip any object-group WANtoChildFindWS_dst_net
ip access-list extended WANtoHBugWS_acl
permit ip any object-group WANtoHBugWS_dst_net
ip access-list extended WANtoMailServer_acl
permit object-group WANtoMailServer_svc any object-group WANtoMailServer_dst_net
ip access-list extended WANtoVPNHBug_acl
permit object-group WANtoVPNHBug_svc any object-group WANtoVPNHBug_dst_net
ip access-list extended WANtoVPNROE_acl
permit object-group WANtoVPNROE_svc any object-group WANtoVPNROE_dst_net
access-list 10 permit 10.0.0.0 0.255.255.255
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
banner login ^CNo unauthorized access is allowed.^C
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password "removed"
login local
transport input ssh
line vty 5 15
password "removed"
login local
transport input ssh
!
!
!
!
!
event manager applet 40storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute 8.8.8.8 source GigabitEthernet0/0/1"
action 003 file open TECHFILE bootflash:40sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE
!
end
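The accepted solution above builds the isolation purely from zones and zone-pairs, and a running-config like the one in this post is hard to eyeball for the things that matter in that model: whether each pair of interfaces ends up in a zone-pair whose policy permits something, whether every addressed interface is a zone member at all, and whether the LAN interfaces carry a NAT role. The following Python script is an added example, not code from the thread, from the poster, or from Cisco. It parses a small IOS config constructed for this example (interface, zone and policy names mirror the thread; 203.0.113.2 is a documentation address standing in for the redacted WAN address), reports the zone-based firewall decision for each interface pair, and lists addressed interfaces that belong to no zone or have neither `ip nat inside` nor `ip nat outside`. The parser covers only the statements the check needs (interface, policy-map, zone-pair) and assumes the `!` separators of a running-config; the forwarding rules it encodes are the documented ZBFW ones: intra-zone traffic passes, inter-zone traffic needs a zone-pair with a permitting policy, and traffic between a zoned and an unzoned interface is dropped.

```python
# Static checker for a Cisco IOS zone-based firewall (ZBFW) config. Added example for
# this thread, not the poster's or Cisco's code. Assumed IOS semantics: intra-zone
# traffic passes, inter-zone traffic needs a zone-pair whose policy inspects or passes
# it, and traffic between a zoned interface and an unzoned one is dropped.

# Constructed sample in the style of the thread's configs; 203.0.113.2 is a
# documentation address standing in for the redacted WAN address.
SAMPLE_CONFIG = """\
policy-map type inspect HBugLAN_TO_WAN_PM
 class type inspect ALL_PROTOCOLS_CM
  inspect
 class class-default
  drop
!
zone-pair security HBugLAN_TO_WAN_ZP source HBugLAN destination WAN
 service-policy type inspect HBugLAN_TO_WAN_PM
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 zone-member security WAN
!
interface GigabitEthernet0/0/1
 ip address 10.10.10.254 255.0.0.0
 ip nat inside
 zone-member security HBugLAN
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 zone-member security ROELAN
!
interface Vlan3
 ip address 192.168.1.254 255.255.255.0
!
"""

def parse_config(text):
    """Collect per-interface ip/zone/nat, the policy of each zone-pair, and each policy's class actions."""
    cfg = {"ip": {}, "zone": {}, "nat": {}, "pair": {}, "policy": {}}
    ctx = cur_class = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            ctx = None                        # "!" ends the current block
        elif w[0] == "interface":
            ctx = ("interface", w[1])
        elif w[0] == "policy-map":
            ctx, cur_class = ("policy", w[-1]), None
        elif w[0] == "zone-pair":             # zone-pair security NAME source S destination D
            ctx = ("pair", (w[w.index("source") + 1], w[w.index("destination") + 1]))
        elif ctx is None or w[0] in ("zone", "class-map"):
            ctx = None                        # other top-level statements are not needed
        elif ctx[0] == "interface":
            key = {"ip address": "ip", "ip nat": "nat", "zone-member security": "zone"}.get(" ".join(w[:2]))
            if key:
                cfg[key][ctx[1]] = w[2]       # address, inside/outside, or zone name
        elif ctx[0] == "policy":
            if w[0] == "class":               # "class type inspect X" or "class class-default"
                cur_class = w[-1]
            elif w[0] in ("inspect", "pass", "drop") and cur_class:
                cfg["policy"].setdefault(ctx[1], {})[cur_class] = w[0]
        elif ctx[0] == "pair" and w[0] == "service-policy":
            cfg["pair"][ctx[1]] = w[-1]
    return cfg

def zone_verdict(cfg, src_zone, dst_zone):
    """ZBFW decision (action, reason) for traffic from src_zone to dst_zone."""
    if src_zone == dst_zone:
        return "pass", "intra-zone traffic is forwarded without inspection"
    policy = cfg["pair"].get((src_zone, dst_zone))
    if policy is None:
        return "drop", f"no zone-pair {src_zone}->{dst_zone}: inter-zone traffic drops by default"
    actions = cfg["policy"].get(policy, {})
    allowed = sorted(c for c, a in actions.items() if c != "class-default" and a != "drop")
    default = actions.get("class-default", "drop")    # a missing class-default drops
    if allowed:
        return "inspect", f"{policy}: {allowed} permitted, everything else {default}"
    return default, f"{policy}: no class permits traffic"

def interface_verdict(cfg, src_if, dst_if):
    """ZBFW decision for traffic entering src_if and leaving dst_if."""
    zs, zd = cfg["zone"].get(src_if), cfg["zone"].get(dst_if)
    if zs is None and zd is None:
        return "pass", "neither interface is a zone member, ZBFW does not apply"
    if zs is None or zd is None:
        return "drop", f"{src_if if zs is None else dst_if} has no zone-member: zoned<->unzoned traffic is dropped"
    return zone_verdict(cfg, zs, zd)

def unzoned_l3_interfaces(cfg):
    """Addressed interfaces in no zone: isolated from every zoned interface."""
    return sorted(i for i in cfg["ip"] if i not in cfg["zone"])

def interfaces_without_nat_role(cfg):
    """Addressed interfaces with neither 'ip nat inside' nor 'ip nat outside'."""
    return sorted(i for i in cfg["ip"] if i not in cfg["nat"])

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for src in sorted(cfg["ip"]):
        for dst in sorted(cfg["ip"]):
            if src != dst:
                print(f"{src:>22} -> {dst:<22} {' / '.join(interface_verdict(cfg, src, dst))}")
    print("no zone-member:", unzoned_l3_interfaces(cfg), " no ip nat role:", interfaces_without_nat_role(cfg))
```

To run it against a real device, replace SAMPLE_CONFIG with the saved output of `show running-config`. In the constructed sample the script reports Vlan3 as unzoned and therefore marks every flow between it and the zoned interfaces as dropped, reports Vlan2 as reaching WAN only if a ROELAN-to-WAN zone-pair exists (none does in the sample, so that flow is dropped too), and lists both VLAN interfaces as lacking a NAT role. Those are the conditions worth ruling out before reading through the individual class-maps and ACLs.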
11-05-2021 08:33 AM - edited 11-05-2021 12:02 PM
At this point I am considering my original question answered, as I was trying to understand the general concepts of what I needed to configure. I was able to use the help received and apply those concepts into my environment's needs. I went ahead and moved this newest question to a new thread so I could focus on one issue at a time: