11-05-2021 08:31 AM
I'm trying to get Internet Access while plugging into port Gb0/1/0 on the 192.168.2.x LAN.
I'm also trying to do the same thing for Gb0/1/6 and Gb0/1/7 for the 192.168.1.x LAN. No Internet Access.
I can get Internet Access on Gb0/0/1 just fine on the 10.10.10.x LAN.
Here's my current running config if it helps:
Fri Nov 05 2021 08:58:00 GMT-0700 (Pacific Daylight Time)
===================================================================================
#show running-config
Building configuration...
Current configuration : 11724 bytes
!
! Last configuration change at 13:34:30 CST Fri Nov 5 2021 by admin
! NVRAM config last updated at 17:48:32 CST Tue Nov 2 2021 by admin
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscoisr
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$5ccN$4stDTw2XOCS8ZIihrL3EH1
enable password "removed"
!
no aaa new-model
clock timezone CST -6 0
!
ip name-server 206.166.1.109 206.166.1.110
ip domain name ciscoisr.cisco.com
ip dhcp excluded-address 10.10.11.0 10.255.255.255
ip dhcp excluded-address 10.0.0.0 10.10.10.10
!
ip dhcp pool router-dhcp
network 10.0.0.0 255.0.0.0
default-router 10.10.10.254
dns-server 206.166.1.110 206.166.1.109
lease 3
!
ip dhcp pool roedhcp
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 206.166.1.110 206.166.1.109
lease 3
!
ip dhcp pool DMZDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 206.166.1.109 206.166.1.110
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3425543225
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3425543225
revocation-check none
rsakeypair TP-self-signed-3425543225
!
!
crypto pki certificate chain TP-self-signed-3425543225
!
!
license udi pid ISR4321/K9 sn FLM25160AU8
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
!
!
object-group network Barracuda_dst_net
host 10.10.10.3
!
object-group service Barracuda_svc
tcp eq 22
tcp eq www
tcp eq 123
tcp eq 443
tcp eq 1194
tcp eq 5120
tcp range 5121 5129
udp eq 22
udp eq 80
udp eq ntp
udp eq 443
udp eq 1194
udp eq 5120
udp range 5121 5129
!
object-group network WANtoChildFindWS_dst_net
host 192.168.1.101
!
object-group network WANtoHBugWS_dst_net
host 192.168.1.100
!
object-group network WANtoMailServer_dst_net
host 10.10.10.197
!
object-group service WANtoMailServer_svc
tcp eq 32000
!
object-group network WANtoVPNHBug_dst_net
host 10.10.10.32
!
object-group service WANtoVPNHBug_svc
udp eq 1194
!
object-group network WANtoVPNROE_dst_net
host 192.168.2.50
!
object-group service WANtoVPNROE_svc
udp eq 1194
!
!
!
username webui "removed"
username admin privilege 15 secret 5 "removed"
username cisco password 0 "removed"
username sshadmin privilege 15 password 0 "removed"
username "removed" privilege 15 password 0 "removed"
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all DMZtoWAN
description DMZ outgoing traffic to Internet
match access-group name DMZtoWAN_acl
class-map type inspect match-all HBugLANtoDMZ
description HBugLAN outgoing traffic to DMZ
match access-group name HBugLANtoDMZ_acl
class-map type inspect match-all WANtoVPNHBug
description Wan traffic to HBug Open VPN service
match access-group name WANtoVPNHBug_acl
class-map type inspect match-any WANtoChildFindWS_app
match protocol http
match protocol https
class-map type inspect match-all HBugLANtoWAN
description HBugLAN outgoing traffic to Internet
match access-group name HBugLANtoWAN_acl
class-map type inspect match-all ROELANtoDMZ
description ROELAN outgoing traffic to DMZ
match access-group name ROELANtoDMZ_acl
class-map type inspect match-all WANtoVPNROE
description WAN to VPN Server for ROE
match access-group name WANtoVPNROE_acl
class-map type inspect match-all ROELANtoWAN
description ROELAN outgoing traffic to Internet
match access-group name ROELANtoWAN_acl
class-map type inspect match-all HBugLANtoROELAN
description HBugLAN outgoing traffic to ROELAN
match access-group name HBugLANtoROELAN_acl
class-map type inspect match-all ROELANtoHBugLAN
description ROE outgoing traffic to HBugLAN
match access-group name ROELANtoHBugLAN_acl
class-map type inspect match-any WANtoHBugWS_app
match protocol http
match protocol https
class-map type inspect match-any Barracuda_app
match protocol http
match protocol https
class-map type inspect match-any WANtoMailServer_app
match protocol pop3
match protocol smtp
match protocol http
class-map type inspect match-all WANtoChildFindWS
description Traffic to Child Find Web Server
match class-map WANtoChildFindWS_app
match access-group name WANtoChildFindWS_acl
class-map type inspect match-all WANtoMailServer
description Traffic to Mail Server
match class-map WANtoMailServer_app
match access-group name WANtoMailServer_acl
class-map type inspect match-all Barracuda
description WAN traffic to Barracuda
match class-map Barracuda_app
match access-group name Barracuda_acl
class-map type inspect match-all WANtoHBugWS
description WAN to HBug website
match class-map WANtoHBugWS_app
match access-group name WANtoHBugWS_acl
!
policy-map type inspect HBUGLAN-ROELAN-POLICY
class type inspect HBugLANtoROELAN
drop
class class-default
drop log
policy-map type inspect ROELAN-HBUGLAN-POLICY
class type inspect ROELANtoHBugLAN
drop
class class-default
drop log
policy-map type inspect WAN-HBUGLAN-POLICY
class type inspect Barracuda
inspect
class type inspect WANtoVPNHBug
inspect
class type inspect WANtoMailServer
inspect
class class-default
drop log
policy-map type inspect ROELAN-WAN-POLICY
class type inspect ROELANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-WAN-POLICY
class type inspect HBugLANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-DMZ-POLICY
class type inspect HBugLANtoDMZ
inspect
class class-default
drop log
policy-map type inspect DMZ-WAN-POLICY
class type inspect DMZtoWAN
inspect
class class-default
drop log
policy-map type inspect WAN-DMZ-POLICY
class type inspect WANtoHBugWS
inspect
class type inspect WANtoChildFindWS
inspect
class class-default
drop log
policy-map type inspect ROELAN-DMZ-POLICY
class type inspect ROELANtoDMZ
inspect
class class-default
drop log
policy-map type inspect WAN-ROELAN-POLICY
class type inspect WANtoVPNROE
inspect
class class-default
drop log
!
zone security WAN
description Outside (Internet)
zone security HBugLAN
description Inside (HBug 10.x.x.x LAN)
zone security ROELAN
description Inside (ROE 192.168.2.x LAN)
zone security DMZ
description Inside (DMZ 192.168.1.x LAN)
zone-pair security DMZ-WAN source DMZ destination WAN
service-policy type inspect DMZ-WAN-POLICY
zone-pair security HBUGLAN-DMZ source HBugLAN destination DMZ
service-policy type inspect HBUGLAN-DMZ-POLICY
zone-pair security HBUGLAN-ROELAN source HBugLAN destination ROELAN
service-policy type inspect HBUGLAN-ROELAN-POLICY
zone-pair security HBUGLAN-WAN source HBugLAN destination WAN
service-policy type inspect HBUGLAN-WAN-POLICY
zone-pair security ROELAN-DMZ source ROELAN destination DMZ
service-policy type inspect ROELAN-DMZ-POLICY
zone-pair security ROELAN-HBUGLAN source ROELAN destination HBugLAN
service-policy type inspect ROELAN-HBUGLAN-POLICY
zone-pair security ROELAN-WAN source ROELAN destination WAN
service-policy type inspect ROELAN-WAN-POLICY
zone-pair security WAN-DMZ source WAN destination DMZ
service-policy type inspect WAN-DMZ-POLICY
zone-pair security WAN-HBUGLAN source WAN destination HBugLAN
service-policy type inspect WAN-HBUGLAN-POLICY
zone-pair security WAN-ROELAN source WAN destination ROELAN
service-policy type inspect WAN-ROELAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description ICN Test
ip address "removed" 255.255.255.248
ip nat outside
zone-member security WAN
speed 100
negotiation auto
spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 3
!
interface GigabitEthernet0/0/1
description HBug
ip address 10.10.10.254 255.0.0.0
ip nat inside
zone-member security HBugLAN
speed 100
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
description ROE
switchport access vlan 2
switchport trunk native vlan 2
switchport trunk allowed vlan 2
switchport mode access
ip access-group AllowROE_acl in
ip access-group AllowROE_acl out
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
spanning-tree portfast disable
!
interface GigabitEthernet0/1/4
spanning-tree portfast disable
!
interface GigabitEthernet0/1/5
spanning-tree portfast disable
!
interface GigabitEthernet0/1/6
description DMZ
switchport access vlan 3
switchport trunk native vlan 3
switchport trunk allowed vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/7
description DMZ
switchport access vlan 3
switchport trunk native vlan 3
switchport trunk allowed vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
zone-member security ROELAN
!
interface Vlan3
ip address 192.168.1.254 255.255.255.0
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 "removed"
!
!
!
ip access-list extended Barracuda_acl
permit object-group Barracuda_svc any object-group Barracuda_dst_net
ip access-list extended DMZtoWAN_acl
permit ip any any
ip access-list extended HBugLANtoDMZ_acl
permit ip any any
ip access-list extended HBugLANtoROELAN_acl
permit ip any any
ip access-list extended HBugLANtoWAN_acl
permit ip any any
ip access-list extended ROELANtoDMZ_acl
permit ip any any
ip access-list extended ROELANtoHBugLAN_acl
permit ip any any
ip access-list extended ROELANtoWAN_acl
permit ip any any
ip access-list extended WANtoChildFindWS_acl
permit ip any object-group WANtoChildFindWS_dst_net
ip access-list extended WANtoHBugWS_acl
permit ip any object-group WANtoHBugWS_dst_net