cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1273
Views
10
Helpful
11
Replies

Getting Internet Access for Separate LANs on ISR 4321

Zydain
Level 1
Level 1

I'm trying to get Internet Access while plugging into port Gb0/1/0 on the 192.168.2.x LAN. 

 

I'm also trying to do the same thing for Gb0/1/6 and Gb0/1/7 for the 192.168.1.x LAN.  No Internet Access.

 

I can get Internet Access on Gb0/0/1 just fine on the 10.10.10.x LAN.

 

Here's my current running config if it helps:


Fri Nov 05 2021 08:58:00 GMT-0700 (Pacific Daylight Time)
===================================================================================
#show running-config
Building configuration...
Current configuration : 11724 bytes
!
! Last configuration change at 13:34:30 CST Fri Nov 5 2021 by admin
! NVRAM config last updated at 17:48:32 CST Tue Nov 2 2021 by admin
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscoisr
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$5ccN$4stDTw2XOCS8ZIihrL3EH1
enable password "removed"
!
no aaa new-model
clock timezone CST -6 0
!
ip name-server 206.166.1.109 206.166.1.110
ip domain name ciscoisr.cisco.com
ip dhcp excluded-address 10.10.11.0 10.255.255.255
ip dhcp excluded-address 10.0.0.0 10.10.10.10
!
ip dhcp pool router-dhcp
network 10.0.0.0 255.0.0.0
default-router 10.10.10.254
dns-server 206.166.1.110 206.166.1.109
lease 3
!
ip dhcp pool roedhcp
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 206.166.1.110 206.166.1.109
lease 3
!
ip dhcp pool DMZDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 206.166.1.109 206.166.1.110
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3425543225
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3425543225
revocation-check none
rsakeypair TP-self-signed-3425543225
!
!
crypto pki certificate chain TP-self-signed-3425543225
!
!
license udi pid ISR4321/K9 sn FLM25160AU8
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
!
!
object-group network Barracuda_dst_net
host 10.10.10.3
!
object-group service Barracuda_svc
tcp eq 22
tcp eq www
tcp eq 123
tcp eq 443
tcp eq 1194
tcp eq 5120
tcp range 5121 5129
udp eq 22
udp eq 80
udp eq ntp
udp eq 443
udp eq 1194
udp eq 5120
udp range 5121 5129
!
object-group network WANtoChildFindWS_dst_net
host 192.168.1.101
!
object-group network WANtoHBugWS_dst_net
host 192.168.1.100
!
object-group network WANtoMailServer_dst_net
host 10.10.10.197
!
object-group service WANtoMailServer_svc
tcp eq 32000
!
object-group network WANtoVPNHBug_dst_net
host 10.10.10.32
!
object-group service WANtoVPNHBug_svc
udp eq 1194
!
object-group network WANtoVPNROE_dst_net
host 192.168.2.50
!
object-group service WANtoVPNROE_svc
udp eq 1194
!
!
!
username webui "removed"
username admin privilege 15 secret 5 "removed"
username cisco password 0 "removed"
username sshadmin privilege 15 password 0 "removed"
username "removed" privilege 15 password 0 "removed"
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all DMZtoWAN
description DMZ outgoing traffic to Internet
match access-group name DMZtoWAN_acl
class-map type inspect match-all HBugLANtoDMZ
description HBugLAN outgoing traffic to DMZ
match access-group name HBugLANtoDMZ_acl
class-map type inspect match-all WANtoVPNHBug
description Wan traffic to HBug Open VPN service
match access-group name WANtoVPNHBug_acl
class-map type inspect match-any WANtoChildFindWS_app
match protocol http
match protocol https
class-map type inspect match-all HBugLANtoWAN
description HBugLAN outgoing traffic to Internet
match access-group name HBugLANtoWAN_acl
class-map type inspect match-all ROELANtoDMZ
description ROELAN outgoing traffic to DMZ
match access-group name ROELANtoDMZ_acl
class-map type inspect match-all WANtoVPNROE
description WAN to VPN Server for ROE
match access-group name WANtoVPNROE_acl
class-map type inspect match-all ROELANtoWAN
description ROELAN outgoing traffic to Internet
match access-group name ROELANtoWAN_acl
class-map type inspect match-all HBugLANtoROELAN
description HBugLAN outgoing traffic to ROELAN
match access-group name HBugLANtoROELAN_acl
class-map type inspect match-all ROELANtoHBugLAN
description ROE outgoing traffic to HBugLAN
match access-group name ROELANtoHBugLAN_acl
class-map type inspect match-any WANtoHBugWS_app
match protocol http
match protocol https
class-map type inspect match-any Barracuda_app
match protocol http
match protocol https
class-map type inspect match-any WANtoMailServer_app
match protocol pop3
match protocol smtp
match protocol http
class-map type inspect match-all WANtoChildFindWS
description Traffic to Child Find Web Server
match class-map WANtoChildFindWS_app
match access-group name WANtoChildFindWS_acl
class-map type inspect match-all WANtoMailServer
description Traffic to Mail Server
match class-map WANtoMailServer_app
match access-group name WANtoMailServer_acl
class-map type inspect match-all Barracuda
description WAN traffic to Barracuda
match class-map Barracuda_app
match access-group name Barracuda_acl
class-map type inspect match-all WANtoHBugWS
description WAN to HBug website
match class-map WANtoHBugWS_app
match access-group name WANtoHBugWS_acl
!
policy-map type inspect HBUGLAN-ROELAN-POLICY
class type inspect HBugLANtoROELAN
drop
class class-default
drop log
policy-map type inspect ROELAN-HBUGLAN-POLICY
class type inspect ROELANtoHBugLAN
drop
class class-default
drop log
policy-map type inspect WAN-HBUGLAN-POLICY
class type inspect Barracuda
inspect
class type inspect WANtoVPNHBug
inspect
class type inspect WANtoMailServer
inspect
class class-default
drop log
policy-map type inspect ROELAN-WAN-POLICY
class type inspect ROELANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-WAN-POLICY
class type inspect HBugLANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-DMZ-POLICY
class type inspect HBugLANtoDMZ
inspect
class class-default
drop log
policy-map type inspect DMZ-WAN-POLICY
class type inspect DMZtoWAN
inspect
class class-default
drop log
policy-map type inspect WAN-DMZ-POLICY
class type inspect WANtoHBugWS
inspect
class type inspect WANtoChildFindWS
inspect
class class-default
drop log
policy-map type inspect ROELAN-DMZ-POLICY
class type inspect ROELANtoDMZ
inspect
class class-default
drop log
policy-map type inspect WAN-ROELAN-POLICY
class type inspect WANtoVPNROE
inspect
class class-default
drop log
!
zone security WAN
description Outside (Internet)
zone security HBugLAN
description Inside (HBug 10.x.x.x LAN)
zone security ROELAN
description Inside (ROE 192.168.2.x LAN)
zone security DMZ
description Inside (DMZ 192.168.1.x LAN)
zone-pair security DMZ-WAN source DMZ destination WAN
service-policy type inspect DMZ-WAN-POLICY
zone-pair security HBUGLAN-DMZ source HBugLAN destination DMZ
service-policy type inspect HBUGLAN-DMZ-POLICY
zone-pair security HBUGLAN-ROELAN source HBugLAN destination ROELAN
service-policy type inspect HBUGLAN-ROELAN-POLICY
zone-pair security HBUGLAN-WAN source HBugLAN destination WAN
service-policy type inspect HBUGLAN-WAN-POLICY
zone-pair security ROELAN-DMZ source ROELAN destination DMZ
service-policy type inspect ROELAN-DMZ-POLICY
zone-pair security ROELAN-HBUGLAN source ROELAN destination HBugLAN
service-policy type inspect ROELAN-HBUGLAN-POLICY
zone-pair security ROELAN-WAN source ROELAN destination WAN
service-policy type inspect ROELAN-WAN-POLICY
zone-pair security WAN-DMZ source WAN destination DMZ
service-policy type inspect WAN-DMZ-POLICY
zone-pair security WAN-HBUGLAN source WAN destination HBugLAN
service-policy type inspect WAN-HBUGLAN-POLICY
zone-pair security WAN-ROELAN source WAN destination ROELAN
service-policy type inspect WAN-ROELAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description ICN Test
ip address "removed" 255.255.255.248
ip nat outside
zone-member security WAN
speed 100
negotiation auto
spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 3
!
interface GigabitEthernet0/0/1
description HBug
ip address 10.10.10.254 255.0.0.0
ip nat inside
zone-member security HBugLAN
speed 100
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
description ROE
switchport access vlan 2
switchport trunk native vlan 2
switchport trunk allowed vlan 2
switchport mode access
ip access-group AllowROE_acl in
ip access-group AllowROE_acl out
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
spanning-tree portfast disable
!
interface GigabitEthernet0/1/4
spanning-tree portfast disable
!
interface GigabitEthernet0/1/5
spanning-tree portfast disable
!
interface GigabitEthernet0/1/6
description DMZ
switchport access vlan 3
switchport trunk native vlan 3
switchport trunk allowed vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/7
description DMZ
switchport access vlan 3
switchport trunk native vlan 3
switchport trunk allowed vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
zone-member security ROELAN
!
interface Vlan3
ip address 192.168.1.254 255.255.255.0
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 "removed"
!
!
!
ip access-list extended Barracuda_acl
permit object-group Barracuda_svc any object-group Barracuda_dst_net
ip access-list extended DMZtoWAN_acl
permit ip any any
ip access-list extended HBugLANtoDMZ_acl
permit ip any any
ip access-list extended HBugLANtoROELAN_acl
permit ip any any
ip access-list extended HBugLANtoWAN_acl
permit ip any any
ip access-list extended ROELANtoDMZ_acl
permit ip any any
ip access-list extended ROELANtoHBugLAN_acl
permit ip any any
ip access-list extended ROELANtoWAN_acl
permit ip any any
ip access-list extended WANtoChildFindWS_acl
permit ip any object-group WANtoChildFindWS_dst_net
ip access-list extended WANtoHBugWS_acl
permit ip any object-group WANtoHBugWS_dst_net
ip access-list extended WANtoMailServer_acl
permit object-group WANtoMailServer_svc any object-group WANtoMailServer_dst_net
ip access-list extended WANtoVPNHBug_acl
permit object-group WANtoVPNHBug_svc any object-group WANtoVPNHBug_dst_net
ip access-list extended WANtoVPNROE_acl
permit object-group WANtoVPNROE_svc any object-group WANtoVPNROE_dst_net
access-list 10 permit 10.0.0.0 0.255.255.255
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
banner login ^CNo unauthorized access is allowed.^C
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password "removed"
login local
transport input ssh
line vty 5 15
password "removed"
login local
transport input ssh
!
!
!
!
!
event manager applet 40storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute 8.8.8.8 source GigabitEthernet0/0/1"
action 003 file open TECHFILE bootflash:40sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE
!
end

2 Accepted Solutions

Accepted Solutions

balaji.bandi
Hall of Fame
Hall of Fame

because the interface belog to NAT inside  and in ACL as below :

 

interface GigabitEthernet0/0/1
description HBug
ip address 10.10.10.254 255.0.0.0
ip nat inside
zone-member security HBugLAN
speed 100
negotiation auto
spanning-tree portfast disable

 

 

make sure they belong to correct  Zone

 

interface Vlan2

ip nat inside or DMZ
ip address 192.168.2.1 255.255.255.0
zone-member security ROELAN
!
interface Vlan3

ip nat inside or DMZ

ip address 192.168.1.254 255.255.255.0

 

You need add NAT as below

 

access-list 10 permit 10.0.0.0 0.255.255.255

access-list 10 permit 192.168.1.0 0.255.255.255

access-list 10 permit  192.168.2.0 0.255.255.255

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Hello,

 

as mentioned before, access list applied to interfaces that are part of a security zone do not work together with the ZBF. So it is either the ZBF, or access lists, not both.

 

Did you ever put the configuration in place I originally sent ?

View solution in original post

11 Replies 11

balaji.bandi
Hall of Fame
Hall of Fame

because the interface belog to NAT inside  and in ACL as below :

 

interface GigabitEthernet0/0/1
description HBug
ip address 10.10.10.254 255.0.0.0
ip nat inside
zone-member security HBugLAN
speed 100
negotiation auto
spanning-tree portfast disable

 

 

make sure they belong to correct  Zone

 

interface Vlan2

ip nat inside or DMZ
ip address 192.168.2.1 255.255.255.0
zone-member security ROELAN
!
interface Vlan3

ip nat inside or DMZ

ip address 192.168.1.254 255.255.255.0

 

You need add NAT as below

 

access-list 10 permit 10.0.0.0 0.255.255.255

access-list 10 permit 192.168.1.0 0.255.255.255

access-list 10 permit  192.168.2.0 0.255.255.255

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

 

you have posted the 'old', original non-working configuration which has a lot of errors and redundancies. The ZBF configuration I sent in the other post should provide Internet access as well. Did you configure this, and with what result ?

 

Here is the entire configuration again:

 

Building configuration...
Current configuration : 5864 bytes
!
! Last configuration change at 16:30:14 CST Wed Nov 3 2021 by admin
! NVRAM config last updated at 17:48:32 CST Tue Nov 2 2021 by admin
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscoisr
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$5ccN$4stDTw2XOCS8ZIihrL3EH1
enable password "Removed"
!
no aaa new-model
clock timezone CST -6 0
!
ip name-server "Removed" "Remomved"
ip domain name "Removed"
ip dhcp excluded-address 10.10.11.0 10.255.255.255
ip dhcp excluded-address 10.0.0.0 10.10.10.10
!
ip dhcp pool router-dhcp
network 10.0.0.0 255.0.0.0
default-router 10.10.10.254
dns-server "removed" "removed"
lease 3
!
ip dhcp pool roedhcp
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server "removed" "removed"
lease 3
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3425543225
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3425543225
revocation-check none
rsakeypair TP-self-signed-3425543225
!
crypto pki certificate chain TP-self-signed-3425543225
!
license udi pid ISR4321/K9 sn FLM25160AU8
diagnostic bootup level minimal
spanning-tree extend system-id
!
username webui privilege 15 password 0 "removed"
username admin privilege 15 secret 5 $1$GqDt$j3m3KioD/XeYU/B7Ie9qV/
username cisco password 0 "remomved"
username sshadmin privilege 15 password 0 "removed"
username "removed" privilege 15 password 0 "removed"
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
class-map type inspect match-any ALL_PROTOCOLS_CM
match protocol http
match protocol https
match protocol dns
match protocol tcp
match protocol udp
match protocol icmp
match protocol ftp
!
class-map type inspect match-all HBugLAN_TO_ROELAN_CM
match access-group name HBugLAN_TO_ROELAN_ACL
!
class-map type inspect match-all HBugLAN_TO_DMZ_CM
match access-group name HBugLAN_TO_ROELAN_ACL
!
policy-map type inspect HBugLAN_TO_ROELAN_PM
class-type inspect HBugLAN_TO_ROELAN_CM
drop
class class-default
drop
!
policy-map type inspect HBugLAN_TO_DMZ_PM
class-type inspect HBugLAN_TO_DMZ_CM
drop
class class-default
drop
!
policy-map type inspect HBugLAN_TO_WAN_PM
class-type inspect ALL_PROTOCOLS_CM
inspect
class class-default
drop
policy-map type inspect ROELAN_TO_WAN_PM
class-type inspect ALL_PROTOCOLS_CM
inspect
class class-default
drop
policy-map type inspect DMZ_TO_WAN_PM
class-type inspect ALL_PROTOCOLS_CM
inspect
class class-default
drop
!
zone security WAN
description Outside
zone security HBugLAN
description Inside
zone security ROELAN
description Inside
zone security DMZ
description Inside
zone-pair security HBugLAN_TO_WAN_ZP source HBugLAN destination WAN
service-policy type inspect HBugLAN_TO_WAN_PM
zone-pair security ROELAN_TO_WAN_ZP source ROELAN destination WAN
service-policy type inspect ROELAN_TO_WAN_PM
zone-pair security DMZ_TO_WAN_ZP source DMZ destination WAN
service-policy type inspect DMZ_TO_WAN_PM
zone-pair security HBugLAN_TO_ROELAN_ZP source HBugLAN destination ROELAN
service-policy type inspect HBugLAN_TO_ROELAN_PM
zone-pair security HBugLAN_TO_DMZ_ZP source HBugLAN destination DMZ
service-policy type inspect HBugLAN_TO_DMZ_PM
!
interface GigabitEthernet0/0/0
description ICN Test
ip address "removed" 255.255.255.248
ip nat outside
zone-member security WAN
speed 100
negotiation auto
spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security ROELAN
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 3
ip address 192.168.1.254 255.255.255.0
ip nat inside
zone-member security DMZ
!
interface GigabitEthernet0/0/1
description HBug
ip address 10.10.10.254 255.0.0.0
ip nat inside
zone-member security HBugLAN
speed 100
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
description ROE
switchport access vlan 2
switchport trunk native vlan 2
switchport trunk allowed vlan 2
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
zone-member security DMZ
spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
spanning-tree portfast disable
!
interface GigabitEthernet0/1/4
spanning-tree portfast disable
!
interface GigabitEthernet0/1/5
spanning-tree portfast disable
!
interface GigabitEthernet0/1/6
description DMZ
switchport trunk native vlan 3
switchport trunk allowed vlan 3
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/7
description DMZ
switchport trunk native vlan 3
switchport trunk allowed vlan 3
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan2
no ip address
zone-member security ROELAN
!
interface Vlan3
no ip address
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
ip access-list extended HBugLAN_TO_ROELAN_ACL
permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
ip access-list extended HBugLAN_TO_DMZ_ACL
permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
banner login ^CNo unauthorized access is allowed.^C
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password "removed"
login local
length 0
transport input ssh
line vty 5 15
password "removed"
login local
transport input ssh
!
event manager applet 40storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute 8.8.8.8 source GigabitEthernet0/0/1"
action 003 file open TECHFILE bootflash:40sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE

@Georg Pauwen

 

Honestly, it very well may have.  I was relying on the the webGUI's "operational status" in Ethernet and also using the webGUI troubleshooting tools for testing ping to 8.8.8.8 from the involved interfaces.  After doing what @balaji.bandi had suggested it still wasn't working (at least from what I could tell through the webGUI stuff I mentioned).  I then decided to just physically move the laptop to the other ports and realized I actually did have Internet access in all of them.  I guess I could reverse what I with balaji.bandi and test it out if you'd like me to.

 

Edit: I should mention I added a bunch of firewall rules after seeing your config.  It helped me have a better understanding of what I needed for my actual environment.  Since I had added a bunch of stuff I felt like I should start with a fresh thread and isolate my individual issues.

Hello,

 

below is the configuration minus the ZBF:

 

Building configuration...
Current configuration : 5864 bytes
!
! Last configuration change at 16:30:14 CST Wed Nov 3 2021 by admin
! NVRAM config last updated at 17:48:32 CST Tue Nov 2 2021 by admin
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscoisr
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$5ccN$4stDTw2XOCS8ZIihrL3EH1
enable password "Removed"
!
no aaa new-model
clock timezone CST -6 0
!
ip name-server "Removed" "Remomved"
ip domain name "Removed"
ip dhcp excluded-address 10.10.11.0 10.255.255.255
ip dhcp excluded-address 10.0.0.0 10.10.10.10
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool router-dhcp
network 10.0.0.0 255.0.0.0
default-router 10.10.10.254
dns-server "removed" "removed"
lease 3
!
ip dhcp pool roedhcp
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server "removed" "removed"
lease 3
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3425543225
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3425543225
revocation-check none
rsakeypair TP-self-signed-3425543225
!
crypto pki certificate chain TP-self-signed-3425543225
!
license udi pid ISR4321/K9 sn FLM25160AU8
diagnostic bootup level minimal
spanning-tree extend system-id
!
username webui privilege 15 password 0 "removed"
username admin privilege 15 secret 5 $1$GqDt$j3m3KioD/XeYU/B7Ie9qV/
username cisco password 0 "remomved"
username sshadmin privilege 15 password 0 "removed"
username "removed" privilege 15 password 0 "removed"
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
description ICN Test
ip address "removed" 255.255.255.248
ip nat outside
speed 100
negotiation auto
spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 3
ip address 192.168.1.254 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1
description HBug
ip address 10.10.10.254 255.0.0.0
ip nat inside
speed 100
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
description ROE
switchport access vlan 2
switchport trunk native vlan 2
switchport trunk allowed vlan 2
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
zone-member security DMZ
spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
spanning-tree portfast disable
!
interface GigabitEthernet0/1/4
spanning-tree portfast disable
!
interface GigabitEthernet0/1/5
spanning-tree portfast disable
!
interface GigabitEthernet0/1/6
description DMZ
switchport trunk native vlan 3
switchport trunk allowed vlan 3
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/7
description DMZ
switchport trunk native vlan 3
switchport trunk allowed vlan 3
spanning-tree portfast trunk
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan2
no ip address
!
interface Vlan3
no ip address
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
control-plane
!
banner login ^CNo unauthorized access is allowed.^C
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password "removed"
login local
length 0
transport input ssh
line vty 5 15
password "removed"
login local
transport input ssh
!
event manager applet 40storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute 8.8.8.8 source GigabitEthernet0/0/1"
action 003 file open TECHFILE bootflash:40sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE

Zydain
Level 1
Level 1

Hello,

I've progressed a bit more in my config, but I'm still having trouble with a couple things that are pretty much the same problem:

 

I cannot ping the DMZ from the HBugLAN: 10.10.10.x > 192.168.1.x

I cannot ping internally in the DMZ: 192.168.1.x > 192.168.1.x (not really sure if this is a problem, it might be beneficial)

Ping worked everywhere else as I would expect, such as success from 192.168.2.x > 192.168.1.x or failure from 192.168.1.x > 192.168.2.x

 

Can anyone point me to where I've misconfigured?  I'm wondering if it has something to do with:

access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 192.0.0.0 0.255.255.255

 

Full config below, feel free to bring up anything else that I may have butchered


Mon Nov 08 2021 11:15:42 GMT-0800 (Pacific Standard Time)
===================================================================================
#show running-config
Building configuration...
Current configuration : 12086 bytes
!
! Last configuration change at 17:07:38 CST Mon Nov 8 2021 by admin
! NVRAM config last updated at 17:48:32 CST Tue Nov 2 2021 by admin
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscoisr
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$5ccN$4stDTw2XOCS8ZIihrL3EH1
enable password 7 "removed"
!
no aaa new-model
clock timezone CST -6 0
!
ip name-server 206.166.1.109 206.166.1.110
ip domain name ciscoisr.cisco.com
ip dhcp excluded-address 10.10.11.0 10.255.255.255
ip dhcp excluded-address 10.0.0.0 10.10.10.10
!
ip dhcp pool router-dhcp
network 10.0.0.0 255.0.0.0
default-router 10.10.10.254
dns-server 206.166.1.110 206.166.1.109
lease 3
!
ip dhcp pool roedhcp
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 206.166.1.110 206.166.1.109
lease 3
!
ip dhcp pool DMZDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 206.166.1.109 206.166.1.110
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3425543225
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3425543225
revocation-check none
rsakeypair TP-self-signed-3425543225
!
!
crypto pki certificate chain TP-self-signed-3425543225
!
!
license udi pid ISR4321/K9 sn FLM25160AU8
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
!
!
object-group network Barracuda_dst_net
host 10.10.10.3
!
object-group service Barracuda_svc
tcp eq 22
tcp eq www
tcp eq 123
tcp eq 443
tcp eq 1194
tcp eq 5120
tcp range 5121 5129
udp eq 22
udp eq 80
udp eq ntp
udp eq 443
udp eq 1194
udp eq 5120
udp range 5121 5129
!
object-group network WANtoChildFindWS_dst_net
host 192.168.1.101
!
object-group network WANtoHBugWS_dst_net
host 192.168.1.100
!
object-group network WANtoMailServer_dst_net
host 10.10.10.197
!
object-group service WANtoMailServer_svc
tcp eq 32000
!
object-group network WANtoVPNHBug_dst_net
host 10.10.10.32
!
object-group service WANtoVPNHBug_svc
udp eq 1194
!
object-group network WANtoVPNROE_dst_net
host 192.168.2.50
!
object-group service WANtoVPNROE_svc
udp eq 1194
!
!
!
username admin privilege 15 secret 5 $1$GqDt$j3m3KioD/XeYU/B7Ie9qV/
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all DMZtoWAN
description DMZ outgoing traffic to Internet
match access-group name DMZtoWAN_acl
class-map type inspect match-all HBugLANtoDMZ
description HBugLAN outgoing traffic to DMZ
match access-group name HBugLANtoDMZ_acl
class-map type inspect match-all WANtoVPNHBug
description Wan traffic to HBug Open VPN service
match access-group name WANtoVPNHBug_acl
class-map type inspect match-any WANtoChildFindWS_app
match protocol http
match protocol https
class-map type inspect match-all HBugLANtoWAN
description HBugLAN outgoing traffic to Internet
match access-group name HBugLANtoWAN_acl
class-map type inspect match-all ROELANtoDMZ
description ROELAN outgoing traffic to DMZ
match access-group name ROELANtoDMZ_acl
class-map type inspect match-all WANtoVPNROE
description WAN to VPN Server for ROE
match access-group name WANtoVPNROE_acl
class-map type inspect match-all ROELANtoWAN
description ROELAN outgoing traffic to Internet
match access-group name ROELANtoWAN_acl
class-map type inspect match-all HBugLANtoROELAN
description HBugLAN outgoing traffic to ROELAN
match access-group name HBugLANtoROELAN_acl
class-map type inspect match-all ROELANtoHBugLAN
description ROE outgoing traffic to HBugLAN
match access-group name ROELANtoHBugLAN_acl
class-map type inspect match-any WANtoHBugWS_app
match protocol http
match protocol https
class-map type inspect match-any Barracuda_app
match protocol http
match protocol https
class-map type inspect match-any WANtoMailServer_app
match protocol pop3
match protocol smtp
match protocol http
class-map type inspect match-all WANtoChildFindWS
description Traffic to Child Find Web Server
match class-map WANtoChildFindWS_app
match access-group name WANtoChildFindWS_acl
class-map type inspect match-all WANtoMailServer
description Traffic to Mail Server
match class-map WANtoMailServer_app
match access-group name WANtoMailServer_acl
class-map type inspect match-all Barracuda
description WAN traffic to Barracuda
match class-map Barracuda_app
match access-group name Barracuda_acl
class-map type inspect match-all WANtoHBugWS
description WAN to HBug website
match class-map WANtoHBugWS_app
match access-group name WANtoHBugWS_acl
!
policy-map type inspect HBUGLAN-ROELAN-POLICY
class type inspect HBugLANtoROELAN
drop
class class-default
drop log
policy-map type inspect ROELAN-HBUGLAN-POLICY
class type inspect ROELANtoHBugLAN
drop
class class-default
drop log
policy-map type inspect WAN-HBUGLAN-POLICY
class type inspect Barracuda
inspect
class type inspect WANtoVPNHBug
inspect
class type inspect WANtoMailServer
inspect
class class-default
drop log
policy-map type inspect ROELAN-WAN-POLICY
class type inspect ROELANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-WAN-POLICY
class type inspect HBugLANtoWAN
inspect
class class-default
drop log
policy-map type inspect HBUGLAN-DMZ-POLICY
class type inspect HBugLANtoDMZ
inspect
class class-default
drop log
policy-map type inspect DMZ-WAN-POLICY
class type inspect DMZtoWAN
inspect
class class-default
drop log
policy-map type inspect WAN-DMZ-POLICY
class type inspect WANtoHBugWS
inspect
class type inspect WANtoChildFindWS
inspect
class class-default
drop log
policy-map type inspect ROELAN-DMZ-POLICY
class type inspect ROELANtoDMZ
inspect
class class-default
drop log
policy-map type inspect WAN-ROELAN-POLICY
class type inspect WANtoVPNROE
inspect
class class-default
drop log
!
zone security WAN
description Outside (Internet)
zone security HBugLAN
description Inside (HBug 10.x.x.x LAN)
zone security ROELAN
description Inside (ROE 192.168.2.x LAN)
zone security DMZ
description Inside (DMZ 192.168.1.x LAN)
zone-pair security DMZ-WAN source DMZ destination WAN
service-policy type inspect DMZ-WAN-POLICY
zone-pair security HBUGLAN-DMZ source HBugLAN destination DMZ
service-policy type inspect HBUGLAN-DMZ-POLICY
zone-pair security HBUGLAN-ROELAN source HBugLAN destination ROELAN
service-policy type inspect HBUGLAN-ROELAN-POLICY
zone-pair security HBUGLAN-WAN source HBugLAN destination WAN
service-policy type inspect HBUGLAN-WAN-POLICY
zone-pair security ROELAN-DMZ source ROELAN destination DMZ
service-policy type inspect ROELAN-DMZ-POLICY
zone-pair security ROELAN-HBUGLAN source ROELAN destination HBugLAN
service-policy type inspect ROELAN-HBUGLAN-POLICY
zone-pair security ROELAN-WAN source ROELAN destination WAN
service-policy type inspect ROELAN-WAN-POLICY
zone-pair security WAN-DMZ source WAN destination DMZ
service-policy type inspect WAN-DMZ-POLICY
zone-pair security WAN-HBUGLAN source WAN destination HBugLAN
service-policy type inspect WAN-HBUGLAN-POLICY
zone-pair security WAN-ROELAN source WAN destination ROELAN
service-policy type inspect WAN-ROELAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description ICN WAN1
ip address "removed"
ip nat outside
zone-member security WAN
speed 100
negotiation auto
spanning-tree portfast trunk
!
interface GigabitEthernet0/0/0.2
encapsulation dot1Q 2
zone-member security ROELAN
!
interface GigabitEthernet0/0/0.3
encapsulation dot1Q 3
zone-member security DMZ
!
interface GigabitEthernet0/0/0.4
encapsulation dot1Q 4
zone-member security HBugLAN
!
interface GigabitEthernet0/0/1
no ip address
shutdown
speed 100
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/1/0
description ROE
switchport access vlan 2
switchport trunk native vlan 2
switchport mode access
ip access-group AllowROE_acl in
ip access-group AllowROE_acl out
zone-member security ROELAN
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/1
description HBug
switchport access vlan 4
switchport mode access
zone-member security HBugLAN
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/2
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/3
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/4
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/5
shutdown
spanning-tree portfast disable
!
interface GigabitEthernet0/1/6
description DMZ
switchport access vlan 3
switchport trunk native vlan 3
switchport trunk allowed vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/7
description DMZ
switchport access vlan 3
switchport trunk native vlan 3
switchport trunk allowed vlan 3
switchport mode access
zone-member security DMZ
spanning-tree portfast trunk
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.2.5
ip nat inside
zone-member security ROELAN
!
interface Vlan3
ip address 192.168.1.254 255.255.255.0
ip nat inside
zone-member security DMZ
!
interface Vlan4
ip address 10.10.10.254 255.0.0.0
ip helper-address 10.10.10.7
ip nat inside
zone-member security HBugLAN
!
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
!
!
ip access-list extended Barracuda_acl
permit object-group Barracuda_svc any object-group Barracuda_dst_net
ip access-list extended DMZtoWAN_acl
permit ip any any
ip access-list extended HBugLANtoDMZ_acl
permit ip any any
ip access-list extended HBugLANtoROELAN_acl
permit ip any any
ip access-list extended HBugLANtoWAN_acl
permit ip any any
ip access-list extended ROELANtoDMZ_acl
permit ip any any
ip access-list extended ROELANtoHBugLAN_acl
permit ip any any
ip access-list extended ROELANtoWAN_acl
permit ip any any
ip access-list extended WANtoChildFindWS_acl
permit ip any object-group WANtoChildFindWS_dst_net
ip access-list extended WANtoHBugWS_acl
permit ip any object-group WANtoHBugWS_dst_net
ip access-list extended WANtoMailServer_acl
permit object-group WANtoMailServer_svc any object-group WANtoMailServer_dst_net
ip access-list extended WANtoVPNHBug_acl
permit object-group WANtoVPNHBug_svc any object-group WANtoVPNHBug_dst_net
ip access-list extended WANtoVPNROE_acl
permit object-group WANtoVPNROE_svc any object-group WANtoVPNROE_dst_net
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 192.0.0.0 0.255.255.255
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
banner login ^CNo unauthorized access is allowed.^C
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 "removed"
login local
transport input ssh
line vty 5 15
password 7 "removed"
login local
transport input ssh
!
!
!
!
!
event manager applet 40storeShowTech
event none sync no maxrun 31536000
action 001 cli command "enable"
action 002 cli command "traceroute 8.8.8.8 source GigabitEthernet0/0/1"
action 003 file open TECHFILE bootflash:40sh_tech.txt w+
action 004 file puts TECHFILE "$_cli_result"
action 005 file close TECHFILE
!
end

Thanks for posting a fresh copy of the config. I have comments about several things.

- You have configured 3 statements for nat and only 1 of them works

ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload

The first one uses a route map which uses acl 197 but that acl does not exist. So this statement does not work
The second one uses acl 1 but that acl does not exist. So this statement does not work
The third one uses acl 10  which does exist and so should work. The use of permit 192.0.0.0 0.255.255.255 is very broad, but it would include the subnets for vlan 2 and 3.

I would suggest removing the 2 nat statements that do not work.

- You have configured a couple of helper addresses like this

ip helper-address 192.168.2.5

but the address specified is in the same subnet as the interface. So the dhcp server is local, and you do not need helper addresses for local dhcp servers. I suggest removing the helper addresses.

- you have configured a static default route like this

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0

when a static route specifies the outbound interface without specifying a next hop address it could cause problems. It might work but it might not work (it depends on whether the next hop device has enabled proxy arp). And even if it does work it is not a good idea. This will force the router to arp for every remote address to which it will forward traffic. This results in a very large arp table (consumes memory) and more processing cycles to search and to maintain the arp table. I suggest that you include the next hop address.

HTH

Rick

- You have configured 3 statements for nat and only 1 of them works

ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload

The first one uses a route map which uses acl 197 but that acl does not exist. So this statement does not work
The second one uses acl 1 but that acl does not exist. So this statement does not work
The third one uses acl 10  which does exist and so should work. The use of permit 192.0.0.0 0.255.255.255 is very broad, but it would include the subnets for vlan 2 and 3.

I would suggest removing the 2 nat statements that do not work. 

I have performed these steps.  Thanks for pointing that out.  I intended to remove them after figuring out which one I still needed, but I had forgotten.

 

- You have configured a couple of helper addresses like this

ip helper-address 192.168.2.5

but the address specified is in the same subnet as the interface. So the dhcp server is local, and you do not need helper addresses for local dhcp servers. I suggest removing the helper addresses.

Thanks for this, I was confused by how the DHCP server and the Router would interact with each other.  I appreciate the correction.

 

- you have configured a static default route like this

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0

when a static route specifies the outbound interface without specifying a next hop address it could cause problems. It might work but it might not work (it depends on whether the next hop device has enabled proxy arp). And even if it does work it is not a good idea. This will force the router to arp for every remote address to which it will forward traffic. This results in a very large arp table (consumes memory) and more processing cycles to search and to maintain the arp table. I suggest that you include the next hop address.
This has been corrected, thanks again for the explanation.  It helps a lot.

Hello,

 

as mentioned before, access list applied to interfaces that are part of a security zone do not work together with the ZBF. So it is either the ZBF, or access lists, not both.

 

Did you ever put the configuration in place I originally sent ?

Georg,

 

I think your correcting me, and I'm not comprehending what you're trying to tell me.

 

I removed the access groups in this:

interface GigabitEthernet0/1/0
description ROE
switchport access vlan 2
switchport trunk native vlan 2
switchport mode access
ip access-group AllowROE_acl in
ip access-group AllowROE_acl out
zone-member security ROELAN
spanning-tree portfast trunk

 

Although, I'm unsure if this is what you are trying to point out, or if your telling me that I've made a bunch of redundant polices when trying to configure my ZBFW.  I was copying all the policies from our old ASA firewall, are these not going to apply correctly with what I'm trying to build in my most recent config?  I can post a new updated config if needed, just let me know.

After removing those ip access-groups, which is what I think you were telling me, everything seems to be working in my test environment as I'd expect.  I think you've gotten me to the point where I can test this thing out in a live environment.

 

Thanks for the help!

Thanks for the update. Glad to know that it is working as expected in your test environment.

HTH

Rick
Review Cisco Networking for a $25 gift card