
I cannot open my website from my LAN network, but from abroad I can

josecervini

With a $30 router everything worked fine. I bought a Cisco 2921, and since I installed it I can't open my web page hosted on my LAN. I have two LAN interfaces: the server is on 168.25.12.1, 168.25.12.150 being its IP, and the rest of the computers are on the other interface, 192.168.1.*. I imagine that the problem is to configure the interfaces to each other so that they can be seen, but I have not yet achieved it.


Hello,

 

post the running configuration (show run) of your 2921 router...

Building configuration...


Current configuration : 14568 bytes
!
! Last configuration change at 08:00:48 PCTime Wed Aug 12 2020 by josecervini
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone PCTime -5 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


ip port-map http port tcp 80 list 2 description web
ip port-map http port tcp 8080 list 5
ip port-map https port tcp 80 list 3 description web
!
ip dhcp excluded-address 192.168.1.1 192.168.1.19
ip dhcp excluded-address 192.168.1.221 192.168.1.254
ip dhcp excluded-address 172.16.16.1 172.16.17.9
ip dhcp excluded-address 172.16.17.255 172.16.31.254
ip dhcp excluded-address 192.168.10.1 192.168.10.19
ip dhcp excluded-address 192.168.10.201 192.168.10.254
!
ip dhcp pool ccp-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 4.2.2.2 8.8.8.8
default-router 192.168.1.1
domain-name 192.168.1.1
!
ip dhcp pool ccp-pool2
import all
network 172.16.16.0 255.255.240.0
domain-name 172.16.17.1
dns-server 8.8.8.8 4.2.2.2
default-router 172.16.17.1
!
ip dhcp pool ccp-pool3
import all
network 192.168.10.0 255.255.255.0
domain-name 192.168.10.1
dns-server 8.8.8.8 8.8.4.4
!
!
!
ip domain name cisco.com
ip name-server 192.168.1.1
ip name-server 172.16.17.150
ip name-server 8.8.4.4
ip name-server 8.8.8.8
ip ddns update method ccp_ddns1
DDNS both
!
ip ddns update method ccp_ddns2
DDNS both
!
ip ddns update method ccp_ddns3
HTTP
add http://josecervini:tania0509@www.zoneedit.com/auth/dynamic.html?host=<h>&dnsto=<a>
remove http://josecervini:tania0509@www.zoneedit.com/auth/dynamic.html?host=<h>&dnsto=<a>
!
ip cef
no ipv6 cef
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
voice-card 0
!
!
!
!
!
!
!
!
vxml logging-tag
license udi pid CISCO2921/K9 sn FJC2023A20G
license boot suite FoundationSuiteK9
license boot suite AdvUCSuiteK9
!
!
object-group network web
range 172.16.17.1 192.168.1.254
!
object-group service webs
tcp-udp eq 80
!
username ccpuser privilege 15 secret 5 $1$bIIh$a6.TxyCG//h9RvETKn8VT/
username josecervini privilege 15 secret 5 $1$cshA$d5m2kNtvOqhTU6YnjIKHT/
username cisco privilege 15 secret 5 $1$Tyso$5XDxXKGCMMK9RrL0g94B8/
!
redundancy
!
!
!
!
!
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-all sdm-nat-http-1
match access-group 150
match protocol http
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 102
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
!
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $FW_OUTSIDE$$ETH-WAN$
ip dhcp client update dns server none
ip ddns update ccp_ddns2
ip address dhcp client-id GigabitEthernet0/0
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
media-type sfp auto-failover
!
interface GigabitEthernet0/2
description $FW_INSIDE$$ETH-LAN$
ip address 172.16.17.1 255.255.240.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
switchport trunk native vlan 2
switchport mode access
no ip address
shutdown
!
interface GigabitEthernet0/0/1
no ip address
shutdown
!
interface GigabitEthernet0/0/2
no ip address
shutdown
!
interface GigabitEthernet0/0/3
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool pool1 192.168.1.0 192.168.1.200 netmask 255.255.255.0
ip nat pool pool2 172.16.17.0 172.16.17.254 netmask 255.255.240.0
ip nat inside source list 4 interface GigabitEthernet0/0 overload
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.16.17.150 80 interface GigabitEthernet0/0 80
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
!
ipv6 ioam timestamp
!
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.16.16.0 0.0.15.255
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 172.16.17.150
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 172.16.17.150
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 172.16.16.0 0.0.15.255
access-list 5 remark CCP_ACL Category=1
access-list 5 permit 172.16.17.150
access-list 100 remark CCP_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp any host 172.16.17.150 eq www
access-list 115 remark CCP_ACL Category=16
access-list 115 permit tcp 0.0.0.1 255.255.255.0 0.0.1.1 255.255.240.0 eq www
access-list 120 remark CCP_ACL Category=1
access-list 120 permit ip host 127.0.0.1 host 172.16.17.150
access-list 121 remark CCP_ACL Category=128
access-list 121 permit ip host 127.0.0.1 host 172.16.17.150
access-list 125 remark CCP_ACL Category=1
access-list 125 permit ip host 192.168.1.1 0.0.1.150 255.255.240.0
access-list 130 remark CCP_ACL Category=2
access-list 130 permit tcp any host 172.16.17.150 eq www
access-list 135 remark CCP_ACL Category=64
access-list 135 permit tcp 0.0.0.1 255.255.255.0 eq www 0.0.1.150 255.255.240.0 eq www
access-list 150 remark CCP_ACL Category=64
access-list 150 permit tcp any host 172.16.17.150 eq www
access-list 150 permit tcp any host 172.16.17.150 eq ftp-data
access-list 150 permit tcp any host 172.16.17.150 eq ftp
access-list 150 permit tcp any host 172.16.17.150 eq telnet
access-list 150 permit tcp any host 172.16.17.150 eq 443
access-list 150 permit tcp any host 172.16.17.150 eq 22
access-list 150 permit udp any host 172.16.17.150 eq 80
access-list 150 permit udp any host 172.16.17.150 range 20 23
access-list 150 permit udp any host 172.16.17.150 eq 443
!
!
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input telnet
!
scheduler allocate 20000 1000
!
end

Hello

Can you confirm how you are trying to access this web page? Is it via its registered domain name?

From where are you trying to access this web page: internally from the same LAN this page is hosted on, or externally from an internet address?

Either way you need to use NAT, and if you're trying to access it from an internal host via its public IP address then you will need to hairpin the NAT.

Please confirm, and an example of the configuration could be provided.

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I try to enter by putting the domain. On the server there are 7 web pages; the test one is www.lobella.net. From outside my network it can be entered, but I cannot connect from my PC or my laptop connected to my Wi-Fi. The LAN of the server is interface GE 0/2, 172.16.17.*; interface GE 0/1, where my PC and Wi-Fi are, is 192.168.1.*; interface GE 0/0 is my WAN. When I write www.lobella.net in my browser, it shows me the login for my router configuration.

Hello
The most simplistic way is to use domain-less NAT if your rtr supports it. Also, I notice you have ZBFW enabled; I suggest temporarily disabling this until you obtain the connectivity you wish, then re-enable it and verify if connectivity is still applicable.
Example:
! Remove the legacy (inside/outside) NAT configuration
no ip nat pool pool1 192.168.1.0 192.168.1.200 netmask 255.255.255.0
no ip nat pool pool2 172.16.17.0 172.16.17.254 netmask 255.255.240.0
no ip nat inside source list 4 interface GigabitEthernet0/0 overload
no ip nat inside source list 101 interface GigabitEthernet0/0 overload
no ip nat inside source static tcp 172.16.17.150 80 interface GigabitEthernet0/0 80
!
! Switch every interface to domain-less NAT (NVI)
interface GigabitEthernet0/0
 no ip nat outside
 ip nat enable
!
interface GigabitEthernet0/1
 no ip nat inside
 ip nat enable
!
interface GigabitEthernet0/2
 no ip nat inside
 ip nat enable
!
! Re-create the overload and the port forward without the "inside" keyword
access-list 4 permit 192.168.1.0 0.0.0.255
ip nat source list 4 interface GigabitEthernet0/0 overload
ip nat source static tcp 172.16.17.150 80 interface GigabitEthernet0/0 80

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

It is incredible how they have helped me; these steps were decisive. I checked that the Cisco Configuration Professional helps, but that the main lines have to be put through console and CLI. They are geniuses.

Can you, for the sake of reference, post the entire working configuration including the ZBF?


Building configuration...


Current configuration : 7136 bytes
!
! Last configuration change at 16:45:39 PCTime Wed Aug 12 2020 by josecervini
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone PCTime -5 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


ip port-map http port tcp 80 list 2 description web
ip port-map http port tcp 8080 list 5
ip port-map https port tcp 80 list 3 description web
!
ip dhcp excluded-address 192.168.1.1 192.168.1.19
ip dhcp excluded-address 192.168.1.221 192.168.1.254
ip dhcp excluded-address 172.16.16.1 172.16.17.9
ip dhcp excluded-address 172.16.17.255 172.16.31.254
!
ip dhcp pool ccp-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 4.2.2.2 8.8.8.8
default-router 192.168.1.1
domain-name 192.168.1.1
!
ip dhcp pool ccp-pool2
import all
network 172.16.16.0 255.255.240.0
domain-name 172.16.17.1
dns-server 8.8.8.8 4.2.2.2
default-router 172.16.17.1
!
!
!
ip domain name cisco.com
ip name-server 192.168.1.1
ip name-server 172.16.17.150
ip name-server 8.8.4.4
ip name-server 8.8.8.8
ip ddns update method ccp_ddns1
DDNS both
!
ip ddns update method ccp_ddns2
DDNS both
!
ip ddns update method ccp_ddns3
HTTP
add http://josecervini:tania0509@www.zoneedit.com/auth/dynamic.html?host=<h>&dnsto=<a>
remove http://josecervini:tania0509@www.zoneedit.com/auth/dynamic.html?host=<h>&dnsto=<a>
!
ip cef
no ipv6 cef
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
voice-card 0
!
!
!
!
!
!
!
!
vxml logging-tag
license udi pid CISCO2921/K9 sn FJC2023A20G
license boot suite FoundationSuiteK9
license boot suite AdvUCSuiteK9
!
!
object-group network web
range 172.16.17.1 192.168.1.254
!
object-group service webs
tcp-udp eq 80
!
username ccpuser privilege 15 secret 5 $1$bIIh$a6.TxyCG//h9RvETKn8VT/
username josecervini privilege 15 secret 5 $1$cshA$d5m2kNtvOqhTU6YnjIKHT/
username cisco privilege 15 secret 5 $1$Tyso$5XDxXKGCMMK9RrL0g94B8/
!
redundancy
!
!
!
!
!
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $FW_OUTSIDE$$ETH-WAN$
ip dhcp client update dns server none
ip ddns update ccp_ddns2
ip address dhcp client-id GigabitEthernet0/0
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.1.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
media-type sfp auto-failover
!
interface GigabitEthernet0/2
description $FW_INSIDE$$ETH-LAN$
ip address 172.16.17.1 255.255.240.0
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
switchport trunk native vlan 2
switchport mode access
no ip address
shutdown
!
interface GigabitEthernet0/0/1
no ip address
shutdown
!
interface GigabitEthernet0/0/2
no ip address
shutdown
!
interface GigabitEthernet0/0/3
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source list 4 interface GigabitEthernet0/0 overload
ip nat source static tcp 172.16.17.150 80 interface GigabitEthernet0/0 80
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
!
ipv6 ioam timestamp
!
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.16.16.0 0.0.15.255
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 172.16.17.150
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 172.16.17.150
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 172.16.16.0 0.0.15.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 5 remark CCP_ACL Category=1
access-list 5 permit 172.16.17.150
access-list 100 remark CCP_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip any any
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp any host 172.16.17.150 eq www
access-list 115 remark CCP_ACL Category=16
access-list 115 permit tcp 0.0.0.1 255.255.255.0 0.0.1.1 255.255.240.0 eq www
access-list 120 remark CCP_ACL Category=1
access-list 120 permit ip host 127.0.0.1 host 172.16.17.150
access-list 125 remark CCP_ACL Category=1
access-list 125 permit ip host 192.168.1.1 0.0.1.150 255.255.240.0
access-list 130 remark CCP_ACL Category=2
access-list 130 permit tcp any host 172.16.17.150 eq www
access-list 135 remark CCP_ACL Category=64
access-list 135 permit tcp 0.0.0.1 255.255.255.0 eq www 0.0.1.150 255.255.240.0 eq www
!
!
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input telnet
!
scheduler allocate 20000 1000
!
end

I have a problem with the firewall; for that reason I have not yet submitted the final configuration. I am trying to set it up.
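Why LAN clients reached the router's login page before the change and the web server after it, as an added example (not code from the thread or from Cisco): a small Python model of how legacy inside/outside NAT and domain-less NAT apply the static port forward, plus a check for interfaces left without a ZBFW zone. The config excerpts are constructed from the two running configurations posted above, the function names are hypothetical, and the model covers only static TCP port forwards.

```python
import re

# Constructed excerpts: only the NAT and firewall lines of the two running
# configurations posted in the thread (before and after the change).
BEFORE = """\
interface GigabitEthernet0/0
ip nat outside
zone-member security out-zone
interface GigabitEthernet0/1
ip nat inside
zone-member security in-zone
interface GigabitEthernet0/2
ip nat inside
zone-member security in-zone
!
ip http server
ip nat inside source static tcp 172.16.17.150 80 interface GigabitEthernet0/0 80
"""
AFTER = """\
interface GigabitEthernet0/0
ip nat enable
interface GigabitEthernet0/1
ip nat enable
interface GigabitEthernet0/2
ip nat enable
!
ip http server
ip nat source static tcp 172.16.17.150 80 interface GigabitEthernet0/0 80
"""
STATIC = re.compile(r"ip nat (inside )?source static tcp (\S+) (\d+) interface \S+ (\d+)")

def parse(config):
    """Return (interfaces, static forwards, http_server_enabled)."""
    ifaces, statics, http, cur = {}, [], False, None
    for line in map(str.strip, config.splitlines()):
        if line in ("", "!"):
            cur = None  # "!" ends an interface block
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"nat": None, "zone": None})
        elif cur is not None and (m := re.fullmatch(r"ip nat (inside|outside|enable)", line)):
            cur["nat"] = m[1]
        elif cur is not None and (m := re.fullmatch(r"zone-member security (\S+)", line)):
            cur["zone"] = m[1]
        elif m := STATIC.fullmatch(line):
            # (is_domainless, local address, local port, global port)
            statics.append((m[1] is None, m[2], int(m[3]), int(m[4])))
        elif line == "ip http server":
            http = True
    return ifaces, statics, http

def lan_request(config, ingress, dport=80):
    """Fate of a TCP request to the WAN address that enters on `ingress`."""
    ifaces, statics, http = parse(config)
    role = ifaces[ingress]["nat"]
    for nvi, local, lport, gport in statics:
        # Legacy NAT rewrites the destination only for packets arriving on an
        # "ip nat outside" interface. Domain-less NAT (ip nat enable with
        # "ip nat source ...") applies on any NAT-enabled ingress interface.
        if gport == dport and role == ("enable" if nvi else "outside"):
            return f"translated to {local}:{lport}"
    # Untranslated, the packet is addressed to the router itself.
    return "router's own HTTP server" if http and dport == 80 else "not forwarded"

def unzoned(config):
    """Interfaces that are not a member of any ZBFW security zone."""
    ifaces = parse(config)[0]
    return sorted(name for name, i in ifaces.items() if i["zone"] is None)

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, "LAN client ->", lan_request(cfg, "GigabitEthernet0/1"))
        print(name, "interfaces without a zone:", unzoned(cfg))
```

Run against the second configuration, the zone check lists all three interfaces, which matches the firewall still being disabled at the end of the thread.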