Solved: ISR 4331 - Internet is Not Through on Specific Vlan

Atif Sajjad · ‎07-24-2022

Dear All,

I have One ISR 4331, Which was managed by Another IT Guy, Unfortunately he left without proper Handover. Well, Coming to the point, I created one DHCP Pool on ISR 4331 /23 Network. I'm Getting an IP address but internet is working.
DHCP Pool name is :

dhcp pool KLD_Labour_CAMP_Pool_VLAN_71

Interface:

interface GigabitEthernet0/0/1.71

Please Note: Rest of the Vlans are working fine. Only Vlan 71 is not getting internet, maybe is it because of ACL or am i missing something?
Anyone can help me in this please ?

!

interface GigabitEthernet0/0/0

description WAN01_Microwave

ip address 172.16.10.2 255.255.255.252

negotiation auto

spanning-tree portfast

service-policy output WEBUI-QUEUING-OUT

!

interface GigabitEthernet0/0/1

description LAN_Trunk

no ip address

negotiation auto

spanning-tree portfast trunk

!

interface GigabitEthernet0/0/1.6

description THOE_Admin VLAN_6

encapsulation dot1Q 6

ip address 10.6.6.1 255.255.255.0

ip nbar protocol-discovery

ip access-group Admin_VLAN_6_IN in

service-policy input WEBUI-MARKING-IN

!

interface GigabitEthernet0/0/1.55

description IoT_VLAN_55

encapsulation dot1Q 55

ip address 10.6.55.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

!

interface GigabitEthernet0/0/1.60

description Management_VLAN_60

encapsulation dot1Q 60

ip address 10.6.0.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

!

interface GigabitEthernet0/0/1.61

description THOE_Office_VLAN_61

encapsulation dot1Q 61

ip address 10.6.1.1 255.255.255.0

ip helper-address 10.20.6.10

ip nbar protocol-discovery

ip access-group DATA_VLAN_61_IN in

service-policy input WEBUI-MARKING-IN

!

interface GigabitEthernet0/0/1.66

description KLD_Staff_BYON_VLAN_66

encapsulation dot1Q 66

ip address 10.6.66.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

!

interface GigabitEthernet0/0/1.67

description KLD_Staff_CAMP_VLAN_67

encapsulation dot1Q 67

ip address 10.6.67.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip access-group KLD_Staff_CAMP_VLAN_67_IN in

!

interface GigabitEthernet0/0/1.69

description CCTV_VLAN_69

encapsulation dot1Q 69

ip address 10.6.9.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip access-group CCTV_VLAN_69_IN in

!

interface GigabitEthernet0/0/1.71

description KLD_Labour_CAMP_VLAN_71

encapsulation dot1Q 71

ip address 10.100.70.1 255.255.254.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip access-group KLD_Labour_VLAN_71_IN in

!

interface GigabitEthernet0/0/1.100

description P2P_Access_VLAN_100

encapsulation dot1Q 100

ip address 10.6.100.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

!

interface GigabitEthernet0/0/1.102

description Sweden_KLD_Employee_VLAN_102

encapsulation dot1Q 102

ip address 10.6.102.1 255.255.255.0

ip helper-address 10.20.6.10

no ip redirects

no ip unreachables

no ip proxy-arp

ip access-group Sweden_KLD_Employee_VLAN_102_IN in

!

interface GigabitEthernet0/0/1.172

description NAS_VLAN_172

encapsulation dot1Q 172

ip address 172.16.0.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip access-group NAS_VLAN_172_IN in

!

interface GigabitEthernet0/0/1.3030

description SERVER FARM_VLAN_3030

encapsulation dot1Q 3030

ip address 10.20.6.1 255.255.254.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip access-group SERVER_FARM_VLAN_3030_IN in

!

interface GigabitEthernet0/0/1.3060

description iLO_VLAN_3060

encapsulation dot1Q 3060

ip address 10.20.18.1 255.255.254.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip access-group iLO_VLAN_3060_IN in

!

interface GigabitEthernet0/0/2

description WAN02_GSM_Router

ip address 172.16.101.2 255.255.255.248

media-type sfp

negotiation auto

spanning-tree portfast

service-policy output WEBUI-QUEUING-OUT

!

interface GigabitEthernet0

description Management

vrf forwarding Mgmt-intf

ip address 10.6.200.1 255.255.255.0

negotiation auto

!

ip http server

ip http access-class ipv4 99

ip http authentication local

ip http secure-server

ip http secure-port 65443

ip forward-protocol nd

ip dns server

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 172.16.10.1 track 2

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2 172.16.101.1 10

ip ssh time-out 60

ip ssh authentication-retries 2

ip ssh version 2

!

ip access-list extended Admin_VLAN_6_IN

10 remark Access_to_Router

10 deny tcp 10.6.6.0 0.0.0.255 host 10.6.6.1 eq 22 log

20 deny tcp 10.6.6.0 0.0.0.255 host 10.6.6.1 eq 65443 log

30 remark Routed_Subnet_access

30 permit ip 10.6.6.0 0.0.0.255 172.16.10.0 0.0.0.3

40 permit ip 10.6.6.0 0.0.0.255 172.16.101.0 0.0.0.7

50 remark Internal_Subnet_access

50 permit ip 10.6.6.0 0.0.0.255 10.6.6.0 0.0.0.255

60 remark THOE_External_Subnets_and_Hosts_access

60 permit ip 10.6.6.0 0.0.0.255 10.6.1.0 0.0.0.255

70 permit ip 10.6.6.0 0.0.0.255 10.6.9.0 0.0.0.255

80 permit ip 10.6.6.0 0.0.0.255 10.20.6.0 0.0.1.255

90 remark Concord_External_Subnets_and_Hosts_access

90 permit ip 10.6.6.0 0.0.0.255 10.10.43.0 0.0.0.255

100 permit ip 10.6.6.0 0.0.0.255 10.10.6.0 0.0.1.255

110 permit ip 10.6.6.0 0.0.0.255 host 10.1.50.20

120 remark BLOCK_to_Private_subnets

120 deny ip 10.6.6.0 0.0.0.255 10.0.0.0 0.255.255.255 log

130 deny ip 10.6.6.0 0.0.0.255 172.16.0.0 0.15.255.255 log

140 deny ip 10.6.6.0 0.0.0.255 192.168.55.0 0.0.0.255 log

150 deny ip 10.6.6.0 0.0.0.255 169.254.0.0 0.0.255.255 log

160 deny ip 10.6.6.0 0.0.0.255 224.0.0.0 15.255.255.255 log

170 deny ip 10.6.6.0 0.0.0.255 240.0.0.0 7.255.255.255 log

180 deny ip 10.6.6.0 0.0.0.255 127.0.0.0 0.255.255.255 log

190 remark Access_to_Internet

190 permit ip 10.6.6.0 0.0.0.255 any

200 remark DHCP_request

200 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

210 remark Block_All_Traffic

210 deny ip any any

ip access-list extended CCTV_VLAN_69_IN

10 remark Access_to_Router

10 deny tcp 10.6.9.0 0.0.0.255 host 10.6.9.1 eq 22 log

20 deny tcp 10.6.9.0 0.0.0.255 host 10.6.9.1 eq 65443 log

30 remark Routed_Subnet_access

30 permit ip 10.6.9.0 0.0.0.255 172.16.10.0 0.0.0.3

40 remark Internal_Subnet_access

40 permit ip 10.6.9.0 0.0.0.255 10.6.9.0 0.0.0.255

50 remark External_Subnets_and_Hosts_access

50 permit ip 10.6.9.0 0.0.0.255 10.6.6.0 0.0.0.255

60 remark Concord_External_Subnets_and_Hosts_access

60 permit ip host 10.6.9.12 10.1.0.0 0.0.0.255

70 permit ip host 10.6.9.12 10.2.20.0 0.0.0.255

80 permit ip host 10.6.9.3 10.1.0.0 0.0.0.255

90 permit ip host 10.6.9.3 10.2.20.0 0.0.0.255

100 remark Remote_VPN_IT_and_Management

100 permit ip 10.6.9.0 0.0.0.255 10.2.99.0 0.0.0.255

110 permit ip host 10.6.9.12 10.2.5.0 0.0.0.255

120 remark BLOCK_to_Private_subnets

120 deny ip 10.6.9.0 0.0.0.255 10.0.0.0 0.255.255.255 log

130 deny ip 10.6.9.0 0.0.0.255 172.16.0.0 0.15.255.255 log

140 deny ip 10.6.9.0 0.0.0.255 192.168.55.0 0.0.0.255 log

150 deny ip 10.6.9.0 0.0.0.255 169.254.0.0 0.0.255.255 log

160 deny ip 10.6.9.0 0.0.0.255 224.0.0.0 15.255.255.255 log

170 deny ip 10.6.9.0 0.0.0.255 240.0.0.0 7.255.255.255 log

180 deny ip 10.6.9.0 0.0.0.255 127.0.0.0 0.255.255.255 log

190 remark DHCP_request

190 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

200 remark Block_All_Traffic

200 deny ip any any

ip access-list extended DATA_VLAN_61_IN

10 remark Access_to_Router

10 deny tcp 10.6.1.0 0.0.0.255 host 10.6.1.1 eq 22 log

20 deny tcp 10.6.1.0 0.0.0.255 host 10.6.1.1 eq 65443 log

30 remark Routed_Subnet_access

30 permit ip 10.6.1.0 0.0.0.255 172.16.10.0 0.0.0.3

40 permit ip 10.6.1.0 0.0.0.255 172.16.101.0 0.0.0.7

50 remark Admin_Subnet_access

50 permit tcp 10.6.1.0 0.0.0.255 10.6.6.0 0.0.0.255 established

60 permit tcp 10.6.1.0 0.0.0.255 10.1.0.0 0.0.0.255 established

70 permit tcp 10.6.1.0 0.0.0.255 10.2.20.0 0.0.0.255 established

80 remark Internal_Subnet_access

80 permit ip 10.6.1.0 0.0.0.255 10.6.1.0 0.0.0.255

90 remark ISLAND_Subnets_and_Hosts_access

90 permit ip host 10.6.1.10 10.2.50.0 0.0.0.255

100 permit ip 10.6.1.0 0.0.0.255 host 10.20.6.10

110 permit ip 10.6.1.0 0.0.0.255 host 10.20.6.20

120 permit ip host 10.6.1.10 10.6.6.0 0.0.0.255

130 permit ip host 10.6.1.10 10.6.102.0 0.0.0.255

140 remark Concord_External_Subnets_and_Hosts_access

140 permit ip 10.6.1.0 0.0.0.255 host 10.10.6.21

150 permit ip 10.6.1.0 0.0.0.255 host 10.10.6.22

160 permit ip 10.6.1.0 0.0.0.255 host 10.10.6.26

170 permit ip 10.6.1.0 0.0.0.255 host 10.10.6.27

180 permit ip 10.6.1.0 0.0.0.255 host 10.10.43.13

190 permit ip 10.6.1.0 0.0.0.255 host 10.10.6.48

200 permit ip 10.6.1.0 0.0.0.255 host 10.10.6.47

210 permit ip 10.6.1.0 0.0.0.255 host 10.10.43.47

220 permit ip 10.6.1.0 0.0.0.255 host 10.1.50.20

230 permit ip host 10.6.1.10 10.2.0.0 0.0.1.255

240 permit ip host 10.6.1.12 10.2.0.0 0.0.1.255

250 permit ip 10.6.1.0 0.0.0.255 host 10.2.1.14

260 remark Remote_VPN_IT_and_Management

260 permit ip host 10.6.1.10 10.2.99.0 0.0.0.255

270 permit ip host 10.6.1.10 10.2.5.0 0.0.0.25

280 remark BLOCK_to_Private_subnets

280 deny ip 10.6.1.0 0.0.0.255 10.0.0.0 0.255.255.255 log

290 deny ip 10.6.1.0 0.0.0.255 172.16.0.0 0.15.255.255 log

300 deny ip 10.6.1.0 0.0.0.255 192.168.55.0 0.0.0.255 log

310 deny ip 10.6.1.0 0.0.0.255 169.254.0.0 0.0.255.255 log

320 deny ip 10.6.1.0 0.0.0.255 224.0.0.0 15.255.255.255 log

330 deny ip 10.6.1.0 0.0.0.255 240.0.0.0 7.255.255.255 log

340 deny ip 10.6.1.0 0.0.0.255 127.0.0.0 0.255.255.255 log

350 remark Access_to_Internet

350 permit ip 10.6.1.0 0.0.0.255 any

360 remark DHCP_request

360 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

370 remark Block_All_Traffic

370 deny ip any any

ip access-list extended KLD_Labour_VLAN_71_IN

10 remark Access_to_Router

10 deny tcp 10.100.70.0 0.0.1.255 host 10.100.70.1 eq 22 log

20 deny tcp 10.100.70.0 0.0.1.255 host 10.100.70.1 eq 65443 log

30 remark Routed_Subnet_access

30 permit ip 10.100.70.0 0.0.1.255 172.16.10.0 0.0.0.3

40 remark Internal_Subnet_access

40 permit ip 10.100.70.0 0.0.1.255 10.100.70.0 0.0.1.255

50 remark BLOCK_to_Private_subnets

50 deny ip 10.100.70.0 0.0.1.255 10.0.0.0 0.255.255.255 log

60 deny ip 10.100.70.0 0.0.1.255 172.16.0.0 0.15.255.255 log

70 deny ip 10.100.70.0 0.0.1.255 192.168.54.0 0.0.1.255 log

80 deny ip 10.100.70.0 0.0.1.255 169.254.0.0 0.0.255.255 log

90 deny ip 10.100.70.0 0.0.1.255 224.0.0.0 15.255.255.255 log

100 deny ip 10.100.70.0 0.0.1.255 240.0.0.0 7.255.255.255 log

110 deny ip 10.100.70.0 0.0.1.255 127.0.0.0 0.255.255.255 log

120 remark Access_to_Internet

120 permit ip 10.100.70.0 0.0.1.255 any

130 remark DHCP_request

130 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

140 remark Block_All_Traffic

140 deny ip any any

ip access-list extended KLD_Staff_BYON_VLAN_66_IN

10 remark Access_to_Router

10 deny tcp 10.6.66.0 0.0.0.255 host 10.6.66.1 eq 22 log

20 deny tcp 10.6.66.0 0.0.0.255 host 10.6.66.1 eq 65443 log

30 remark Routed_Subnet_access

30 permit ip 10.6.66.0 0.0.0.255 172.16.10.0 0.0.0.3

40 remark Internal_Subnet_access

40 permit ip 10.6.66.0 0.0.0.255 10.6.66.0 0.0.0.255

50 remark External_Subnets_and_Hosts_access

50 permit ip 10.6.66.0 0.0.0.255 host 10.10.6.21

60 permit ip 10.6.66.0 0.0.0.255 host 10.10.6.22

70 permit ip 10.6.66.0 0.0.0.255 host 10.10.6.26

80 permit ip 10.6.66.0 0.0.0.255 host 10.1.50.20

90 permit ip 10.6.66.0 0.0.0.255 host 10.20.6.20

100 remark BLOCK_to_Private_subnets

100 deny ip 10.6.66.0 0.0.0.255 10.0.0.0 0.255.255.255 log

110 deny ip 10.6.66.0 0.0.0.255 172.16.0.0 0.15.255.255 log

120 deny ip 10.6.66.0 0.0.0.255 192.168.55.0 0.0.0.255 log

130 deny ip 10.6.66.0 0.0.0.255 169.254.0.0 0.0.255.255 log

140 deny ip 10.6.66.0 0.0.0.255 224.0.0.0 15.255.255.255 log

150 deny ip 10.6.66.0 0.0.0.255 240.0.0.0 7.255.255.255 log

160 deny ip 10.6.66.0 0.0.0.255 127.0.0.0 0.255.255.255 log

170 remark Access_to_Internet

170 permit ip 10.6.66.0 0.0.0.255 any

180 remark DHCP_request

180 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

190 remark Block_All_Traffic

190 deny ip any any

ip access-list extended KLD_Staff_CAMP_VLAN_67_IN

10 remark Access_to_Router

10 deny tcp 10.6.67.0 0.0.0.255 host 10.6.67.1 eq 22 log

20 deny tcp 10.6.67.0 0.0.0.255 host 10.6.67.1 eq 65443 log

30 remark Routed_Subnet_access

30 permit ip 10.6.67.0 0.0.0.255 172.16.10.0 0.0.0.3

40 remark Internal_Subnet_access

40 permit ip 10.6.67.0 0.0.0.255 10.6.67.0 0.0.0.255

50 remark BLOCK_to_Private_subnets

50 deny ip 10.6.67.0 0.0.0.255 10.0.0.0 0.255.255.255 log

60 deny ip 10.6.67.0 0.0.0.255 172.16.0.0 0.15.255.255 log

70 deny ip 10.6.67.0 0.0.0.255 192.168.55.0 0.0.0.255 log

80 deny ip 10.6.67.0 0.0.0.255 169.254.0.0 0.0.255.255 log

90 deny ip 10.6.67.0 0.0.0.255 224.0.0.0 15.255.255.255 log

100 deny ip 10.6.67.0 0.0.0.255 240.0.0.0 7.255.255.255 log

110 deny ip 10.6.67.0 0.0.0.255 127.0.0.0 0.255.255.255 log

120 remark Access_to_Internet

120 permit ip 10.6.67.0 0.0.0.255 any

130 remark DHCP_request

130 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

140 remark Block_All_Traffic

140 deny ip any any

ip access-list extended NAS_VLAN_172_IN

10 remark Access_to_Router

10 deny tcp 172.16.0.0 0.0.0.255 host 172.16.0.1 eq 22 log

20 deny tcp 172.16.0.0 0.0.0.255 host 172.16.0.1 eq 65443 log

30 remark Internal_Subnet_access

30 permit ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255

40 remark BLOCK_to_Private_subnets

40 deny ip 172.16.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log

50 deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log

60 deny ip 172.16.0.0 0.0.0.255 192.168.55.0 0.0.0.255 log

70 deny ip 172.16.0.0 0.0.0.255 169.254.0.0 0.0.255.255 log

80 deny ip 172.16.0.0 0.0.0.255 224.0.0.0 15.255.255.255 log

90 deny ip 172.16.0.0 0.0.0.255 240.0.0.0 7.255.255.255 log

100 deny ip 172.16.0.0 0.0.0.255 127.0.0.0 0.255.255.255 log

110 remark NO_Access_to_Internet

110 remark DHCP_request

110 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

120 remark Block_All_Traffic

120 deny ip any any

ip access-list extended SERVER_FARM_VLAN_3030_IN

10 remark Access_to_Router

10 deny tcp 10.20.6.0 0.0.1.255 host 10.20.6.1 eq 22 log

20 deny tcp 10.20.6.0 0.0.1.255 host 10.20.6.1 eq 65443 log

30 remark Routed_Subnet_access

30 permit ip 10.20.6.0 0.0.1.255 172.16.10.0 0.0.0.3

40 permit ip host 10.20.6.10 172.16.101.0 0.0.0.7

50 remark Admin_Subnet_access

50 permit tcp 10.20.6.0 0.0.1.255 10.6.0.0 0.0.0.255 established

60 permit tcp 10.20.6.0 0.0.1.255 10.6.6.0 0.0.0.255 established

70 permit tcp 10.20.6.0 0.0.1.255 10.1.0.0 0.0.0.255 established

80 permit tcp 10.20.6.0 0.0.1.255 10.2.20.0 0.0.0.255 established

90 remark Internal_Subnet_access

90 permit ip 10.20.6.0 0.0.1.255 10.20.6.0 0.0.1.255 log

100 remark External_Subnets_and_Hosts_access

100 permit ip 10.20.6.0 0.0.1.255 10.20.18.0 0.0.1.255

110 permit ip 10.20.6.0 0.0.1.255 host 172.16.0.5

120 permit ip 10.20.6.0 0.0.1.255 host 10.6.1.10

130 permit ip host 10.20.6.10 10.6.6.0 0.0.0.255

140 permit ip host 10.20.6.10 10.6.1.0 0.0.0.255

150 permit ip host 10.20.6.10 10.6.102.0 0.0.0.255

160 remark Concord_External_Subnets_and_Hosts_access

160 permit ip host 10.20.6.20 host 10.1.50.20

170 permit ip 10.20.6.0 0.0.1.255 10.10.6.0 0.0.1.255

180 permit ip 10.20.6.0 0.0.1.255 10.10.43.0 0.0.0.255

190 permit ip 10.20.6.0 0.0.1.255 10.10.32.0 0.0.1.255

200 permit ip 10.20.6.0 0.0.1.255 10.10.18.0 0.0.1.255

210 remark Remote_VPN_IT_and_Management

210 permit ip 10.20.6.0 0.0.1.255 10.2.99.0 0.0.0.255

220 remark BLOCK_to_Private_subnets

220 deny ip 10.20.6.0 0.0.1.255 10.0.0.0 0.255.255.255 log

230 deny ip 10.20.6.0 0.0.1.255 172.16.0.0 0.15.255.255 log

240 deny ip 10.20.6.0 0.0.1.255 192.168.55.0 0.0.0.255 log

250 deny ip 10.20.6.0 0.0.1.255 169.254.0.0 0.0.255.255 log

260 deny ip 10.20.6.0 0.0.1.255 224.0.0.0 15.255.255.255 log

270 deny ip 10.20.6.0 0.0.1.255 240.0.0.0 7.255.255.255 log

280 deny ip 10.20.6.0 0.0.1.255 127.0.0.0 0.255.255.255 log

290 remark Access_to_Internet

290 permit ip 10.20.6.0 0.0.1.255 any

300 remark DHCP_request

300 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

310 remark Block_All_Traffic

310 deny ip any any

ip access-list extended Sweden_KLD_Employee_VLAN_102_IN

10 remark Access_to_Router

10 deny tcp 10.6.102.0 0.0.0.255 host 10.6.102.1 eq 22 log

20 deny tcp 10.6.102.0 0.0.0.255 host 10.6.102.1 eq 65443 log

30 remark Routed_Subnet_access

30 permit ip 10.6.102.0 0.0.0.255 172.16.10.0 0.0.0.3

40 permit ip 10.6.6.0 0.0.0.255 172.16.101.0 0.0.0.7

50 remark Internal_Subnet_access

50 permit ip 10.6.102.0 0.0.0.255 10.6.102.0 0.0.0.255

60 remark ISLAND_Subnets_and_Hosts_access

60 permit ip 10.6.102.0 0.0.0.255 host 10.20.6.10

70 permit ip 10.6.102.0 0.0.0.255 host 10.20.6.20

80 permit ip 10.6.102.0 0.0.0.255 host 10.6.1.10

90 remark Concord_External_Subnets_and_Hosts_access

90 permit ip 10.6.102.0 0.0.0.255 host 10.10.6.21

100 permit ip 10.6.102.0 0.0.0.255 host 10.10.6.22

110 permit ip 10.6.102.0 0.0.0.255 host 10.10.6.26

120 permit ip 10.6.102.0 0.0.0.255 host 10.10.6.27

130 permit ip 10.6.102.0 0.0.0.255 host 10.10.43.13

140 permit ip 10.6.102.0 0.0.0.255 host 10.10.6.48

150 permit ip 10.6.102.0 0.0.0.255 host 10.10.6.47

160 permit ip 10.6.102.0 0.0.0.255 host 10.10.43.47

170 permit ip 10.6.102.0 0.0.0.255 host 10.1.50.20

180 permit ip 10.6.102.0 0.0.0.255 host 10.2.1.14

190 remark BLOCK_to_Private_subnets

190 deny ip 10.6.102.0 0.0.0.255 10.0.0.0 0.255.255.255 log

200 deny ip 10.6.102.0 0.0.0.255 172.16.0.0 0.15.255.255 log

210 deny ip 10.6.102.0 0.0.0.255 192.168.55.0 0.0.0.255 log

220 deny ip 10.6.102.0 0.0.0.255 169.254.0.0 0.0.255.255 log

230 deny ip 10.6.102.0 0.0.0.255 224.0.0.0 15.255.255.255 log

240 deny ip 10.6.102.0 0.0.0.255 240.0.0.0 7.255.255.255 log

250 deny ip 10.6.102.0 0.0.0.255 127.0.0.0 0.255.255.255 log

260 remark Access_to_Internet

260 permit ip 10.6.102.0 0.0.0.255 any

270 remark DHCP_request

270 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

280 remark Block_All_Traffic

280 deny ip any any

ip access-list extended iLO_VLAN_3060_IN

10 remark Access_to_Router

10 deny tcp 10.20.18.0 0.0.1.255 host 10.20.18.1 eq 22 log

20 deny tcp 10.20.18.0 0.0.1.255 host 10.20.18.1 eq 65443 log

30 remark Routed_Subnet_access

30 permit ip 10.20.18.0 0.0.1.255 172.16.10.0 0.0.0.3

40 remark Admin_Subnet_access

40 permit tcp 10.20.18.0 0.0.1.255 10.6.6.0 0.0.0.255 established

50 remark Internal_Subnet_access

50 permit ip 10.20.18.0 0.0.1.255 10.20.18.0 0.0.1.255

60 remark BLOCK_to_Private_subnets

60 deny ip 10.20.18.0 0.0.1.255 10.0.0.0 0.255.255.255 log

70 deny ip 10.20.18.0 0.0.1.255 172.16.0.0 0.15.255.255 log

80 deny ip 10.20.18.0 0.0.1.255 192.168.55.0 0.0.0.255 log

90 deny ip 10.20.18.0 0.0.1.255 169.254.0.0 0.0.255.255 log

100 deny ip 10.20.18.0 0.0.1.255 224.0.0.0 15.255.255.255 log

110 deny ip 10.20.18.0 0.0.1.255 240.0.0.0 7.255.255.255 log

120 deny ip 10.20.18.0 0.0.1.255 127.0.0.0 0.255.255.255 log

130 remark NO_Access_to_Internet

130 remark DHCP_request

130 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps

140 remark Block_All_Traffic

140 deny ip any any

!

ip sla 1

icmp-echo 8.8.8.8 source-ip 172.16.10.2

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo 172.16.10.1 source-ip 172.16.10.2

ip sla schedule 2 life forever start-time now

ip access-list standard 99

10 permit 10.6.0.0 0.0.0.255

20 permit 10.1.0.0 0.0.0.255

30 permit 10.2.99.0 0.0.0.255

!

control-plane host

!

control-plane

!

configuration mode exclusive

!

line con 0

stopbits 1

line aux 0

exec-timeout 0 1

no exec

transport output none

line vty 0 4

privilege level 15

length 0

transport input ssh

line vty 5 15

privilege level 15

transport input ssh

!

call-home

! If contact email address in call-home is configured as sch-smart-licensing@cisco.com

! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.

contact-email-addr sch-smart-licensing@cisco.com

profile "CiscoTAC-1"

active

destination transport-method http

ntp server time.nist.gov

!

event manager applet 1628509802359storeShowTech

event none sync no maxrun 31536000

action 001 cli command "enable"

action 002 cli command "traceroute vrf Mgmt-intf 172.16.10.2"

action 003 file open TECHFILE bootflash:1628509802359sh_tech.txt w+

action 004 file puts TECHFILE "$_cli_result"

action 005 file close TECHFILE

event manager applet 1658345085176storeShowTech

event none sync no maxrun 31536000

action 001 cli command "enable"

action 002 cli command "traceroute ip 8.8.8.8 source Gi0/0/1.70"

action 003 file open TECHFILE bootflash:1658345085176sh_tech.txt w+

action 004 file puts TECHFILE "$_cli_result"

action 005 file close TECHFILE

!

end

THOE_Router_01#

Georg Pauwen · ‎07-25-2022

Hello,

the ISR 4331 has no NAT configuration, so there must be another device in front of this router that does the NAT. Most likely, the IP address range (10.100.70..0/255.255.254.0) is not included in the range of addresses to be translated. Can you find out what device is actually the one externally facing the Internet ?

View solution in original post

Georg Pauwen · ‎07-25-2022

Hello,

the ISR 4331 has no NAT configuration, so there must be another device in front of this router that does the NAT. Most likely, the IP address range (10.100.70..0/255.255.254.0) is not included in the range of addresses to be translated. Can you find out what device is actually the one externally facing the Internet ?

ISR 4331 - Internet is Not Through on Specific Vlan

SEG: SLR(Specific License Reservation)の利用方法

Intelligent Capture にて AP Stats Capture の Specific を選択できない

ASA5500-X: Internet Firewall 設定例 (冗長構成)

Catalyst3650/3850、Catalyst9K SLR(Specific License Reservation)でのSmart License適用方法について

ISR 4331 routing table capacity