ISR1100 SELF Zone / configuration problems with return DNS traffic / potentially DHCP afraid to power off.

rhbmcse
Level 1

Hi all,

I'm running the above router with a few Catalyst switches. Config for the ISR attached.

The problem being I want to use the router for tertiary DNS - I already have 2 x Pi-holes internally taking care of DNS on a day-to-day basis.

When I SSH to my router I can ping 8.8.8.8 from it, but as soon as I enter an FQDN such as www.google.com it locks up and becomes unresponsive. Killing the session is the only way back in. (Interestingly, when I remove the echo-reply from my access-list it still pings - may be related)???

The way this used to work (pre-Pi-hole DNS) was that for each VLAN when I wanted DNS I just hit the gateway for that VLAN (192.168.0.1 for example) and it resolved. Somewhere along the way something seems to disagree with this now.

I do recall that I used to have the Dialer0 interface in no particular zone. This was moved to the INTERNET zone as this seems the correct place for it. I moved it back out of the INTERNET zone, which fixed DNS lookups but broke the Internet access.

Looking at my firewall I can see drops from 8.8.8.8:53 (Google DNS) stating that the zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self is the problem, but I can't see why. It would seem to be allowed.

An even bigger worry is that if I power this down then the WAN interface relies upon this ruleset to obtain its IP over DHCP. If that is not working then it could be game over for my internet connection.

Because the SELF zone is uni-directional and traffic cannot be inspected to allow the return DNS traffic back, I have allowed 53 UDP and TCP back in through to the self zone, so I guess it's a two-pronged query.

1) How does one cater for return traffic given that this could be an ephemeral port? Or is DNS just using UDP, in which case my "53 in rule" should cover it. It cannot be good practice to open ephemeral ports to your WAN interface. No way. However, if I allow IP any any, DNS bursts into life again.

2) Is there a more correct way to configure the access to the self zone? I have NTP allowed in (time for the router), DNS allowed in (so that the router can resolve DNS, which at present seems to be failing), BOOTP so that the router can get its IP address, and then some ICMP for, well, ICMP stuff - unreachables etc.

Only reaching out as I've been looking at this for over a day and my brain is now pickled.

I really don't understand how the DNS is supposed to work with return traffic, even though this worked before without a hitch (and certainly no ephemeral ports inbound). Confused as to why the DNS traffic is now failing.

When I try an nslookup from my connected Mac and set the server to 192.168.0.1 it times out before coming back with

;; connection timed out; no servers could be reached

even though it's on the same VLAN. It's not clear whether "no servers could be reached" refers to the name lookup or the actual DNS on the server not being available, but looking at netstat there are no established sessions on port 53 to 192.168.0.1, which suggests to me that DNS is just not running on the server.

Clearly I have something wrong in my config but I cannot see what.

I'm struggling and I'd really appreciate some expert guidance.

Thanks in anticipation.

Rob.

**Having to paste the config here as I get "The contents of the attachment doesn't match its file type." when trying to upload. Grrrr.

Password:

 

1700ISR#term len 0
1700ISR#sh run
Building configuration...


Current configuration : 25051 bytes
!
! Last configuration change at 09:27:33 GMT Mon Jul 13 2020 by rhbmcse
! NVRAM config last updated at 22:09:01 GMT Sun Jul 12 2020 by rhbmcse
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname 1700ISR
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$jUR3aCOM//XoF5BMiuU6Q
!
no aaa new-model
clock timezone GMT 0 0
clock summer-time GMT recurring
no ip source-route
!
!
!
!
!
!
!
!
!
ip name-server 212.23.3.100 212.23.6.100 8.8.8.8 8.8.4.4
ip domain name 21RTM.local
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 10.0.1.1
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.2.1 192.168.2.3
ip dhcp excluded-address 10.0.2.10
ip dhcp excluded-address 192.168.0.60 192.168.0.254
ip dhcp excluded-address 10.0.2.1
ip dhcp excluded-address 10.0.2.20
ip dhcp excluded-address 192.168.1.1 192.168.1.19
ip dhcp excluded-address 10.0.0.1 10.0.0.19
!
ip dhcp pool CLIENTS
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 10.0.2.10 10.0.2.20 192.168.0.1
domain-name 21RTM.local
!
ip dhcp pool MANAGEMENT
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 10.0.2.10 10.0.2.20 10.0.0.1
!
ip dhcp pool SMART-PLUG-TV
host 192.168.0.21 255.255.255.0
hardware-address 48e1.e523
!
ip dhcp pool GOOGLE-HOME-LIVING-ROOM
host 192.168.0.25 255.255.255.0
hardware-address e4f0.4233.d066
dns-server 10.0.2.10 192.168.0.1
domain-name 21RTM.local
!
ip dhcp pool SONOS-LIVING-ROOM-PLAY1-LEFT-SPEAKER
host 192.168.0.28 255.255.255.0
client-identifier 0134
ip dhcp pool SONOS-LIVING-ROOM-PLAY1-RIGHT-SPEAKER
host 192.168.0.29 255.255.255.0
client-identifier 013.4008.dc
!
ip dhcp pool MONITORING
network 10.0.1.0 255.255.255.0
domain-name MONITORING.VLAN
default-router 10.0.1.1
dns-server 10.0.2.10 10.0.2.20 10.0.1.1
!
ip dhcp pool IP-CAMERA-001
host 192.168.0.22 255.255.255.0
client-identifier 0102d26.1a
!
ip dhcp pool SONOFF-WATER-HEATER-1
host 192.168.0.38 255.255.255.0
hardware-address cc50.8c1b
!
ip dhcp pool SONOFF-WATER-HEATER-2
host 192.168.0.39 255.255.255.0
hardware-address 807d.3a68.16c9
!
ip dhcp pool SMART-PLUG-STUDIO-KEYBOARDS-1
host 192.168.0.24 255.255.255.0
client-identifier 01b0002.b5
!
ip dhcp pool SMART-PLUG-STUDIO-RACK-1
host 192.168.0.26 255.255.255.0
client-identifier 01be8
!
ip dhcp pool RHB-LDOS-LAPTOP
host 192.168.0.36 255.255.255.0
client-identifier 013
ip dhcp pool GOOGLE-CAST-1080-LIVING-ROOM
host 192.168.0.30 255.255.255.0
hardware-address 3c79
!
ip dhcp pool DYSON-HC-LIV-RM
host 192.168.0.32 255.255.255.0
hardware-address c84
!
ip dhcp pool SMART-PLUG-OFFICE-LAPTOP-GANG
host 192.168.0.20 255.255.255.0
client-identifier 016854c.74
!
ip dhcp pool GOOGLE-HOME-STUDIO
host 192.168.0.31 255.255.255.0
hardware-address d4f5b0a
!
ip dhcp pool GOOGLE-HOME-MASTER-BEDROOM
host 192.168.0.34 255.255.255.0
hardware-address d4a33c
!
ip dhcp pool SAMSUNG-TAB-S5E
host 192.168.0.35 255.255.255.0
client-identifier 01
ip dhcp pool SMART-PLUG-STUDIO-GAMES-CONSOLES
host 192.168.0.40 255.255.255.0
client-identifier 0165b.05
!
ip dhcp pool SMART-PLUG-BEDSIDE-LAMP-RHB
host 192.168.0.41 255.255.255.0
client-identifier 016
ip dhcp pool NAGIOS-PI-1
host 10.0.1.10 255.255.255.0
hardware-address b82.0f6d
!
ip dhcp pool SMART-PLUG-MEROSS-SPARE
host 192.168.0.42 255.255.255.0
hardware-address 48e1
ip dhcp pool SERVICES
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
dns-server 10.0.2.10 10.0.2.20 10.0.2.1
domain-name SERVICES.VLAN
!
ip dhcp pool SMART-PLUG-OFFICE-MAC-PRO-GANG
host 192.168.0.23 255.255.255.0
client-identifier 0168.f7.de
dns-server 10.0.2.10 192.168.0.1
domain-name 21RTM.local
!
ip dhcp pool PANASONIC-PLASMA-LIVING-ROOM
host 192.168.0.37 255.255.255.0
client-identifier 018c2.41
!
ip dhcp pool HALLWAY-IPHONE-5S
host 192.168.0.43 255.255.255.0
client-identifier 0168.

ip dhcp pool AMAZON-FIRE-TV-LIVING-ROOM
host 192.168.0.44 255.255.255.0
hardware-address 00bb.daff
!
ip dhcp pool HP-LASERJET-OFFICE
host 192.168.0.45 255.255.255.0
hardware-address 3ca8.
8c
!
ip dhcp pool GAMING-CONSOLES
host 192.168.2.3 255.255.255.0
client-identifier 0104a.b3
dns-server 10.0.2.10 10.0.2.20 192.168.2.1
domain-name GAMING.VLAN
default-router 192.168.2.1
!
ip dhcp pool RHB-CHARM-LAPTOP
host 192.168.0.46 255.255.255.0
client-identifier 01ec.64.ae
!
ip dhcp pool LDOS-IPHONE-8
host 192.168.0.47 255.255.255.0
client-identifier 0150326.b8
!
ip dhcp pool MAC-PRO-CLIENT-VLAN
host 192.168.0.27 255.255.255.0
client-identifier 0170.3b.a4
!
ip dhcp pool MAC_PRO_MGMT_VLAN
host 10.0.0.20 255.255.255.0
client-identifier 0170.aa44.f6
domain-name MGMT.VLAN
!
ip dhcp pool RHB-NOTE-10-PLUS-CLIENT
host 192.168.0.33 255.255.255.0
client-identifier 018.c8c8.d2
!
ip dhcp pool RHB-NOTE-10-PLUS-MGMT
host 10.0.0.30 255.255.255.0
client-identifier 018cc8c8.d2
!
ip dhcp pool MACBOOK_PRO_MGMT_VLAN
host 10.0.0.25 255.255.255.0
client-identifier 01a16e.93
domain-name MGMT.VLAN
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
crypto pki trustpoint TP-self-signed-3510874038
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3510874038
revocation-check none
rsakeypair TP-self-signed-35174038
!
!
crypto pki certificate chain TP-self-signed-351038
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33353130 38373430 3338301E 170D3138 31303035 31373439
33355A17 0D3230306720B976 4CA6D29A 4C869A57 8FB85748
58491EEC 2987C8AB F89DA339 C65FE1BF D7891C51 168FEB2E 7F68A556 DC356112
5E30C794 CA237B31 07A8F16E 4289B4FF 2003F5E4 E6E2FFB6 2D5B873A 5481A04D
F84132ED 783001FE E638599D 22AFD316 E38DB9DE 1C99C8F8 B326057C 6D477FBB
C996B95A B5D2702F DC39BBAC B67CE40C 9E7F9375 05905090 BD65A720 4F5EAB46
B31A5E12 B1A90203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
301F0603 551D2304 18301680 1435C3D7 44179F37 6596ADAF 243B5A53 6F4DF132
36301D06 03551D0E 04160414 35C3D744 179F3765 96ADAF24 3B5A536F 4DF13236
300D0609 2A864886 F70D0101 05050003 82010100 6034A7C9 9DC08E1F C89571F9
CD446CCE E6F0AB62 8AF01F03 F21E8E75 9517FC28 D09C15DA F323BDDC EB42DE1C
09F81447 F87B2D72 5E026E9C F2E82A50 BC5E1FA8 0283BEE7 E36523A7 953F4B59
39DA2E50 2794C536 94337226 FFB3DA83 5ED172EF 0FC8D94C FBB9BE72 6A18F365
004FDFEA 29CF9FD7 F9C0FA3E D1C8E4E4 C202D693 218FC5CF A171C804 AA97BE50
6F305E61 B99D9BF5 D243DAE9 37848E38 992E006F 92B35E7B B8AC9995 1EDEC0C0
B25CE082 26AAFB31 E6F6B6B6 98E2BF42 94DD4F00 B2C3665E 1DC9C4C8 6E35C5B7
7984AFAF 1460956D 0A6516E8 2301EE0B 13252DB1 2DE096E8 A75FA9AA 1A344AA4
DBCC162F 1BA0BA74 CE0032E4 C892DE80 C08EA475
quit
!
!
license udi pid C1117-4P sn FGL227C
license boot level appxk9
license boot level securityk9
!
!
!
!
!
object-group network OBJGRP-ALL-INT-VLANS
192.168.0.0 255.255.248.0
10.0.1.0 255.255.255.0
10.0.0.0 255.255.255.0
10.0.2.0 255.255.255.0
!
object-group network OBJGRP-ALL-INTERNAL-VLANS-EXC-SERVICES
192.168.0.0 255.255.248.0
10.0.0.0 255.255.255.0
10.0.1.0 255.255.255.0
!
object-group network OBJGRP-CLIENT-VLAN
192.168.0.0 255.255.255.0
!
object-group network OBJGRP-EXT-NTP-SERVERS
host 79.135.97.79
host 130.88.212.143
!
object-group network OBJGRP-GAMING-CONSOLES
host 192.168.2.3
!
object-group network OBJGRP-GOOGLE-DNS-SERVERS
host 8.8.8.8
host 8.8.4.4
!
object-group network OBJGRP-INBOUND-DNS-NTP-HOSTS
host 90.207.238.97
host 90.207.238.99
host 212.23.3.100
host 212.23.6.100
host 79.135.97.79
host 130.88.212.143
host 8.8.8.8
host 8.8.4.4
!
object-group network OBJGRP-INSIDE-CLIENT-ROUTER-INTERFACE
host 192.168.0.1
!
object-group network OBJGRP-IPTV-CLIENTS
192.168.1.0 255.255.255.0
host 192.168.1.3
host 192.168.1.4
!
object-group network OBJGRP-MGMT-VLAN
10.0.0.0 255.255.255.0
!
object-group network OBJGRP-MONITORING-VLAN
10.0.1.0 255.255.255.0
!
object-group network OBJGRP-NAGIOS-PI
host 10.0.1.10
!
object-group network OBJGRP-PIHOLE-CLUSTER-1
host 10.0.2.10
host 10.0.2.20
!
object-group network OBJGRP-PIHOLE-PI-1
host 10.0.2.10
!
object-group network OBJGRP-PIHOLE-PI-2
host 10.0.2.20
!
object-group network OBJGRP-SERVICES-VLAN
10.0.2.0 255.255.255.0
!
object-group network OBJGRP-SKY-DNS-SERVERS
host 90.207.238.97
host 90.207.238.99
!
object-group network OBJGRP-ZEN-DNS-SERVERS
host 212.23.3.100
host 212.23.6.100
!
object-group service SCVGRP-DNS-PROTOCOLS
tcp eq domain
udp eq domain
!
object-group service SVCGRP-GAMING-PROTOCOLS
icmp echo
icmp echo-reply
ip
!
object-group service SVCGRP-INTERNAL-MONITORING-PROTOCOLS
udp eq snmp
tcp eq 5009
icmp echo
icmp echo-reply
tcp eq 443
udp eq bootps
udp eq bootpc
tcp eq 1400
!
object-group service SVCGRP-INTERNET-TO-SELF-PROTOCOLS
udp eq bootps
tcp eq domain
udp eq domain
udp eq ntp
icmp unreachable
icmp echo-reply
icmp time-exceeded
icmp parameter-problem
!
object-group service SVCGRP-IPTV-MGMT-PROTOCOLS
tcp eq 22
tcp eq www
icmp echo
icmp echo-reply
!
object-group service SVCGRP-MGMT-VLAN-MONITORING-PROTOCOLS
icmp echo
icmp echo-reply
udp eq snmp
tcp eq 5009
!
object-group service SVCGRP-MONITORING-VLAN-MGMT-PROTOCOLS
tcp eq www
tcp eq 22
tcp eq 9090
tcp eq 443
tcp eq 8888
tcp eq 2812
tcp eq 548
tcp eq 5353
tcp eq 5354
!
object-group service SVCGRP-NEMS-INTERNAL-MANAGEMENT-PROTOCOLS
tcp eq 9090
tcp eq 443
!
object-group service SVCGRP-PIHOLE-INTERNAL-MANAGEMENT-PROTOCOLS
tcp eq www
tcp eq 22
!
object-group service SVCGRP-PIHOLE-INTERNAL-PRODUCTION-PROTOCOLS
tcp eq www
tcp eq domain
udp eq domain
icmp echo
icmp echo-reply
tcp eq 22
!
object-group service SVCGRP-SELF-TO-INTERNET-PROTOCOLS
ip
icmp
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
username rhbmcse privilege 15 password 7 06240B2F48560F482546432B5D550A7A75
!
redundancy
mode none
!
!
!
!
controller VDSL 0/2/0
operating mode vdsl2
modem ukfeature
!
!
vlan internal allocation policy ascending
no cdp run
!
!
class-map type inspect match-any CMAP-CLIENT-VLAN-TO-SERVICES
match access-group name NACL-INT-VLANS-TO-PIHOLE-CLUSTER-1
class-map type inspect match-any CMAP-MONITORING-TO-NAGIOS-PI
match access-group name NACL-CLIENT-VLAN-TO-NAGIOS-PI
class-map type inspect match-any CMAP-NAGIOS-PI-TO-MGMT
match access-group name NACL-NAGIOS-PI-TO-MGMT
class-map type inspect match-any CMAP-LEIDOS-LAPTOP-TO-MGMT
match access-group name NACL-CLIENT-TO-MGMT
class-map type inspect match-any CMAP-MGMT-TO-INTERNET
match access-group name NACL-MGMT-TO-INTERNET
class-map type inspect match-any CMAP-NAGIOS-PI-TO-CLIENT-VLAN
match access-group name NACL-NAGIOS-PI-TO-CLIENT-VLAN
class-map type inspect match-any CMAP-CLIENT-VLAN-TO-NAGIOS-PI
match access-group name NACL-CLIENT-VLAN-TO-NAGIOS-PI
class-map type inspect match-any CMAP-MGMT-TO-IPTV
match access-group name NACL-MGMT-TO-IPTV
class-map type inspect match-all CMAP-INSIDE-TO-SELF
match access-group name NACL-SELF-AND-INSIDE
class-map type inspect match-all CMAP-SELF-TO-INSIDE
match access-group name NACL-SELF-AND-INSIDE
class-map type inspect match-all CMAP-IPTV-TO-INTERNET
match access-group name NACL-IPTV-TO-INTERNET
class-map type inspect match-any CMAP-CLIENT-TO-INTERNET
match access-group name NACL-CLIENT-TO-INTERNET
class-map type inspect match-any CMAP-CLIENT-TO-IPTV
match access-group name NACL-CLIENT-TO-IPTV
class-map type inspect match-any CMAP-SELF-TO-INTERNET
match access-group name NACL-SELF-TO-INTERNET
class-map type inspect match-any CMAP-IPTV-HOSTS-TO-PI-CLUSTER-1
match access-group name NACL-IPTV-HOSTS-TO-SERVICES
class-map type inspect match-any CMAP-INTERNET-TO-SELF
match access-group name NACL-INTERNET-TO-SELF
class-map type inspect match-any CMAP-MGMT-TO-SVCS
match access-group name NACL-INT-VLANS-TO-PIHOLE-CLUSTER-1
class-map type inspect match-any CMAP-MONITORING-TO-SVCS
match access-group name NACL-INT-VLANS-TO-PIHOLE-CLUSTER-1
class-map type inspect match-any CMAP-CONSOLES-TO-INTERNET
match access-group name NACL-CONSOLES-TO-INTERNET
class-map type inspect match-any CMAP-INTERNET-TO-CONSOLES
match access-group name NACL-INTERNET-TO-CONSOLES
class-map type inspect match-any CMAP-MGMT-TO-MONITORING
match access-group name NACL-MGMT-VLAN-TO-MONITORING-VLAN
class-map type inspect match-any CMAP-SERVICES-TO-INTERNET
match access-group name NACL-SERVICES-TO-INTERNET
class-map type inspect match-any CMAP-MONITORING-TO-INTERNET
match access-group name NACL-MONITORING-TO-INTERNET
class-map type inspect match-any CMAP-MGMT-TO-PIHOLE-CLUSTER-1
match access-group name NACL-INT-VLANS-TO-PIHOLE-CLUSTER-1
!
policy-map type inspect PM-CLIENT-VLAN-TO-NAGIOS-PI
class type inspect CMAP-CLIENT-VLAN-TO-NAGIOS-PI
inspect
class class-default
policy-map type inspect PM-MGMT-TO-PIHOLE-CLUSTER-1
class type inspect CMAP-MGMT-TO-PIHOLE-CLUSTER-1
inspect
class class-default
policy-map type inspect PM-MONITORING-TO-INTERNET
class type inspect CMAP-MONITORING-TO-INTERNET
inspect
class class-default
policy-map type inspect PM-IPTV-HOSTS-TO-PI-CLUSTER-1
class type inspect CMAP-IPTV-HOSTS-TO-PI-CLUSTER-1
inspect
class class-default
policy-map type inspect PM-CLIENT-TO-INTERNET
class type inspect CMAP-CLIENT-TO-INTERNET
inspect
class class-default
policy-map type inspect PM-SELF-TO-INTERNET
class type inspect CMAP-SELF-TO-INTERNET
pass
class class-default
drop log
policy-map type inspect PM-MGMT-TO-IPTV
class type inspect CMAP-MGMT-TO-IPTV
inspect
class class-default
policy-map type inspect PM-LEIDOS-LAPTOP-TO-MGMT
class type inspect CMAP-LEIDOS-LAPTOP-TO-MGMT
inspect
class class-default
policy-map type inspect PM-ALL-INT-VLANS-TO-SERVICES
class type inspect CMAP-CLIENT-VLAN-TO-SERVICES
inspect
class class-default
policy-map type inspect PM-SELF-TO-INSIDE
class type inspect CMAP-SELF-TO-INSIDE
pass
class class-default
drop log
policy-map type inspect PM-CLIENT-VLAN-TO-SERVICES
class type inspect CMAP-CLIENT-VLAN-TO-SERVICES
inspect
class class-default
policy-map type inspect PM-CONSOLES-TO-INTERNET
class type inspect CMAP-CONSOLES-TO-INTERNET
pass
class class-default
policy-map type inspect PM-NAGIOS-PI-TO-CLIENT-VLAN
class type inspect CMAP-NAGIOS-PI-TO-CLIENT-VLAN
inspect
class class-default
policy-map type inspect PM-INTERNET-TO-CONSOLES
class type inspect CMAP-INTERNET-TO-CONSOLES
pass
class class-default
policy-map type inspect PM-SERVICES-TO-INTERNET
class type inspect CMAP-SERVICES-TO-INTERNET
inspect
class class-default
policy-map type inspect PM-MGMT-TO-INTERNET
class type inspect CMAP-MGMT-TO-INTERNET
inspect
class class-default
policy-map type inspect PM-MONITORING-TO-SVCS
class type inspect CMAP-MONITORING-TO-SVCS
inspect
class class-default
policy-map type inspect PM-INTERNET-TO-SELF
class type inspect CMAP-INTERNET-TO-SELF
pass
class class-default
drop log
policy-map type inspect PM-NAGIOS-PI-TO-MGMT
class type inspect CMAP-NAGIOS-PI-TO-MGMT
inspect
class class-default
policy-map type inspect PM-IPTV-TO-INTERNET
class type inspect CMAP-IPTV-TO-INTERNET
inspect
class class-default
policy-map type inspect PM-MGMT-TO-MONITORING
class type inspect CMAP-MGMT-TO-MONITORING
inspect
class class-default
policy-map type inspect PM-INSIDE-TO-SELF
class type inspect CMAP-INSIDE-TO-SELF
pass
class class-default
drop log
!
!
zone security INTERNET
zone security INSIDE
zone security IPTV
zone security GAMING
zone security MGMT
zone security MONITORING
zone security SERVICES
zone-pair security ZP-CLIENT-TO-INTERNET source INSIDE destination INTERNET
service-policy type inspect PM-CLIENT-TO-INTERNET
zone-pair security ZP-CLIENT-VLAN-TO-NAGIOS-PI source INSIDE destination MONITORING
service-policy type inspect PM-CLIENT-VLAN-TO-NAGIOS-PI
zone-pair security ZP-CLIENT-VLAN-TO-SERVICES source INSIDE destination SERVICES
service-policy type inspect PM-CLIENT-VLAN-TO-SERVICES
zone-pair security ZP-CONSOLES-TO-INTERNET source GAMING destination INTERNET
service-policy type inspect PM-CONSOLES-TO-INTERNET
zone-pair security ZP-GAMING-TO-SVCS source GAMING destination SERVICES
service-policy type inspect PM-ALL-INT-VLANS-TO-SERVICES
zone-pair security ZP-INSIDE-TO-SELF source INSIDE destination self
service-policy type inspect PM-INSIDE-TO-SELF
zone-pair security ZP-INTERNET-TO-CONSOLES source INTERNET destination GAMING
service-policy type inspect PM-INTERNET-TO-CONSOLES
zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
service-policy type inspect PM-INTERNET-TO-SELF
zone-pair security ZP-IPTV-TO-INTERNET source IPTV destination INTERNET
service-policy type inspect PM-IPTV-TO-INTERNET
zone-pair security ZP-IPTV-TO-SERVICES source IPTV destination SERVICES
service-policy type inspect PM-IPTV-HOSTS-TO-PI-CLUSTER-1
zone-pair security ZP-LEIDOS-LAPTOP-TO-MGMT source INSIDE destination MGMT
service-policy type inspect PM-LEIDOS-LAPTOP-TO-MGMT
zone-pair security ZP-MGMT-TO-INTERNET source MGMT destination INTERNET
service-policy type inspect PM-MGMT-TO-INTERNET
zone-pair security ZP-MGMT-TO-IPTV source MGMT destination IPTV
service-policy type inspect PM-MGMT-TO-IPTV
zone-pair security ZP-MGMT-TO-MONITORING source MGMT destination MONITORING
service-policy type inspect PM-MGMT-TO-MONITORING
zone-pair security ZP-MGMT-TO-SVCS source MGMT destination SERVICES
service-policy type inspect PM-MGMT-TO-PIHOLE-CLUSTER-1
zone-pair security ZP-MONITORING-TO-CLIENT-VLAN source MONITORING destination INSIDE
service-policy type inspect PM-NAGIOS-PI-TO-CLIENT-VLAN
zone-pair security ZP-MONITORING-TO-INTERNET source MONITORING destination INTERNET
service-policy type inspect PM-MONITORING-TO-INTERNET
zone-pair security ZP-MONITORING-TO-MGMT source MONITORING destination MGMT
service-policy type inspect PM-NAGIOS-PI-TO-MGMT
zone-pair security ZP-MONITORING-TO-SVCS source MONITORING destination SERVICES
service-policy type inspect PM-MONITORING-TO-SVCS
zone-pair security ZP-SELF-TO-INSIDE source self destination INSIDE
service-policy type inspect PM-SELF-TO-INSIDE
zone-pair security ZP-SELF-TO-INTERNET source self destination INTERNET
service-policy type inspect PM-SELF-TO-INTERNET
zone-pair security ZP-SERVICES-TO-INTERNET source SERVICES destination INTERNET
service-policy type inspect PM-SERVICES-TO-INTERNET
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0/1/0
description IP CAMERA ACCESS PORT
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface GigabitEthernet0/1/1
description TRUNK TO LRSW
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,40,50,100
switchport mode trunk
speed 1000
duplex full
!
interface GigabitEthernet0/1/2
description TRUNK TO OFSW
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,30,40,50,100
switchport mode trunk
speed 1000
duplex full
!
interface GigabitEthernet0/1/3
description MANAGEMENT INTERFACE FOR BACKUP WiFi
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface ATM0/2/0
no ip address
shutdown
no atm ilmi-keepalive
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
mac-address c03e.0f9c.268e
mtu 1514
no ip address
no negotiation auto
!
interface Ethernet0/2/0.101
encapsulation dot1Q 101
no ip redirects
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description CLIENT-VLAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
interface Vlan20
description IPTV-VLAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
zone-member security IPTV
!
interface Vlan30
description GAMING-VLAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security GAMING
!
interface Vlan40
description MONITORING-VLAN
ip address 10.0.1.1 255.255.255.0
ip nat inside
zone-member security MONITORING
!
interface Vlan50
description SERVICES-VLAN
ip address 10.0.2.1 255.255.255.0
ip nat inside
zone-member security SERVICES
!
interface Vlan100
description MGMT-VLAN
ip address 10.0.0.1 255.255.255.0
ip nat inside
zone-member security MGMT
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
ip nat outside
zone-member security INTERNET
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname zenzen
ppp chap password 7 04E155B3F
ppp direction callout
no cdp enable
no ip virtual-reassembly
!
ip nat inside source route-map OUTSIDE-POOL interface Dialer0 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 Dialer0
ip ssh version 2
!
!
ip access-list extended NACL-CLIENT-TO-INTERNET
permit ip object-group OBJGRP-CLIENT-VLAN any
ip access-list extended NACL-CLIENT-VLAN-TO-NAGIOS-PI
permit object-group SVCGRP-NEMS-INTERNAL-MANAGEMENT-PROTOCOLS object-group OBJGRP-CLIENT-VLAN object-group OBJGRP-NAGIOS-PI
ip access-list extended NACL-CONSOLES-TO-INTERNET
permit object-group SVCGRP-GAMING-PROTOCOLS object-group OBJGRP-GAMING-CONSOLES any
ip access-list extended NACL-INT-VLANS-TO-PIHOLE-CLUSTER-1
permit object-group SVCGRP-PIHOLE-INTERNAL-PRODUCTION-PROTOCOLS object-group OBJGRP-ALL-INTERNAL-VLANS-EXC-SERVICES object-group OBJGRP-PIHOLE-CLUSTER-1
ip access-list extended NACL-INTERNET-TO-CONSOLES
permit object-group SVCGRP-GAMING-PROTOCOLS any object-group OBJGRP-GAMING-CONSOLES
ip access-list extended NACL-INTERNET-TO-SELF
permit object-group SVCGRP-INTERNET-TO-SELF-PROTOCOLS any any
ip access-list extended NACL-IPTV-HOSTS-TO-SERVICES
permit object-group SCVGRP-DNS-PROTOCOLS object-group OBJGRP-IPTV-CLIENTS object-group OBJGRP-PIHOLE-CLUSTER-1
ip access-list extended NACL-IPTV-TO-INTERNET
permit ip object-group OBJGRP-IPTV-CLIENTS any
ip access-list extended NACL-MGMT-TO-INTERNET
permit ip object-group OBJGRP-MGMT-VLAN any
ip access-list extended NACL-MGMT-TO-IPTV
permit object-group SVCGRP-IPTV-MGMT-PROTOCOLS object-group OBJGRP-MGMT-VLAN object-group OBJGRP-IPTV-CLIENTS
ip access-list extended NACL-MGMT-TO-PIHOLE-CLUSTER-1
permit object-group SVCGRP-PIHOLE-INTERNAL-MANAGEMENT-PROTOCOLS object-group OBJGRP-MGMT-VLAN object-group OBJGRP-PIHOLE-CLUSTER-1
ip access-list extended NACL-MGMT-VLAN-TO-MONITORING-VLAN
permit object-group SVCGRP-MONITORING-VLAN-MGMT-PROTOCOLS object-group OBJGRP-MGMT-VLAN object-group OBJGRP-MONITORING-VLAN
ip access-list extended NACL-MONITORING-TO-INTERNET
permit ip object-group OBJGRP-MONITORING-VLAN any
ip access-list extended NACL-NAGIOS-PI-TO-CLIENT-VLAN
permit object-group SVCGRP-INTERNAL-MONITORING-PROTOCOLS object-group OBJGRP-NAGIOS-PI object-group OBJGRP-CLIENT-VLAN
ip access-list extended NACL-NAGIOS-PI-TO-MGMT
permit object-group SVCGRP-MGMT-VLAN-MONITORING-PROTOCOLS object-group OBJGRP-NAGIOS-PI object-group OBJGRP-MGMT-VLAN
ip access-list extended NACL-SELF-AND-INSIDE
permit ip any any
ip access-list extended NACL-SELF-TO-INTERNET
permit ip any any
permit icmp any any
ip access-list extended NACL-SERVICES-TO-INTERNET
permit ip object-group OBJGRP-PIHOLE-CLUSTER-1 any
ip access-list extended NAT-TO-OUTSIDE
permit ip object-group OBJGRP-ALL-INT-VLANS any
!
!
!
route-map OUTSIDE-POOL permit 10
match ip address NAT-TO-OUTSIDE
!
snmp-server community 21RTM RO
snmp-server location 21RTM-ISR-1100-Living-Rm
snmp-server contact rhbmcse@gmail.com
!
!
control-plane
!
!
line con 0
session-timeout 60
exec-timeout 60 0
password 7 091A70152
login
transport input all
stopbits 1
line vty 0 4
exec-timeout 60 0
login local
transport input ssh
!
ntp master
ntp server 79.135.97.79
ntp server 130.88.212.143
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

1700ISR#

 

4 Replies

Hello,

I have a feeling the outgoing ACL with the nested object group might be the problem. Try to change the access list so it matches the outgoing one. So NACL-INTERNET-TO-SELF should be:

ip access-list extended NACL-INTERNET-TO-SELF
permit ip any any
permit icmp any any

Hi Georg - and thanks for your input.
I had the same thought and I implemented this briefly.

If I add the IP any in to the inbound rules it does work.
However - I'm not comfortable with allowing IP any any to my WAN interface.
Surely that's a great big surface area - 65535 ports for the world to attack me on ?

Resolved this with some assistance from Nick Shaw of Always Networks.

e.g.

permit tcp host 8.8.4.4 eq domain any gt 1024
permit udp host 8.8.4.4 eq domain any gt 1024

Applying this to the Internet to Self zone permits the return traffic solely from the specified host.

As I stated:

"I'm not comfortable with allowing IP any any to my WAN interface.
Surely that's a great big surface area - 65535 ports for the world to attack me on?"

Which is why I removed the rule except for a brief moment of testing.

You never want to be allowing an IP ANY ANY from WAN to your SELF zone (unless you like being hacked).

This is just plain BAD advice!

Anyway - resolved now and thank you for your inputs.

Kind regards.

Rob.
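A fuller version of the ACL pattern in the accepted answer, added here as an example and not taken from the thread or from Rob's posted config. It repeats the same "source port 53, destination gt 1024" return rule for every resolver the posted config lists under `ip name-server` (212.23.3.100, 212.23.6.100, 8.8.8.8, 8.8.4.4), adds a matching return rule for the two `ntp server` hosts, and keeps the ICMP error types the original SVCGRP-INTERNET-TO-SELF-PROTOCOLS group carried, so NACL-INTERNET-TO-SELF no longer needs `permit ip any any` or a bare `udp eq domain` from any source. The DNS lines are exactly the accepted answer's pattern; the NTP line, the ICMP lines and the comments are my own assumptions about how the remaining self-zone rules would be written.

```cisco
! Added example, not the poster's config: a tightened NACL-INTERNET-TO-SELF
! built from the accepted answer's per-host return rule.
! Source hosts are the name-server and ntp-server addresses in the posted config.
ip access-list extended NACL-INTERNET-TO-SELF
 ! DNS answers: from the resolver's port 53 back to the router's ephemeral port
 permit udp host 212.23.3.100 eq domain any gt 1024
 permit tcp host 212.23.3.100 eq domain any gt 1024
 permit udp host 212.23.6.100 eq domain any gt 1024
 permit tcp host 212.23.6.100 eq domain any gt 1024
 permit udp host 8.8.8.8 eq domain any gt 1024
 permit tcp host 8.8.8.8 eq domain any gt 1024
 permit udp host 8.8.4.4 eq domain any gt 1024
 permit tcp host 8.8.4.4 eq domain any gt 1024
 ! NTP replies (assumed: the IOS NTP client sends from and receives on port 123)
 permit udp host 79.135.97.79 eq ntp any eq ntp
 permit udp host 130.88.212.143 eq ntp any eq ntp
 ! ICMP error messages the router needs for path-MTU discovery and traceroute,
 ! plus echo-reply so pings sourced from the router still get their answers
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any echo-reply
 ! No permit ip any any: anything else falls through to class-default in
 ! PM-INTERNET-TO-SELF, which is configured as "drop log"
```

Because PM-INTERNET-TO-SELF ends with `class class-default` / `drop log`, any legitimate reply this list leaves out still appears in the log with its source host and port, which is the quickest way to confirm nothing has been missed after tightening it. One further observation from the posted config: Dialer0 is a PPPoE interface with `ip address negotiated`, so the WAN address is obtained through PPP (IPCP) negotiation rather than a DHCP exchange, and the `udp eq bootps` entry in the original group is not what keeps that working after a power cycle.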

 

Hello,

The 'permit any any' was indeed only for testing, so you can sort of prove that the access list was the culprit. Glad that you narrowed it down and got it resolved...
