Print across VLANs

Darkglasses
Level 1

Folks,

I have 2 x Cisco 887VA routers connected to different internet links. They both feed a Cisco 2960 switch which runs my Business and Home Network. I have one network printer which I want to print from any VLAN. At this point I can ping the printer but have no access to the web interface or printing.

Where am I going wrong?

A show arp displays devices on all subnets and a laptop at IP 10.10.1.54 can ping the printer at 192.168.1.51.

Cisco887Res  - VLAN 10 - 192.168.10.0/24 (printer is here)
Cisco887Bus  - VLAN 20 - 10.10.1.0/24

The Cisco 887 has a 4 port switch module so I have assigned each VLAN to an interface and connected it to the switch as follows:

Cisco887Res Fa1 to 2960 Fa0/1 - vlan 10 - Main Res Network route
Cisco887Res Fa2 to 2960 Fa0/12 - vlan 20 - Link to get to Business network
Cisco887Bus Fa1 to 2960 Fa0/13 - vlan 20 - Main Bus Network route
Cisco887Bus Fa2 to 2960 Fa0/24 - vlan 10 - Link to get to Residential network


show run - Cisco887Bus

Current configuration : 4452 bytes
!
! Last configuration change at 12:18:23 UTC Fri Mar 27 2020 by RouterBusAdmin
! NVRAM config last updated at 12:18:31 UTC Fri Mar 27 2020 by RouterBusAdmin
! NVRAM config last updated at 12:18:31 UTC Fri Mar 27 2020 by RouterBusAdmin
version 15.1
no service pad
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname RouterBus
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 PASSWORD
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 10.10.1.1 10.10.1.50
!
ip dhcp pool LAN
network 10.10.1.0 255.255.255.0
default-router 10.10.1.1
dns-server 10.10.1.1
!
!
ip cef
ip domain name cisco887bus.lcoal
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1608C23Q
!
!
username RouterBusAdmin privilege 15 secret 5 PASSWROD
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
description Allowed_Protocol_From_INSIDE_to_OUTSIDE
match access-group name INSIDE-TO-OUTSIDE
match protocol http
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol icmp
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
!
!
!
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL0)
encapsulation dot1Q 101
ip nat outside
no ip virtual-reassembly in
zone-member security OUTSIDE
no ip route-cache
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 55
no ip address
zone-member security INSIDE
!
interface FastEthernet1
no ip address
zone-member security INSIDE
!
interface FastEthernet2
switchport access vlan 10
no ip address
zone-member security INSIDE
!
interface FastEthernet3
no ip address
zone-member security INSIDE
!
interface Vlan1
ip address 10.10.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly in
!
interface Vlan10
description Routing to Main_Res
ip address 192.168.10.20 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan55
description Mgt
ip address 192.168.55.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description Business VDSL dialer
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap ms-chap callin
ppp chap hostname ISP_USERNAME
ppp chap password 7 ISP_PASSWORD
ppp ipcp dns request accept
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.1.XXX XXXXX interface Dialer0 XXXXX
ip nat inside source static tcp 10.10.1.XXX XXXXX interface Dialer0 XXXXX
ip nat inside source static tcp 10.10.1.XXX XXXXX interface Dialer0 XXXXX
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 10.10.1.0 0.0.0.255
permit tcp any eq XXXXX host 10.10.1.XXX eq XXXXX
permit tcp any eq XXXXX host 10.10.1.XXX eq XXXXX
deny ip any any
!
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 5 remark Remote MGT access
access-list 5 permit 10.10.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
access-class 5 in
exec-timeout 15 0
password 7 XXXXX
logging synchronous
transport input all
!
end

RouterBus#

show ip route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Dialer0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.1.0/24 is directly connected, Vlan1
L 10.10.1.1/32 is directly connected, Vlan1
xxx.xxx.xxx.xxx/32 is subnetted, 2 subnets
C xxx.xxx.xxx.xxx is directly connected, Dialer0
C xxx.xxx.xxx.xxx is directly connected, Dialer0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan10
L 192.168.10.20/32 is directly connected, Vlan10
192.168.55.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.55.0/24 is directly connected, Vlan55
L 192.168.55.20/32 is directly connected, Vlan55
RouterBus#

8 Replies

Richard Burts
Hall of Fame

Your description says that 

Cisco887Bus Fa1 to 2960 Fa0/13 - vlan 20 - Main Bus Network route

But that is not what your running config says.

HTH

Rick

Rick, you are absolutely right.
I am still using VLAN 1 on this router as I have not yet moved traffic to VLAN 20.
John

All traffic moved to VLAN 20 and default VLAN 1 disabled.

I can still ping 192.168.10.51 from the same laptop, which has the updated address 10.10.20.52.

No access to the printer web GUI or Remote Desktop to the virtual machines/server on the same subnet.

The investigation continues,

John

Current configuration : 4775 bytes
!
! Last configuration change at 17:57:40 UTC Fri Mar 27 2020 by RouterBusAdmin
! NVRAM config last updated at 17:54:04 UTC Fri Mar 27 2020 by RouterBusAdmin
! NVRAM config last updated at 17:54:04 UTC Fri Mar 27 2020 by RouterBusAdmin
version 15.1
no service pad
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname RouterBus
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXXXX
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 10.10.20.1 10.10.20.50
!
ip dhcp pool BUS_LAN
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 10.10.20.1
!
!
ip cef
ip domain name cisco887bus.lcoal
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1608C23Q
!
!
username RouterBusAdmin privilege 15 secret 5 XXXXX
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
description Allowed_Protocol_From_INSIDE_to_OUTSIDE
match access-group name INSIDE-TO-OUTSIDE
match protocol http
match protocol https
match protocol dns
match protocol udp
match protocol tcp
match protocol icmp
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
!
!
!
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL0)
encapsulation dot1Q 101
ip nat outside
no ip virtual-reassembly in
zone-member security OUTSIDE
no ip route-cache
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 55
no ip address
zone-member security INSIDE
!
interface FastEthernet1
switchport access vlan 20
no ip address
zone-member security INSIDE
!
interface FastEthernet2
switchport access vlan 10
no ip address
zone-member security INSIDE
!
interface FastEthernet3
switchport access vlan 20
no ip address
zone-member security INSIDE
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan10
description Routing to Main_Res
ip address 192.168.10.20 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
description Main_Bus
ip address 10.10.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly in
!
interface Vlan55
description Mgt
ip address 192.168.55.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description BT Bus VDSL dialer
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap ms-chap callin
ppp chap hostname ISP USERNAME
ppp chap password 7 ISP PASSWORD
ppp ipcp dns request accept
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.1.XXX XXXXX interface Dialer0 XXXXX
ip nat inside source static tcp 10.10.1.XXX XXXXX interface Dialer0 XXXXX
ip nat inside source static tcp 10.10.1.XXX XXXXX interface Dialer0 XXXXX
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any 10.10.0.0 0.0.255.255
permit tcp any eq XXXXX host 10.10.20.XXX eq XXXXX
permit tcp any eq XXXXX host 10.10.20.XXX eq XXXXX
deny ip any any
!
access-list 1 remark Access to Dialer interface
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 5 remark Remote MGT access
access-list 5 permit 192.168.55.0 0.0.0.255
access-list 5 permit 10.10.20.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
access-class 5 in
exec-timeout 15 0
password 7 XXXXX
logging synchronous
transport input all
!
end


OK, still unresolved.

I physically moved the printer (not an ideal location) so that I could connect to VLAN 20. A few other changes and the majority of devices are able to print.

I still have to work the problem as I am not seeing where I am going wrong. Any guidance or advice is appreciated.

My next step is to configure one of the switch ports on the 887 as a trunk and connect to the 2960 as a trunk rather than a switch port in the same VLAN. Or, maybe build sub-interfaces off the Ethernet interface.

Hopefully I will have a working config if anyone else is using this old kit.

John

One of my early thoughts was that the issue might be related to your zone based firewall implementation. And in examining these functions I notice this line in the configuration

match access-group name INSIDE-TO-OUTSIDE

I looked for the access list to which it refers and do not find it in the configuration. But I do not think that this is actually related to the problem accessing the printer, since both vlans are in the same zone and traffic between interfaces in the same zone is permitted.

You mention problems accessing the GUI for the printer and also problems accessing the Virtual Machine/server on the same subnet. Can you tell us more about the Virtual Machine/server?

It is interesting that ping from PC to printer is successful. Can the PC also ping the Virtual Machine/server?

If ping is successful it indicates that some basic IP is working and hints that the problem is some layer 3 policy issue. Since the printer and the server are in vlans which are primaries to the other router, could you post the config of the other router?

HTH

Rick

Hi Rick,

ZBF was suggested to me on this forum and I deployed a config that works fine. Maybe a little rough around the edges, as I believe I may have left an unused access group/policy name in place. An attempt with an access-list stopped HTTPS traffic, but I got it working with grouped protocols. The ZBF config on the Residential 887VA is my improved template, which I will replicate on to the Business 887VA.

I moved quickly past ZBF as all interfaces are in the same zone and I could ping the printer. As I looked at the routing problem, ARP showed all my devices across all VLANs and show ip route displayed a route for each VLAN. Though I was unable to ping my server NIC in VLAN 10 or the Win 10 VMs running through this NIC. Each VM could ping each other, the server and the printer. This is in place as a backup connection for the server, which connects to VLAN 20 via another NIC.

I was preparing my config from my Residential 887VA as requested and found the error. It was user error!

For some reason I had put VLAN 1 and 10 in the ZBF Outside zone, highlighted in bold. Once removed, I got to my printer GUI and was able to print. All VMs are responding to a ping from the laptop in VLAN 20.

Thanks for the interest Rick and I hope I will be able to assist others one day and offer up an explanation. Some way to go yet! Anyway, config posted should anyone find it useful or have a suggestion.

Next task is to enable mDNS/Bonjour broadcast to get a Google Chromecast to work.

Thanks,

John


RouterRes#sh run
Building configuration...

Current configuration : 6013 bytes
!
! Last configuration change at 19:19:45 UTC Fri Mar 27 2020 by RouterResAdmin
! NVRAM config last updated at 19:19:50 UTC Fri Mar 27 2020 by RouterResAdmin
! NVRAM config last updated at 19:19:50 UTC Fri Mar 27 2020 by RouterResAdmin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterRes
!
boot-start-marker
boot-end-marker
!
!
enable password 7 XXXXX
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.90.1 192.168.90.50
ip dhcp excluded-address 192.168.20.1 192.168.20.50
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.50.1 192.168.50.50
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 192.168.1.254
!
ip dhcp pool IPTV
network 192.168.90.0 255.255.255.0
default-router 192.168.90.254
dns-server 192.168.90.254
!
ip dhcp pool LAN_ALT
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
dns-server 192.168.20.254
!
ip dhcp pool LAN_MAIN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 192.168.10.254
!
ip dhcp pool LAN_IOT
network 192.168.50.0 255.255.255.0
default-router 192.168.50.254
dns-server 192.168.50.254
!
!
ip domain name cisco887res.local
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FGL17362220
!
!
username RouterResAdmin privilege 15 secret 5 XXXXX
!
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
class-map type inspect match-all LAN-TO-WAN-CLASS
match access-group name LAN-TO-WAN
class-map type inspect match-all WAN-TO-LAN-CLASS
match access-group name WAN-TO-LAN
!
!
policy-map type inspect LAN-TO-WAN-POLICY
class type inspect LAN-TO-WAN-CLASS
inspect
class class-default
drop log
policy-map type inspect WAN-TO-LAN-POLICY
class type inspect WAN-TO-LAN-CLASS
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security LAN-TO-WAN source INSIDE destination OUTSIDE
service-policy type inspect LAN-TO-WAN-POLICY
zone-pair security WAN-TO-LAN source OUTSIDE destination INSIDE
service-policy type inspect WAN-TO-LAN-POLICY
!
!
!
!
!
bridge irb
!
!
!
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL0)
encapsulation dot1Q 101
ip nat outside
ip virtual-reassembly in
no ip route-cache
pppoe enable group global
pppoe-client dial-pool-number 1
bridge-group 100
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 55
no ip address
zone-member security INSIDE
!
interface FastEthernet1
switchport access vlan 10
no ip address
zone-member security INSIDE
!
interface FastEthernet2
switchport access vlan 20
no ip address
zone-member security INSIDE
!
interface FastEthernet3
switchport access vlan 90
no ip address
zone-member security INSIDE
!
interface Vlan1
description Default VLAN to be disabled
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security OUTSIDE
! ^ highlighted in bold in the original post
!
interface Vlan10
description Main Network
ip address 192.168.10.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security OUTSIDE
! ^ highlighted in bold in the original post
!
interface Vlan20
description Main_Bus
ip address 10.10.20.10 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan50
description VLAN for IOT devices
no ip address
!
interface Vlan55
description Mgt
ip address 192.168.55.10 255.255.255.0
!
interface Vlan90
description VLAN for IP TV boxes
no ip address
bridge-group 100
!
interface Dialer0
no ip address
no cdp enable
!
interface Dialer1
description BT Res VDSL
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap ms-chap callin
ppp chap hostname ISP USERNAME
ppp chap password 7 ISP PASSWORD
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
interface BVI100
description Brdige VLAN90 to Ethernet0.101
ip address 192.168.90.254 255.255.255.0
ip nat inside
no ip virtual-reassembly in
zone-member security OUTSIDE
ip tcp adjust-mss 1350
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.10.XXX XXXXX interface Dialer1 XXXXX
ip nat inside source static tcp 192.168.10.XXX XXXXX interface Dialer1 XXXXX
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended LAN-TO-WAN
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended WAN-TO-LAN
permit icmp any 192.168.0.0 0.0.255.255
permit ip 192.168.90.0 0.0.0.255 any
permit tcp any eq XXXXX host 192.168.10.XXX eq XXXXX
permit tcp any eq XXXXX host 192.168.10.XXX eq XXXXX
!
access-list 1 remark Networks allowed through Dialer interface
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.90.0 0.0.0.255
access-list 1 deny any
access-list 5 remark Access for Remote Mgt
access-list 5 permit 192.168.55.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
bridge 100 protocol ieee
bridge 100 route ip
!
line con 0
logging synchronous
line aux 0
line vty 0 4
access-class 5 in
exec-timeout 15 0
password 7 XXXXX
logging synchronous
transport input all
!
!
end

John
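
Two configuration mistakes surfaced in this thread: a class-map matching an ACL that is defined nowhere in the config (Rick's observation about INSIDE-TO-OUTSIDE), and LAN SVIs placed in the same OUTSIDE zone as the dialer while another SVI sits in no zone at all (IOS ZBF drops traffic between a zone member and an interface that belongs to no zone, and the zone pairs here only describe INSIDE to OUTSIDE and back). The following Python script is an added example, not part of the original thread and not a Cisco tool; it parses running-config text of the same shape as the configs posted above and reports those three conditions. The config embedded in it is a constructed sample modelled on the RouterRes configuration, not the poster's actual output, and the function names and finding labels are my own.

```python
"""Added example: lint a Cisco IOS running-config for zone-based firewall
(ZBF) mistakes of the kind found in this thread. Not a Cisco tool."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample modelled on the RouterRes config posted above (not the
# poster's actual output): one class-map points at an ACL that is never
# defined, the LAN SVI Vlan10 sits in the same zone as the dialer, and
# Vlan20 is in no zone at all.
SAMPLE = """\
class-map type inspect match-all LAN-TO-WAN-CLASS
 match access-group name LAN-TO-WAN
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
!
zone security INSIDE
zone security OUTSIDE
!
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 zone-member security OUTSIDE
!
interface Vlan20
 ip address 10.10.20.10 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
 zone-member security OUTSIDE
!
ip access-list extended LAN-TO-WAN
 permit ip 192.168.0.0 0.0.255.255 any
"""

# The same sample with both SVIs moved into INSIDE; only the missing ACL remains.
FIXED = SAMPLE.replace(" ip nat inside\n zone-member security OUTSIDE",
                       " ip nat inside\n zone-member security INSIDE").replace(
    " ip address 10.10.20.10 255.255.255.0\n ip nat inside\n",
    " ip address 10.10.20.10 255.255.255.0\n ip nat inside\n zone-member security INSIDE\n")

# Top-level commands that end an interface block even when indentation was lost
# (as it is in the configs pasted into this thread).
TOP_LEVEL = ("interface ", "class-map", "policy-map", "zone ", "ip access-list",
             "access-list ", "ip route ", "ip nat inside source", "line ")


@dataclass
class Iface:
    name: str
    has_ip: bool = False
    nat: Optional[str] = None    # "inside" / "outside" / None
    zone: Optional[str] = None


def parse(config: str) -> Tuple[Set[str], Set[str], List[Iface]]:
    """Return (ACLs referenced by class-maps, ACLs defined, interfaces)."""
    refs, acls, ifaces = set(), set(), []
    cur: Optional[Iface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(TOP_LEVEL) or line == "!" or not line:
            cur = None
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = Iface(m.group(1))
            ifaces.append(cur)
        elif line.startswith("ip access-list "):
            acls.add(line.split()[-1])
        elif (m := re.match(r"access-list (\d+) ", line)):
            acls.add(m.group(1))
        elif (m := re.match(r"match access-group name (\S+)", line)):
            refs.add(m.group(1))
        elif cur is not None:
            if line.startswith("ip address "):
                cur.has_ip = True
            elif (m := re.match(r"ip nat (inside|outside)$", line)):
                cur.nat = m.group(1)
            elif (m := re.match(r"zone-member security (\S+)", line)):
                cur.zone = m.group(1)
    return refs, acls, ifaces


def lint(config: str) -> List[Tuple[str, str]]:
    """Report (finding, object) pairs; an empty list means the checks passed."""
    refs, acls, ifaces = parse(config)
    findings = [("missing-acl", name) for name in sorted(refs - acls)]
    zbf_in_use = any(i.zone for i in ifaces)
    # Zones containing a NAT-outside (WAN) interface; a LAN SVI must not share one.
    wan_zones = {i.zone for i in ifaces if i.nat == "outside" and i.zone}
    for i in ifaces:
        if i.nat == "inside" and i.zone in wan_zones:
            findings.append(("lan-interface-in-wan-zone", i.name))
        # IOS ZBF drops traffic between a zone member and an interface in no zone.
        if zbf_in_use and i.has_ip and i.zone is None:
            findings.append(("unzoned-l3-interface", i.name))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE), ("fixed", FIXED)):
        print(label, lint(cfg) or "clean")
```

Run it against a saved `show run` with `lint(open("router.cfg").read())`; the parser tolerates the stripped indentation seen in the pastes above because it treats `!` and top-level keywords as block terminators rather than relying on leading spaces.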


Thanks for the update. Glad to know that you were able to find your own problem and glad my suggestions pointed you in the right direction. A well deserved +5 for sharing your solution with the community. I hope to see you continue to be active in the community.

HTH

Rick

Follow-up:

The ZBF zones have to be applied to the VLANs to provide internet access.

My ZBF does not allow single ports to route from Outside (Internet) to devices on the local network despite showing PASS on the WAN-TO-LAN policy.

Work in progress,


controller VDSL 0
!
ip ssh version 2
!
class-map type inspect match-all LAN-TO-WAN-CLASS
match access-group name LAN-TO-WAN
class-map type inspect match-all WAN-TO-LAN-CLASS
match access-group name WAN-TO-LAN
!
!
policy-map type inspect LAN-TO-WAN-POLICY
class type inspect LAN-TO-WAN-CLASS
inspect
class class-default
drop log
policy-map type inspect WAN-TO-LAN-POLICY
class type inspect WAN-TO-LAN-CLASS
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security LAN-TO-WAN source INSIDE destination OUTSIDE
service-policy type inspect LAN-TO-WAN-POLICY
zone-pair security WAN-TO-LAN source OUTSIDE destination INSIDE
service-policy type inspect WAN-TO-LAN-POLICY
!
!
!
!
!
!
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL0)
encapsulation dot1Q 101
ip nat outside
no ip virtual-reassembly in
no ip route-cache
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 55
no ip address
!
interface FastEthernet1
switchport access vlan 20
no ip address
zone-member security INSIDE
!
interface FastEthernet2
switchport access vlan 10
no ip address
zone-member security INSIDE
!
interface FastEthernet3
switchport access vlan 20
no ip address
zone-member security INSIDE
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan10
description Routing to Main_Res
ip address 192.168.10.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface Vlan20
description Main_Bus
ip address 10.10.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface Vlan55
description Mgt
ip address 192.168.55.20 255.255.255.0
!
interface Dialer0
description BT Bus VDSL dialer
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap ms-chap callin
ppp chap hostname ISP USERNAME
ppp chap password 7 ISP PASSWORD
ppp ipcp dns request accept
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.1.5 3389 interface Dialer0 3389
ip nat inside source static tcp 10.10.1.51 3389 interface Dialer0 33894
ip nat inside source static tcp 10.10.20.5 32400 interface Dialer0 32400
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended LAN-TO-WAN
permit ip 10.10.20.0 0.0.0.255 any
ip access-list extended WAN-TO-LAN
permit ip any any
permit icmp any 10.10.20.0 0.0.0.255
permit tcp any eq 3389 host 10.10.20.5 eq 3389
permit tcp any eq 32400 host 10.10.20.5 eq 32400
deny ip any any
!
access-list 1 remark Access to Dialer interface
access-list 1 permit 10.10.20.0 0.0.0.255
dialer-list 1 protocol ip permit
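
In the WAN-TO-LAN list above, `permit ip any any` is the first entry, so every line after it, including the final `deny ip any any`, is never evaluated; the two TCP entries also require the client's source port to be 3389 or 32400, which real clients, using ephemeral source ports, will not satisfy. With the `pass` action no session state is created, so the reverse direction has to be permitted separately; `inspect` is the usual action for a published server. The two `ip nat inside source static` entries for 10.10.1.5 and 10.10.1.51 still point into 10.10.1.0/24, which has no interface in this config. The following Python script is an added example, not part of the thread and not a Cisco tool; it parses a numeric-port subset of IOS extended ACL syntax and reports entries fully shadowed by an earlier entry and TCP/UDP entries pinned to a source port. The ACL text it works on is a constructed sample shaped like the list above, and the function names are my own.

```python
"""Added example: find entries in a Cisco IOS extended ACL that can never
match, of the kind seen in the WAN-TO-LAN list above. Not a Cisco tool."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[int, int]   # (network, mask) as 32-bit ints; mask bits are the fixed bits
ANY: Addr = (0, 0)       # no fixed bits: matches every address

# Constructed sample shaped like the WAN-TO-LAN list posted above (not the
# poster's exact lines). Supported syntax: permit|deny PROTO SRC [eq N] DST [eq N]
# with SRC/DST as 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; ports numeric only.
BROKEN = """\
ip access-list extended WAN-TO-LAN
 permit ip any any
 permit icmp any 10.10.20.0 0.0.0.255
 permit tcp any eq 3389 host 10.10.20.5 eq 3389
 permit tcp any eq 32400 host 10.10.20.5 eq 32400
 deny ip any any
"""

# The same intent written so that each line is reachable and the client's
# source port is left unconstrained.
CORRECTED = """\
ip access-list extended WAN-TO-LAN
 permit icmp any 10.10.20.0 0.0.0.255
 permit tcp any host 10.10.20.5 eq 3389
 permit tcp any host 10.10.20.5 eq 32400
 deny ip any any
"""


@dataclass(frozen=True)
class Ace:
    line: int
    action: str
    proto: str
    src: Addr
    sport: Optional[int]
    dst: Addr
    dport: Optional[int]


def _addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    """Consume one address spec at tok[i]; return ((net, mask), next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(tok[i]))
    mask = ~int(ipaddress.IPv4Address(tok[i + 1])) & 0xFFFFFFFF   # wildcard -> fixed bits
    return (net & mask, mask), i + 2


def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                      # header line or remark
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        aces.append(Ace(n, tok[0], tok[1], src, sport, dst, dport))
    return aces


def _covers(a: Addr, b: Addr) -> bool:
    """True if address set a contains set b; valid for non-contiguous wildcards too."""
    return (a[1] & ~b[1]) == 0 and (b[0] & a[1]) == (a[0] & a[1])


def _subsumes(a: Ace, b: Ace) -> bool:
    """True if every packet matching b also matches a (so b is unreachable after a)."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.sport is None or a.sport == b.sport)
            and (a.dport is None or a.dport == b.dport)
            and _covers(a.src, b.src) and _covers(a.dst, b.dst))


def analyse(text: str) -> List[Tuple[str, int, str]]:
    """Return (finding, line number, detail) for shadowed and source-port-pinned entries."""
    aces = parse_acl(text)
    out = []
    for j, b in enumerate(aces):
        for a in aces[:j]:
            if _subsumes(a, b):
                out.append(("shadowed", b.line,
                            f"never evaluated, covered by line {a.line} ({a.action})"))
                break
        if b.proto in ("tcp", "udp") and b.sport is not None and b.dst[1] == 0xFFFFFFFF:
            out.append(("source-port-pinned", b.line,
                        f"matches only clients whose source port is {b.sport}"))
    return out


if __name__ == "__main__":
    for label, acl in (("broken", BROKEN), ("corrected", CORRECTED)):
        print(label, analyse(acl) or "no findings")
```

The shadow test is a pure set-containment check on protocol, addresses and ports, so it also catches the more common case of a broad `permit tcp any host X` followed by a narrower `deny` for the same host; the source-port check only fires for TCP/UDP lines whose destination is a single host, which is the shape a port-forward rule takes.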
