01-24-2019 02:38 PM - edited 03-05-2019 11:12 AM
I am running traceroute to 8.8.8.8 but it is not working, though when I ping 8.8.8.8 it responds.
I have done quite a bit of research and learned that traceroute works on UDP DNS resolution.
The Cisco 891 is configured with ZBF, and UDP and ICMP are allowed from inside to outside, but I am not really sure why traceroute is not working. Below is the configuration; please let me know what is wrong.
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
ip dhcp excluded-address 10.33.167.0 10.33.167.10
ip dhcp excluded-address 172.27.128.0 172.27.128.10
!
ip dhcp pool insideDHCP
import all
network 10.33.167.0 255.255.255.0
domain-name ad.npr.org
default-router 10.33.167.1
dns-server 8.8.8.8 4.2.2.2
option 43 ascii "10,62,20,10"
option 242 ascii "MCIPADD=hq-cmact,MCPORT=1719,HTTPSRVR=dc-avaya-prov01,HTTPDIR=/FW/DC/"
!
ip dhcp pool Guestnet
network 172.27.128.0 255.255.255.0
default-router 172.27.128.1
dns-server 209.244.0.3 8.8.8.8 4.2.2.2
!
!
!
no ip domain lookup
ip domain name ad.npr.org
ip cef
no ipv6 cef
!
!
vlan 10
name NAS
!
vlan 15
name data
!
vlan 20
name voice
!
vlan 100
name Guest_Wireless
!
ip ssh source-interface Vlan15
!
class-map type inspect match-all SNMP
match access-group 130
class-map type inspect match-any TACACS
match access-group 150
class-map type inspect match-any SELF_OUT
match protocol icmp
class-map type inspect match-all ICMP
match access-group 140
class-map type inspect match-all DHCP
match access-group 120
class-map type inspect match-any ZBF_ALLOW_ALL
match protocol ftp
match protocol ssh
match protocol udp
match protocol tcp
match protocol telnet
match protocol dns
match protocol icmp
match protocol http
match protocol https
match protocol smtp
match access-group name udp-icmp
class-map type inspect match-all SSH
match access-group name SSH
class-map type inspect match-any GUEST_ALLOW_ALL
match protocol ftp
match protocol dns
match protocol icmp
match protocol https
match protocol http
match protocol tcp
match protocol udp
class-map type inspect match-all NTP
match access-group name NTP
class-map type inspect match-all IPSEC
match access-group name IPSEC
class-map type inspect match-all NPR
match access-group 101
class-map type inspect match-all INSIDE_TO_GUEST
match access-group name Inside2Guest_Access
!
policy-map type inspect OUTSIDE_TO_INSIDE
class type inspect NPR
inspect
class class-default
drop
policy-map type inspect GUEST_TO_INSIDE
class class-default
drop log
policy-map type inspect INSIDE_TO_GUEST
class type inspect GUEST_ALLOW_ALL
inspect
class class-default
pass
policy-map type inspect Guest_TO_OUTSIDE
description Guest LAN to Internet
class type inspect GUEST_ALLOW_ALL
inspect
class class-default
pass
policy-map type inspect OUTSIDE_TO_SELF
description Permitted traffic from Internet
class type inspect DHCP
pass
class type inspect IPSEC
inspect
class type inspect SSH
inspect
class type inspect NTP
inspect
class type inspect SNMP
inspect
class type inspect ICMP
inspect
class type inspect TACACS
pass log
class class-default
drop
policy-map type inspect Guest_TO_SELF
class type inspect DHCP
pass
class class-default
drop
policy-map type inspect SELF_TO_OUTSIDE
description Router to Internet
class type inspect SELF_OUT
inspect
class class-default
pass
policy-map type inspect INSIDE_TO_OUTSIDE
class type inspect ZBF_ALLOW_ALL
inspect
class class-default
pass
!
zone security INSIDE
description Inside LAN
zone security OUTSIDE
description WAN
zone security INSIDE-Guest
description Guest LAN
zone-pair security INSIDE_TO_GUEST source INSIDE destination INSIDE-Guest
description Printer Access
service-policy type inspect INSIDE_TO_GUEST
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
description LAN to WAN
service-policy type inspect INSIDE_TO_OUTSIDE
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
description NPR to Remote Site
service-policy type inspect OUTSIDE_TO_INSIDE
zone-pair security Guest_TO_OUTSIDE source INSIDE-Guest destination OUTSIDE
description Guest to WAN
service-policy type inspect Guest_TO_OUTSIDE
zone-pair security GUEST_TO_INSIDE source INSIDE-Guest destination INSIDE
service-policy type inspect GUEST_TO_INSIDE
zone-pair security Guest_TO_SELF source INSIDE-Guest destination self
service-policy type inspect Guest_TO_SELF
zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
description CORE to Remote Site User
service-policy type inspect OUTSIDE_TO_SELF
zone-pair security SELF_TO_OUTSIDE source self destination OUTSIDE
description Remote Site Users to CORE
service-policy type inspect SELF_TO_OUTSIDE
!
crypto logging session
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key aiU!yb@dzL5 address 205.153.36.207
crypto isakmp key R3m7#yUs9! address 209.144.103.186
!
crypto ipsec security-association lifetime seconds 120
!
crypto ipsec transform-set AES esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map NPR_CMAP_1 1 ipsec-isakmp
description S2S Tunnel to vpn.npr.org
set peer 205.153.36.207 default
set transform-set AES
match address 100
!
!
!
interface FastEthernet0
description internet Access
ip address 38.32.38.34 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no cdp enable
crypto map NPR_CMAP_1
!
interface GigabitEthernet0
switchport trunk native vlan 15
switchport trunk allowed vlan 1-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet1
switchport trunk native vlan 15
switchport trunk allowed vlan 1-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet2
switchport trunk native vlan 15
switchport trunk allowed vlan 1-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet3
switchport trunk native vlan 15
switchport trunk allowed vlan 1-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet4
switchport trunk native vlan 15
switchport trunk allowed vlan 1-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet5
switchport trunk native vlan 15
switchport trunk allowed vlan 1-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet6
switchport trunk native vlan 15
switchport trunk allowed vlan 1-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet7
switchport trunk native vlan 15
switchport trunk allowed vlan 1-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet8
description internet Access
ip address dhcp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
shutdown
duplex auto
speed auto
crypto map NPR_CMAP_1
!
interface Wlan-GigabitEthernet8
switchport trunk allowed vlan 1-1005
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan15
description Inside_LAN
ip address 10.33.167.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
no ip route-cache
!
interface Vlan20
description VoIP
ip address 10.33.168.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
no ip route-cache
!
interface Vlan100
description Guest_Wireless
ip address 172.27.128.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE-Guest
no ip route-cache
!
interface Async3
no ip address
encapsulation slip
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export source Vlan15
ip flow-export version 5
ip flow-export destination 10.36.1.119 2055
ip flow-top-talkers
top 40
sort-by packets
!
ip nat inside source route-map NPR_RMAP_1 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 38.32.38.33
ip tacacs source-interface Vlan15
!
ip access-list extended IPSEC
permit udp host 205.153.36.207 any eq isakmp
permit udp host 209.144.103.186 any eq isakmp
permit udp host 205.153.36.207 any eq non500-isakmp
permit udp host 209.144.103.186 any eq non500-isakmp
permit esp host 205.153.36.207 any
permit esp host 209.144.103.186 any
ip access-list extended Inside2Guest_Access
permit ip 10.33.0.0 0.0.255.255 172.27.128.0 0.0.0.255
ip access-list extended NTP
permit udp host 10.36.1.10 any eq ntp
permit udp host 10.36.1.11 any eq ntp
ip access-list extended SSH
permit tcp 10.32.0.0 0.31.255.255 any eq 22
permit tcp 172.16.0.0 0.15.255.255 any eq 22
permit tcp 10.64.0.0 0.31.255.255 any eq 22
permit tcp 10.0.0.0 0.255.255.255 any eq 22
!
ip sla auto discovery
ip sla 10
icmp-echo 10.36.1.119 source-interface Vlan15
verify-data
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 10.31.2.200 source-interface Vlan15
ip sla schedule 20 life forever start-time now
logging trap debugging
logging source-interface Vlan15
logging host 10.36.1.233
logging host 10.62.16.241
logging host 64.125.196.130
logging host 10.70.8.241
!
route-map NPR_RMAP_1 permit 1
match ip address 103
!
access-list 100 remark Encrytion Domain
access-list 100 permit ip 10.33.167.0 0.0.0.255 10.32.0.0 0.31.255.255
access-list 100 permit ip 10.33.167.0 0.0.0.255 10.31.0.0 0.0.255.255
access-list 100 permit ip 10.33.167.0 0.0.0.255 10.64.0.0 0.31.255.255
access-list 100 permit ip 10.33.167.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 100 permit ip 10.33.167.0 0.0.0.255 10.255.4.0 0.0.0.255
access-list 100 permit ip 10.33.167.0 0.0.0.255 10.253.0.0 0.0.255.255
access-list 100 permit ip 10.33.167.0 0.0.0.255 10.44.0.0 0.0.255.255
access-list 100 permit ip 10.33.167.0 0.0.0.255 10.52.0.0 0.0.255.255
access-list 101 permit ip 10.32.0.0 0.31.255.255 10.33.167.0 0.0.0.255
access-list 101 permit ip 10.31.0.0 0.0.255.255 10.33.167.0 0.0.0.255
access-list 101 permit ip 10.64.0.0 0.31.255.255 10.33.167.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.15.255.255 10.33.167.0 0.0.0.255
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any host-unreachable
access-list 103 deny ip 10.33.167.0 0.0.0.255 10.32.0.0 0.31.255.255
access-list 103 deny ip 10.33.167.0 0.0.0.255 10.64.0.0 0.31.255.255
access-list 103 deny ip 10.33.167.0 0.0.0.255 10.31.0.0 0.0.255.255
access-list 103 remark 5 NAT Route MAP
access-list 103 deny ip 10.33.167.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 103 deny ip 10.33.167.0 0.0.0.255 10.255.4.0 0.0.0.255
access-list 103 deny ip 10.33.167.0 0.0.0.255 10.253.0.0 0.0.255.255
access-list 103 permit ip 10.33.167.0 0.0.0.255 any
access-list 103 permit ip 172.27.128.0 0.0.0.255 any
access-list 110 permit ip 205.153.36.0 0.0.0.255 any
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
access-list 120 remark DHCP
access-list 120 permit udp any any eq bootpc
access-list 120 permit udp any any eq bootps
access-list 130 remark SNMP
access-list 130 permit udp host 10.36.1.119 any eq snmp
access-list 140 permit icmp any any echo
access-list 140 permit icmp any any echo-reply
access-list 140 permit icmp any any traceroute
access-list 150 remark TACACS
access-list 150 permit ip host 10.62.24.10 any
access-list 150 permit ip host 10.62.24.11 any
access-list 150 permit ip 205.153.36.0 0.0.0.255 any
access-list 160 permit ip 10.0.0.0 0.255.255.255 any
access-list 160 permit ip 172.16.0.0 0.15.255.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
01-24-2019 02:59 PM
Hi there,
Try adding the following to your ICMP ACL:
access-list 140 permit icmp any any time-exceeded
access-list 140 permit icmp any any host-unreachable
cheers,
Seb.
01-25-2019 06:24 AM
I have tried this but it didn't work
01-25-2019 06:29 AM
Hello,
From where are you initiating the traceroute? Windows or Mac, or from the router itself?
01-25-2019 06:40 AM
From the router itself, as I have remote access only to the onsite router, switch and AP.
01-24-2019 03:02 PM
Hello,
you need to add icmp host-unreachable and icmp time-exceeded as below. First, add this to your config:
ip access-list extended UDP_ICMP_ACL
permit icmp any any time-exceeded
permit icmp any any host-unreachable
class-map type inspect match-any UDP_ICMP_CM
match access-group name UDP_ICMP_ACL
And then add the class type to your policy map:
policy-map type inspect INSIDE_TO_OUTSIDE
class type inspect ZBF_ALLOW_ALL
inspect
class type inspect UDP_ICMP_CM
pass
class class-default
01-25-2019 06:37 AM
I have added the mentioned access list and class map and attached it to the policy map INSIDE_TO_OUTSIDE, but it still didn't work. Also, as an experiment, I added the class map to policy map SELF_TO_OUTSIDE, but to no avail.
class-map type inspect match-all INSIDE_TO_GUEST
match access-group name Inside2Guest_Access
class-map type inspect match-any UDP_ICMP_CM
match access-group name UDP_ICMP_ACL
!
policy-map type inspect OUTSIDE_TO_INSIDE
class type inspect NPR
inspect
class class-default
drop
policy-map type inspect GUEST_TO_INSIDE
class class-default
drop log
policy-map type inspect INSIDE_TO_GUEST
class type inspect GUEST_ALLOW_ALL
inspect
class class-default
pass
policy-map type inspect Guest_TO_OUTSIDE
description Guest LAN to Internet
class type inspect GUEST_ALLOW_ALL
inspect
class class-default
pass
policy-map type inspect OUTSIDE_TO_SELF
description Permitted traffic from Internet
class type inspect DHCP
pass
class type inspect IPSEC
inspect
class type inspect SSH
inspect
class type inspect NTP
inspect
class type inspect SNMP
inspect
class type inspect ICMP
inspect
class type inspect TACACS
pass log
class class-default
drop
policy-map type inspect Guest_TO_SELF
class type inspect DHCP
pass
class class-default
drop
policy-map type inspect SELF_TO_OUTSIDE
description Router to Internet
class type inspect SELF_OUT
inspect
class class-default
pass
policy-map type inspect INSIDE_TO_OUTSIDE
class type inspect ZBF_ALLOW_ALL
inspect
class type inspect UDP_ICMP_CM
pass
class class-default
pass
Chicago-Temp-891FW#sh run | s access-list
ip access-list extended IPSEC
permit udp host 205.153.36.207 any eq isakmp
permit udp host 209.144.103.186 any eq isakmp
permit udp host 205.153.36.207 any eq non500-isakmp
permit udp host 209.144.103.186 any eq non500-isakmp
permit esp host 205.153.36.207 any
permit esp host 209.144.103.186 any
ip access-list extended Inside2Guest_Access
permit ip 10.33.0.0 0.0.255.255 172.27.128.0 0.0.0.255
ip access-list extended NTP
permit udp host 10.36.1.10 any eq ntp
permit udp host 10.36.1.11 any eq ntp
ip access-list extended SSH
permit tcp 10.32.0.0 0.31.255.255 any eq 22
permit tcp 172.16.0.0 0.15.255.255 any eq 22
permit tcp 10.64.0.0 0.31.255.255 any eq 22
permit tcp 10.0.0.0 0.255.255.255 any eq 22
ip access-list extended UDP_ICMP_ACL
permit icmp any any time-exceeded
permit icmp any any host-unreachable
01-25-2019 07:01 AM
Hello,
from what I can tell from the previous config you posted, the icmp host-unreachable and time-exceeded are already matched in access list 101:
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any host-unreachable
!
class-map type inspect match-all NPR
match access-group 101
Remove these two entries from access list 101 and make sure they are not matched anywhere else with an 'inspect'...
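Added example (not code from any post in this thread, nor from Cisco): a small Python model of how a zone-based firewall picks a zone-pair and then a class for one packet, loaded with the zone-pairs, class-maps and ACL entries from the first post, reduced to the lines that matter for traceroute. It makes visible why the answer to "from where are you initiating the traceroute" decides which policy is involved: a probe sent from the router itself is self-zone traffic, so its ICMP time-exceeded reply is judged by OUTSIDE_TO_SELF (where ACL 140 permits echo, echo-reply and the type-30 "traceroute" message, not the type-11 time-exceeded that traceroute replies carry), while a probe from a LAN host is judged by OUTSIDE_TO_INSIDE. It also illustrates the pass-versus-inspect point made above: the model treats an ICMP error as unable to open a session, so an "inspect" class that matches it drops it, and a "pass" class only helps in the zone-pair the reply actually traverses, ahead of any inspect class that would also match (first match wins). The hop address 203.0.113.1 and the LAN host 10.33.167.50 are constructed; NAT, session timers and the real IOS inspection engine are left out, so the verdicts are those of the model, not of the poster's router.

```python
# Added example (not from the thread or Cisco): a toy model of how a Cisco
# zone-based firewall picks a zone-pair and a class for one packet.
# Simplifications: no NAT, 'inspect' only admits packets that can open a
# session (UDP, TCP, ICMP echo), and ICMP errors are not tied to a UDP session.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# ICMP types (RFC 792). The IOS ACL keyword 'traceroute' is type 30, not the
# type 11 (time-exceeded) that traceroute replies actually carry.
ECHO_REPLY, UNREACHABLE, ECHO, TIME_EXCEEDED, TRACEROUTE = 0, 3, 8, 11, 30

@dataclass(frozen=True)
class Packet:
    proto: str                      # 'udp', 'tcp' or 'icmp'
    src: str
    dst: str
    icmp_type: Optional[int] = None

Matcher = Callable[[Packet], bool]

def proto_in(*protos: str) -> Matcher:
    """'match protocol ...' lines of a match-any class-map, simplified."""
    return lambda p: p.proto in protos

def icmp_types(*types: int) -> Matcher:
    """An ACL consisting only of 'permit icmp any any <type>' entries."""
    return lambda p: p.proto == "icmp" and p.icmp_type in types

class ZBF:
    def __init__(self, zones: Dict[str, List[str]]) -> None:
        # zone -> prefixes, 'self' listed first; addresses in no zone are OUTSIDE
        self.zones = {z: [ipaddress.ip_network(n) for n in nets] for z, nets in zones.items()}
        self.pairs: Dict[Tuple[str, str], Tuple[list, str]] = {}  # (classes, class-default action)
        self.sessions = set()                                     # (proto, src, dst)

    def zone_of(self, addr: str) -> str:
        ip = ipaddress.ip_address(addr)
        return next((z for z, nets in self.zones.items() if any(ip in n for n in nets)), "OUTSIDE")

    def forward(self, p: Packet) -> str:
        """Verdict for one packet; 'inspect' records a session for the reverse direction."""
        if (p.proto, p.dst, p.src) in self.sessions:
            return "pass (return traffic of inspected session)"
        sz, dz = self.zone_of(p.src), self.zone_of(p.dst)
        if sz == dz:
            return "pass (same zone)"
        if (sz, dz) not in self.pairs:   # IOS default: self traffic allowed, other zones dropped
            return "pass (no zone-pair, self)" if "self" in (sz, dz) else "drop (no zone-pair)"
        classes, default = self.pairs[(sz, dz)]
        name, action = next(((n, a) for n, m, a in classes if m(p)), ("class-default", default))
        tag = f"{sz}->{dz} {name}"
        if action == "inspect":
            if p.proto == "icmp" and p.icmp_type != ECHO:   # an ICMP error cannot open a session
                return f"drop ({tag}: inspect, ICMP error has no session)"
            self.sessions.add((p.proto, p.src, p.dst))
            return f"inspect ({tag})"
        return f"{action} ({tag})"

def build_from_thread_config() -> ZBF:
    """Zone-pairs from the first post, reduced to the classes that matter for traceroute."""
    fw = ZBF({"self": ["38.32.38.34/32", "10.33.167.1/32"],        # Fa0 and Vlan15 addresses
              "INSIDE": ["10.33.167.0/24", "10.33.168.0/24"]})
    fw.pairs[("INSIDE", "OUTSIDE")] = (
        [("ZBF_ALLOW_ALL", proto_in("udp", "tcp", "icmp"), "inspect")], "pass")
    fw.pairs[("OUTSIDE", "INSIDE")] = (                            # ACL 101's two icmp entries
        [("NPR", icmp_types(TIME_EXCEEDED, UNREACHABLE), "inspect")], "drop")
    fw.pairs[("self", "OUTSIDE")] = ([("SELF_OUT", proto_in("icmp"), "inspect")], "pass")
    fw.pairs[("OUTSIDE", "self")] = (                              # ACL 140: echo, echo-reply, traceroute
        [("ICMP", icmp_types(ECHO, ECHO_REPLY, TRACEROUTE), "inspect")], "drop")
    return fw

def add_icmp_error_pass(fw: ZBF, src_zone: str, dst_zone: str) -> None:
    """Put a 'pass' class for the two ICMP error types ahead of any 'inspect' class (first match wins)."""
    classes, default = fw.pairs[(src_zone, dst_zone)]
    new = [("UDP_ICMP_CM", icmp_types(TIME_EXCEEDED, UNREACHABLE), "pass")]
    fw.pairs[(src_zone, dst_zone)] = (new + classes, default)

def traceroute_hop(fw: ZBF, src: str, hop: str = "203.0.113.1") -> Tuple[str, str]:
    """One UDP probe from `src` whose TTL expires at `hop` (constructed), and the ICMP reply."""
    probe = fw.forward(Packet("udp", src, "8.8.8.8"))
    return probe, fw.forward(Packet("icmp", hop, src, TIME_EXCEEDED))

ROUTER, LAN_HOST = "38.32.38.34", "10.33.167.50"    # Fa0 address from the post; LAN host constructed

def demo() -> Dict[str, str]:
    """Verdicts before and after adding the pass class to different zone-pairs."""
    out: Dict[str, str] = {}
    fw = build_from_thread_config()
    out["self probe"], out["self reply"] = traceroute_hop(fw, ROUTER)
    out["inside probe"], out["inside reply"] = traceroute_hop(fw, LAN_HOST)
    for pair in (("INSIDE", "OUTSIDE"), ("OUTSIDE", "INSIDE"), ("OUTSIDE", "self")):
        fw = build_from_thread_config()
        add_icmp_error_pass(fw, *pair)
        who = "self" if "self" in pair else "inside"
        src = ROUTER if who == "self" else LAN_HOST
        out[f"{who} reply, pass in {pair[0]}->{pair[1]}"] = traceroute_hop(fw, src)[1]
    return out

if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key:40} {verdict}")
```

Running it prints one verdict per scenario: the router-originated reply is dropped by OUTSIDE_TO_SELF's class-default, the LAN-originated reply is dropped by the inspect class in OUTSIDE_TO_INSIDE, a pass class added to INSIDE_TO_OUTSIDE changes nothing for the reply, and a pass class in the return-direction zone-pair lets it through. A pass for ICMP errors is stateless, so keep its ACL limited to the error types, as the thread's UDP_ICMP_ACL does.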
01-25-2019 10:06 AM
I tried that, but no use.
Even though we have configured the ACL, class map and policy map, could it be related to firmware?
01-25-2019 10:11 AM
Hello,
post the current config with the changes you have implemented...
01-25-2019 01:02 PM
This is another 891 router config and I have added the commands here. Please check.
ip dhcp excluded-address 172.27.128.0 172.27.128.10
ip dhcp excluded-address 10.33.135.0 10.33.135.10
ip dhcp excluded-address 10.33.135.200 10.33.135.254
!
ip dhcp pool inside
import all
network 10.33.135.0 255.255.255.0
domain-name ad.npr.org
default-router 10.33.135.1
dns-server 10.36.1.10 10.36.1.11
option 43 ascii "10,62,20,10"
option 242 ascii "MCIPADD=hq-cmact,MCPORT=1719,HTTPSRVR=dc-avaya-prov01,HTTPDIR=/FW/DC/,L2QVLAN=1"
!
ip dhcp pool GuestNet
network 172.27.128.0 255.255.255.0
default-router 172.27.128.1
dns-server 209.244.0.3 4.2.2.1 8.8.4.4
!
!
!
no ip domain lookup
ip domain name ad.npr.org
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891FW-A-K9 sn FTX183985F7
!
!
vtp mode transparent
username admin privilege 15 password 7 022E544F0F031928406E070917
username itnetwork privilege 15 password 7 01310F16622B0806651C5B19390B07004A4D
!
!
!
!
!
vlan 100
name Guest
lldp run
!
ip ssh source-interface Vlan1
!
class-map type inspect match-all SNMP
match access-group 130
class-map type inspect match-any TACACS
match access-group 150
class-map type inspect match-any SELF_OUT
match protocol icmp
class-map type inspect match-all ICMP
match access-group 140
class-map type inspect match-all DHCP
match access-group 120
class-map type inspect match-any ZBF_ALLOW_ALL
match protocol ftp
match protocol ssh
match protocol udp
match protocol tcp
match protocol telnet
match protocol dns
match protocol icmp
match protocol http
match protocol https
match protocol smtp
class-map type inspect match-all SSH
match access-group name SSH
class-map type inspect match-any GUEST_ALLOW_ALL
match protocol ftp
match protocol dns
match protocol icmp
match protocol https
match protocol http
match protocol tcp
match protocol udp
class-map type inspect match-all NTP
match access-group name NTP
class-map type inspect match-all IPSEC
match access-group name IPSEC
class-map type inspect match-all NPR
match access-group 101
class-map type inspect match-all INSIDE_TO_GUEST
match access-group name Inside2Guest_Access
class-map type inspect match-any UDP_ICMP_CM
match access-group name UDP_ICMP_ACL
!
policy-map type inspect OUTSIDE_TO_INSIDE
class type inspect NPR
inspect
class class-default
drop
policy-map type inspect GUEST_TO_INSIDE
class class-default
drop log
policy-map type inspect INSIDE_TO_GUEST
class type inspect GUEST_ALLOW_ALL
inspect
class class-default
pass
policy-map type inspect Guest_TO_OUTSIDE
description Guest LAN to Internet
class type inspect GUEST_ALLOW_ALL
inspect
class class-default
pass
policy-map type inspect OUTSIDE_TO_SELF
description Permitted traffic from Internet
class type inspect DHCP
pass
class type inspect IPSEC
inspect
class type inspect SSH
inspect
class type inspect NTP
inspect
class type inspect SNMP
inspect
class type inspect ICMP
inspect
class type inspect TACACS
pass log
class class-default
drop
policy-map type inspect Guest_TO_SELF
class type inspect DHCP
pass
class class-default
drop
policy-map type inspect SELF_TO_OUTSIDE
description Router to Internet
class type inspect SELF_OUT
inspect
class class-default
pass
policy-map type inspect INSIDE_TO_OUTSIDE
class type inspect ZBF_ALLOW_ALL
inspect
class type inspect UDP_ICMP_CM
pass
class class-default
pass
!
zone security INSIDE
description Inside LAN
zone security OUTSIDE
description WAN
zone security INSIDE-Guest
description Guest LAN
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
description LAN to WAN
service-policy type inspect INSIDE_TO_OUTSIDE
zone-pair security SELF_TO_OUTSIDE source self destination OUTSIDE
description Remote Site Users to CORE
service-policy type inspect SELF_TO_OUTSIDE
zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
description CORE to Remote Site User
service-policy type inspect OUTSIDE_TO_SELF
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
description NPR to Remote Site
service-policy type inspect OUTSIDE_TO_INSIDE
zone-pair security Guest_TO_OUTSIDE source INSIDE-Guest destination OUTSIDE
description Guest to WAN
service-policy type inspect Guest_TO_OUTSIDE
zone-pair security GUEST_TO_INSIDE source INSIDE-Guest destination INSIDE
service-policy type inspect GUEST_TO_INSIDE
zone-pair security Guest_TO_SELF source INSIDE-Guest destination self
service-policy type inspect Guest_TO_SELF
zone-pair security INSIDE_TO_GUEST source INSIDE destination INSIDE-Guest
description Printer Access
service-policy type inspect INSIDE_TO_GUEST
!
crypto logging session
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key aiU!yb@dzL5 address 205.153.36.207
crypto isakmp key R3m7#yUs9! address 209.144.103.186
!
crypto ipsec security-association lifetime seconds 120
!
crypto ipsec transform-set AES esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map NPR_CMAP_1 1 ipsec-isakmp
description S2S Tunnel to vpn.npr.org
set peer 205.153.36.207 default
set transform-set AES
match address 100
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
description Facing the ISP (the WAN)
ip address dhcp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
crypto map NPR_CMAP_1
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Wlan-GigabitEthernet8
switchport trunk allowed vlan 1,10,20,100,1002-1005
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
!
interface Vlan1
description Inside_LAN
ip address 10.33.135.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
no ip route-cache
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export source Vlan1
ip flow-export version 5
ip flow-export destination 10.36.1.119 2055
ip flow-top-talkers
top 40
sort-by packets
!
ip nat inside source route-map NPR_RMAP_1 interface FastEthernet0 overload
ip tacacs source-interface Vlan1
!
ip access-list extended IPSEC
permit udp host 205.153.36.207 any eq isakmp
permit udp host 209.144.103.186 any eq isakmp
permit udp host 205.153.36.207 any eq non500-isakmp
permit udp host 209.144.103.186 any eq non500-isakmp
permit esp host 205.153.36.207 any
permit esp host 209.144.103.186 any
ip access-list extended Inside2Guest_Access
permit ip 10.33.0.0 0.0.255.255 172.27.128.0 0.0.0.255
ip access-list extended NTP
permit udp host 10.36.1.10 any eq ntp
permit udp host 10.36.1.11 any eq ntp
ip access-list extended SSH
permit tcp 10.32.0.0 0.31.255.255 any eq 22
permit tcp 172.16.0.0 0.15.255.255 any eq 22
permit tcp 10.64.0.0 0.31.255.255 any eq 22
ip access-list extended UDP_ICMP_ACL
permit icmp any any time-exceeded
permit icmp any any host-unreachable
ip access-list extended trace-list
permit ip any any
!
ip sla auto discovery
ip sla 10
icmp-echo 10.36.1.10 source-interface Vlan1
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 10.31.2.200 source-interface Vlan1
ip sla schedule 20 life forever start-time now
logging trap debugging
logging source-interface Vlan1
logging host 10.62.16.241
logging host 10.36.1.233
logging host 64.125.196.130
logging host 10.70.8.241
no cdp run
!
route-map NPR_RMAP_1 permit 1
match ip address 103
!
access-list 100 remark Encrytion Domain
access-list 100 permit ip 10.33.135.0 0.0.0.255 10.32.0.0 0.31.255.255
access-list 100 permit ip 10.33.135.0 0.0.0.255 10.31.0.0 0.0.255.255
access-list 100 permit ip 10.33.135.0 0.0.0.255 10.64.0.0 0.31.255.255
access-list 100 permit ip 10.33.135.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 remark NPR Networks
access-list 101 permit ip 10.32.0.0 0.31.255.255 10.33.135.0 0.0.0.255
access-list 101 permit ip 10.31.0.0 0.0.255.255 10.33.135.0 0.0.0.255
access-list 101 permit ip 10.64.0.0 0.31.255.255 10.33.135.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.15.255.255 10.33.135.0 0.0.0.255
access-list 103 deny ip 10.33.135.0 0.0.0.255 10.32.0.0 0.31.255.255
access-list 103 deny ip 10.33.135.0 0.0.0.255 10.64.0.0 0.31.255.255
access-list 103 deny ip 10.33.135.0 0.0.0.255 10.31.0.0 0.0.255.255
access-list 103 remark 5 NAT Route MAP
access-list 103 deny ip 10.33.135.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 103 permit ip 10.33.135.0 0.0.0.255 any
access-list 103 permit ip 172.27.128.0 0.0.0.255 any
access-list 120 remark DHCP
access-list 120 permit udp any any eq bootpc
access-list 120 permit udp any any eq bootps
access-list 130 remark SNMP
access-list 130 permit udp host 10.36.1.119 any eq snmp
access-list 140 remark ICMP
access-list 140 permit icmp host 10.36.1.119 any echo-reply
access-list 140 permit icmp host 10.36.1.119 any echo
access-list 140 permit icmp host 10.31.2.200 any echo
access-list 140 permit icmp 10.0.0.0 0.255.255.255 any echo
access-list 140 permit icmp 10.0.0.0 0.255.255.255 any echo-reply
access-list 150 remark TACACS
access-list 150 permit ip host 10.62.24.10 any
access-list 150 permit ip host 10.62.24.11 any
!