02-09-2020 10:21 AM
I can't seem to get zbf and port forwarding working.
Current configuration : 15831 bytes ! ! Last configuration change at 10:07:40 UTC Sun Feb 9 2020 by nkoch ! NVRAM config last updated at 04:38:27 UTC Tue Feb 4 2020 by nkoch ! version 15.7 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service internal service sequence-numbers ! hostname NASA ! boot-start-marker boot-end-marker ! ! security authentication failure rate 10 log security passwords min-length 6 logging console critical enable secret 5 enable password 7 ! aaa new-model ! ! aaa authentication login local_auth local ! ! ! ! ! ! aaa session-id common ! vlan ifdescr detail ! ! ! ! ! no ip source-route no ip gratuitous-arps ! ! ! ! ! ! ! ! ! ! ! ! ! ip dhcp excluded-address 192.168.20.1 192.168.20.60 ip dhcp excluded-address 192.168.30.1 192.168.30.60 ip dhcp excluded-address 192.168.40.1 192.168.40.60 ip dhcp excluded-address 192.168.50.1 192.168.50.60 ip dhcp excluded-address 192.168.60.1 192.168.60.60 ip dhcp excluded-address 192.168.70.1 192.168.70.60 ip dhcp excluded-address 192.168.80.1 192.168.80.60 ! ip dhcp pool vlan 20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 30 network 192.168.30.0 255.255.255.0 default-router 192.168.30.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 40 network 192.168.40.0 255.255.255.0 default-router 192.168.40.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 50 network 192.168.50.0 255.255.255.0 default-router 192.168.50.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 60 network 192.168.60.0 255.255.255.0 default-router 192.168.60.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 70 network 192.168.70.0 255.255.255.0 default-router 192.168.70.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 80 network 192.168.80.0 255.255.255.0 default-router 192.168.80.1 dns-server 208.67.222.222 208.67.220.220 ! ! ! no ip bootp server ip host JPL 192.168.2.2 ip host GOLDSTONE 192.168.2.6 ip name-server 216.218.130.2 ip name-server 216.218.131.2 ip name-server 216.218.132.2 ip inspect WAAS flush-timeout 10 ip ddns update method update HTTP add https://@ipv4.tunnelbroker.net/nic/update?hostname= interval maximum 0 0 5 0 ! ip cef login block-for 13500 attempts 35 within 13500 ipv6 unicast-routing ipv6 dhcp pool vlan ! ipv6 dhcp pool vlan20 address prefix 2001:470:1F19:AB:2000::/68 dns-server 2620:119:35::35 dns-server 2620:119:53::53 ! ipv6 cef ! multilink bundle-name authenticated ! ! ! ! ! license udi pid CISCO2911/K9 sn FGL1741129H license accept end user agreement license boot module c2900 technology-package securityk9 license boot module c2900 technology-package datak9 ! ! vtp mode transparent username nkoch password 7 ! redundancy notification-timer 120000 ! ! ! ! no cdp run ! ! class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS match access-group name INSIDE-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS match access-group name OUTSIDE-TO-INSIDE class-map type inspect match-all V80-TO-OUTSIDE-CLASS match access-group name V80-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V80-CLASS match access-group name OUTSIDE-TO-V80 class-map type inspect match-all V30-TO-OUTSIDE-CLASS match access-group name V30-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V30-CLASS match access-group name OUTSIDE-TO-V30 class-map type inspect match-all V20-TO-OUTSIDE-CLASS match access-group name V20-TO-OUTSIDE match access-group name ip620-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V20-CLASS match access-group name OUTSIDE-TO-V20 match access-group name OUTSIDE-TO-ip620 class-map type inspect match-all V70-TO-OUTSIDE-CLASS match access-group name V70-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V70-CLASS match access-group name OUTSIDE-TO-V70 class-map type inspect match-all V60-TO-OUTSIDE-CLASS match access-group name V60-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V60-CLASS match access-group name OUTSIDE-TO-V60 class-map type inspect match-all V50-TO-OUTSIDE-CLASS match access-group name V50-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V50-CLASS match access-group name OUTSIDE-TO-V50 class-map type inspect match-all V40-TO-OUTSIDE-CLASS match access-group name V40-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V40-CLASS match access-group name OUTSIDE-TO-V40 ! policy-map type inspect V60-TO-OUTSIDE-POLICY class type inspect V60-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect V40-TO-OUTSIDE-POLICY class type inspect V40-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V60-POLICY class type inspect OUTSIDE-TO-V60-CLASS drop class class-default drop policy-map type inspect V20-TO-OUTSIDE-POLICY class type inspect V20-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect V70-TO-OUTSIDE-POLICY class type inspect V70-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V40-POLICY class type inspect OUTSIDE-TO-V40-CLASS drop class class-default drop policy-map type inspect V30-TO-OUTSIDE-POLICY class type inspect V30-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V80-POLICY class type inspect OUTSIDE-TO-V80-CLASS drop class class-default drop policy-map type inspect OUTSIDE-TO-V30-POLICY class type inspect OUTSIDE-TO-V30-CLASS inspect class class-default drop log policy-map type inspect OUTSIDE-TO-V50-POLICY class type inspect OUTSIDE-TO-V50-CLASS drop class class-default drop policy-map type inspect INSIDE-TO-OUTSIDE-POLICY class type inspect INSIDE-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect V50-TO-OUTSIDE-POLICY class type inspect V50-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V20-POLICY class type inspect OUTSIDE-TO-V20-CLASS drop class class-default drop policy-map type inspect OUTSIDE-TO-INSIDE-POLICY class type inspect OUTSIDE-TO-INSIDE-CLASS drop class class-default drop policy-map type inspect V80-TO-OUTSIDE-POLICY class type inspect V80-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V70-POLICY class type inspect OUTSIDE-TO-V70-CLASS drop class class-default drop ! zone security INSIDE zone security OUTSIDE zone security vlan20 zone security vlan30 zone security vlan40 zone security vlan50 zone security vlan60 zone security vlan70 zone security vlan80 zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE service-policy type inspect INSIDE-TO-OUTSIDE-POLICY zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE service-policy type inspect OUTSIDE-TO-INSIDE-POLICY zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE service-policy type inspect V20-TO-OUTSIDE-POLICY zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE service-policy type inspect V30-TO-OUTSIDE-POLICY zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE service-policy type inspect V40-TO-OUTSIDE-POLICY zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE service-policy type inspect V50-TO-OUTSIDE-POLICY zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE service-policy type inspect V60-TO-OUTSIDE-POLICY zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE service-policy type inspect V70-TO-OUTSIDE-POLICY zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE service-policy type inspect V80-TO-OUTSIDE-POLICY zone-pair security OUT-TO-20 source OUTSIDE destination vlan20 service-policy type inspect OUTSIDE-TO-V20-POLICY zone-pair security OUT-TO-30 source OUTSIDE destination vlan30 service-policy type inspect OUTSIDE-TO-V30-POLICY zone-pair security OUT-TO-40 source OUTSIDE destination vlan40 service-policy type inspect OUTSIDE-TO-V40-POLICY zone-pair security OUT-TO-50 source OUTSIDE destination vlan50 service-policy type inspect OUTSIDE-TO-V50-POLICY zone-pair security OUT-TO-60 source OUTSIDE destination vlan60 service-policy type inspect OUTSIDE-TO-V60-POLICY zone-pair security OUT-TO-70 source OUTSIDE destination vlan70 service-policy type inspect OUTSIDE-TO-V70-POLICY zone-pair security OUT-TO-80 source OUTSIDE destination vlan80 service-policy type inspect OUTSIDE-TO-V80-POLICY ! ! ! ! ! ! ! ! ! ! interface Loopback0 ip address 192.168.1.1 255.255.255.0 ! interface Loopback1 no ip address ! interface Tunnel0 description Hurricane Electric IPv6 Tunnel Broker no ip address zone-member security OUTSIDE ipv6 address ipv6 enable tunnel source GigabitEthernet0/0 tunnel mode ipv6ip tunnel destination ! interface Embedded-Service-Engine0/0 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown no mop enabled ! interface GigabitEthernet0/0 ip ddns update update ip address dhcp hostname NASA no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip virtual-reassembly in zone-member security OUTSIDE duplex auto speed auto no mop enabled ! interface GigabitEthernet0/1 no ip address no ip redirects no ip unreachables no ip proxy-arp ip virtual-reassembly in zone-member security INSIDE duplex auto speed auto no mop enabled ! interface GigabitEthernet0/1.1 encapsulation dot1Q 1 native ip address 192.168.2.1 255.255.255.0 zone-member security INSIDE no cdp enable ipv6 enable ! interface GigabitEthernet0/1.20 encapsulation dot1Q 20 ip address 192.168.20.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan20 no cdp enable ipv6 enable ipv6 nd managed-config-flag ipv6 dhcp server vlan20 ! interface GigabitEthernet0/1.30 encapsulation dot1Q 30 ip address 192.168.30.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan30 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.40 encapsulation dot1Q 40 ip address 192.168.40.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan40 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.50 encapsulation dot1Q 50 ip address 192.168.50.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan50 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.60 encapsulation dot1Q 60 ip address 192.168.60.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan60 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.70 encapsulation dot1Q 70 ip address 192.168.70.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan70 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.80 encapsulation dot1Q 80 ip address 192.168.80.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan80 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.400 no cdp enable ! interface GigabitEthernet0/2 no ip address no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly in shutdown duplex auto speed auto no mop enabled ! ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip dns view default domain name vastspace.ca domain resolver source-interface GigabitEthernet0/0 ip nat inside source list 1 interface GigabitEthernet0/0 overload ip nat outside source list 201 interface GigabitEthernet0/0 ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp ip identd ! ip access-list extended INSIDE-TO-OUTSIDE ip access-list extended OUTSIDE-TO-INSIDE ip access-list extended OUTSIDE-TO-V20 ip access-list extended OUTSIDE-TO-V30 permit tcp any host 192.168.30.67 eq www permit tcp any host 192.168.30.67 eq 443 ip access-list extended OUTSIDE-TO-V40 ip access-list extended OUTSIDE-TO-V50 ip access-list extended OUTSIDE-TO-V60 ip access-list extended OUTSIDE-TO-V70 ip access-list extended OUTSIDE-TO-V80 ip access-list extended V20-TO-OUTSIDE permit ip 192.168.20.0 0.0.0.255 any ip access-list extended V30-TO-OUTSIDE permit ip 192.168.30.0 0.0.0.255 any ip access-list extended V40-TO-OUTSIDE permit ip 192.168.40.0 0.0.0.255 any ip access-list extended V50-TO-OUTSIDE permit ip 192.168.50.0 0.0.0.255 any ip access-list extended V60-TO-OUTSIDE ip access-list extended V70-TO-OUTSIDE ip access-list extended V80-TO-OUTSIDE permit ip 192.168.80.0 0.0.0.255 any ! logging trap debugging logging facility local2 dialer-list 1 protocol ip permit ipv6 route ::/0 Tunnel0 ipv6 ioam timestamp ! ! access-list 1 permit 192.168.2.0 0.0.0.255 access-list 1 permit 192.168.20.0 0.0.0.255 access-list 1 permit 192.168.30.0 0.0.0.255 access-list 1 permit 192.168.40.0 0.0.0.255 access-list 1 permit 192.168.50.0 0.0.0.255 access-list 1 permit 192.168.60.0 0.0.0.255 access-list 1 permit 192.168.70.0 0.0.0.255 access-list 1 permit 192.168.80.0 0.0.0.255 ! ! ! ipv6 access-list OUTSIDE-TO-ip620 permit icmp any any unreachable permit icmp any any packet-too-big permit icmp any any hop-limit permit icmp any any reassembly-timeout permit icmp any any header permit icmp any any next-header permit icmp any any parameter-option permit icmp any any echo-request permit icmp any any echo-reply permit icmp any any dhaad-request permit icmp any any dhaad-reply permit icmp any any mpd-solicitation permit icmp any any mpd-advertisement permit icmp any any nd-na permit icmp any any nd-ns ! ipv6 access-list ip620-TO-OUTSIDE permit ipv6 2001:470:1F19:AB:2000::/68 any control-plane host ! ! control-plane ! ! vstack banner login ^C ******* ***** ,******. ,************** ,******, **********, ***** .********** ,***************** ********** ******,***** ***** ************ ******************* ************ ***** ***** ***** ***** ****** ***** ***** ,***** ***** *****, ***** ****** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ,**************** ***** ***** ***** ,***** ***** ***** ****** ***************** ***** ,***** ***** ***** ***** ***** ***** ,,,,,,,,****** .***** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ***** ***** ********** *****, ***********, ****** ***** ***********.***** *********************** ***** ***** ***** ********* ***** ******************** ***** ***** ^C banner motd ^C Welcome to ^C ! line con 0 exec-timeout 5 0 login authentication local_auth transport output telnet speed 115200 line aux 0 exec-timeout 15 0 login authentication local_auth modem InOut transport input telnet transport output telnet flowcontrol hardware line 2 exec-timeout 15 0 login authentication local_auth no activation-character no exec transport preferred none transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 password 7 login authentication local_auth transport input none ! scheduler allocate 20000 1000 ntp source GigabitEthernet0/0 ntp update-calendar ntp server 0.us.pool.ntp.org ! end
02-09-2020 11:15 AM
The description of the issue mentions zbf and port forwarding. The posted config has a fairly elaborate zbf configured and some address translation. But I am not seeing port forwarding. So I have a couple of questions:
1) is the zbf working?
2) what are you configuring for port forwarding?
02-09-2020 11:49 AM
Hello,
there are a lot of misconfigured parts in what you have posted. I have revised your configuration, make sure you have the parts marked in bold configured, this will inspect all outgoing traffic. Once you got that working, you need to decide what traffic you want to accept originating from the outside:
Current configuration : 15831 bytes
!
! Last configuration change at 10:07:40 UTC Sun Feb 9 2020 by nkoch
! NVRAM config last updated at 04:38:27 UTC Tue Feb 4 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
vlan ifdescr detail
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip host JPL 192.168.2.2
ip host GOLDSTONE 192.168.2.6
ip name-server 216.218.130.2
ip name-server 216.218.131.2
ip name-server 216.218.132.2
ip inspect WAAS flush-timeout 10
ip ddns update method update
HTTP
add https://@ipv4.tunnelbroker.net/nic/update?hostname=
interval maximum 0 0 5 0
!
ip cef
login block-for 13500 attempts 35 within 13500
ipv6 unicast-routing
ipv6 dhcp pool vlan
!
ipv6 dhcp pool vlan20
address prefix 2001:470:1F19:AB:2000::/68
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username nkoch password 7
!
redundancy
notification-timer 120000
!
no cdp run
!
class-map type inspect match-all V20-TO-OUTSIDE-CLASS
match access-group name V20-TO-OUTSIDE
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
match access-group name V30-TO-OUTSIDE
class-map type inspect match-all V40-TO-OUTSIDE-CLASS
match access-group name V40-TO-OUTSIDE
class-map type inspect match-all V50-TO-OUTSIDE-CLASS
match access-group name V50-TO-OUTSIDE
class-map type inspect match-all V60-TO-OUTSIDE-CLASS
match access-group name V60-TO-OUTSIDE
class-map type inspect match-all V70-TO-OUTSIDE-CLASS
match access-group name V70-TO-OUTSIDE
class-map type inspect match-all V80-TO-OUTSIDE-CLASS
match access-group name V80-TO-OUTSIDE
!
policy-map type inspect V20-TO-OUTSIDE-POLICY
class type inspect V20-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V30-TO-OUTSIDE-POLICY
class type inspect V30-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V40-TO-OUTSIDE-POLICY
class type inspect V40-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V50-TO-OUTSIDE-POLICY
class type inspect V50-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V60-TO-OUTSIDE-POLICY
class type inspect V60-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V70-TO-OUTSIDE-POLICY
class type inspect V70-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V80-TO-OUTSIDE-POLICY
class type inspect V80-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
zone security OUTSIDE
zone security vlan20
zone security vlan30
zone security vlan40
zone security vlan50
zone security vlan60
zone security vlan70
zone security vlan80
!
zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE
service-policy type inspect V20-TO-OUTSIDE-POLICY
zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE
service-policy type inspect V30-TO-OUTSIDE-POLICY
zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE
service-policy type inspect V40-TO-OUTSIDE-POLICY
zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE
service-policy type inspect V50-TO-OUTSIDE-POLICY
zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE
service-policy type inspect V60-TO-OUTSIDE-POLICY
zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE
service-policy type inspect V70-TO-OUTSIDE-POLICY
zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE
service-policy type inspect V80-TO-OUTSIDE-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security OUTSIDE
ipv6 address
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip ddns update update
ip address dhcp hostname NASA
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
zone-member security INSIDE
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan20
no cdp enable
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server vlan20
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan30
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan40
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan50
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan60
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan70
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan80
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.400
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view default
domain name vastspace.ca
domain resolver source-interface GigabitEthernet0/0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip identd
!
ip access-list extended V20-TO-OUTSIDE
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended V30-TO-OUTSIDE
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended V40-TO-OUTSIDE
permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended V50-TO-OUTSIDE
permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended V60-TO-OUTSIDE
permit ip 192.168.60.0 0.0.0.255 any
ip access-list extended V70-TO-OUTSIDE
permit ip 192.168.70.0 0.0.0.255 any
ip access-list extended V80-TO-OUTSIDE
permit ip 192.168.80.0 0.0.0.255 any
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
!
!
ipv6 access-list OUTSIDE-TO-ip620
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any echo-request
permit icmp any any echo-reply
permit icmp any any dhaad-request
permit icmp any any dhaad-reply
permit icmp any any mpd-solicitation
permit icmp any any mpd-advertisement
permit icmp any any nd-na
permit icmp any any nd-ns
!
ipv6 access-list ip620-TO-OUTSIDE
permit ipv6 2001:470:1F19:AB:2000::/68 any
control-plane host
!
!
control-plane
!
!
vstack
banner login ^C
******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ,,,,,,,,****** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** ***** ^C
banner motd ^C
Welcome to ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 0.us.pool.ntp.org
!
end
02-09-2020 11:52 AM
There was no information on forwarding ports? I want to foward ports 80 and 433 to ip 192.168.30.67.
02-09-2020 12:48 PM
Hello,
if you want to allow access from the outside to this IP address and ports, you need to add the below. Since you have a dynamic IP address on the outside, the access lists match 'any':
ip nat inside source static tcp 192.168.30.67 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.67 443 interface GigabitEthernet0/0 443
!
class-map type inspect match-any OUTSIDE-TO-V30-CLASS
match access-group name OUTSIDE-TO-V30_80
match access-group name OUTSIDE-TO-V30_443
!
policy-map type inspect OUTSIDE-TO-V30-POLICY
class type inspect OUTSIDE-TO-V30-CLASS
pass
class class-default
drop log
!
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
service-policy type inspect OUTSIDE-TO-V30-POLICY
!
ip access-list extended OUTSIDE-TO-V30_80
permiy tcp any any eq 80
!
ip access-list extended OUTSIDE-TO-V30_443
permiy tcp any any eq 443
02-09-2020 02:27 PM
It's not working.
02-09-2020 04:01 PM
Hello,
what specifically is not working ? Post the full running configuration with the changes you have implemented...
02-09-2020 04:47 PM - edited 02-09-2020 04:47 PM
NASA#show run Building configuration... Current configuration : 15909 bytes ! ! Last configuration change at 22:20:30 UTC Sun Feb 9 2020 by nkoch ! NVRAM config last updated at 04:38:27 UTC Tue Feb 4 2020 by nkoch ! version 15.7 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service internal service sequence-numbers ! hostname NASA ! boot-start-marker boot-end-marker ! ! security authentication failure rate 10 log security passwords min-length 6 logging console critical enable secret 5 enable password 7 ! aaa new-model ! ! aaa authentication login local_auth local ! ! ! ! ! ! aaa session-id common ! vlan ifdescr detail ! ! ! ! ! no ip source-route no ip gratuitous-arps ! ! ! ! ! ! ! ! ! ! ! ! ! ip dhcp excluded-address 192.168.20.1 192.168.20.60 ip dhcp excluded-address 192.168.30.1 192.168.30.60 ip dhcp excluded-address 192.168.40.1 192.168.40.60 ip dhcp excluded-address 192.168.50.1 192.168.50.60 ip dhcp excluded-address 192.168.60.1 192.168.60.60 ip dhcp excluded-address 192.168.70.1 192.168.70.60 ip dhcp excluded-address 192.168.80.1 192.168.80.60 ! ip dhcp pool vlan 20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 30 network 192.168.30.0 255.255.255.0 default-router 192.168.30.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 40 network 192.168.40.0 255.255.255.0 default-router 192.168.40.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 50 network 192.168.50.0 255.255.255.0 default-router 192.168.50.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 60 network 192.168.60.0 255.255.255.0 default-router 192.168.60.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 70 network 192.168.70.0 255.255.255.0 default-router 192.168.70.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 80 network 192.168.80.0 255.255.255.0 default-router 192.168.80.1 dns-server 208.67.222.222 208.67.220.220 ! ! ! no ip bootp server ip domain name earth.vastspace.ca ip host JPL 192.168.2.2 ip host GOLDSTONE 192.168.2.6 ip name-server 216.218.130.2 ip name-server 216.218.131.2 ip name-server 216.218.132.2 ip inspect WAAS flush-timeout 10 ip ddns update method update HTTP add@ipv4.tunnelbroker.net/nic/update?hostname=567894 interval maximum 0 0 5 0 ! ip cef login block-for 13500 attempts 35 within 13500 ipv6 unicast-routing ipv6 dhcp pool vlan ! ipv6 dhcp pool vlan20 address prefix 2001:470:1F19:AB:2000::/68 dns-server 2620:119:35::35 dns-server 2620:119:53::53 ! ipv6 cef ! multilink bundle-name authenticated ! ! ! ! ! license udi pid CISCO2911/K9 sn FGL1741129H license accept end user agreement license boot module c2900 technology-package securityk9 license boot module c2900 technology-package datak9 ! ! vtp mode transparent username nkoch password 7 ! redundancy notification-timer 120000 ! ! ! ! no cdp run ! ! class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS match access-group name INSIDE-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS match access-group name OUTSIDE-TO-INSIDE class-map type inspect match-all V80-TO-OUTSIDE-CLASS match access-group name V80-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V80-CLASS match access-group name OUTSIDE-TO-V80 class-map type inspect match-all V30-TO-OUTSIDE-CLASS match access-group name V30-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V30-CLASS match access-group name OUTSIDE-TO-V30 class-map type inspect match-all V20-TO-OUTSIDE-CLASS match access-group name V20-TO-OUTSIDE match access-group name ip620-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V20-CLASS match access-group name OUTSIDE-TO-V20 match access-group name OUTSIDE-TO-ip620 class-map type inspect match-all V70-TO-OUTSIDE-CLASS match access-group name V70-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V70-CLASS match access-group name OUTSIDE-TO-V70 class-map type inspect match-all V60-TO-OUTSIDE-CLASS match access-group name V60-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V60-CLASS match access-group name OUTSIDE-TO-V60 class-map type inspect match-all V50-TO-OUTSIDE-CLASS match access-group name V50-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V50-CLASS match access-group name OUTSIDE-TO-V50 class-map type inspect match-all V40-TO-OUTSIDE-CLASS match access-group name V40-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V40-CLASS match access-group name OUTSIDE-TO-V40 ! policy-map type inspect V60-TO-OUTSIDE-POLICY class type inspect V60-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect V40-TO-OUTSIDE-POLICY class type inspect V40-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V60-POLICY class type inspect OUTSIDE-TO-V60-CLASS drop class class-default drop policy-map type inspect V20-TO-OUTSIDE-POLICY class type inspect V20-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect V70-TO-OUTSIDE-POLICY class type inspect V70-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V40-POLICY class type inspect OUTSIDE-TO-V40-CLASS drop class class-default drop policy-map type inspect V30-TO-OUTSIDE-POLICY class type inspect V30-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V80-POLICY class type inspect OUTSIDE-TO-V80-CLASS drop class class-default drop policy-map type inspect OUTSIDE-TO-V30-POLICY class type inspect OUTSIDE-TO-V30-CLASS pass class class-default drop log policy-map type inspect OUTSIDE-TO-V50-POLICY class type inspect OUTSIDE-TO-V50-CLASS drop class class-default drop policy-map type inspect INSIDE-TO-OUTSIDE-POLICY class type inspect INSIDE-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect V50-TO-OUTSIDE-POLICY class type inspect V50-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V20-POLICY class type inspect OUTSIDE-TO-V20-CLASS drop class class-default drop policy-map type inspect OUTSIDE-TO-INSIDE-POLICY class type inspect OUTSIDE-TO-INSIDE-CLASS drop class class-default drop policy-map type inspect V80-TO-OUTSIDE-POLICY class type inspect V80-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V70-POLICY class type inspect OUTSIDE-TO-V70-CLASS drop class class-default drop ! zone security INSIDE zone security OUTSIDE zone security vlan20 zone security vlan30 zone security vlan40 zone security vlan50 zone security vlan60 zone security vlan70 zone security vlan80 zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE service-policy type inspect INSIDE-TO-OUTSIDE-POLICY zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE service-policy type inspect OUTSIDE-TO-INSIDE-POLICY zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE service-policy type inspect V20-TO-OUTSIDE-POLICY zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE service-policy type inspect V30-TO-OUTSIDE-POLICY zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE service-policy type inspect V40-TO-OUTSIDE-POLICY zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE service-policy type inspect V50-TO-OUTSIDE-POLICY zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE service-policy type inspect V60-TO-OUTSIDE-POLICY zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE service-policy type inspect V70-TO-OUTSIDE-POLICY zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE service-policy type inspect V80-TO-OUTSIDE-POLICY zone-pair security OUT-TO-20 source OUTSIDE destination vlan20 service-policy type inspect OUTSIDE-TO-V20-POLICY zone-pair security OUT-TO-30 source OUTSIDE destination vlan30 service-policy type inspect OUTSIDE-TO-V30-POLICY zone-pair security OUT-TO-40 source OUTSIDE destination vlan40 service-policy type inspect OUTSIDE-TO-V40-POLICY zone-pair security OUT-TO-50 source OUTSIDE destination vlan50 service-policy type inspect OUTSIDE-TO-V50-POLICY zone-pair security OUT-TO-60 source OUTSIDE destination vlan60 service-policy type inspect OUTSIDE-TO-V60-POLICY zone-pair security OUT-TO-70 source OUTSIDE destination vlan70 service-policy type inspect OUTSIDE-TO-V70-POLICY zone-pair security OUT-TO-80 source OUTSIDE destination vlan80 service-policy type inspect OUTSIDE-TO-V80-POLICY ! ! ! ! ! ! ! ! ! ! interface Loopback0 ip address 192.168.1.1 255.255.255.0 ! interface Loopback1 no ip address ! interface Tunnel0 description Hurricane Electric IPv6 Tunnel Broker no ip address zone-member security OUTSIDE ipv6 address ipv6 enable tunnel source GigabitEthernet0/0 tunnel mode ipv6ip tunnel destination ! interface Embedded-Service-Engine0/0 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown no mop enabled ! interface GigabitEthernet0/0 ip ddns update update ip address dhcp hostname NASA no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip virtual-reassembly in zone-member security OUTSIDE duplex auto speed auto no mop enabled ! interface GigabitEthernet0/1 no ip address no ip redirects no ip unreachables no ip proxy-arp ip virtual-reassembly in zone-member security INSIDE duplex auto speed auto no mop enabled ! interface GigabitEthernet0/1.1 encapsulation dot1Q 1 native ip address 192.168.2.1 255.255.255.0 zone-member security INSIDE no cdp enable ipv6 enable ! interface GigabitEthernet0/1.20 encapsulation dot1Q 20 ip address 192.168.20.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan20 no cdp enable ipv6 enable ipv6 nd managed-config-flag ipv6 dhcp server vlan20 ! interface GigabitEthernet0/1.30 encapsulation dot1Q 30 ip address 192.168.30.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan30 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.40 encapsulation dot1Q 40 ip address 192.168.40.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan40 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.50 encapsulation dot1Q 50 ip address 192.168.50.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan50 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.60 encapsulation dot1Q 60 ip address 192.168.60.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan60 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.70 encapsulation dot1Q 70 ip address 192.168.70.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan70 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.80 encapsulation dot1Q 80 ip address 192.168.80.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan80 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.400 no cdp enable ! interface GigabitEthernet0/2 no ip address no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly in shutdown duplex auto speed auto no mop enabled ! ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip dns view default domain resolver source-interface GigabitEthernet0/0 ip nat inside source list 1 interface GigabitEthernet0/0 overload ip nat inside source static tcp 192.168.30.67 80 interface GigabitEthernet0/0 80 ip nat inside source static tcp 192.168.30.67 443 interface GigabitEthernet0/0 443 ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp ip identd ! ip access-list extended INSIDE-TO-OUTSIDE ip access-list extended OUTSIDE-TO-INSIDE ip access-list extended OUTSIDE-TO-V20 ip access-list extended OUTSIDE-TO-V30 permit tcp any any eq www permit tcp any any eq 443 ip access-list extended OUTSIDE-TO-V40 ip access-list extended OUTSIDE-TO-V50 ip access-list extended OUTSIDE-TO-V60 ip access-list extended OUTSIDE-TO-V70 ip access-list extended OUTSIDE-TO-V80 ip access-list extended V20-TO-OUTSIDE permit ip 192.168.20.0 0.0.0.255 any ip access-list extended V30-TO-OUTSIDE permit ip 192.168.30.0 0.0.0.255 any ip access-list extended V40-TO-OUTSIDE permit ip 192.168.40.0 0.0.0.255 any ip access-list extended V50-TO-OUTSIDE permit ip 192.168.50.0 0.0.0.255 any ip access-list extended V60-TO-OUTSIDE ip access-list extended V70-TO-OUTSIDE ip access-list extended V80-TO-OUTSIDE permit ip 192.168.80.0 0.0.0.255 any ! logging trap debugging logging facility local2 dialer-list 1 protocol ip permit ipv6 route ::/0 Tunnel0 ipv6 ioam timestamp ! ! access-list 1 permit 192.168.2.0 0.0.0.255 access-list 1 permit 192.168.20.0 0.0.0.255 access-list 1 permit 192.168.30.0 0.0.0.255 access-list 1 permit 192.168.40.0 0.0.0.255 access-list 1 permit 192.168.50.0 0.0.0.255 access-list 1 permit 192.168.60.0 0.0.0.255 access-list 1 permit 192.168.70.0 0.0.0.255 access-list 1 permit 192.168.80.0 0.0.0.255 ! ! ! ipv6 access-list OUTSIDE-TO-ip620 permit icmp any any unreachable permit icmp any any packet-too-big permit icmp any any hop-limit permit icmp any any reassembly-timeout permit icmp any any header permit icmp any any next-header permit icmp any any parameter-option permit icmp any any echo-request permit icmp any any echo-reply permit icmp any any dhaad-request permit icmp any any dhaad-reply permit icmp any any mpd-solicitation permit icmp any any mpd-advertisement permit icmp any any nd-na permit icmp any any nd-ns ! ipv6 access-list ip620-TO-OUTSIDE permit ipv6 2001:470:1F19:AB:2000::/68 any control-plane host ! ! control-plane ! ! vstack banner login ^C ******* ***** ,******. ,************** ,******, **********, ***** .********** ,***************** ********** ******,***** ***** ************ ******************* ************ ***** ***** ***** ***** ****** ***** ***** ,***** ***** *****, ***** ****** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ,**************** ***** ***** ***** ,***** ***** ***** ****** ***************** ***** ,***** ***** ***** ***** ***** ***** ,,,,,,,,****** .***** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ***** ***** ********** *****, ***********, ****** ***** ***********.***** *********************** ***** ***** ***** ********* ***** ******************** ***** ***** ^C banner motd ^C Welcome to ^C ! line con 0 exec-timeout 5 0 login authentication local_auth transport output telnet speed 115200 line aux 0 exec-timeout 15 0 login authentication local_auth modem InOut transport input telnet transport output telnet flowcontrol hardware line 2 exec-timeout 15 0 login authentication local_auth no activation-character no exec transport preferred none transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 password 7 login authentication local_auth transport input none ! scheduler allocate 20000 1000 ntp source GigabitEthernet0/0 ntp update-calendar ntp server 0.us.pool.ntp.org ! end NASA#
02-09-2020 06:44 PM
You did not make the changes I suggested correctly. Make sure your configuration looks exactly like the one I sent you, line by line, and no additional lines. When you are finished, post it again...
02-09-2020 07:35 PM
The only difference is this:
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
service-policy type inspect OUTSIDE-TO-V30-POLICY
!
ip access-list extended OUTSIDE-TO-V30_80
permiy tcp any any eq 80
!
ip access-list extended OUTSIDE-TO-V30_443
permiy tcp any any eq 443
I'm just adding permitts to existing lists. Everything else is the same
02-09-2020 11:57 PM
Hello,
what you have posted contains many empty access lists and zone policies matching these lists. What is the purpose of these empty access lists ?
I have consolidated the configuration below, try and get this in your router exactly as is, line by line. That said, is your NAT working without the ZBF ?
Current configuration : 15831 bytes
!
! Last configuration change at 10:07:40 UTC Sun Feb 9 2020 by nkoch
! NVRAM config last updated at 04:38:27 UTC Tue Feb 4 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
vlan ifdescr detail
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip host JPL 192.168.2.2
ip host GOLDSTONE 192.168.2.6
ip name-server 216.218.130.2
ip name-server 216.218.131.2
ip name-server 216.218.132.2
ip inspect WAAS flush-timeout 10
ip ddns update method update
HTTP
add https://@ipv4.tunnelbroker.net/nic/update?hostname=
interval maximum 0 0 5 0
!
ip cef
login block-for 13500 attempts 35 within 13500
ipv6 unicast-routing
ipv6 dhcp pool vlan
!
ipv6 dhcp pool vlan20
address prefix 2001:470:1F19:AB:2000::/68
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username nkoch password 7
!
redundancy
notification-timer 120000
!
no cdp run
!
class-map type inspect match-any OUTSIDE-TO-V30-CLASS
match access-group name OUTSIDE-TO-V30_80
match access-group name OUTSIDE-TO-V30_443
class-map type inspect match-all V1-TO-OUTSIDE-CLASS
match access-group name V1-TO-OUTSIDE
class-map type inspect match-all V20-TO-OUTSIDE-CLASS
match access-group name V20-TO-OUTSIDE
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
match access-group name V30-TO-OUTSIDE
class-map type inspect match-all V40-TO-OUTSIDE-CLASS
match access-group name V40-TO-OUTSIDE
class-map type inspect match-all V50-TO-OUTSIDE-CLASS
match access-group name V50-TO-OUTSIDE
class-map type inspect match-all V60-TO-OUTSIDE-CLASS
match access-group name V60-TO-OUTSIDE
class-map type inspect match-all V70-TO-OUTSIDE-CLASS
match access-group name V70-TO-OUTSIDE
class-map type inspect match-all V80-TO-OUTSIDE-CLASS
match access-group name V80-TO-OUTSIDE
!
policy-map type inspect OUTSIDE-TO-V30-POLICY
class type inspect OUTSIDE-TO-V30-CLASS
pass
class class-default
drop log
!
policy-map type inspect V1-TO-OUTSIDE-POLICY
class type inspect V1-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V20-TO-OUTSIDE-POLICY
class type inspect V20-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V30-TO-OUTSIDE-POLICY
class type inspect V30-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V40-TO-OUTSIDE-POLICY
class type inspect V40-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V50-TO-OUTSIDE-POLICY
class type inspect V50-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V60-TO-OUTSIDE-POLICY
class type inspect V60-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V70-TO-OUTSIDE-POLICY
class type inspect V70-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V80-TO-OUTSIDE-POLICY
class type inspect V80-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
zone security OUTSIDE
zone security INSIDE
zone security vlan20
zone security vlan30
zone security vlan40
zone security vlan50
zone security vlan60
zone security vlan70
zone security vlan80
!
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
service-policy type inspect OUTSIDE-TO-V30-POLICY
zone-pair security 20-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect V1-TO-OUTSIDE-POLICY
zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE
service-policy type inspect V20-TO-OUTSIDE-POLICY
zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE
service-policy type inspect V30-TO-OUTSIDE-POLICY
zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE
service-policy type inspect V40-TO-OUTSIDE-POLICY
zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE
service-policy type inspect V50-TO-OUTSIDE-POLICY
zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE
service-policy type inspect V60-TO-OUTSIDE-POLICY
zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE
service-policy type inspect V70-TO-OUTSIDE-POLICY
zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE
service-policy type inspect V80-TO-OUTSIDE-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security OUTSIDE
ipv6 address
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip ddns update update
ip address dhcp hostname NASA
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security INSIDE
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan20
no cdp enable
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server vlan20
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan30
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan40
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan50
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan60
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan70
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan80
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.400
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view default
domain name vastspace.ca
domain resolver source-interface GigabitEthernet0/0
ip nat inside source static tcp 192.168.30.67 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.67 443 interface GigabitEthernet0/0 443 ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip identd
!
ip access-list extended OUTSIDE-TO-V30_80
permiy tcp any any eq 80
ip access-list extended OUTSIDE-TO-V30_443
permiy tcp any any eq 443
ip access-list extended V1-TO-OUTSIDE
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended V20-TO-OUTSIDE
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended V30-TO-OUTSIDE
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended V40-TO-OUTSIDE
permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended V50-TO-OUTSIDE
permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended V60-TO-OUTSIDE
permit ip 192.168.60.0 0.0.0.255 any
ip access-list extended V70-TO-OUTSIDE
permit ip 192.168.70.0 0.0.0.255 any
ip access-list extended V80-TO-OUTSIDE
permit ip 192.168.80.0 0.0.0.255 any
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
ipv6 access-list OUTSIDE-TO-ip620
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any echo-request
permit icmp any any echo-reply
permit icmp any any dhaad-request
permit icmp any any dhaad-reply
permit icmp any any mpd-solicitation
permit icmp any any mpd-advertisement
permit icmp any any nd-na
permit icmp any any nd-ns
!
ipv6 access-list ip620-TO-OUTSIDE
permit ipv6 2001:470:1F19:AB:2000::/68 any
control-plane host
!
control-plane
!
vstack
banner login ^C
******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ,,,,,,,,****** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** ***** ^C
banner motd ^C
Welcome to ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 0.us.pool.ntp.org
!
end
02-12-2020 10:53 AM - edited 02-12-2020 11:04 AM
I added the changes and still nothing. I turned on the webserv for a short moments to see if I could reach it from the outside and I could. It appears things at getting to the outside interface but not being forwarded. Could be be something with interface 192.168.30.1? Do I need to tell it to forward g0/0 to 192.168.30.1 and then tell 192.168.30.1 to forward to 192.168.30.10?
02-12-2020 11:51 AM
Hello,
post the current running configuration. In theory, everything should be allowed (and inspected) out...
02-12-2020 12:00 PM
Building configuration... Current configuration : 16181 bytes ! ! Last configuration change at 18:48:28 UTC Wed Feb 12 2020 by nkoch ! NVRAM config last updated at 18:42:38 UTC Wed Feb 12 2020 by nkoch ! version 15.7 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service internal service sequence-numbers ! hostname NASA ! boot-start-marker boot-end-marker ! ! security authentication failure rate 10 log security passwords min-length 6 logging console critical enable aaa new-model ! ! aaa authentication login local_auth local ! ! ! ! ! ! aaa session-id common ! vlan ifdescr detail ! ! ! ! ! no ip source-route no ip gratuitous-arps ! ! ! ! ! ! ! ! ! ! ! ! ! ip dhcp excluded-address 192.168.20.1 192.168.20.60 ip dhcp excluded-address 192.168.30.1 192.168.30.60 ip dhcp excluded-address 192.168.40.1 192.168.40.60 ip dhcp excluded-address 192.168.50.1 192.168.50.60 ip dhcp excluded-address 192.168.60.1 192.168.60.60 ip dhcp excluded-address 192.168.70.1 192.168.70.60 ip dhcp excluded-address 192.168.80.1 192.168.80.60 ! ip dhcp pool vlan 20 network 192.168.20.0 255.255.255.0 default-router 192.168.20.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 30 network 192.168.30.0 255.255.255.0 default-router 192.168.30.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 40 network 192.168.40.0 255.255.255.0 default-router 192.168.40.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 50 network 192.168.50.0 255.255.255.0 default-router 192.168.50.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 60 network 192.168.60.0 255.255.255.0 default-router 192.168.60.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 70 network 192.168.70.0 255.255.255.0 default-router 192.168.70.1 dns-server 208.67.222.222 208.67.220.220 ! ip dhcp pool vlan 80 network 192.168.80.0 255.255.255.0 default-router 192.168.80.1 dns-server 208.67.222.222 208.67.220.220 ! ! ! no ip bootp server ip domain name earth.vastspace.ca ip host JPL 192.168.2.2 ip host GOLDSTONE 192.168.2.6 ip name-server 208.67.222.222 ip name-server 208.67.220.220 ip inspect WAAS flush-timeout 10 ip ddns update method update HTTP add interval maximum 0 0 5 0 ! ip cef login block-for 13500 attempts 35 within 13500 ipv6 unicast-routing ipv6 dhcp pool vlan ! ipv6 dhcp pool vlan20 address prefix 2001:470:1F19:AB:2000::/68 dns-server 2620:119:35::35 dns-server 2620:119:53::53 ! ipv6 cef ! multilink bundle-name authenticated ! ! ! ! ! license udi pid CISCO2911/K9 sn FGL1741129H license accept end user agreement license boot module c2900 technology-package securityk9 license boot module c2900 technology-package datak9 ! ! vtp mode transparent username nkoch password ! redundancy notification-timer 120000 ! ! ! ! no cdp run ! ! class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS match access-group name INSIDE-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS match access-group name OUTSIDE-TO-INSIDE class-map type inspect match-all V80-TO-OUTSIDE-CLASS match access-group name V80-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V80-CLASS match access-group name OUTSIDE-TO-V80 class-map type inspect match-all V30-TO-OUTSIDE-CLASS match access-group name V30-TO-OUTSIDE class-map type inspect match-any OUTSIDE-TO-V30-CLASS match access-group name OUTSIDE-TO-V30 match access-group name OUTSIDE-TO-V30_80 match access-group name OUTSIDE-TO-V30_443 class-map type inspect match-all V20-TO-OUTSIDE-CLASS match access-group name V20-TO-OUTSIDE match access-group name ip620-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V20-CLASS match access-group name OUTSIDE-TO-V20 match access-group name OUTSIDE-TO-ip620 class-map type inspect match-all V70-TO-OUTSIDE-CLASS match access-group name V70-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V70-CLASS match access-group name OUTSIDE-TO-V70 class-map type inspect match-all V60-TO-OUTSIDE-CLASS match access-group name V60-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V60-CLASS match access-group name OUTSIDE-TO-V60 class-map type inspect match-all V50-TO-OUTSIDE-CLASS match access-group name V50-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V50-CLASS match access-group name OUTSIDE-TO-V50 class-map type inspect match-all V40-TO-OUTSIDE-CLASS match access-group name V40-TO-OUTSIDE class-map type inspect match-all OUTSIDE-TO-V40-CLASS match access-group name OUTSIDE-TO-V40 ! policy-map type inspect V60-TO-OUTSIDE-POLICY class type inspect V60-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect V40-TO-OUTSIDE-POLICY class type inspect V40-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V60-POLICY class type inspect OUTSIDE-TO-V60-CLASS drop class class-default drop policy-map type inspect V20-TO-OUTSIDE-POLICY class type inspect V20-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect V70-TO-OUTSIDE-POLICY class type inspect V70-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V40-POLICY class type inspect OUTSIDE-TO-V40-CLASS drop class class-default drop policy-map type inspect V30-TO-OUTSIDE-POLICY class type inspect V30-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V80-POLICY class type inspect OUTSIDE-TO-V80-CLASS drop class class-default drop policy-map type inspect OUTSIDE-TO-V30-POLICY class type inspect OUTSIDE-TO-V30-CLASS pass class class-default drop log policy-map type inspect OUTSIDE-TO-V50-POLICY class type inspect OUTSIDE-TO-V50-CLASS drop class class-default drop policy-map type inspect INSIDE-TO-OUTSIDE-POLICY class type inspect INSIDE-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect V50-TO-OUTSIDE-POLICY class type inspect V50-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V20-POLICY class type inspect OUTSIDE-TO-V20-CLASS drop class class-default drop policy-map type inspect OUTSIDE-TO-INSIDE-POLICY class type inspect OUTSIDE-TO-INSIDE-CLASS drop class class-default drop policy-map type inspect V80-TO-OUTSIDE-POLICY class type inspect V80-TO-OUTSIDE-CLASS inspect class class-default pass policy-map type inspect OUTSIDE-TO-V70-POLICY class type inspect OUTSIDE-TO-V70-CLASS drop class class-default drop ! zone security INSIDE zone security OUTSIDE zone security vlan20 zone security vlan30 zone security vlan40 zone security vlan50 zone security vlan60 zone security vlan70 zone security vlan80 zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE service-policy type inspect INSIDE-TO-OUTSIDE-POLICY zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE service-policy type inspect OUTSIDE-TO-INSIDE-POLICY zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE service-policy type inspect V20-TO-OUTSIDE-POLICY zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE service-policy type inspect V30-TO-OUTSIDE-POLICY zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE service-policy type inspect V40-TO-OUTSIDE-POLICY zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE service-policy type inspect V50-TO-OUTSIDE-POLICY zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE service-policy type inspect V60-TO-OUTSIDE-POLICY zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE service-policy type inspect V70-TO-OUTSIDE-POLICY zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE service-policy type inspect V80-TO-OUTSIDE-POLICY zone-pair security OUT-TO-20 source OUTSIDE destination vlan20 service-policy type inspect OUTSIDE-TO-V20-POLICY zone-pair security OUT-TO-30 source OUTSIDE destination vlan30 service-policy type inspect OUTSIDE-TO-V30-POLICY zone-pair security OUT-TO-40 source OUTSIDE destination vlan40 service-policy type inspect OUTSIDE-TO-V40-POLICY zone-pair security OUT-TO-50 source OUTSIDE destination vlan50 service-policy type inspect OUTSIDE-TO-V50-POLICY zone-pair security OUT-TO-60 source OUTSIDE destination vlan60 service-policy type inspect OUTSIDE-TO-V60-POLICY zone-pair security OUT-TO-70 source OUTSIDE destination vlan70 service-policy type inspect OUTSIDE-TO-V70-POLICY zone-pair security OUT-TO-80 source OUTSIDE destination vlan80 service-policy type inspect OUTSIDE-TO-V80-POLICY ! ! ! ! ! ! ! ! ! ! interface Loopback0 ip address 192.168.1.1 255.255.255.0 ! interface Loopback1 no ip address ! interface Tunnel0 description Hurricane Electric IPv6 Tunnel Broker no ip address zone-member security OUTSIDE ipv6 address ipv6 enable tunnel source GigabitEthernet0/0 tunnel mode ipv6ip tunnel destination ! interface Embedded-Service-Engine0/0 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown no mop enabled ! interface GigabitEthernet0/0 ip ddns update update ip address dhcp hostname NASA no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip virtual-reassembly in zone-member security OUTSIDE duplex auto speed auto no mop enabled ! interface GigabitEthernet0/1 no ip address no ip redirects no ip unreachables no ip proxy-arp ip virtual-reassembly in zone-member security INSIDE duplex auto speed auto no mop enabled ! interface GigabitEthernet0/1.1 encapsulation dot1Q 1 native ip address 192.168.2.1 255.255.255.0 zone-member security INSIDE no cdp enable ipv6 enable ! interface GigabitEthernet0/1.20 encapsulation dot1Q 20 ip address 192.168.20.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan20 no cdp enable ipv6 enable ipv6 nd managed-config-flag ipv6 dhcp server vlan20 ! interface GigabitEthernet0/1.30 encapsulation dot1Q 30 ip address 192.168.30.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan30 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.40 encapsulation dot1Q 40 ip address 192.168.40.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan40 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.50 encapsulation dot1Q 50 ip address 192.168.50.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan50 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.60 encapsulation dot1Q 60 ip address 192.168.60.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan60 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.70 encapsulation dot1Q 70 ip address 192.168.70.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan70 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.80 encapsulation dot1Q 80 ip address 192.168.80.1 255.255.255.0 ip nat inside ip virtual-reassembly in zone-member security vlan80 no cdp enable ipv6 enable ! interface GigabitEthernet0/1.400 no cdp enable ! interface GigabitEthernet0/2 no ip address no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly in shutdown duplex auto speed auto no mop enabled ! ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip dns view default domain resolver source-interface GigabitEthernet0/0 ip nat inside source list 1 interface GigabitEthernet0/0 overload ip nat inside source static tcp 192.168.30.10 80 interface GigabitEthernet0/0 80 ip nat inside source static tcp 192.168.30.10 443 interface GigabitEthernet0/0 443 ip nat inside source static tcp 192.168.30.10 22 interface GigabitEthernet0/0 22 ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp no ip ssh server authenticate user password ip identd ! ip access-list extended INSIDE-TO-OUTSIDE ip access-list extended OUTSIDE-TO-INSIDE ip access-list extended OUTSIDE-TO-V20 ip access-list extended OUTSIDE-TO-V30 ip access-list extended OUTSIDE-TO-V30_443 permit tcp any any eq 443 ip access-list extended OUTSIDE-TO-V30_80 permit tcp any any eq www ip access-list extended OUTSIDE-TO-V40 ip access-list extended OUTSIDE-TO-V50 ip access-list extended OUTSIDE-TO-V60 ip access-list extended OUTSIDE-TO-V70 ip access-list extended OUTSIDE-TO-V80 ip access-list extended V20-TO-OUTSIDE permit ip 192.168.20.0 0.0.0.255 any ip access-list extended V30-TO-OUTSIDE permit ip 192.168.30.0 0.0.0.255 any ip access-list extended V40-TO-OUTSIDE permit ip 192.168.40.0 0.0.0.255 any ip access-list extended V50-TO-OUTSIDE permit ip 192.168.50.0 0.0.0.255 any ip access-list extended V60-TO-OUTSIDE ip access-list extended V70-TO-OUTSIDE ip access-list extended V80-TO-OUTSIDE permit ip 192.168.80.0 0.0.0.255 any ! logging trap debugging logging facility local2 dialer-list 1 protocol ip permit ipv6 route ::/0 Tunnel0 ipv6 ioam timestamp ! ! access-list 1 permit 192.168.2.0 0.0.0.255 access-list 1 permit 192.168.20.0 0.0.0.255 access-list 1 permit 192.168.30.0 0.0.0.255 access-list 1 permit 192.168.40.0 0.0.0.255 access-list 1 permit 192.168.50.0 0.0.0.255 access-list 1 permit 192.168.60.0 0.0.0.255 access-list 1 permit 192.168.70.0 0.0.0.255 access-list 1 permit 192.168.80.0 0.0.0.255 ! ! ! ipv6 access-list OUTSIDE-TO-ip620 permit icmp any any unreachable permit icmp any any packet-too-big permit icmp any any hop-limit permit icmp any any reassembly-timeout permit icmp any any header permit icmp any any next-header permit icmp any any parameter-option permit icmp any any echo-request permit icmp any any echo-reply permit icmp any any dhaad-request permit icmp any any dhaad-reply permit icmp any any mpd-solicitation permit icmp any any mpd-advertisement permit icmp any any nd-na permit icmp any any nd-ns ! ipv6 access-list ip620-TO-OUTSIDE permit ipv6 2001:470:1F19:AB:2000::/68 any control-plane host ! ! control-plane ! ! vstack banner login ^C ******* ***** ,******. ,************** ,******, **********, ***** .********** ,***************** ********** ******,***** ***** ************ ******************* ************ ***** ***** ***** ***** ****** ***** ***** ,***** ***** *****, ***** ****** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ,**************** ***** ***** ***** ,***** ***** ***** ****** ***************** ***** ,***** ***** ***** ***** ***** ***** ,,,,,,,,****** .***** ***** ***** ,***** ***** ***** ***** ***** ***** ***** ***** ***** ********** *****, ***********, ****** ***** ***********.***** *********************** ***** ***** ***** ********* ***** ******************** ***** ***** ^C banner motd ^C Welcome to ^C ! line con 0 exec-timeout 5 0 login authentication local_auth transport output telnet speed 115200 line aux 0 exec-timeout 15 0 login authentication local_auth modem InOut transport input telnet transport output telnet flowcontrol hardware line 2 exec-timeout 15 0 login authentication local_auth no activation-character no exec transport preferred none transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 password 7 login authentication local_auth transport input none ! scheduler allocate 20000 1000 ntp source GigabitEthernet0/0 ntp update-calendar ntp server 0.us.pool.ntp.org ! end
02-12-2020 12:40 PM
Hello,
the config looks good actually. If you can access the webserver 192.168.30.10 from the outside,that means the NAT and the ZBF are working, otherwise the traffic from the webserver to the outside would not work either. Try and ping anything (e.g. 8.8.8.8) from the webserver, does that work ?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: