ZBF - Port Forwarding

NathanLKoch
Level 1

I can't seem to get zbf and port forwarding working.

 

Current configuration : 15831 bytes
!
! Last configuration change at 10:07:40 UTC Sun Feb 9 2020 by nkoch
! NVRAM config last updated at 04:38:27 UTC Tue Feb 4 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 
enable password 7 
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
!
aaa session-id common
!
vlan ifdescr detail
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1 
 dns-server 208.67.222.222 208.67.220.220 
!
ip dhcp pool vlan 30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1 
 dns-server 208.67.222.222 208.67.220.220 
!
ip dhcp pool vlan 40
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1 
 dns-server 208.67.222.222 208.67.220.220 
!
ip dhcp pool vlan 50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1 
 dns-server 208.67.222.222 208.67.220.220 
!
ip dhcp pool vlan 60
 network 192.168.60.0 255.255.255.0
 default-router 192.168.60.1 
 dns-server 208.67.222.222 208.67.220.220 
!
ip dhcp pool vlan 70
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1 
 dns-server 208.67.222.222 208.67.220.220 
!
ip dhcp pool vlan 80
 network 192.168.80.0 255.255.255.0
 default-router 192.168.80.1 
 dns-server 208.67.222.222 208.67.220.220 
!
!
!
no ip bootp server
ip host JPL 192.168.2.2
ip host GOLDSTONE 192.168.2.6
ip name-server 216.218.130.2
ip name-server 216.218.131.2
ip name-server 216.218.132.2
ip inspect WAAS flush-timeout 10
ip ddns update method update
 HTTP
  add https://@ipv4.tunnelbroker.net/nic/update?hostname=
 interval maximum 0 0 5 0
!
ip cef
login block-for 13500 attempts 35 within 13500
ipv6 unicast-routing
ipv6 dhcp pool vlan
!
ipv6 dhcp pool vlan20
 address prefix 2001:470:1F19:AB:2000::/68
 dns-server 2620:119:35::35
 dns-server 2620:119:53::53
!
ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!         
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
vtp mode transparent
username nkoch password 7 
!
redundancy
 notification-timer 120000
!
!
!
!
no cdp run
!
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all V80-TO-OUTSIDE-CLASS
 match access-group name V80-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V80-CLASS
 match access-group name OUTSIDE-TO-V80
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
 match access-group name V30-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V30-CLASS
 match access-group name OUTSIDE-TO-V30
class-map type inspect match-all V20-TO-OUTSIDE-CLASS
 match access-group name V20-TO-OUTSIDE
 match access-group name ip620-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V20-CLASS
 match access-group name OUTSIDE-TO-V20
 match access-group name OUTSIDE-TO-ip620
class-map type inspect match-all V70-TO-OUTSIDE-CLASS
 match access-group name V70-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V70-CLASS
 match access-group name OUTSIDE-TO-V70
class-map type inspect match-all V60-TO-OUTSIDE-CLASS
 match access-group name V60-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V60-CLASS
 match access-group name OUTSIDE-TO-V60
class-map type inspect match-all V50-TO-OUTSIDE-CLASS
 match access-group name V50-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V50-CLASS
 match access-group name OUTSIDE-TO-V50
class-map type inspect match-all V40-TO-OUTSIDE-CLASS
 match access-group name V40-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V40-CLASS
 match access-group name OUTSIDE-TO-V40
!
policy-map type inspect V60-TO-OUTSIDE-POLICY
 class type inspect V60-TO-OUTSIDE-CLASS
  inspect 
 class class-default
  pass
policy-map type inspect V40-TO-OUTSIDE-POLICY
 class type inspect V40-TO-OUTSIDE-CLASS
  inspect 
 class class-default
  pass
policy-map type inspect OUTSIDE-TO-V60-POLICY
 class type inspect OUTSIDE-TO-V60-CLASS
  drop
 class class-default
  drop
policy-map type inspect V20-TO-OUTSIDE-POLICY
 class type inspect V20-TO-OUTSIDE-CLASS
  inspect 
 class class-default
  pass
policy-map type inspect V70-TO-OUTSIDE-POLICY
 class type inspect V70-TO-OUTSIDE-CLASS
  inspect 
 class class-default
  pass
policy-map type inspect OUTSIDE-TO-V40-POLICY
 class type inspect OUTSIDE-TO-V40-CLASS
  drop
 class class-default
  drop
policy-map type inspect V30-TO-OUTSIDE-POLICY
 class type inspect V30-TO-OUTSIDE-CLASS
  inspect 
 class class-default
  pass
policy-map type inspect OUTSIDE-TO-V80-POLICY
 class type inspect OUTSIDE-TO-V80-CLASS
  drop
 class class-default
  drop
policy-map type inspect OUTSIDE-TO-V30-POLICY
 class type inspect OUTSIDE-TO-V30-CLASS
  inspect 
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-V50-POLICY
 class type inspect OUTSIDE-TO-V50-CLASS
  drop
 class class-default
  drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect 
 class class-default
  pass
policy-map type inspect V50-TO-OUTSIDE-POLICY
 class type inspect V50-TO-OUTSIDE-CLASS
  inspect 
 class class-default
  pass
policy-map type inspect OUTSIDE-TO-V20-POLICY
 class type inspect OUTSIDE-TO-V20-CLASS
  drop
 class class-default
  drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  drop
 class class-default
  drop
policy-map type inspect V80-TO-OUTSIDE-POLICY
 class type inspect V80-TO-OUTSIDE-CLASS
  inspect 
 class class-default
  pass
policy-map type inspect OUTSIDE-TO-V70-POLICY
 class type inspect OUTSIDE-TO-V70-CLASS
  drop
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone security vlan20
zone security vlan30
zone security vlan40
zone security vlan50
zone security vlan60
zone security vlan70
zone security vlan80
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE
 service-policy type inspect V20-TO-OUTSIDE-POLICY
zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE
 service-policy type inspect V30-TO-OUTSIDE-POLICY
zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE
 service-policy type inspect V40-TO-OUTSIDE-POLICY
zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE
 service-policy type inspect V50-TO-OUTSIDE-POLICY
zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE
 service-policy type inspect V60-TO-OUTSIDE-POLICY
zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE
 service-policy type inspect V70-TO-OUTSIDE-POLICY
zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE
 service-policy type inspect V80-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-20 source OUTSIDE destination vlan20
 service-policy type inspect OUTSIDE-TO-V20-POLICY
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
 service-policy type inspect OUTSIDE-TO-V30-POLICY
zone-pair security OUT-TO-40 source OUTSIDE destination vlan40
 service-policy type inspect OUTSIDE-TO-V40-POLICY
zone-pair security OUT-TO-50 source OUTSIDE destination vlan50
 service-policy type inspect OUTSIDE-TO-V50-POLICY
zone-pair security OUT-TO-60 source OUTSIDE destination vlan60
 service-policy type inspect OUTSIDE-TO-V60-POLICY
zone-pair security OUT-TO-70 source OUTSIDE destination vlan70
 service-policy type inspect OUTSIDE-TO-V70-POLICY
zone-pair security OUT-TO-80 source OUTSIDE destination vlan80
 service-policy type inspect OUTSIDE-TO-V80-POLICY
! 
!
!
!
!
!
!
!
!         
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
 no ip address
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 zone-member security OUTSIDE
 ipv6 address 
 ipv6 enable
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip
 tunnel destination 
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown 
 no mop enabled
!
interface GigabitEthernet0/0
 ip ddns update update
 ip address dhcp hostname NASA
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 zone-member security INSIDE
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan20
 no cdp enable
 ipv6 enable
 ipv6 nd managed-config-flag
 ipv6 dhcp server vlan20
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan30
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan40
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan50
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 192.168.60.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan60
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.70
 encapsulation dot1Q 70
 ip address 192.168.70.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan70
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.80
 encapsulation dot1Q 80
 ip address 192.168.80.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan80
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.400
 no cdp enable
!
interface GigabitEthernet0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view default
 domain name vastspace.ca
 domain resolver source-interface GigabitEthernet0/0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat outside source list 201 interface GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip identd
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
ip access-list extended OUTSIDE-TO-V20
ip access-list extended OUTSIDE-TO-V30
 permit tcp any host 192.168.30.67 eq www
 permit tcp any host 192.168.30.67 eq 443
ip access-list extended OUTSIDE-TO-V40
ip access-list extended OUTSIDE-TO-V50
ip access-list extended OUTSIDE-TO-V60
ip access-list extended OUTSIDE-TO-V70
ip access-list extended OUTSIDE-TO-V80
ip access-list extended V20-TO-OUTSIDE
 permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended V30-TO-OUTSIDE
 permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended V40-TO-OUTSIDE
 permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended V50-TO-OUTSIDE
 permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended V60-TO-OUTSIDE
ip access-list extended V70-TO-OUTSIDE
ip access-list extended V80-TO-OUTSIDE
 permit ip 192.168.80.0 0.0.0.255 any
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
!
!
ipv6 access-list OUTSIDE-TO-ip620
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 permit icmp any any hop-limit
 permit icmp any any reassembly-timeout
 permit icmp any any header
 permit icmp any any next-header
 permit icmp any any parameter-option
 permit icmp any any echo-request
 permit icmp any any echo-reply
 permit icmp any any dhaad-request
 permit icmp any any dhaad-reply
 permit icmp any any mpd-solicitation
 permit icmp any any mpd-advertisement
 permit icmp any any nd-na
 permit icmp any any nd-ns
!
ipv6 access-list ip620-TO-OUTSIDE
 permit ipv6 2001:470:1F19:AB:2000::/68 any
control-plane host
!
!
control-plane
!
!
 vstack
banner login ^C

   *******         *****       ,******.          ,**************        ,******,             
 **********,       *****     .**********      ,*****************       **********            
******,*****       *****     ************    *******************      ************           
*****   *****      *****    *****   ******   *****                   *****   ,*****          
*****   *****,     *****   ******    *****   *****                  ,*****    *****          
*****    *****     *****   *****      *****  ,****************      *****      *****         
*****    ,*****    *****  *****       ******   *****************   *****       ,*****        
*****     *****    *****  *****        *****       ,,,,,,,,****** .*****        *****        
*****     ,*****   ***** *****          *****               ***** *****          *****       
*****      *****   **********           *****,             ***********,          ******      
*****       ***********.*****            *********************** *****            *****      
*****        ********* *****              ********************  *****              *****     ^C
banner motd ^C
Welcome to ^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 speed 115200
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 modem InOut
 transport input telnet
 transport output telnet
 flowcontrol hardware
line 2
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 
 login authentication local_auth
 transport input none
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 0.us.pool.ntp.org
!         
end
---------------------
"Fortune favors the brave."
39 Replies

Richard Burts
Hall of Fame

The description of the issue mentions zbf and port forwarding. The posted config has a fairly elaborate zbf configured and some address translation. But I am not seeing port forwarding. So I have a couple of questions:

1) is the zbf working?

2) what are you configuring for port forwarding?

HTH

Rick

Hello,

 

There are a lot of misconfigured parts in what you have posted. I have revised your configuration; make sure you have the parts marked in bold configured, as this will inspect all outgoing traffic. Once you have that working, you need to decide what traffic you want to accept originating from the outside:

 

Current configuration : 15831 bytes
!
! Last configuration change at 10:07:40 UTC Sun Feb 9 2020 by nkoch
! NVRAM config last updated at 04:38:27 UTC Tue Feb 4 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
vlan ifdescr detail
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip host JPL 192.168.2.2
ip host GOLDSTONE 192.168.2.6
ip name-server 216.218.130.2
ip name-server 216.218.131.2
ip name-server 216.218.132.2
ip inspect WAAS flush-timeout 10
ip ddns update method update
HTTP
add https://@ipv4.tunnelbroker.net/nic/update?hostname=
interval maximum 0 0 5 0
!
ip cef
login block-for 13500 attempts 35 within 13500
ipv6 unicast-routing
ipv6 dhcp pool vlan
!
ipv6 dhcp pool vlan20
address prefix 2001:470:1F19:AB:2000::/68
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username nkoch password 7
!
redundancy
notification-timer 120000
!
no cdp run
!
class-map type inspect match-all V20-TO-OUTSIDE-CLASS
match access-group name V20-TO-OUTSIDE
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
match access-group name V30-TO-OUTSIDE
class-map type inspect match-all V40-TO-OUTSIDE-CLASS
match access-group name V40-TO-OUTSIDE
class-map type inspect match-all V50-TO-OUTSIDE-CLASS
match access-group name V50-TO-OUTSIDE
class-map type inspect match-all V60-TO-OUTSIDE-CLASS
match access-group name V60-TO-OUTSIDE
class-map type inspect match-all V70-TO-OUTSIDE-CLASS
match access-group name V70-TO-OUTSIDE
class-map type inspect match-all V80-TO-OUTSIDE-CLASS
match access-group name V80-TO-OUTSIDE
!
policy-map type inspect V20-TO-OUTSIDE-POLICY
class type inspect V20-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V30-TO-OUTSIDE-POLICY
class type inspect V30-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V40-TO-OUTSIDE-POLICY
class type inspect V40-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V50-TO-OUTSIDE-POLICY
class type inspect V50-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V60-TO-OUTSIDE-POLICY
class type inspect V60-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V70-TO-OUTSIDE-POLICY
class type inspect V70-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V80-TO-OUTSIDE-POLICY
class type inspect V80-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
zone security OUTSIDE
zone security vlan20
zone security vlan30
zone security vlan40
zone security vlan50
zone security vlan60
zone security vlan70
zone security vlan80
!
zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE
service-policy type inspect V20-TO-OUTSIDE-POLICY
zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE
service-policy type inspect V30-TO-OUTSIDE-POLICY
zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE
service-policy type inspect V40-TO-OUTSIDE-POLICY
zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE
service-policy type inspect V50-TO-OUTSIDE-POLICY
zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE
service-policy type inspect V60-TO-OUTSIDE-POLICY
zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE
service-policy type inspect V70-TO-OUTSIDE-POLICY
zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE
service-policy type inspect V80-TO-OUTSIDE-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security OUTSIDE
ipv6 address
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip ddns update update
ip address dhcp hostname NASA
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
zone-member security INSIDE
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan20
no cdp enable
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server vlan20
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan30
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan40
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan50
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan60
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan70
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan80
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.400
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view default
domain name vastspace.ca
domain resolver source-interface GigabitEthernet0/0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip identd
!
ip access-list extended V20-TO-OUTSIDE
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended V30-TO-OUTSIDE
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended V40-TO-OUTSIDE
permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended V50-TO-OUTSIDE
permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended V60-TO-OUTSIDE
permit ip 192.168.60.0 0.0.0.255 any
ip access-list extended V70-TO-OUTSIDE
permit ip 192.168.70.0 0.0.0.255 any
ip access-list extended V80-TO-OUTSIDE
permit ip 192.168.80.0 0.0.0.255 any
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
!
!
ipv6 access-list OUTSIDE-TO-ip620
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any echo-request
permit icmp any any echo-reply
permit icmp any any dhaad-request
permit icmp any any dhaad-reply
permit icmp any any mpd-solicitation
permit icmp any any mpd-advertisement
permit icmp any any nd-na
permit icmp any any nd-ns
!
ipv6 access-list ip620-TO-OUTSIDE
permit ipv6 2001:470:1F19:AB:2000::/68 any
control-plane host
!
!
control-plane
!
!
vstack
banner login ^C

******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ,,,,,,,,****** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** ***** ^C
banner motd ^C
Welcome to ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 0.us.pool.ntp.org
!
end

There was no information on forwarding ports? I want to forward ports 80 and 443 to IP 192.168.30.67.

---------------------
"Fortune favors the brave."
▊▊▊

Hello,

 

If you want to allow access from the outside to this IP address and ports, you need to add the below. Since you have a dynamic IP address on the outside, the access lists match 'any':

 

ip nat inside source static tcp 192.168.30.67 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.67 443 interface GigabitEthernet0/0 443
!
class-map type inspect match-any OUTSIDE-TO-V30-CLASS
 match access-group name OUTSIDE-TO-V30_80
 match access-group name OUTSIDE-TO-V30_443
!
policy-map type inspect OUTSIDE-TO-V30-POLICY
 class type inspect OUTSIDE-TO-V30-CLASS
  pass
 class class-default
  drop log
!
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
 service-policy type inspect OUTSIDE-TO-V30-POLICY
!
ip access-list extended OUTSIDE-TO-V30_80
 permit tcp any any eq 80
!
ip access-list extended OUTSIDE-TO-V30_443
 permit tcp any any eq 443
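The linter below is an added example for this thread, not code from any of the posts or from Cisco. It reads an IOS `show run` (indented, or pasted flat as the configs above are), pulls out the zone-pairs, policy-maps, class-maps, named ACLs and `ip nat inside source static` lines, and reports the two halves of a ZBF port forward disagreeing: an OUTSIDE zone-pair that admits a port to an inside host while no static NAT maps it (the first post, which is what Rick's second question is getting at), or a static NAT whose port no OUTSIDE zone-pair inspects or passes (what you get if the ACL lines in the reply are typed as posted with `permiy`: IOS rejects the line, the named ACL exists but is empty, the class never matches and class-default drops). Assumptions: the outside zone is called OUTSIDE as in this thread; only the constructs listed are parsed (numbered ACLs, IPv6 specifics and `match-all` across several ACLs are not modelled); `SAMPLE` is a constructed, condensed extract of the first post's VLAN 30 configuration and `FIX` is the pair of static NAT lines from the reply. Two points it encodes that the thread does not spell out: the OUTSIDE-to-inside policy is evaluated after inbound NAT, so its ACL must match the inside address (or `any`), not the public one; and `pass` creates no session, so the server's replies are judged by the vlan30-to-OUTSIDE policy on their own, whereas `inspect` tracks the connection and admits them itself.

```python
"""Static consistency checks for a Cisco IOS zone-based firewall (ZBF) config. Added example for
this thread, not code from the posts or from Cisco; it parses only the constructs the thread uses."""
import re

ADDR = r"(any|host \S+|\S+/\d+|\S+ \S+)"                   # any | host A | v6 prefix | A wildcard
PERMIT = re.compile(rf"(?:\d+ )?permit (\S+) {ADDR}(?: eq \S+)? {ADDR}(?: eq (\S+))?")
TOP = [(k, re.compile(p)) for k, p in (                     # top-level statements that open a block
    ("zone-pair", r"zone-pair security (\S+) source (\S+) destination (\S+)"),
    ("class-map", r"class-map type inspect (match-all|match-any) (\S+)"),
    ("policy-map", r"policy-map type inspect (\S+)"),
    ("acl", r"ip(?:v6)? access-list (?:extended |standard )?(\S+)"),
    ("static", r"ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface )?\S+ (\d+)"))]

def parse_ios(text):
    """Blocks are recognised by keyword, not indentation, so configs pasted flat (as above) still parse."""
    cfg = {"zone_pairs": {}, "policies": {}, "classes": {}, "acls": {}, "static": []}
    block = cls = None
    for s in map(str.strip, text.splitlines()):
        if not s or s[0] == "!": continue
        if hit := next(((k, m) for k, rx in TOP if (m := rx.match(s))), None):
            kind, m = block = hit                            # a new top-level statement
            if kind == "zone-pair": cfg["zone_pairs"][m[1]] = {"src": m[2], "dst": m[3], "policy": None}
            elif kind == "class-map": cfg["classes"][m[2]] = {"type": m[1], "acls": []}
            elif kind == "policy-map": cfg["policies"][m[1]] = {}
            elif kind == "acl": cfg["acls"][m[1]] = []
            elif kind == "static": cfg["static"].append((m[1], m[2], m[3]))  # proto, inside ip, inside port
        elif block:                                          # a child line of the open block
            kind, m = block
            if kind == "zone-pair" and (c := re.match(r"service-policy type inspect (\S+)", s)):
                cfg["zone_pairs"][m[1]]["policy"] = c[1]
            elif kind == "class-map" and (c := re.match(r"match access-group name (\S+)", s)):
                cfg["classes"][m[2]]["acls"].append(c[1])
            elif kind == "policy-map" and (c := re.match(r"class (?:type inspect )?(\S+)", s)):
                cls = c[1]
            elif kind == "policy-map" and cls and s.split()[0] in ("inspect", "pass", "drop"):
                cfg["policies"][m[1]][cls] = s.split()[0]
            elif kind == "acl" and re.match(r"(?:\d+ )?(?:permit|deny)\b", s): cfg["acls"][m[1]].append(s)
    return cfg

def parse_permit(entry):
    """(proto, dst, dport) from an ACL permit line, else None; a host dst is the bare address."""
    m = PERMIT.match(entry)
    if not m: return None
    d = m[3].split()
    dst = "any" if m[3] == "any" else d[1] if d[0] == "host" else d[0] if d[-1] == "0.0.0.0" else "net:" + d[0]
    return m[1], dst, ({"www": "80"}.get(m[4], m[4]) if m[4] else None)   # IOS prints port 80 as 'www'

def inbound_rules(cfg, outside):
    """Yield (zone_pair, action, proto, dst, dport) for each permit entry admitted by an inspect/pass
    class on a zone-pair sourced from the outside zone. The OUTSIDE-to-inside policy is evaluated
    after inbound NAT, so these ACLs must name the inside (translated) address, as the thread's do."""
    for name, zp in cfg["zone_pairs"].items():
        if zp["src"] != outside: continue
        for cls, action in cfg["policies"].get(zp["policy"], {}).items():
            if action in ("inspect", "pass") and cls != "class-default":
                for acl in cfg["classes"].get(cls, {"acls": []})["acls"]:
                    for e in cfg["acls"].get(acl, []):
                        if p := parse_permit(e): yield (name, action, *p)

def forwarded_port_allowed(cfg, proto, ip, port, outside="OUTSIDE"):
    return next(((zp, a) for zp, a, p, dst, dport in inbound_rules(cfg, outside)
                 if p in (proto, "ip") and dst in ("any", ip) and dport in (None, port)), None)

def lint(cfg, outside="OUTSIDE"):
    out = [f"zone-pair {n}: policy-map {zp['policy']} not defined"
           for n, zp in cfg["zone_pairs"].items() if zp["policy"] not in cfg["policies"]]
    out += [f"policy-map {pm}: class-map {c} not defined" for pm, cs in cfg["policies"].items()
            for c in cs if c != "class-default" and c not in cfg["classes"]]
    for cm, c in cfg["classes"].items():
        for a in c["acls"]:
            if a not in cfg["acls"]: out.append(f"class-map {cm}: ACL {a} not defined")
            elif not cfg["acls"][a]: out.append(f"class-map {cm}: ACL {a} is empty, so the class never matches")
    fwd = set(cfg["static"])
    for zp, action, proto, dst, dport in inbound_rules(cfg, outside):
        if dport and dst != "any" and not dst.startswith("net:") and (proto, dst, dport) not in fwd:
            out.append(f"{zp}: admits {proto}/{dport} to {dst}, but no 'ip nat inside source static' maps it")
        if action == "pass": out.append(f"{zp}: 'pass' is stateless, return traffic needs its own rule; use 'inspect'")
    out += [f"static NAT {proto}/{port} -> {ip}: no {outside} zone-pair inspects or passes it"
            for proto, ip, port in cfg["static"] if not forwarded_port_allowed(cfg, proto, ip, port, outside)]
    return list(dict.fromkeys(out))                         # drop repeats, keep order

# Constructed sample: the VLAN 30 pieces of the first post's config, condensed (no static NAT yet).
SAMPLE = """\
class-map type inspect match-all OUTSIDE-TO-V30-CLASS
 match access-group name OUTSIDE-TO-V30
policy-map type inspect OUTSIDE-TO-V30-POLICY
 class type inspect OUTSIDE-TO-V30-CLASS
  inspect
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
 service-policy type inspect OUTSIDE-TO-V30-POLICY
ip access-list extended OUTSIDE-TO-V30
 permit tcp any host 192.168.30.67 eq www
 permit tcp any host 192.168.30.67 eq 443
"""
FIX = ("ip nat inside source static tcp 192.168.30.67 80 interface GigabitEthernet0/0 80\n"   # the two
       "ip nat inside source static tcp 192.168.30.67 443 interface GigabitEthernet0/0 443\n")  # NAT lines

if __name__ == "__main__":
    print(*lint(parse_ios(SAMPLE)), sep="\n")
```

Point it at a saved `show run` with `lint(parse_ios(open("nasa.cfg").read()))`. An empty list means the NAT and ZBF halves agree with each other, which is the state to reach before looking elsewhere (the server's own firewall, the upstream modem) for why the port is still unreachable.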

It's not working.

---------------------
"Fortune favors the brave."

Hello,

 

What specifically is not working? Post the full running configuration with the changes you have implemented.

NASA#show run
Building configuration...

Current configuration : 15909 bytes
!
! Last configuration change at 22:20:30 UTC Sun Feb 9 2020 by nkoch
! NVRAM config last updated at 04:38:27 UTC Tue Feb 4 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
!
aaa session-id common
!
vlan ifdescr detail
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
!
!
no ip bootp server
ip domain name earth.vastspace.ca
ip host JPL 192.168.2.2
ip host GOLDSTONE 192.168.2.6
ip name-server 216.218.130.2
ip name-server 216.218.131.2
ip name-server 216.218.132.2
ip inspect WAAS flush-timeout 10
ip ddns update method update
HTTP
add@ipv4.tunnelbroker.net/nic/update?hostname=567894
interval maximum 0 0 5 0
!
ip cef
login block-for 13500 attempts 35 within 13500
ipv6 unicast-routing
ipv6 dhcp pool vlan
!
ipv6 dhcp pool vlan20
address prefix 2001:470:1F19:AB:2000::/68
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
vtp mode transparent
username nkoch password 7
!
redundancy
notification-timer 120000
!
!
!
!
no cdp run
!
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all V80-TO-OUTSIDE-CLASS
match access-group name V80-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V80-CLASS
match access-group name OUTSIDE-TO-V80
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
match access-group name V30-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V30-CLASS
match access-group name OUTSIDE-TO-V30
class-map type inspect match-all V20-TO-OUTSIDE-CLASS
match access-group name V20-TO-OUTSIDE
match access-group name ip620-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V20-CLASS
match access-group name OUTSIDE-TO-V20
match access-group name OUTSIDE-TO-ip620
class-map type inspect match-all V70-TO-OUTSIDE-CLASS
match access-group name V70-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V70-CLASS
match access-group name OUTSIDE-TO-V70
class-map type inspect match-all V60-TO-OUTSIDE-CLASS
match access-group name V60-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V60-CLASS
match access-group name OUTSIDE-TO-V60
class-map type inspect match-all V50-TO-OUTSIDE-CLASS
match access-group name V50-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V50-CLASS
match access-group name OUTSIDE-TO-V50
class-map type inspect match-all V40-TO-OUTSIDE-CLASS
match access-group name V40-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V40-CLASS
match access-group name OUTSIDE-TO-V40
!
policy-map type inspect V60-TO-OUTSIDE-POLICY
class type inspect V60-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V40-TO-OUTSIDE-POLICY
class type inspect V40-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V60-POLICY
class type inspect OUTSIDE-TO-V60-CLASS
drop
class class-default
drop
policy-map type inspect V20-TO-OUTSIDE-POLICY
class type inspect V20-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V70-TO-OUTSIDE-POLICY
class type inspect V70-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V40-POLICY
class type inspect OUTSIDE-TO-V40-CLASS
drop
class class-default
drop
policy-map type inspect V30-TO-OUTSIDE-POLICY
class type inspect V30-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V80-POLICY
class type inspect OUTSIDE-TO-V80-CLASS
drop
class class-default
drop
policy-map type inspect OUTSIDE-TO-V30-POLICY
class type inspect OUTSIDE-TO-V30-CLASS
pass
class class-default
drop log
policy-map type inspect OUTSIDE-TO-V50-POLICY
class type inspect OUTSIDE-TO-V50-CLASS
drop
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V50-TO-OUTSIDE-POLICY
class type inspect V50-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V20-POLICY
class type inspect OUTSIDE-TO-V20-CLASS
drop
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
policy-map type inspect V80-TO-OUTSIDE-POLICY
class type inspect V80-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V70-POLICY
class type inspect OUTSIDE-TO-V70-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone security vlan20
zone security vlan30
zone security vlan40
zone security vlan50
zone security vlan60
zone security vlan70
zone security vlan80
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE
service-policy type inspect V20-TO-OUTSIDE-POLICY
zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE
service-policy type inspect V30-TO-OUTSIDE-POLICY
zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE
service-policy type inspect V40-TO-OUTSIDE-POLICY
zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE
service-policy type inspect V50-TO-OUTSIDE-POLICY
zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE
service-policy type inspect V60-TO-OUTSIDE-POLICY
zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE
service-policy type inspect V70-TO-OUTSIDE-POLICY
zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE
service-policy type inspect V80-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-20 source OUTSIDE destination vlan20
service-policy type inspect OUTSIDE-TO-V20-POLICY
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
service-policy type inspect OUTSIDE-TO-V30-POLICY
zone-pair security OUT-TO-40 source OUTSIDE destination vlan40
service-policy type inspect OUTSIDE-TO-V40-POLICY
zone-pair security OUT-TO-50 source OUTSIDE destination vlan50
service-policy type inspect OUTSIDE-TO-V50-POLICY
zone-pair security OUT-TO-60 source OUTSIDE destination vlan60
service-policy type inspect OUTSIDE-TO-V60-POLICY
zone-pair security OUT-TO-70 source OUTSIDE destination vlan70
service-policy type inspect OUTSIDE-TO-V70-POLICY
zone-pair security OUT-TO-80 source OUTSIDE destination vlan80
service-policy type inspect OUTSIDE-TO-V80-POLICY
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security OUTSIDE
ipv6 address
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip ddns update update
ip address dhcp hostname NASA
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
zone-member security INSIDE
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan20
no cdp enable
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server vlan20
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan30
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan40
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan50
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan60
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan70
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan80
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.400
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view default
domain resolver source-interface GigabitEthernet0/0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.30.67 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.67 443 interface GigabitEthernet0/0 443
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip identd
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
ip access-list extended OUTSIDE-TO-V20
ip access-list extended OUTSIDE-TO-V30
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended OUTSIDE-TO-V40
ip access-list extended OUTSIDE-TO-V50
ip access-list extended OUTSIDE-TO-V60
ip access-list extended OUTSIDE-TO-V70
ip access-list extended OUTSIDE-TO-V80
ip access-list extended V20-TO-OUTSIDE
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended V30-TO-OUTSIDE
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended V40-TO-OUTSIDE
permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended V50-TO-OUTSIDE
permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended V60-TO-OUTSIDE
ip access-list extended V70-TO-OUTSIDE
ip access-list extended V80-TO-OUTSIDE
permit ip 192.168.80.0 0.0.0.255 any
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
!
!
ipv6 access-list OUTSIDE-TO-ip620
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any echo-request
permit icmp any any echo-reply
permit icmp any any dhaad-request
permit icmp any any dhaad-reply
permit icmp any any mpd-solicitation
permit icmp any any mpd-advertisement
permit icmp any any nd-na
permit icmp any any nd-ns
!
ipv6 access-list ip620-TO-OUTSIDE
permit ipv6 2001:470:1F19:AB:2000::/68 any
control-plane host
!
!
control-plane
!
!
vstack
banner login ^C

******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ,,,,,,,,****** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** ***** ^C
banner motd ^C
Welcome to ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 0.us.pool.ntp.org
!
end

NASA#
---------------------
"Fortune favors the brave."

You did not make the changes I suggested correctly. Make sure your configuration looks exactly like the one I sent you, line by line, and no additional lines. When you are finished, post it again...

The only difference is this:

zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
service-policy type inspect OUTSIDE-TO-V30-POLICY
!
ip access-list extended OUTSIDE-TO-V30_80
permit tcp any any eq 80
!
ip access-list extended OUTSIDE-TO-V30_443
permit tcp any any eq 443

 

I'm just adding permits to existing lists. Everything else is the same.

---------------------
"Fortune favors the brave."

Hello,

What you have posted contains many empty access lists and zone policies matching these lists. What is the purpose of these empty access lists?

I have consolidated the configuration below, try and get this in your router exactly as is, line by line. That said, is your NAT working without the ZBF?

Current configuration : 15831 bytes
!
! Last configuration change at 10:07:40 UTC Sun Feb 9 2020 by nkoch
! NVRAM config last updated at 04:38:27 UTC Tue Feb 4 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
vlan ifdescr detail
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip host JPL 192.168.2.2
ip host GOLDSTONE 192.168.2.6
ip name-server 216.218.130.2
ip name-server 216.218.131.2
ip name-server 216.218.132.2
ip inspect WAAS flush-timeout 10
ip ddns update method update
HTTP
add https://@ipv4.tunnelbroker.net/nic/update?hostname=
interval maximum 0 0 5 0
!
ip cef
login block-for 13500 attempts 35 within 13500
ipv6 unicast-routing
ipv6 dhcp pool vlan
!
ipv6 dhcp pool vlan20
address prefix 2001:470:1F19:AB:2000::/68
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username nkoch password 7
!
redundancy
notification-timer 120000
!
no cdp run
!
class-map type inspect match-any OUTSIDE-TO-V30-CLASS
match access-group name OUTSIDE-TO-V30_80
match access-group name OUTSIDE-TO-V30_443
class-map type inspect match-all V1-TO-OUTSIDE-CLASS
match access-group name V1-TO-OUTSIDE
class-map type inspect match-all V20-TO-OUTSIDE-CLASS
match access-group name V20-TO-OUTSIDE
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
match access-group name V30-TO-OUTSIDE
class-map type inspect match-all V40-TO-OUTSIDE-CLASS
match access-group name V40-TO-OUTSIDE
class-map type inspect match-all V50-TO-OUTSIDE-CLASS
match access-group name V50-TO-OUTSIDE
class-map type inspect match-all V60-TO-OUTSIDE-CLASS
match access-group name V60-TO-OUTSIDE
class-map type inspect match-all V70-TO-OUTSIDE-CLASS
match access-group name V70-TO-OUTSIDE
class-map type inspect match-all V80-TO-OUTSIDE-CLASS
match access-group name V80-TO-OUTSIDE
!
policy-map type inspect OUTSIDE-TO-V30-POLICY
class type inspect OUTSIDE-TO-V30-CLASS
pass
class class-default
drop log
!
policy-map type inspect V1-TO-OUTSIDE-POLICY
class type inspect V1-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V20-TO-OUTSIDE-POLICY
class type inspect V20-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V30-TO-OUTSIDE-POLICY
class type inspect V30-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V40-TO-OUTSIDE-POLICY
class type inspect V40-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V50-TO-OUTSIDE-POLICY
class type inspect V50-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V60-TO-OUTSIDE-POLICY
class type inspect V60-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V70-TO-OUTSIDE-POLICY
class type inspect V70-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
policy-map type inspect V80-TO-OUTSIDE-POLICY
class type inspect V80-TO-OUTSIDE-CLASS
inspect
class class-default
pass
!
zone security OUTSIDE
zone security INSIDE
zone security vlan20
zone security vlan30
zone security vlan40
zone security vlan50
zone security vlan60
zone security vlan70
zone security vlan80
!
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
service-policy type inspect OUTSIDE-TO-V30-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect V1-TO-OUTSIDE-POLICY
zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE
service-policy type inspect V20-TO-OUTSIDE-POLICY
zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE
service-policy type inspect V30-TO-OUTSIDE-POLICY
zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE
service-policy type inspect V40-TO-OUTSIDE-POLICY
zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE
service-policy type inspect V50-TO-OUTSIDE-POLICY
zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE
service-policy type inspect V60-TO-OUTSIDE-POLICY
zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE
service-policy type inspect V70-TO-OUTSIDE-POLICY
zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE
service-policy type inspect V80-TO-OUTSIDE-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security OUTSIDE
ipv6 address
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip ddns update update
ip address dhcp hostname NASA
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
ip nat inside
zone-member security INSIDE
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan20
no cdp enable
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server vlan20
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan30
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan40
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan50
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan60
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan70
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan80
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.400
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view default
domain name vastspace.ca
domain resolver source-interface GigabitEthernet0/0
ip nat inside source static tcp 192.168.30.67 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.67 443 interface GigabitEthernet0/0 443
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip identd
!
ip access-list extended OUTSIDE-TO-V30_80
permit tcp any any eq 80
ip access-list extended OUTSIDE-TO-V30_443
permit tcp any any eq 443
ip access-list extended V1-TO-OUTSIDE
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended V20-TO-OUTSIDE
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended V30-TO-OUTSIDE
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended V40-TO-OUTSIDE
permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended V50-TO-OUTSIDE
permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended V60-TO-OUTSIDE
permit ip 192.168.60.0 0.0.0.255 any
ip access-list extended V70-TO-OUTSIDE
permit ip 192.168.70.0 0.0.0.255 any
ip access-list extended V80-TO-OUTSIDE
permit ip 192.168.80.0 0.0.0.255 any
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
ipv6 access-list OUTSIDE-TO-ip620
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any echo-request
permit icmp any any echo-reply
permit icmp any any dhaad-request
permit icmp any any dhaad-reply
permit icmp any any mpd-solicitation
permit icmp any any mpd-advertisement
permit icmp any any nd-na
permit icmp any any nd-ns
!
ipv6 access-list ip620-TO-OUTSIDE
permit ipv6 2001:470:1F19:AB:2000::/68 any
control-plane host
!
control-plane
!
vstack
banner login ^C

******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ,,,,,,,,****** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** ***** ^C
banner motd ^C
Welcome to ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 0.us.pool.ntp.org
!
end

I added the changes and still nothing. I turned on the web server for a short moment to see if I could reach it from the outside, and I could. It appears things are getting to the outside interface but not being forwarded. Could it be something with interface 192.168.30.1? Do I need to tell it to forward g0/0 to 192.168.30.1 and then tell 192.168.30.1 to forward to 192.168.30.10?

---------------------
"Fortune favors the brave."

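For reference, the minimal set of statements a static-NAT port forward needs under ZBF, written as an added example rather than copied from either poster's configuration. It keeps the server address 192.168.30.67 from the NAT statements in the thread (the post above mentions 192.168.30.10, so whichever host actually serves the site must appear in both the NAT statement and the ACL); the names OUTSIDE-TO-V30-WEB and OUTSIDE-TO-V30-WEB-CLASS are ours. It differs from the posted configurations in two ways that matter: the ACL is restricted to the inside address of the one host being published (writing the public address there would never match, because inbound static NAT is applied before the zone-pair policy evaluates the packet), and the action is inspect rather than pass, so the server's replies are matched to the firewall session instead of having to be allowed on their own by the 30-TO-OUT zone-pair.

```cisco
! Added example (not the thread's config). Assumes the web server is
! 192.168.30.67 as in the thread's NAT statements; ACL/class names are ours.
!
! 1. Static NAT: outside interface ports 80/443 -> inside host
ip nat inside source static tcp 192.168.30.67 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.67 443 interface GigabitEthernet0/0 443
!
! 2. ACL written against the post-translation (inside) address and limited
!    to the one published host: inbound NAT runs before the zone-pair policy
ip access-list extended OUTSIDE-TO-V30-WEB
 permit tcp any host 192.168.30.67 eq 80
 permit tcp any host 192.168.30.67 eq 443
!
class-map type inspect match-all OUTSIDE-TO-V30-WEB-CLASS
 match access-group name OUTSIDE-TO-V30-WEB
!
! 3. inspect (not pass): the session created here carries the server's
!    replies back out; everything else from OUTSIDE to vlan30 is dropped and logged
policy-map type inspect OUTSIDE-TO-V30-POLICY
 class type inspect OUTSIDE-TO-V30-WEB-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
 service-policy type inspect OUTSIDE-TO-V30-POLICY
!
! 4. Verification, in data-path order (exec mode, shown here as comments):
!    translation present, zone-pair bound, ACL hit counters moving,
!    and a successful connection visible as a session on OUT-TO-30
! show ip nat translations
! show zone-pair security
! show ip access-lists OUTSIDE-TO-V30-WEB
! show policy-map type inspect zone-pair OUT-TO-30 sessions
```

Checking in that order tells the two failure modes apart: if the translation and zone-pair are in place but no session ever appears while class-default logs drops, the packet reached the firewall and missed the ACL (wrong inside address or port); if neither a translation hit nor a drop shows up, the packet never reached GigabitEthernet0/0 and the problem is upstream of the router.
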
Hello,

Post the current running configuration. In theory, everything should be allowed (and inspected) out...

Building configuration...
 
Current configuration : 16181 bytes
!
! Last configuration change at 18:48:28 UTC Wed Feb 12 2020 by nkoch
! NVRAM config last updated at 18:42:38 UTC Wed Feb 12 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
!
aaa session-id common
!
vlan ifdescr detail
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!
!
!
!
!
 
 
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
 network 192.168.60.0 255.255.255.0
 default-router 192.168.60.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1
 dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
 network 192.168.80.0 255.255.255.0
 default-router 192.168.80.1
 dns-server 208.67.222.222 208.67.220.220
!
!
!
no ip bootp server
ip domain name earth.vastspace.ca
ip host JPL 192.168.2.2
ip host GOLDSTONE 192.168.2.6
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect WAAS flush-timeout 10
ip ddns update method update
 HTTP
  add
 interval maximum 0 0 5 0
!
ip cef
login block-for 13500 attempts 35 within 13500
ipv6 unicast-routing
ipv6 dhcp pool vlan
!
ipv6 dhcp pool vlan20
 address prefix 2001:470:1F19:AB:2000::/68
 dns-server 2620:119:35::35
 dns-server 2620:119:53::53
!
ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!        
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
vtp mode transparent
username nkoch password
!
redundancy
 notification-timer 120000
!
!
!
!
no cdp run
!
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all V80-TO-OUTSIDE-CLASS
 match access-group name V80-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V80-CLASS
 match access-group name OUTSIDE-TO-V80
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
 match access-group name V30-TO-OUTSIDE
class-map type inspect match-any OUTSIDE-TO-V30-CLASS
 match access-group name OUTSIDE-TO-V30
 match access-group name OUTSIDE-TO-V30_80
 match access-group name OUTSIDE-TO-V30_443
class-map type inspect match-all V20-TO-OUTSIDE-CLASS
 match access-group name V20-TO-OUTSIDE
 match access-group name ip620-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V20-CLASS
 match access-group name OUTSIDE-TO-V20
 match access-group name OUTSIDE-TO-ip620
class-map type inspect match-all V70-TO-OUTSIDE-CLASS
 match access-group name V70-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V70-CLASS
 match access-group name OUTSIDE-TO-V70
class-map type inspect match-all V60-TO-OUTSIDE-CLASS
 match access-group name V60-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V60-CLASS
 match access-group name OUTSIDE-TO-V60
class-map type inspect match-all V50-TO-OUTSIDE-CLASS
 match access-group name V50-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V50-CLASS
 match access-group name OUTSIDE-TO-V50
class-map type inspect match-all V40-TO-OUTSIDE-CLASS
 match access-group name V40-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V40-CLASS
 match access-group name OUTSIDE-TO-V40
!
policy-map type inspect V60-TO-OUTSIDE-POLICY
 class type inspect V60-TO-OUTSIDE-CLASS
  inspect
 class class-default
  pass
policy-map type inspect V40-TO-OUTSIDE-POLICY
 class type inspect V40-TO-OUTSIDE-CLASS
  inspect
 class class-default
  pass
policy-map type inspect OUTSIDE-TO-V60-POLICY
 class type inspect OUTSIDE-TO-V60-CLASS
  drop
 class class-default
  drop
policy-map type inspect V20-TO-OUTSIDE-POLICY
 class type inspect V20-TO-OUTSIDE-CLASS
  inspect
 class class-default
  pass
policy-map type inspect V70-TO-OUTSIDE-POLICY
 class type inspect V70-TO-OUTSIDE-CLASS
  inspect
 class class-default
  pass
policy-map type inspect OUTSIDE-TO-V40-POLICY
 class type inspect OUTSIDE-TO-V40-CLASS
  drop
 class class-default
  drop
policy-map type inspect V30-TO-OUTSIDE-POLICY
 class type inspect V30-TO-OUTSIDE-CLASS
  inspect
 class class-default
  pass
policy-map type inspect OUTSIDE-TO-V80-POLICY
 class type inspect OUTSIDE-TO-V80-CLASS
  drop
 class class-default
  drop
policy-map type inspect OUTSIDE-TO-V30-POLICY
 class type inspect OUTSIDE-TO-V30-CLASS
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-V50-POLICY
 class type inspect OUTSIDE-TO-V50-CLASS
  drop
 class class-default
  drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  pass
policy-map type inspect V50-TO-OUTSIDE-POLICY
 class type inspect V50-TO-OUTSIDE-CLASS
  inspect
 class class-default
  pass
policy-map type inspect OUTSIDE-TO-V20-POLICY
 class type inspect OUTSIDE-TO-V20-CLASS
  drop
 class class-default
  drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  drop
 class class-default
  drop
policy-map type inspect V80-TO-OUTSIDE-POLICY
 class type inspect V80-TO-OUTSIDE-CLASS
  inspect
 class class-default
  pass
policy-map type inspect OUTSIDE-TO-V70-POLICY
 class type inspect OUTSIDE-TO-V70-CLASS
  drop
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone security vlan20
zone security vlan30
zone security vlan40
zone security vlan50
zone security vlan60
zone security vlan70
zone security vlan80
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE
 service-policy type inspect V20-TO-OUTSIDE-POLICY
zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE
 service-policy type inspect V30-TO-OUTSIDE-POLICY
zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE
 service-policy type inspect V40-TO-OUTSIDE-POLICY
zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE
 service-policy type inspect V50-TO-OUTSIDE-POLICY
zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE
 service-policy type inspect V60-TO-OUTSIDE-POLICY
zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE
 service-policy type inspect V70-TO-OUTSIDE-POLICY
zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE
 service-policy type inspect V80-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-20 source OUTSIDE destination vlan20
 service-policy type inspect OUTSIDE-TO-V20-POLICY
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
 service-policy type inspect OUTSIDE-TO-V30-POLICY
zone-pair security OUT-TO-40 source OUTSIDE destination vlan40
 service-policy type inspect OUTSIDE-TO-V40-POLICY
zone-pair security OUT-TO-50 source OUTSIDE destination vlan50
 service-policy type inspect OUTSIDE-TO-V50-POLICY
zone-pair security OUT-TO-60 source OUTSIDE destination vlan60
 service-policy type inspect OUTSIDE-TO-V60-POLICY
zone-pair security OUT-TO-70 source OUTSIDE destination vlan70
 service-policy type inspect OUTSIDE-TO-V70-POLICY
zone-pair security OUT-TO-80 source OUTSIDE destination vlan80
 service-policy type inspect OUTSIDE-TO-V80-POLICY
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
 no ip address
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 zone-member security OUTSIDE
 ipv6 address
 ipv6 enable
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip
 tunnel destination
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no mop enabled
!
interface GigabitEthernet0/0
 ip ddns update update
 ip address dhcp hostname NASA
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 zone-member security INSIDE
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan20
 no cdp enable
 ipv6 enable
 ipv6 nd managed-config-flag
 ipv6 dhcp server vlan20
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan30
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan40
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan50
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.60
 encapsulation dot1Q 60
 ip address 192.168.60.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan60
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.70
 encapsulation dot1Q 70
 ip address 192.168.70.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan70
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.80
 encapsulation dot1Q 80
 ip address 192.168.80.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security vlan80
 no cdp enable
 ipv6 enable
!
interface GigabitEthernet0/1.400
 no cdp enable
!
interface GigabitEthernet0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view default
 domain resolver source-interface GigabitEthernet0/0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.30.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.10 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.30.10 22 interface GigabitEthernet0/0 22
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
no ip ssh server authenticate user password
ip identd
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
ip access-list extended OUTSIDE-TO-V20
ip access-list extended OUTSIDE-TO-V30
ip access-list extended OUTSIDE-TO-V30_443
 permit tcp any any eq 443
ip access-list extended OUTSIDE-TO-V30_80
 permit tcp any any eq www
ip access-list extended OUTSIDE-TO-V40
ip access-list extended OUTSIDE-TO-V50
ip access-list extended OUTSIDE-TO-V60
ip access-list extended OUTSIDE-TO-V70
ip access-list extended OUTSIDE-TO-V80
ip access-list extended V20-TO-OUTSIDE
 permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended V30-TO-OUTSIDE
 permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended V40-TO-OUTSIDE
 permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended V50-TO-OUTSIDE
 permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended V60-TO-OUTSIDE
ip access-list extended V70-TO-OUTSIDE
ip access-list extended V80-TO-OUTSIDE
 permit ip 192.168.80.0 0.0.0.255 any
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
!
!
ipv6 access-list OUTSIDE-TO-ip620
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 permit icmp any any hop-limit
 permit icmp any any reassembly-timeout
 permit icmp any any header
 permit icmp any any next-header
 permit icmp any any parameter-option
 permit icmp any any echo-request
 permit icmp any any echo-reply
 permit icmp any any dhaad-request
 permit icmp any any dhaad-reply
 permit icmp any any mpd-solicitation
 permit icmp any any mpd-advertisement
 permit icmp any any nd-na
 permit icmp any any nd-ns
!
ipv6 access-list ip620-TO-OUTSIDE
 permit ipv6 2001:470:1F19:AB:2000::/68 any
control-plane host
!
!
control-plane
!
!
 vstack
banner login ^C
 
   *******         *****       ,******.          ,**************        ,******,            
 **********,       *****     .**********      ,*****************       **********            
******,*****       *****     ************    *******************      ************          
*****   *****      *****    *****   ******   *****                   *****   ,*****          
*****   *****,     *****   ******    *****   *****                  ,*****    *****          
*****    *****     *****   *****      *****  ,****************      *****      *****        
*****    ,*****    *****  *****       ******   *****************   *****       ,*****        
*****     *****    *****  *****        *****       ,,,,,,,,****** .*****        *****        
*****     ,*****   ***** *****          *****               ***** *****          *****      
*****      *****   **********           *****,             ***********,          ******      
*****       ***********.*****            *********************** *****            *****      
*****        ********* *****              ********************  *****              *****     ^C
banner motd ^C
Welcome to ^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 speed 115200
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 modem InOut
 transport input telnet
 transport output telnet
 flowcontrol hardware
line 2
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7
 login authentication local_auth
 transport input none
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 0.us.pool.ntp.org
!
end
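One check worth running on a ZBF config like the one above is to cross-reference every inspect class-map with the named ACL it matches and flag two things: class-maps bound to an ACL that has no entries, and ACLs that have entries but are referenced by no class-map. In the posted config, OUTSIDE-TO-V30 has no entries while OUTSIDE-TO-V30_80 and OUTSIDE-TO-V30_443 do, and neither of the latter is matched by any class-map in the quoted section. The script below is an added example, not from the thread; the OUTSIDE-TO-V30-CLASS class-map lies outside the quoted section, so the constructed sample assumes it matches OUTSIDE-TO-V30.

```python
import re

# Constructed excerpt modelled on the posted config. The OUTSIDE-TO-V30-CLASS
# class-map lies outside the quoted section; its ACL reference is an assumption.
SAMPLE_CONFIG = """\
class-map type inspect match-all OUTSIDE-TO-V30-CLASS
 match access-group name OUTSIDE-TO-V30
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
 match access-group name V30-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-V30
ip access-list extended OUTSIDE-TO-V30_443
 permit tcp any any eq 443
ip access-list extended OUTSIDE-TO-V30_80
 permit tcp any any eq www
ip access-list extended V30-TO-OUTSIDE
 permit ip 192.168.30.0 0.0.0.255 any
"""

def parse_config(config):
    """Return (acl -> entry lines, class-map -> matched ACL name) in one pass."""
    acls, refs, acl, cmap = {}, {}, None, None
    for line in config.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            acl, cmap = m.group(1), None
            acls[acl] = []                      # an ACL with no entries stays []
        elif m := re.match(r"class-map type inspect \S+ (\S+)", line):
            cmap, acl = m.group(1), None
        elif cmap and (m := re.match(r"\s+match access-group name (\S+)", line)):
            refs[cmap] = m.group(1)
        elif acl and line.startswith(" "):
            acls[acl].append(line.strip())      # indented line under an ACL = entry
        elif not line.startswith(" "):
            acl = cmap = None                   # any other top-level line ends the block
    return acls, refs

def audit(config):
    """Class-maps whose ACL is empty or undefined, and populated ACLs no class-map uses."""
    acls, refs = parse_config(config)
    empty = sorted(c for c, a in refs.items() if not acls.get(a))
    used = set(refs.values())
    unreferenced = sorted(a for a, e in acls.items() if e and a not in used)
    return {"classmap_with_empty_acl": empty, "unreferenced_acl": unreferenced}

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_CONFIG).items():
        print(finding, names)
```

Feed it the output of `show running-config` to check the full device rather than the excerpt.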

Hello,

The config looks good actually. If you can access the webserver 192.168.30.10 from the outside, that means the NAT and the ZBF are working, otherwise the traffic from the webserver to the outside would not work either. Try and ping anything (e.g. 8.8.8.8) from the webserver, does that work?
