02-09-2020 10:21 AM
I can't seem to get zbf and port forwarding working.
Current configuration : 15831 bytes
!
! Last configuration change at 10:07:40 UTC Sun Feb 9 2020 by nkoch
! NVRAM config last updated at 04:38:27 UTC Tue Feb 4 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
vlan ifdescr detail
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip host JPL 192.168.2.2
ip host GOLDSTONE 192.168.2.6
ip name-server 216.218.130.2
ip name-server 216.218.131.2
ip name-server 216.218.132.2
ip inspect WAAS flush-timeout 10
ip ddns update method update
HTTP
add https://@ipv4.tunnelbroker.net/nic/update?hostname=
interval maximum 0 0 5 0
!
ip cef
login block-for 13500 attempts 35 within 13500
ipv6 unicast-routing
ipv6 dhcp pool vlan
!
ipv6 dhcp pool vlan20
address prefix 2001:470:1F19:AB:2000::/68
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username nkoch password 7
!
redundancy
notification-timer 120000
!
no cdp run
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all V80-TO-OUTSIDE-CLASS
match access-group name V80-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V80-CLASS
match access-group name OUTSIDE-TO-V80
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
match access-group name V30-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V30-CLASS
match access-group name OUTSIDE-TO-V30
class-map type inspect match-all V20-TO-OUTSIDE-CLASS
match access-group name V20-TO-OUTSIDE
match access-group name ip620-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V20-CLASS
match access-group name OUTSIDE-TO-V20
match access-group name OUTSIDE-TO-ip620
class-map type inspect match-all V70-TO-OUTSIDE-CLASS
match access-group name V70-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V70-CLASS
match access-group name OUTSIDE-TO-V70
class-map type inspect match-all V60-TO-OUTSIDE-CLASS
match access-group name V60-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V60-CLASS
match access-group name OUTSIDE-TO-V60
class-map type inspect match-all V50-TO-OUTSIDE-CLASS
match access-group name V50-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V50-CLASS
match access-group name OUTSIDE-TO-V50
class-map type inspect match-all V40-TO-OUTSIDE-CLASS
match access-group name V40-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V40-CLASS
match access-group name OUTSIDE-TO-V40
!
policy-map type inspect V60-TO-OUTSIDE-POLICY
class type inspect V60-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V40-TO-OUTSIDE-POLICY
class type inspect V40-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V60-POLICY
class type inspect OUTSIDE-TO-V60-CLASS
drop
class class-default
drop
policy-map type inspect V20-TO-OUTSIDE-POLICY
class type inspect V20-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V70-TO-OUTSIDE-POLICY
class type inspect V70-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V40-POLICY
class type inspect OUTSIDE-TO-V40-CLASS
drop
class class-default
drop
policy-map type inspect V30-TO-OUTSIDE-POLICY
class type inspect V30-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V80-POLICY
class type inspect OUTSIDE-TO-V80-CLASS
drop
class class-default
drop
policy-map type inspect OUTSIDE-TO-V30-POLICY
class type inspect OUTSIDE-TO-V30-CLASS
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-V50-POLICY
class type inspect OUTSIDE-TO-V50-CLASS
drop
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V50-TO-OUTSIDE-POLICY
class type inspect V50-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V20-POLICY
class type inspect OUTSIDE-TO-V20-CLASS
drop
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
policy-map type inspect V80-TO-OUTSIDE-POLICY
class type inspect V80-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V70-POLICY
class type inspect OUTSIDE-TO-V70-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone security vlan20
zone security vlan30
zone security vlan40
zone security vlan50
zone security vlan60
zone security vlan70
zone security vlan80
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE
service-policy type inspect V20-TO-OUTSIDE-POLICY
zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE
service-policy type inspect V30-TO-OUTSIDE-POLICY
zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE
service-policy type inspect V40-TO-OUTSIDE-POLICY
zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE
service-policy type inspect V50-TO-OUTSIDE-POLICY
zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE
service-policy type inspect V60-TO-OUTSIDE-POLICY
zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE
service-policy type inspect V70-TO-OUTSIDE-POLICY
zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE
service-policy type inspect V80-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-20 source OUTSIDE destination vlan20
service-policy type inspect OUTSIDE-TO-V20-POLICY
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
service-policy type inspect OUTSIDE-TO-V30-POLICY
zone-pair security OUT-TO-40 source OUTSIDE destination vlan40
service-policy type inspect OUTSIDE-TO-V40-POLICY
zone-pair security OUT-TO-50 source OUTSIDE destination vlan50
service-policy type inspect OUTSIDE-TO-V50-POLICY
zone-pair security OUT-TO-60 source OUTSIDE destination vlan60
service-policy type inspect OUTSIDE-TO-V60-POLICY
zone-pair security OUT-TO-70 source OUTSIDE destination vlan70
service-policy type inspect OUTSIDE-TO-V70-POLICY
zone-pair security OUT-TO-80 source OUTSIDE destination vlan80
service-policy type inspect OUTSIDE-TO-V80-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security OUTSIDE
ipv6 address
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip ddns update update
ip address dhcp hostname NASA
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
zone-member security INSIDE
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan20
no cdp enable
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server vlan20
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan30
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan40
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan50
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan60
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan70
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan80
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.400
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view default
domain name vastspace.ca
domain resolver source-interface GigabitEthernet0/0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat outside source list 201 interface GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip identd
!
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
ip access-list extended OUTSIDE-TO-V20
ip access-list extended OUTSIDE-TO-V30
permit tcp any host 192.168.30.67 eq www
permit tcp any host 192.168.30.67 eq 443
ip access-list extended OUTSIDE-TO-V40
ip access-list extended OUTSIDE-TO-V50
ip access-list extended OUTSIDE-TO-V60
ip access-list extended OUTSIDE-TO-V70
ip access-list extended OUTSIDE-TO-V80
ip access-list extended V20-TO-OUTSIDE
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended V30-TO-OUTSIDE
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended V40-TO-OUTSIDE
permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended V50-TO-OUTSIDE
permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended V60-TO-OUTSIDE
ip access-list extended V70-TO-OUTSIDE
ip access-list extended V80-TO-OUTSIDE
permit ip 192.168.80.0 0.0.0.255 any
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
ipv6 access-list OUTSIDE-TO-ip620
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any echo-request
permit icmp any any echo-reply
permit icmp any any dhaad-request
permit icmp any any dhaad-reply
permit icmp any any mpd-solicitation
permit icmp any any mpd-advertisement
permit icmp any any nd-na
permit icmp any any nd-ns
!
ipv6 access-list ip620-TO-OUTSIDE
permit ipv6 2001:470:1F19:AB:2000::/68 any
control-plane host
!
control-plane
!
vstack
banner login ^C
******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ,,,,,,,,****** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** ***** ^C
banner motd ^C
Welcome to ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 0.us.pool.ntp.org
!
end
02-12-2020 12:47 PM - edited 02-12-2020 12:48 PM
I can contact the webserver locally. Cannot via external interface. It also has internet routability.
02-12-2020 12:51 PM
Hello,
when you access the webserver using the external, public IP address, do you see a translation in the NAT table (show ip nat translation *)?
02-12-2020 12:54 PM
NASA#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 71.17.160.174:22 192.168.30.10:22 --- ---
tcp 71.17.160.174:80 192.168.30.10:80 --- ---
tcp 71.17.160.174:443 192.168.30.10:443 --- ---
I can't access it from the outside.... That's what I'm saying.
02-12-2020 01:36 PM
Hello,
try and disable the ZBF (by removing the zone member statements from the interfaces) and try to access the webserver from the outside... does that work then?
02-12-2020 01:11 PM
Hello,
try and add the below:
ip nat pool WEBSERVER 192.168.30.10 192.168.30.10 netmask 255.255.255.0
ip nat outside source list 1 pool WEBSERVER add-route
!
access-list 1 permit any
and change the policy map to:
policy-map type inspect OUTSIDE-TO-V30-POLICY
class type inspect OUTSIDE-TO-V30-CLASS
inspect
02-12-2020 01:37 PM - edited 02-12-2020 02:08 PM
I lost all internet connectivity for web browsing. I tried this.
ip nat pool WEBSERVER 192.168.30.10 192.168.30.10 netmask 255.255.255.0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.30.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.10 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.30.10 22 interface GigabitEthernet0/0 22
ip nat outside source list 2 pool WEBSERVER add-route
access-list 2 permit any
Pro Inside global Inside local Outside local Outside global
--- --- --- 192.168.30.10 172.217.165.10
tcp 71.17.160.174:22 192.168.30.10:22 --- ---
tcp 71.17.160.174:80 192.168.30.10:80 --- ---
tcp 71.17.160.174:443 192.168.30.10:443 --- ---
Didn't get the internet back until
NASA(config)#no ip nat outside source list 2 pool WEBSERVER add-route
Dynamic mapping in use, do you want to delete all entries? [no]: yes
Same result
02-12-2020 02:00 PM
Hello,
remove:
ip nat outside source list 2 pool WEBSERVER add-route
access-list 2 permit any
and disable the ZBF. We need to find out if the webserver is accessible at all from the outside...
02-12-2020 02:11 PM - edited 02-12-2020 02:26 PM
Similar concept. I enabled https server.
You can visit https://earth.vastspace.ca/ which is secure server on the cisco box. So the system is reachable.
The server/vm is going over two 802.1Q trunks and three vlan devices. I can reach the internet through it and there is no other security than what's on the router.
02-12-2020 02:52 PM
Hello,
I cannot reach the website. Either way, I will lab this and get back with you. It will be tomorrow, as I am in GMT +1, so it is midnight over here...
02-12-2020 02:54 PM
Thank you sir
02-12-2020 03:04 PM - edited 02-13-2020 06:32 AM
Hello
You have a quite convoluted ZBF configuration which could do with a tidy up.
- However, to gain access, instead of using access-lists for the inspection traffic to/from vlan30 and the Internet, just match on the protocol.
Example:
class-map type inspect match-any V30-TO-OUTSIDE-CLASS_NEW
match protocol tcp
match protocol udp
match protocol icmp
policy-map type inspect V30-TO-OUTSIDE-POLICY
no class type inspect V30-TO-OUTSIDE-CLASS
class type inspect V30-TO-OUTSIDE-CLASS_NEW
class-map type inspect match-any OUTSIDE-TO-V30-CLASS
no match access-group name OUTSIDE-TO-V30
no match access-group name OUTSIDE-TO-V30_80
no match access-group name OUTSIDE-TO-V30_443
match protocol http
match protocol https
policy-map type inspect OUTSIDE-TO-V30-POLICY
class type inspect OUTSIDE-TO-V30-CLASS
inspect
class class-default
no drop log
no drop
02-13-2020 01:36 PM
It would appear you are trolling.
02-13-2020 01:42 PM
What do you mean by that remark?
02-13-2020 03:26 AM
Hello,
I got HTTP and HTTPS access from the outside to the inside webserver to work with the configuration changes below (marked with -->). Try these out and see if you get it to work. Apparently the class map for the out to v30 needs a parent class matching both protocols...
Building configuration...
Current configuration : 16181 bytes
!
! Last configuration change at 18:48:28 UTC Wed Feb 12 2020 by nkoch
! NVRAM config last updated at 18:42:38 UTC Wed Feb 12 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
vlan ifdescr detail
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip domain name earth.vastspace.ca
ip host JPL 192.168.2.2
ip host GOLDSTONE 192.168.2.6
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect WAAS flush-timeout 10
ip ddns update method update
HTTP
add
interval maximum 0 0 5 0
!
ip cef
login block-for 13500 attempts 35 within 13500
ipv6 unicast-routing
ipv6 dhcp pool vlan
!
ipv6 dhcp pool vlan20
address prefix 2001:470:1F19:AB:2000::/68
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username nkoch password
!
redundancy
notification-timer 120000
!
no cdp run
!
--> class-map type inspect match-any HTTP_HTTPS
--> match protocol http
--> match protocol https
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all V80-TO-OUTSIDE-CLASS
match access-group name V80-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V80-CLASS
match access-group name OUTSIDE-TO-V80
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
match access-group name V30-TO-OUTSIDE
--> class-map type inspect match-all OUTSIDE-TO-V30-CLASS
--> match class-map HTTP_HTTPS
--> match access-group name OUTSIDE-TO-V30_80_443
class-map type inspect match-all V20-TO-OUTSIDE-CLASS
match access-group name V20-TO-OUTSIDE
match access-group name ip620-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V20-CLASS
match access-group name OUTSIDE-TO-V20
match access-group name OUTSIDE-TO-ip620
class-map type inspect match-all V70-TO-OUTSIDE-CLASS
match access-group name V70-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V70-CLASS
match access-group name OUTSIDE-TO-V70
class-map type inspect match-all V60-TO-OUTSIDE-CLASS
match access-group name V60-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V60-CLASS
match access-group name OUTSIDE-TO-V60
class-map type inspect match-all V50-TO-OUTSIDE-CLASS
match access-group name V50-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V50-CLASS
match access-group name OUTSIDE-TO-V50
class-map type inspect match-all V40-TO-OUTSIDE-CLASS
match access-group name V40-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V40-CLASS
match access-group name OUTSIDE-TO-V40
!
policy-map type inspect V60-TO-OUTSIDE-POLICY
class type inspect V60-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V40-TO-OUTSIDE-POLICY
class type inspect V40-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V60-POLICY
class type inspect OUTSIDE-TO-V60-CLASS
drop
class class-default
drop
policy-map type inspect V20-TO-OUTSIDE-POLICY
class type inspect V20-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V70-TO-OUTSIDE-POLICY
class type inspect V70-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V40-POLICY
class type inspect OUTSIDE-TO-V40-CLASS
drop
class class-default
drop
policy-map type inspect V30-TO-OUTSIDE-POLICY
class type inspect V30-TO-OUTSIDE-CLASS
inspect
class class-default
--> drop
policy-map type inspect OUTSIDE-TO-V80-POLICY
class type inspect OUTSIDE-TO-V80-CLASS
drop
class class-default
drop
policy-map type inspect OUTSIDE-TO-V30-POLICY
class type inspect OUTSIDE-TO-V30-CLASS
--> inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-V50-POLICY
class type inspect OUTSIDE-TO-V50-CLASS
drop
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V50-TO-OUTSIDE-POLICY
class type inspect V50-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V20-POLICY
class type inspect OUTSIDE-TO-V20-CLASS
drop
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
policy-map type inspect V80-TO-OUTSIDE-POLICY
class type inspect V80-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V70-POLICY
class type inspect OUTSIDE-TO-V70-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone security vlan20
zone security vlan30
zone security vlan40
zone security vlan50
zone security vlan60
zone security vlan70
zone security vlan80
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE
service-policy type inspect V20-TO-OUTSIDE-POLICY
zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE
service-policy type inspect V30-TO-OUTSIDE-POLICY
zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE
service-policy type inspect V40-TO-OUTSIDE-POLICY
zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE
service-policy type inspect V50-TO-OUTSIDE-POLICY
zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE
service-policy type inspect V60-TO-OUTSIDE-POLICY
zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE
service-policy type inspect V70-TO-OUTSIDE-POLICY
zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE
service-policy type inspect V80-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-20 source OUTSIDE destination vlan20
service-policy type inspect OUTSIDE-TO-V20-POLICY
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
service-policy type inspect OUTSIDE-TO-V30-POLICY
zone-pair security OUT-TO-40 source OUTSIDE destination vlan40
service-policy type inspect OUTSIDE-TO-V40-POLICY
zone-pair security OUT-TO-50 source OUTSIDE destination vlan50
service-policy type inspect OUTSIDE-TO-V50-POLICY
zone-pair security OUT-TO-60 source OUTSIDE destination vlan60
service-policy type inspect OUTSIDE-TO-V60-POLICY
zone-pair security OUT-TO-70 source OUTSIDE destination vlan70
service-policy type inspect OUTSIDE-TO-V70-POLICY
zone-pair security OUT-TO-80 source OUTSIDE destination vlan80
service-policy type inspect OUTSIDE-TO-V80-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security OUTSIDE
ipv6 address
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip ddns update update
ip address dhcp hostname NASA
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
zone-member security INSIDE
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan20
no cdp enable
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server vlan20
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan30
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan40
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan50
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan60
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan70
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan80
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.400
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view default
domain resolver source-interface GigabitEthernet0/0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.30.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.10 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.30.10 22 interface GigabitEthernet0/0 22
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
no ip ssh server authenticate user password
ip identd
!
--> ip access-list extended OUTSIDE-TO-V30_80_443
--> permit tcp any host 192.168.30.10 eq 80
--> permit tcp any host 192.168.30.10 eq 443
ip access-list extended OUTSIDE-TO-V40
ip access-list extended OUTSIDE-TO-V50
ip access-list extended OUTSIDE-TO-V60
ip access-list extended OUTSIDE-TO-V70
ip access-list extended OUTSIDE-TO-V80
ip access-list extended V20-TO-OUTSIDE
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended V30-TO-OUTSIDE
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended V40-TO-OUTSIDE
permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended V50-TO-OUTSIDE
permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended V60-TO-OUTSIDE
ip access-list extended V70-TO-OUTSIDE
ip access-list extended V80-TO-OUTSIDE
permit ip 192.168.80.0 0.0.0.255 any
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
!
!
ipv6 access-list OUTSIDE-TO-ip620
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any echo-request
permit icmp any any echo-reply
permit icmp any any dhaad-request
permit icmp any any dhaad-reply
permit icmp any any mpd-solicitation
permit icmp any any mpd-advertisement
permit icmp any any nd-na
permit icmp any any nd-ns
!
ipv6 access-list ip620-TO-OUTSIDE
permit ipv6 2001:470:1F19:AB:2000::/68 any
control-plane host
!
!
control-plane
!
!
vstack
banner login ^C
******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ,,,,,,,,****** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** ***** ^C
banner motd ^C
Welcome to ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 0.us.pool.ntp.org
!
end
02-13-2020 05:07 AM
Hello,
Actually, for the sake of clarity, I also completed the empty access lists...
The full (hopefully working) config with the changes marked in bold:
Building configuration...
Current configuration : 16181 bytes
!
! Last configuration change at 18:48:28 UTC Wed Feb 12 2020 by nkoch
! NVRAM config last updated at 18:42:38 UTC Wed Feb 12 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
vlan ifdescr detail
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip domain name earth.vastspace.ca
ip host JPL 192.168.2.2
ip host GOLDSTONE 192.168.2.6
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect WAAS flush-timeout 10
ip ddns update method update
HTTP
add
interval maximum 0 0 5 0
!
ip cef
login block-for 13500 attempts 35 within 13500
ipv6 unicast-routing
ipv6 dhcp pool vlan
!
ipv6 dhcp pool vlan20
address prefix 2001:470:1F19:AB:2000::/68
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username nkoch password
!
redundancy
notification-timer 120000
!
no cdp run
!
--> class-map type inspect match-any HTTP_HTTPS
--> match protocol http
--> match protocol https
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all V80-TO-OUTSIDE-CLASS
match access-group name V80-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V80-CLASS
match access-group name OUTSIDE-TO-V80
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
match access-group name V30-TO-OUTSIDE
--> class-map type inspect match-all OUTSIDE-TO-V30-CLASS
--> match class-map HTTP_HTTPS
--> match access-group name OUTSIDE-TO-V30_80_443
class-map type inspect match-all V20-TO-OUTSIDE-CLASS
match access-group name V20-TO-OUTSIDE
match access-group name ip620-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V20-CLASS
match access-group name OUTSIDE-TO-V20
match access-group name OUTSIDE-TO-ip620
class-map type inspect match-all V70-TO-OUTSIDE-CLASS
match access-group name V70-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V70-CLASS
match access-group name OUTSIDE-TO-V70
class-map type inspect match-all V60-TO-OUTSIDE-CLASS
match access-group name V60-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V60-CLASS
match access-group name OUTSIDE-TO-V60
class-map type inspect match-all V50-TO-OUTSIDE-CLASS
match access-group name V50-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V50-CLASS
match access-group name OUTSIDE-TO-V50
class-map type inspect match-all V40-TO-OUTSIDE-CLASS
match access-group name V40-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V40-CLASS
match access-group name OUTSIDE-TO-V40
!
policy-map type inspect V60-TO-OUTSIDE-POLICY
class type inspect V60-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V40-TO-OUTSIDE-POLICY
class type inspect V40-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V60-POLICY
class type inspect OUTSIDE-TO-V60-CLASS
drop
class class-default
drop
policy-map type inspect V20-TO-OUTSIDE-POLICY
class type inspect V20-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V70-TO-OUTSIDE-POLICY
class type inspect V70-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V40-POLICY
class type inspect OUTSIDE-TO-V40-CLASS
drop
class class-default
drop
policy-map type inspect V30-TO-OUTSIDE-POLICY
class type inspect V30-TO-OUTSIDE-CLASS
inspect
class class-default
--> drop
policy-map type inspect OUTSIDE-TO-V80-POLICY
class type inspect OUTSIDE-TO-V80-CLASS
drop
class class-default
drop
policy-map type inspect OUTSIDE-TO-V30-POLICY
class type inspect OUTSIDE-TO-V30-CLASS
--> inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-V50-POLICY
class type inspect OUTSIDE-TO-V50-CLASS
drop
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V50-TO-OUTSIDE-POLICY
class type inspect V50-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V20-POLICY
class type inspect OUTSIDE-TO-V20-CLASS
drop
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
policy-map type inspect V80-TO-OUTSIDE-POLICY
class type inspect V80-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V70-POLICY
class type inspect OUTSIDE-TO-V70-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone security vlan20
zone security vlan30
zone security vlan40
zone security vlan50
zone security vlan60
zone security vlan70
zone security vlan80
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE
service-policy type inspect V20-TO-OUTSIDE-POLICY
zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE
service-policy type inspect V30-TO-OUTSIDE-POLICY
zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE
service-policy type inspect V40-TO-OUTSIDE-POLICY
zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE
service-policy type inspect V50-TO-OUTSIDE-POLICY
zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE
service-policy type inspect V60-TO-OUTSIDE-POLICY
zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE
service-policy type inspect V70-TO-OUTSIDE-POLICY
zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE
service-policy type inspect V80-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-20 source OUTSIDE destination vlan20
service-policy type inspect OUTSIDE-TO-V20-POLICY
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
service-policy type inspect OUTSIDE-TO-V30-POLICY
zone-pair security OUT-TO-40 source OUTSIDE destination vlan40
service-policy type inspect OUTSIDE-TO-V40-POLICY
zone-pair security OUT-TO-50 source OUTSIDE destination vlan50
service-policy type inspect OUTSIDE-TO-V50-POLICY
zone-pair security OUT-TO-60 source OUTSIDE destination vlan60
service-policy type inspect OUTSIDE-TO-V60-POLICY
zone-pair security OUT-TO-70 source OUTSIDE destination vlan70
service-policy type inspect OUTSIDE-TO-V70-POLICY
zone-pair security OUT-TO-80 source OUTSIDE destination vlan80
service-policy type inspect OUTSIDE-TO-V80-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security OUTSIDE
ipv6 address
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip ddns update update
ip address dhcp hostname NASA
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
--> ip nat inside
zone-member security INSIDE
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan20
no cdp enable
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server vlan20
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan30
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan40
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan50
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan60
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan70
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan80
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.400
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view default
domain resolver source-interface GigabitEthernet0/0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.30.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.10 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.30.10 22 interface GigabitEthernet0/0 22
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
no ip ssh server authenticate user password
ip identd
!
ip access-list extended INSIDE-TO-OUTSIDE
--> permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-INSIDE
--> permit ip any 192.168.2.0 0.0.0.255
ip access-list extended OUTSIDE-TO-V20
--> permit ip any 192.168.20.0 0.0.0.255
--> no ip access-list extended OUTSIDE-TO-V30
--> ip access-list extended OUTSIDE-TO-V30_80_443
--> permit tcp any host 192.168.30.10 eq 80
--> permit tcp any host 192.168.30.10 eq 443
ip access-list extended OUTSIDE-TO-V40
--> permit ip any 192.168.40.0 0.0.0.255
ip access-list extended OUTSIDE-TO-V50
--> permit ip any 192.168.50.0 0.0.0.255
ip access-list extended OUTSIDE-TO-V60
--> permit ip any 192.168.60.0 0.0.0.255
ip access-list extended OUTSIDE-TO-V70
--> permit ip any 192.168.70.0 0.0.0.255
ip access-list extended OUTSIDE-TO-V80
--> permit ip any 192.168.80.0 0.0.0.255
ip access-list extended V20-TO-OUTSIDE
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended V30-TO-OUTSIDE
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended V40-TO-OUTSIDE
permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended V50-TO-OUTSIDE
permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended V60-TO-OUTSIDE
--> permit ip 192.168.60.0 0.0.0.255 any
ip access-list extended V70-TO-OUTSIDE
--> permit ip 192.168.70.0 0.0.0.255 any
ip access-list extended V80-TO-OUTSIDE
permit ip 192.168.80.0 0.0.0.255 any
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
ipv6 access-list OUTSIDE-TO-ip620
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any echo-request
permit icmp any any echo-reply
permit icmp any any dhaad-request
permit icmp any any dhaad-reply
permit icmp any any mpd-solicitation
permit icmp any any mpd-advertisement
permit icmp any any nd-na
permit icmp any any nd-ns
!
ipv6 access-list ip620-TO-OUTSIDE
permit ipv6 2001:470:1F19:AB:2000::/68 any
control-plane host
!
control-plane
!
vstack
banner login ^C
******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ,,,,,,,,****** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** ***** ^C
banner motd ^C
Welcome to ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 0.us.pool.ntp.org
!
end
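A consistency check for the kind of config posted above, added here as an example and not part of the thread: a ZBF policy chain is a set of names pointing at names (zone-pair, policy-map, class-map, ACL), and a single mis-typed name or an ACL left without entries silently blocks the ports that the static NAT entries were meant to forward. The script parses a flattened paste by keyword (indentation is lost on the forum) and reports dangling class-map references, referenced ACLs with no entries, and static NAT forwards that no ACL permits; SAMPLE_CONFIG is a constructed excerpt shaped like the posted config, not the poster's own text.

```python
"""Reference check for a pasted Cisco IOS zone-based firewall (ZBF) config."""
import re

# Constructed excerpt shaped like the thread's running-config (indentation lost in
# the paste): one class-map name typo, one empty ACL, one NAT forward with no permit.
SAMPLE_CONFIG = """\
class-map type inspect match-any HTTP_HTPS
match protocol http
match protocol https
class-map type inspect match-all OUTSIDE-TO-V30-CLASS
match class-map HTTP_HTTPS
match access-group name OUTSIDE-TO-V30_80_443
class-map type inspect match-all OUTSIDE-TO-V40-CLASS
match access-group name OUTSIDE-TO-V40
ip nat inside source static tcp 192.168.30.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.10 22 interface GigabitEthernet0/0 22
ip access-list extended OUTSIDE-TO-V30_80_443
permit tcp any host 192.168.30.10 eq 80
permit tcp any host 192.168.30.10 eq 443
ip access-list extended OUTSIDE-TO-V40
"""

# Block openers name a block; child lines need no indentation, and any other
# top-level command closes the open block, so a flattened paste parses correctly.
BLOCK_RE = re.compile(r"^(class-map|policy-map) type inspect (?:match-\S+ )?(\S+)$"
                      r"|^(ip access-list) extended (\S+)$")
CHILD_RE = re.compile(r"^(?:match|class|inspect|pass|drop|permit|deny|remark)\b")
NAT_RE = re.compile(r"^\s*ip nat inside source static tcp (\S+) (\d+) ", re.M)


def parse(config):
    """Return ({kind: {name: [child lines]}}, [(inside host, inside port), ...])."""
    blocks = {"class-map": {}, "policy-map": {}, "ip access-list": {}}
    nats, current = NAT_RE.findall(config), None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := BLOCK_RE.match(line):
            current = blocks[m.group(1) or m.group(3)].setdefault(m.group(2) or m.group(4), [])
        elif current is not None and CHILD_RE.match(line):
            current.append(line)
        else:
            current = None
    return blocks, nats


def check(config):
    """Return findings: dangling class-map refs, missing or empty ACLs, NAT forwards no ACL admits."""
    blocks, nats = parse(config)
    cmaps, acls = blocks["class-map"], blocks["ip access-list"]
    findings = []
    for name, lines in cmaps.items():
        for line in lines:
            if (m := re.match(r"match class-map (\S+)", line)) and m.group(1) not in cmaps:
                findings.append(f"class-map {name}: undefined class-map {m.group(1)}")
            if (m := re.match(r"match access-group name (\S+)", line)) and not acls.get(m.group(1)):
                findings.append(f"class-map {name}: ACL {m.group(1)} is missing or has no entries")
    # Outside->inside NAT runs before the ZBF class lookup, so the ACL behind the
    # inspect class must permit the inside (translated) host and port, not the WAN address.
    for host, port in nats:
        if not any(re.search(rf"host {re.escape(host)} eq {port}\b", l) for ls in acls.values() for l in ls):
            findings.append(f"static NAT {host}:{port}: no ACL entry permits it")
    return findings
```

Run `check()` over a `show running-config` paste before applying it; an empty result means every name in the inspect chain resolves and every forwarded port has an ACL entry behind it.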