cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
415
Views
0
Helpful
39
Replies
Highlighted
Beginner

Re: ZBF - Port Forwarding

I can contact the webserver locally. Cannot via external interface. It also has internet routability.

---------------------
"Fortune favors the brave."
▊▊▊
Highlighted
VIP Mentor

Re: ZBF - Port Forwarding

Hello,

 

when you access the webserver using the external, public IP address, do you see a translation in the NAT table (show ip nat translation *) ?

Highlighted
Beginner

Re: ZBF - Port Forwarding

NASA#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 71.17.160.174:22 192.168.30.10:22 --- ---
tcp 71.17.160.174:80 192.168.30.10:80 --- ---
tcp 71.17.160.174:443 192.168.30.10:443 --- ---

 

I can't access it from the outside.... That's what I'm saying.

 

 

 

---------------------
"Fortune favors the brave."
▊▊▊
Highlighted
VIP Mentor

Re: ZBF - Port Forwarding

Hello,

 

try and disable the ZBF (by removing the zone member statements from the interfaces) and try to access the webserver from the outside...does that work then ?

Highlighted
VIP Mentor

Re: ZBF - Port Forwarding

Hello,

 

try and add the below:

 

ip nat pool WEBSERVER 192.168.30.10 192.168.30.10 netmask 255.255.255.0
ip nat outside source list 1 pool WEBSERVER add-route
!
access-list 1 permit any

 

and change the policy map to:


policy-map type inspect OUTSIDE-TO-V30-POLICY
class type inspect OUTSIDE-TO-V30-CLASS
inspect

Highlighted
Beginner

Re: ZBF - Port Forwarding

I lost all internet connectivity for web browsing. I tried this.

 

ip nat pool WEBSERVER 192.168.30.10 192.168.30.10 netmask 255.255.255.0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.30.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.10 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.30.10 22 interface GigabitEthernet0/0 22
ip nat outside source list 2 pool WEBSERVER add-route


access-list 2 permit any

 

Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.30.10      172.217.165.10
tcp 71.17.160.174:22   192.168.30.10:22   ---                ---
tcp 71.17.160.174:80   192.168.30.10:80   ---                ---
tcp 71.17.160.174:443  192.168.30.10:443  ---                ---

 Didn't get the internet back until

 

NASA(config)#no ip nat outside source list 2 pool WEBSERVER add-route

Dynamic mapping in use, do you want to delete all entries? [no]: yes

 Same result

---------------------
"Fortune favors the brave."
▊▊▊
Highlighted
VIP Mentor

Re: ZBF - Port Forwarding

Hello,

 

remove:

 

ip nat outside source list 2 pool WEBSERVER add-route

access-list 2 permit any

 

and disable the ZBF. We need to find out if the webserver is accessible at all from the outside...

Highlighted
Beginner

Re: ZBF - Port Forwarding

Similar concept. I enabled https server.

You can visit https://earth.vastspace.ca/ which is secure server on the cisco box. So the system is reachable.

 

The server/vm is going over two 802.1Q trunks, and three vland devices. I can reach the internet through it and there is no other security than whats on the router.

---------------------
"Fortune favors the brave."
▊▊▊
Highlighted
VIP Mentor

Re: ZBF - Port Forwarding

Hello,

 

I cannot reach the website. Either way, I will lab this and get back with you. It will be tomorrow, as I am in GMT +1, so it is midnight over here...

Highlighted
Beginner

Re: ZBF - Port Forwarding

Thank you sir

---------------------
"Fortune favors the brave."
▊▊▊
Highlighted
VIP Mentor

Re: ZBF - Port Forwarding

Hello

You have a quite convoluted ZBF configuration which could do with a tidy up

 

- However to gain access instead of using access-lists for the inspection traffic to/from vlan30 and the Internet and just match on the protocol.

 

Example:

class-map type inspect match-any V30-TO-OUTSIDE-CLASS_NEW
match protocol tcp
match protocol udp
match protocol icmp

policy-map type inspect V30-TO-OUTSIDE-POLICY

no class type inspect V30-TO-OUTSIDE-CLASS
class type inspect V30-TO-OUTSIDE-CLASS_NEW

class-map type inspect match-any OUTSIDE-TO-V30-CLASS

no match access-group name OUTSIDE-TO-V30
no match access-group name OUTSIDE-TO-V30_80
no match access-group name OUTSIDE-TO-V30_443
match protocol http
match protocol https

policy-map type inspect OUTSIDE-TO-V30-POLICY

class type inspect OUTSIDE-TO-V30-CLASS
inspect
class class-default
no drop log
no drop



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Highlighted
Beginner

Re: ZBF - Port Forwarding

It would appear you are trolling.

---------------------
"Fortune favors the brave."
▊▊▊
Highlighted
VIP Mentor

Re: ZBF - Port Forwarding

@NathanLKoch 

What do you mean by that remark?



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Highlighted
VIP Mentor

Re: ZBF - Port Forwarding

Hello,

 

I got HTTP and HTTPS access from the outside to the inside webserver to work with the configuration changes below (marked in bold). Try these out and see if you get it to work. Apparently the class map for the out to v30 needs a parent class matching both protocols...

 

Building configuration...

Current configuration : 16181 bytes
!
! Last configuration change at 18:48:28 UTC Wed Feb 12 2020 by nkoch
! NVRAM config last updated at 18:42:38 UTC Wed Feb 12 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
vlan ifdescr detail
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip domain name earth.vastspace.ca
ip host JPL 192.168.2.2
ip host GOLDSTONE 192.168.2.6
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect WAAS flush-timeout 10
ip ddns update method update
HTTP
add
interval maximum 0 0 5 0
!
ip cef
login block-for 13500 attempts 35 within 13500
ipv6 unicast-routing
ipv6 dhcp pool vlan
!
ipv6 dhcp pool vlan20
address prefix 2001:470:1F19:AB:2000::/68
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username nkoch password
!
redundancy
notification-timer 120000
!
no cdp run
!
--> class-map type inspect match-any HTTP_HTPS
--> match protocol http
--> match protocol https
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all V80-TO-OUTSIDE-CLASS
match access-group name V80-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V80-CLASS
match access-group name OUTSIDE-TO-V80
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
match access-group name V30-TO-OUTSIDE
--> class-map type inspect match-all OUTSIDE-TO-V30-CLASS
--> match class-map HTTP_HTTPS
--> match access-group name OUTSIDE-TO-V30_80_443
class-map type inspect match-all V20-TO-OUTSIDE-CLASS
match access-group name V20-TO-OUTSIDE
match access-group name ip620-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V20-CLASS
match access-group name OUTSIDE-TO-V20
match access-group name OUTSIDE-TO-ip620
class-map type inspect match-all V70-TO-OUTSIDE-CLASS
match access-group name V70-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V70-CLASS
match access-group name OUTSIDE-TO-V70
class-map type inspect match-all V60-TO-OUTSIDE-CLASS
match access-group name V60-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V60-CLASS
match access-group name OUTSIDE-TO-V60
class-map type inspect match-all V50-TO-OUTSIDE-CLASS
match access-group name V50-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V50-CLASS
match access-group name OUTSIDE-TO-V50
class-map type inspect match-all V40-TO-OUTSIDE-CLASS
match access-group name V40-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V40-CLASS
match access-group name OUTSIDE-TO-V40
!
policy-map type inspect V60-TO-OUTSIDE-POLICY
class type inspect V60-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V40-TO-OUTSIDE-POLICY
class type inspect V40-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V60-POLICY
class type inspect OUTSIDE-TO-V60-CLASS
drop
class class-default
drop
policy-map type inspect V20-TO-OUTSIDE-POLICY
class type inspect V20-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V70-TO-OUTSIDE-POLICY
class type inspect V70-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V40-POLICY
class type inspect OUTSIDE-TO-V40-CLASS
drop
class class-default
drop
policy-map type inspect V30-TO-OUTSIDE-POLICY
class type inspect V30-TO-OUTSIDE-CLASS
inspect
class class-default
--> drop
policy-map type inspect OUTSIDE-TO-V80-POLICY
class type inspect OUTSIDE-TO-V80-CLASS
drop
class class-default
drop
policy-map type inspect OUTSIDE-TO-V30-POLICY
class type inspect OUTSIDE-TO-V30-CLASS
--> inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-V50-POLICY
class type inspect OUTSIDE-TO-V50-CLASS
drop
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V50-TO-OUTSIDE-POLICY
class type inspect V50-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V20-POLICY
class type inspect OUTSIDE-TO-V20-CLASS
drop
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
policy-map type inspect V80-TO-OUTSIDE-POLICY
class type inspect V80-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V70-POLICY
class type inspect OUTSIDE-TO-V70-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone security vlan20
zone security vlan30
zone security vlan40
zone security vlan50
zone security vlan60
zone security vlan70
zone security vlan80
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE
service-policy type inspect V20-TO-OUTSIDE-POLICY
zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE
service-policy type inspect V30-TO-OUTSIDE-POLICY
zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE
service-policy type inspect V40-TO-OUTSIDE-POLICY
zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE
service-policy type inspect V50-TO-OUTSIDE-POLICY
zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE
service-policy type inspect V60-TO-OUTSIDE-POLICY
zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE
service-policy type inspect V70-TO-OUTSIDE-POLICY
zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE
service-policy type inspect V80-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-20 source OUTSIDE destination vlan20
service-policy type inspect OUTSIDE-TO-V20-POLICY
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
service-policy type inspect OUTSIDE-TO-V30-POLICY
zone-pair security OUT-TO-40 source OUTSIDE destination vlan40
service-policy type inspect OUTSIDE-TO-V40-POLICY
zone-pair security OUT-TO-50 source OUTSIDE destination vlan50
service-policy type inspect OUTSIDE-TO-V50-POLICY
zone-pair security OUT-TO-60 source OUTSIDE destination vlan60
service-policy type inspect OUTSIDE-TO-V60-POLICY
zone-pair security OUT-TO-70 source OUTSIDE destination vlan70
service-policy type inspect OUTSIDE-TO-V70-POLICY
zone-pair security OUT-TO-80 source OUTSIDE destination vlan80
service-policy type inspect OUTSIDE-TO-V80-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security OUTSIDE
ipv6 address
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip ddns update update
ip address dhcp hostname NASA
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0
zone-member security INSIDE
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan20
no cdp enable
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server vlan20
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan30
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan40
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan50
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan60
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan70
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan80
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.400
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view default
domain resolver source-interface GigabitEthernet0/0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.30.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.10 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.30.10 22 interface GigabitEthernet0/0 22
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
no ip ssh server authenticate user password
ip identd
!
--> ip access-list extended OUTSIDE-TO-V30_80_443
--> permit tcp any host 192.168.30.10 eq 80
--> permit tcp any host 192.168.30.10 eq 443

ip access-list extended OUTSIDE-TO-V40
ip access-list extended OUTSIDE-TO-V50
ip access-list extended OUTSIDE-TO-V60
ip access-list extended OUTSIDE-TO-V70
ip access-list extended OUTSIDE-TO-V80
ip access-list extended V20-TO-OUTSIDE
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended V30-TO-OUTSIDE
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended V40-TO-OUTSIDE
permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended V50-TO-OUTSIDE
permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended V60-TO-OUTSIDE
ip access-list extended V70-TO-OUTSIDE
ip access-list extended V80-TO-OUTSIDE
permit ip 192.168.80.0 0.0.0.255 any
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
!
!
ipv6 access-list OUTSIDE-TO-ip620
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any echo-request
permit icmp any any echo-reply
permit icmp any any dhaad-request
permit icmp any any dhaad-reply
permit icmp any any mpd-solicitation
permit icmp any any mpd-advertisement
permit icmp any any nd-na
permit icmp any any nd-ns
!
ipv6 access-list ip620-TO-OUTSIDE
permit ipv6 2001:470:1F19:AB:2000::/68 any
control-plane host
!
!
control-plane
!
!
vstack
banner login ^C

******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ,,,,,,,,****** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** ***** ^C
banner motd ^C
Welcome to ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 0.us.pool.ntp.org
!
end

VIP Mentor

Re: ZBF - Port Forwarding

Hello,

 

actually, for the sake of clarity, I also completed the empty access lists...

 

The full (hopefully working) config with the changes maked in bold:

 

Building configuration...

Current configuration : 16181 bytes
!
! Last configuration change at 18:48:28 UTC Wed Feb 12 2020 by nkoch
! NVRAM config last updated at 18:42:38 UTC Wed Feb 12 2020 by nkoch
!
version 15.7
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
vlan ifdescr detail
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.60
ip dhcp excluded-address 192.168.40.1 192.168.40.60
ip dhcp excluded-address 192.168.50.1 192.168.50.60
ip dhcp excluded-address 192.168.60.1 192.168.60.60
ip dhcp excluded-address 192.168.70.1 192.168.70.60
ip dhcp excluded-address 192.168.80.1 192.168.80.60
!
ip dhcp pool vlan 20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 40
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 60
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 70
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 208.67.222.222 208.67.220.220
!
ip dhcp pool vlan 80
network 192.168.80.0 255.255.255.0
default-router 192.168.80.1
dns-server 208.67.222.222 208.67.220.220
!
no ip bootp server
ip domain name earth.vastspace.ca
ip host JPL 192.168.2.2
ip host GOLDSTONE 192.168.2.6
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect WAAS flush-timeout 10
ip ddns update method update
HTTP
add
interval maximum 0 0 5 0
!
ip cef
login block-for 13500 attempts 35 within 13500
ipv6 unicast-routing
ipv6 dhcp pool vlan
!
ipv6 dhcp pool vlan20
address prefix 2001:470:1F19:AB:2000::/68
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2911/K9 sn FGL1741129H
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
vtp mode transparent
username nkoch password
!
redundancy
notification-timer 120000
!
no cdp run
!
--> class-map type inspect match-any HTTP_HTPS
--> match protocol http
--> match protocol https
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all V80-TO-OUTSIDE-CLASS
match access-group name V80-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V80-CLASS
match access-group name OUTSIDE-TO-V80
class-map type inspect match-all V30-TO-OUTSIDE-CLASS
match access-group name V30-TO-OUTSIDE
--> class-map type inspect match-all OUTSIDE-TO-V30-CLASS
--> match class-map HTTP_HTTPS
--> match access-group name OUTSIDE-TO-V30_80_443
class-map type inspect match-all V20-TO-OUTSIDE-CLASS
match access-group name V20-TO-OUTSIDE
match access-group name ip620-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V20-CLASS
match access-group name OUTSIDE-TO-V20
match access-group name OUTSIDE-TO-ip620
class-map type inspect match-all V70-TO-OUTSIDE-CLASS
match access-group name V70-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V70-CLASS
match access-group name OUTSIDE-TO-V70
class-map type inspect match-all V60-TO-OUTSIDE-CLASS
match access-group name V60-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V60-CLASS
match access-group name OUTSIDE-TO-V60
class-map type inspect match-all V50-TO-OUTSIDE-CLASS
match access-group name V50-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V50-CLASS
match access-group name OUTSIDE-TO-V50
class-map type inspect match-all V40-TO-OUTSIDE-CLASS
match access-group name V40-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-V40-CLASS
match access-group name OUTSIDE-TO-V40
!
policy-map type inspect V60-TO-OUTSIDE-POLICY
class type inspect V60-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V40-TO-OUTSIDE-POLICY
class type inspect V40-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V60-POLICY
class type inspect OUTSIDE-TO-V60-CLASS
drop
class class-default
drop
policy-map type inspect V20-TO-OUTSIDE-POLICY
class type inspect V20-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V70-TO-OUTSIDE-POLICY
class type inspect V70-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V40-POLICY
class type inspect OUTSIDE-TO-V40-CLASS
drop
class class-default
drop
policy-map type inspect V30-TO-OUTSIDE-POLICY
class type inspect V30-TO-OUTSIDE-CLASS
inspect
class class-default
--> drop
policy-map type inspect OUTSIDE-TO-V80-POLICY
class type inspect OUTSIDE-TO-V80-CLASS
drop
class class-default
drop
policy-map type inspect OUTSIDE-TO-V30-POLICY
class type inspect OUTSIDE-TO-V30-CLASS
--> inspect
class class-default
drop log
policy-map type inspect OUTSIDE-TO-V50-POLICY
class type inspect OUTSIDE-TO-V50-CLASS
drop
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect V50-TO-OUTSIDE-POLICY
class type inspect V50-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V20-POLICY
class type inspect OUTSIDE-TO-V20-CLASS
drop
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
drop
class class-default
drop
policy-map type inspect V80-TO-OUTSIDE-POLICY
class type inspect V80-TO-OUTSIDE-CLASS
inspect
class class-default
pass
policy-map type inspect OUTSIDE-TO-V70-POLICY
class type inspect OUTSIDE-TO-V70-CLASS
drop
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone security vlan20
zone security vlan30
zone security vlan40
zone security vlan50
zone security vlan60
zone security vlan70
zone security vlan80
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security 20-TO-OUT source vlan20 destination OUTSIDE
service-policy type inspect V20-TO-OUTSIDE-POLICY
zone-pair security 30-TO-OUT source vlan30 destination OUTSIDE
service-policy type inspect V30-TO-OUTSIDE-POLICY
zone-pair security 40-TO-OUT source vlan40 destination OUTSIDE
service-policy type inspect V40-TO-OUTSIDE-POLICY
zone-pair security 50-TO-OUT source vlan50 destination OUTSIDE
service-policy type inspect V50-TO-OUTSIDE-POLICY
zone-pair security 60-TO-OUT source vlan60 destination OUTSIDE
service-policy type inspect V60-TO-OUTSIDE-POLICY
zone-pair security 70-TO-OUT source vlan70 destination OUTSIDE
service-policy type inspect V70-TO-OUTSIDE-POLICY
zone-pair security 80-TO-OUT source vlan80 destination OUTSIDE
service-policy type inspect V80-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-20 source OUTSIDE destination vlan20
service-policy type inspect OUTSIDE-TO-V20-POLICY
zone-pair security OUT-TO-30 source OUTSIDE destination vlan30
service-policy type inspect OUTSIDE-TO-V30-POLICY
zone-pair security OUT-TO-40 source OUTSIDE destination vlan40
service-policy type inspect OUTSIDE-TO-V40-POLICY
zone-pair security OUT-TO-50 source OUTSIDE destination vlan50
service-policy type inspect OUTSIDE-TO-V50-POLICY
zone-pair security OUT-TO-60 source OUTSIDE destination vlan60
service-policy type inspect OUTSIDE-TO-V60-POLICY
zone-pair security OUT-TO-70 source OUTSIDE destination vlan70
service-policy type inspect OUTSIDE-TO-V70-POLICY
zone-pair security OUT-TO-80 source OUTSIDE destination vlan80
service-policy type inspect OUTSIDE-TO-V80-POLICY
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security OUTSIDE
ipv6 address
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
ip ddns update update
ip address dhcp hostname NASA
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.2.1 255.255.255.0

--> ip nat inside
zone-member security INSIDE
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan20
no cdp enable
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server vlan20
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan30
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan40
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan50
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan60
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.70
encapsulation dot1Q 70
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan70
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.80
encapsulation dot1Q 80
ip address 192.168.80.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security vlan80
no cdp enable
ipv6 enable
!
interface GigabitEthernet0/1.400
no cdp enable
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns view default
domain resolver source-interface GigabitEthernet0/0
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.30.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.30.10 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.30.10 22 interface GigabitEthernet0/0 22
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
no ip ssh server authenticate user password
ip identd
!
ip access-list extended INSIDE-TO-OUTSIDE
--> permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-INSIDE
--> permit ip any 192.168.2.0 0.0.0.255
ip access-list extended OUTSIDE-TO-V20
--> permit ip any 192.168.20.0 0.0.0.255
--> no ip access-list extended OUTSIDE-TO-V30
--> ip access-list extended OUTSIDE-TO-V30_80_443
--> permit tcp any host 192.168.30.10 eq 80
--> permit tcp any host 192.168.30.10 eq 443

ip access-list extended OUTSIDE-TO-V40
--> permit ip any 192.168.40.0 0.0.0.255
ip access-list extended OUTSIDE-TO-V50
--> permit ip any 192.168.50.0 0.0.0.255
ip access-list extended OUTSIDE-TO-V60
--> permit ip any 192.168.60.0 0.0.0.255
ip access-list extended OUTSIDE-TO-V70
--> permit ip any 192.168.70.0 0.0.0.255
ip access-list extended OUTSIDE-TO-V80
--> permit ip any 192.168.80.0 0.0.0.255
ip access-list extended V20-TO-OUTSIDE
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended V30-TO-OUTSIDE
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended V40-TO-OUTSIDE
permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended V50-TO-OUTSIDE
permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended V60-TO-OUTSIDE
--> permit ip 192.168.60.0 0.0.0.255 any
ip access-list extended V70-TO-OUTSIDE
--> permit ip 192.168.70.0 0.0.0.255 any
ip access-list extended V80-TO-OUTSIDE
permit ip 192.168.80.0 0.0.0.255 any
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
!
ipv6 access-list OUTSIDE-TO-ip620
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any hop-limit
permit icmp any any reassembly-timeout
permit icmp any any header
permit icmp any any next-header
permit icmp any any parameter-option
permit icmp any any echo-request
permit icmp any any echo-reply
permit icmp any any dhaad-request
permit icmp any any dhaad-reply
permit icmp any any mpd-solicitation
permit icmp any any mpd-advertisement
permit icmp any any nd-na
permit icmp any any nd-ns
!
ipv6 access-list ip620-TO-OUTSIDE
permit ipv6 2001:470:1F19:AB:2000::/68 any
control-plane host
!
control-plane
!
vstack
banner login ^C

******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ,,,,,,,,****** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** ***** ^C
banner motd ^C
Welcome to ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
speed 115200
line aux 0
exec-timeout 15 0
login authentication local_auth
modem InOut
transport input telnet
transport output telnet
flowcontrol hardware
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7
login authentication local_auth
transport input none
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp update-calendar
ntp server 0.us.pool.ntp.org
!
end

CreatePlease to create content