11-14-2013 12:59 AM - edited 03-10-2019 12:24 PM
I’m hoping that someone can help me out.
I managed to set up the internet connection, Vlan1 and Vlan2, but can't seem to allow Vlan2 access to the internet.
I was also hoping to have a DMZ on Vlan2, but I'm not sure I've got there yet either.
Regards
Chris
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console critical
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 0 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint TP-self-signed-2835623675
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2835623675
revocation-check none
rsakeypair TP-self-signed-2835623675
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-2835623675
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
no ip source-route
!
!
!
!
ip port-map user-protocol--1 port tcp 59225
!
ip dhcp excluded-address 192.168.1.1 192.168.1.239
ip dhcp excluded-address 192.168.1.246 192.168.1.254
!
ip dhcp pool wireless
import all
network 192.168.1.0 255.255.255.0
domain-name cisco
dns-server 194.72.9.34 194.72.9.38
default-router 192.168.1.1
lease infinite
!
!
!
no ip bootp server
ip domain name cisco
ip name-server 194.72.9.34
ip name-server 194.72.9.38
ip name-server 62.6.40.178
ip name-server 62.6.40.162
ip ddns update method ccp_ddns1
DDNS both
!
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ1603C6QK
!
!
username ******* privilege 15 secret 4 **********************************
!
!
!
!
!
controller VDSL 0
operating mode adsl2+
!
ip tcp synwait-time 10
no ip ftp passive
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group name emule
match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all dmz-to-in-echorequest
match protocol icmp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-dmz-protocols
match protocol http
match protocol https
match protocol sip
match protocol icmp
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-any emule
match protocol http
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map emule
match access-group name emule
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-dmz-traffic
match access-group name dmz-traffic
match class-map ccp-dmz-protocols
!
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-dmz-traffic
pass
class class-default
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class class-default
drop
policy-map type inspect dmz-to-in-policy
class type inspect dmz-to-in-echorequest
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security out-zone
zone security dmz-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security dmz-to-in source dmz-zone destination in-zone
service-policy type inspect dmz-to-in-policy
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 135 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Vlan2
description $FW_DMZ$
ip address 192.168.5.1 255.255.255.0
ip access-group dmz-traffic in
ip access-group 98 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
!
interface Dialer0
description $FW_OUTSIDE$
ip address 81.***.***.** 255.255.255.248
ip access-group 99 in
ip access-group 98 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ***********************
ppp chap password 7 **********************
ppp multilink
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source list NAT-ACL interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Samsung
remark CCP_ACL Category=128
deny ip any host 192.168.1.30
ip access-list extended dmz
remark CCP_ACL Category=128
permit ip any host 192.168.5.5
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any host 192.168.5.6
permit ip any host 192.168.5.7
permit ip any host 192.168.5.8
permit ip any host 192.168.5.9
permit ip any host 192.168.5.10
permit ip any host 192.168.5.11
permit ip any host 192.168.5.12
permit ip any host 192.168.5.13
permit ip any host 192.168.5.14
permit ip any host 192.168.5.15
permit ip any host 192.168.5.16
permit ip any host 192.168.5.17
permit ip any host 192.168.5.18
permit ip any host 192.168.5.19
permit ip any host 192.168.5.20
permit ip any host 192.168.5.21
permit ip any host 192.168.5.22
permit ip any host 192.168.5.23
permit ip any host 192.168.5.24
permit ip any host 192.168.5.25
permit ip any host 192.168.5.5
!
logging trap debugging
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server ifindex persist
tftp-server tftp-server
tftp-server flash:c880data-universalk9-mz.153-1.T.bin
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 81.137.243.16 0.0.0.7 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
!
control-plane
!
!
banner login ^CCThis login is monitored and ip addresses recorded^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
line vty 0 4
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler interval 500
11-14-2013 03:40 AM
Hello Chris,
The ACL dmz-traffic is applied inbound to interface Vlan2, but traffic received from hosts on that interface has a source of type 192.168.5.x, not a destination!
So you need to review your ACLs applied to the DMZ interface Vlan2.
Also, the NAT statements appear to be redundant, with the third statement invoking a named ACL that I don't see in your configuration template.
>>ip nat inside source list 2 interface Dialer0 overload
>>ip nat inside source list 3 interface Dialer0 overload
>>ip nat inside source list NAT-ACL interface Dialer0 overload
I would expect only the last line, with NAT-ACL able to cover the internal and DMZ IP subnets in different lines.
Hope to help
Giuseppe
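The two problems Giuseppe points out (an inbound ACL whose entries name the interface's own subnet as the destination, and a NAT statement whose source list is never defined) can be caught by a small config lint. The script below is an added example, not code from this thread or from Cisco; it parses a constructed excerpt of the posted configuration and reports both findings.

```python
import ipaddress

# Constructed excerpt mirroring the posted configuration (not the full dump).
SAMPLE_CONFIG = """\
interface Vlan2
 ip address 192.168.5.1 255.255.255.0
 ip access-group dmz-traffic in
!
ip access-list extended dmz-traffic
 permit ip any host 192.168.5.6
 permit ip any host 192.168.5.5
!
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list NAT-ACL interface Dialer0 overload
access-list 2 permit 192.168.1.0 0.0.0.255
"""

def lint(config):
    """Return findings for misdirected inbound ACLs and undefined NAT source lists."""
    ifaces, acls, nat_lists, block, name = {}, {}, [], None, None
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            block = None                      # "!" closes an interface/ACL block
        elif t[0] == "interface":
            block, name = "if", t[1]
            ifaces[name] = {"net": None, "in": None}
        elif t[:3] == ["ip", "access-list", "extended"]:
            block, name = "acl", t[3]
            acls[name] = []
        elif t[0] == "access-list":           # numbered ACL: key by number, drop it from the ACE
            acls.setdefault(t[1], []).append(t[2:])
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_lists.append(t[5])
        elif block == "if" and t[:2] == ["ip", "address"]:
            ifaces[name]["net"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif block == "if" and t[:2] == ["ip", "access-group"] and t[3:] == ["in"]:
            ifaces[name]["in"] = t[2]
        elif block == "acl" and t[0] in ("permit", "deny"):
            acls[name].append(t)
    findings = []
    for ifname, i in ifaces.items():
        for ace in acls.get(i["in"], []):
            # extended ACE layout: permit <proto> <src> <dst>; "any host X" makes X the destination
            if i["net"] and len(ace) > 4 and ace[2] == "any" and ace[3] == "host" \
                    and ipaddress.ip_address(ace[4]) in i["net"]:
                findings.append(f"{ifname}: inbound ACL {i['in']} matches {ace[4]} as destination, but inbound packets carry it as source")
    for lst in nat_lists:
        if lst not in acls:
            findings.append(f"NAT source list {lst} is referenced but never defined")
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports both DMZ host entries on Vlan2 and the missing NAT-ACL; pointing it at a full `show running-config` dump works the same way, since unrecognised lines are ignored.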
11-16-2013 05:32 AM
Thanks for taking the time to look at this. Hopefully I can now get this working.
Regards
Chris