887va Vlan1 can access internet but Vlan2 can not ping or access internet

carbonfibre
Level 1

I’m hoping that someone can help me out.

I managed to set up the internet connection, Vlan1 and Vlan2, but can't seem to allow Vlan2 access to the internet.

I was also hoping to have a DMZ on Vlan2, but I'm not sure I've got there yet either.

Regards

Chris

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console critical
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 0 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-2835623675
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2835623675
 revocation-check none
 rsakeypair TP-self-signed-2835623675
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-2835623675
 certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
no ip source-route
!
!
!
!
ip port-map user-protocol--1 port tcp 59225
!
ip dhcp excluded-address 192.168.1.1 192.168.1.239
ip dhcp excluded-address 192.168.1.246 192.168.1.254
!
ip dhcp pool wireless
 import all
 network 192.168.1.0 255.255.255.0
 domain-name cisco
 dns-server 194.72.9.34 194.72.9.38
 default-router 192.168.1.1
 lease infinite
!
!
!
no ip bootp server
ip domain name cisco
ip name-server 194.72.9.34
ip name-server 194.72.9.38
ip name-server 62.6.40.178
ip name-server 62.6.40.162
ip ddns update method ccp_ddns1
 DDNS both
!
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ1603C6QK
!
!
username ******* privilege 15 secret 4 **********************************
!
!
!
!
!
controller VDSL 0
 operating mode adsl2+
!
ip tcp synwait-time 10
no ip ftp passive
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group name emule
 match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all dmz-to-in-echorequest
 match protocol icmp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-dmz-protocols
 match protocol http
 match protocol https
 match protocol sip
 match protocol icmp
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-any emule
 match protocol http
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-cls-ccp-permit-1
 match class-map emule
 match access-group name emule
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols
!
policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-dmz-traffic
  pass
 class class-default
  drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
policy-map type inspect dmz-to-in-policy
 class type inspect dmz-to-in-echorequest
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security in-zone
zone security out-zone
zone security dmz-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security dmz-to-in source dmz-zone destination in-zone
 service-policy type inspect dmz-to-in-policy
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
!
!
!
!
!
!
!
interface Ethernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 135 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface Vlan2
 description $FW_DMZ$
 ip address 192.168.5.1 255.255.255.0
 ip access-group dmz-traffic in
 ip access-group 98 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security dmz-zone
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 81.***.***.** 255.255.255.248
 ip access-group 99 in
 ip access-group 98 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname ***********************
 ppp chap password 7 **********************
 ppp multilink
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source list NAT-ACL interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Samsung
 remark CCP_ACL Category=128
 deny ip any host 192.168.1.30
ip access-list extended dmz
 remark CCP_ACL Category=128
 permit ip any host 192.168.5.5
ip access-list extended dmz-traffic
 remark CCP_ACL Category=1
 permit ip any host 192.168.5.6
 permit ip any host 192.168.5.7
 permit ip any host 192.168.5.8
 permit ip any host 192.168.5.9
 permit ip any host 192.168.5.10
 permit ip any host 192.168.5.11
 permit ip any host 192.168.5.12
 permit ip any host 192.168.5.13
 permit ip any host 192.168.5.14
 permit ip any host 192.168.5.15
 permit ip any host 192.168.5.16
 permit ip any host 192.168.5.17
 permit ip any host 192.168.5.18
 permit ip any host 192.168.5.19
 permit ip any host 192.168.5.20
 permit ip any host 192.168.5.21
 permit ip any host 192.168.5.22
 permit ip any host 192.168.5.23
 permit ip any host 192.168.5.24
 permit ip any host 192.168.5.25
 permit ip any host 192.168.5.5
!
logging trap debugging
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server ifindex persist
tftp-server tftp-server
tftp-server flash:c880data-universalk9-mz.153-1.T.bin
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 81.137.243.16 0.0.0.7 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
!
control-plane
!
!
banner login ^CCThis login is monitored and ip addresses recorded^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
 transport output telnet ssh
!
scheduler interval 500


Giuseppe Larosa
Hall of Fame

Hello Chris,

the ACL dmz-traffic is applied inbound to interface Vlan2, but traffic received from hosts on that interface has a source of type 192.168.5.x, not a destination!

So you need to review your ACLs applied to the DMZ interface Vlan2.

Also, the NAT statements appear to be redundant, with the third statement invoking a named ACL that I don't see in your configuration template.

>>ip nat inside source list 2 interface Dialer0 overload

>>ip nat inside source list 3 interface Dialer0 overload

>>ip nat inside source list NAT-ACL interface Dialer0 overload

I would expect only the last line, with NAT-ACL able to cover the internal and DMZ IP subnets in different lines.

Hope to help

Giuseppe
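Added example (not part of the thread, and not Cisco or the poster's own tooling): a small Python check that reproduces the two observations in Giuseppe's reply against a constructed excerpt modelled on the posted configuration. It evaluates the inbound ACL on Vlan2 the way IOS does (first match, implicit deny at the end) for a packet sourced from the DMZ subnet and bound for the internet, so the direction mistake shows up as a finding rather than as a silent drop, and it reports NAT source lists that reference an ACL the config never defines or that pile up on one outside interface. Assumptions: a reduced IOS grammar (only ip/tcp/udp/icmp extended entries, port matches ignored, contiguous wildcards), and 203.0.113.10 (TEST-NET-3) as a stand-in internet address.

```python
"""Check an IOS config for inbound ACLs that cannot match locally sourced traffic
and for NAT source lists that are undefined or redundant (constructed example)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed excerpt modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """\
interface Vlan2
 ip address 192.168.5.1 255.255.255.0
 ip access-group dmz-traffic in
!
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source list NAT-ACL interface Dialer0 overload
!
ip access-list extended dmz-traffic
 permit ip any host 192.168.5.6
 permit ip any host 192.168.5.5
!
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.5.0 0.0.0.255
"""

def _parse_spec(tok, i):
    """Return (network, next index) for the IOS address spec starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "address wildcard": the wildcard is an inverted (contiguous) netmask, default 0.0.0.0
    has_mask = i + 1 < len(tok) and tok[i + 1][0].isdigit()
    prefix = 32 - bin(int(ipaddress.ip_address(tok[i + 1] if has_mask else "0.0.0.0"))).count("1")
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 1 + int(has_mask)

def _parse_entry(tok):
    """tok starts at permit/deny; returns (action, src_net, dst_net). Port matches are ignored."""
    if tok[1] in {"ip", "tcp", "udp", "icmp"}:   # extended: action proto src dst [ports]
        src, i = _parse_spec(tok, 2)
        dst, _ = _parse_spec(tok, i)
    else:                                        # standard: action src; destination implicitly any
        src, _ = _parse_spec(tok, 1)
        dst = ANY
    return tok[0], src, dst

def parse_config(text):
    """Collect interfaces, ACLs and NAT source lists; leading whitespace marks sub-commands."""
    cfg = {"interfaces": {}, "acls": {}, "nat": []}
    kind = name = None
    for raw in filter(str.strip, text.splitlines()):
        tok = raw.split()
        if not raw[0].isspace():                 # a top-level command ends any block
            kind = name = None
            if tok[0] == "interface":
                kind, name = "interface", tok[1]
                cfg["interfaces"][name] = {"address": None, "network": None, "acl_in": None}
            elif tok[:2] == ["ip", "access-list"]:
                kind, name = "acl", tok[3]
                cfg["acls"].setdefault(name, [])
            elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
                cfg["acls"].setdefault(tok[1], []).append(_parse_entry(tok[2:]))
            elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
                cfg["nat"].append((tok[5], tok[7]))   # (ACL name, outside interface)
        elif kind == "interface" and tok[:2] == ["ip", "address"]:
            cfg["interfaces"][name].update(address=ipaddress.ip_address(tok[2]),
                network=ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False))
        elif kind == "interface" and tok[:2] == ["ip", "access-group"] and tok[3] == "in":
            cfg["interfaces"][name]["acl_in"] = tok[2]
        elif kind == "acl" and tok[0] in ("permit", "deny"):
            cfg["acls"][name].append(_parse_entry(tok))
    return cfg

def acl_permits(entries, src, dst):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in entries:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False

def audit(cfg, internet_host="203.0.113.10"):
    """Return findings as strings; internet_host is a constructed TEST-NET-3 address."""
    findings = []
    for name, intf in cfg["interfaces"].items():
        acl, net = intf["acl_in"], intf["network"]
        if acl is None or net is None or acl not in cfg["acls"]:
            continue
        # Representative packet: a host on this subnet (not the router) talking to the internet
        src = next(h for h in net.hosts() if h != intf["address"])
        if not acl_permits(cfg["acls"][acl], str(src), internet_host):
            findings.append(f"{name}: inbound ACL {acl} does not permit traffic "
                            f"from {src} to {internet_host}")
    for acl, iface in cfg["nat"]:
        if acl not in cfg["acls"]:
            findings.append(f"NAT rule on {iface} references ACL {acl}, which is not defined")
    if len(cfg["nat"]) > 1:
        rules = ", ".join(f"list {acl} on {iface}" for acl, iface in cfg["nat"])
        findings.append(f"{len(cfg['nat'])} overload NAT rules ({rules}); one source list "
                        "covering every inside subnet is enough")
    return findings
```

Running audit(parse_config(SAMPLE_CONFIG)) yields three findings: the dmz-traffic ACL drops 192.168.5.2 going out, NAT-ACL is undefined, and three overload rules sit on Dialer0. The same acl_permits call with source and destination swapped returns True, which is the direction the ACL was actually written for.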

Thanks for taking the time to look at this. Hopefully I can now get this working.

Regards

Chris