access internet with 2960X

bdeandrade
Level 1

Hello,

I created a network with 3 VLANs and a DHCP server, but I can't access the Internet except from the native VLAN.

I use a 2960X which is connected to a Checkpoint appliance. I configured the Checkpoint with an IP that is part of the native VLAN, and on the outside it takes its IP automatically from the Internet provider's device. No rules are configured on the Checkpoint.

Here is my configuration on the 2960X:

PAR-BDA#sh run
Building configuration...

Current configuration : 4715 bytes
!
! Last configuration change at 16:58:57 UTC Wed Sep 13 2017
! NVRAM config last updated at 08:54:30 UTC Wed Sep 13 2017
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PAR-BDA
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$aClI$HjQ70Xk0el9MAgy77wR/X/
enable password mega
!
no aaa new-model
switch 1 provision ws-c2960x-48ts-l
ip routing
!
!
!
!
crypto pki trustpoint TP-self-signed-2381121792
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2381121792
 revocation-check none
 rsakeypair TP-self-signed-2381121792
!
!
crypto pki certificate chain TP-self-signed-2381121792
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32333831 31323137 3932301E 170D3137 30393131 30393132
  30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33383131
  32313739 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E48E 752DCF27 D407D071 C6809526 C11651B4 C0BF48CA 6665EF1C BAE6260D
  2170D282 A0F8E410 EECE668A C07F364F B96C707F F5E0A24E 33BE22D5 432EF8FC
  A179E150 ED9390FB 25FDCEA5 C00E53FA B31CC487 3BCF4B6E 66083B31 55EE1956
  7024375B F1027BC9 3F5F0991 7296FB4D 0487D30C 880C843A 64B726DB 2ABDDC69
  5E6F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14F73D01 7D17A854 A8DFEDB6 91BA7B19 67030DE3 A0301D06
  03551D0E 04160414 F73D017D 17A854A8 DFEDB691 BA7B1967 030DE3A0 300D0609
  2A864886 F70D0101 05050003 81810080 E95D012C 0794E692 CDFA71C7 715EBFBD
  33657925 0C6B734C 28ACCB81 3A20E807 23E5882C C49C6DAC B1529D00 88C9A9FA
  FF2ABF97 C73ABBF9 5068CC25 EC923807 B83CADB9 1004363A 89B43B23 D12C9C61
  7CB15B87 1B3AC810 0A858497 6D769FBD F3F75C0C CE6F7AAF 6A023353 379EC6CC
  DFDCEB51 3C1FD6FC 9360E8C9 01C4E2
        quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache
 shutdown
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
 switchport mode access
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
 switchport mode access
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan2
 description VLAN_MCS
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.10.5
!
interface Vlan3
 description VLAN_USERS
 ip address 192.168.30.254 255.255.255.0
 ip helper-address 192.168.10.5
!
interface Vlan11
 no ip address
!
ip default-gateway 192.168.10.254
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
!
!
line con 0
line vty 0 4
 password mega
 login
line vty 5 15
 password mega
 login
!
end

I would like to know if my problem of not being able to access the Internet from the VLANs comes from my configuration or from the Checkpoint.

DHCP Server: 192.168.10.5 (port 1/0/1)

Checkpoint: 192.168.10.1 (port 1/0/11)

Thanks for your help, and if you need more explanation let me know.


10 Replies

Seb Rupik
VIP Alumni

Hi there,

Can devices connected to VLANs 2 and 3 reach the DHCP server at 192.168.10.5? If devices are receiving leases, or devices with static addresses can ping the DHCP server, then your routing on the switch is fine.

I suspect the problem lies with the Checkpoint FW, in particular IP spoofing. On the Checkpoint you need to define all of the subnets which are 'inside'. Currently I imagine it only knows about the VLAN1 subnet; traffic arriving on its interface (192.168.10.1) from VLANs 2 and 3 will be assumed to be spoofed and should be dropped. It should appear in its logs.

cheers,

Seb.

Hi,

Yes, in the Checkpoint log, when I use a laptop that is in VLAN 3 (laptop IP 192.168.30.1), I get the description Address Spoofing.

So do I need to configure the subnets on the Checkpoint, or configure the NAT?

Thanks.

You'll need to do both. My Checkpoint-fu is a bit rusty, but you will need to define a network object for the inside subnets, and specify which interface these subnets reside behind. That will resolve your IP spoofing issue.

You can then use the same network object in your NAT rules.

cheers,

Seb.

Hi

Assuming the IP addressing with the specific default gateway is configured on the computers, you have to verify if the Checkpoint has:

- Static routes so it knows the networks 192.168.20.0/24 and 192.168.30.0/24

  example: On Checkpoint static route 192.168.20.0 255.255.255.0 192.168.10.254

- Whether these 192.168.x.0/24 networks are included in the NAT statement on the Checkpoint

- Whether there are ACLs to allow navigation on ports 80, 443 and/or ICMP and DNS (tcp/udp if you are using public DNS)

The Cisco 2960X has limited routing; if I'm not wrong it supports static routing only, so have you enabled the ip routing command globally?

conf t
ip routing

Also, it could be removed if you are going to use routing mode: no ip default-gateway 192.168.10.254

Another way is to create a router-on-a-stick scheme, but I'm not really sure how Checkpoint works.

Hope it is useful

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Thanks for your answers.

So, to summarize, my problem doesn't come from my Cisco configuration but from the Checkpoint. Right?

Thanks.

Hi

The problem could point to the Checkpoint, but also the switchport connected to the Checkpoint is configured as a trunk when it should be configured in access mode, because you are not passing VLANs over it unless you have a router-on-a-stick scheme (which is not the case). It should look like a point-to-point link, so the config should be:

int g1/0/1
 description TO-CHECKPOINT
 no switchport mode trunk
 switchport mode access
 no shutdown


OK thanks.

I changed the port to access mode but unfortunately the problem is still the same: no Internet (laptop IP 192.168.30.1).

Ok, the next step is to verify on the Checkpoint:

- Static routes pointing to the switch, so it knows how to reach the computer networks

- Verify whether the computer networks are included in the NAT statement

- Verify the ACLs to allow access to the Internet.

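The three checks above, together with Seb's anti-spoofing diagnosis earlier in the thread, amount to one question: does the firewall's picture of "inside" match the subnets the switch actually routes? The script below is an added example for this thread, not code from the post, from Cisco or from Check Point. It parses an excerpt of the running-config posted in the question and compares the SVI subnets against a constructed FirewallView (the anti-spoofing topology, static routes and hide-NAT sources the answers say to verify); FirewallView is an abstraction written for this example, not a Check Point API, and the "before" and "after" views are constructed from the thread's description rather than read from a real appliance.

```python
"""
Check a layer-3 switch's SVIs against the upstream firewall's view of 'inside'.

Added example, not code from the thread or from Cisco/Check Point. FirewallView
is a constructed abstraction of the three things the accepted answer says to
verify on the Checkpoint (anti-spoofing topology, return routes, NAT coverage).
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Excerpt of the running-config posted in the question, trimmed to the lines
# this check reads.
SWITCH_CONFIG = """\
ip routing
!
interface Vlan1
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan2
 description VLAN_MCS
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.10.5
!
interface Vlan3
 description VLAN_USERS
 ip address 192.168.30.254 255.255.255.0
 ip helper-address 192.168.10.5
!
interface Vlan11
 no ip address
!
ip default-gateway 192.168.10.254
ip route 0.0.0.0 0.0.0.0 192.168.10.1
"""


def parse_switch(config):
    """Extract 'ip routing', the SVI addresses and the default-route next hop."""
    svis, ip_routing, next_hop, current = {}, False, None, None
    for line in config.splitlines():
        if line.strip() == "ip routing":
            ip_routing = True
        elif line.startswith("interface "):
            m = re.match(r"interface (Vlan\d+)$", line)
            current = m.group(1) if m else None  # physical ports carry no IP here
        elif current and re.match(r" ip address ", line):
            addr, mask = line.split()[2:4]
            svis[current] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
            next_hop = ipaddress.IPv4Address(line.split()[4])
    return ip_routing, svis, next_hop


@dataclass
class FirewallView:
    """Constructed model of what the firewall knows about its inside interface."""
    inside_if: ipaddress.IPv4Interface
    topology: set = field(default_factory=set)         # nets accepted behind inside_if (anti-spoofing)
    static_routes: dict = field(default_factory=dict)  # IPv4Network -> next-hop IPv4Address
    nat_sources: set = field(default_factory=set)      # nets matched by the hide-NAT rule


def audit(config, fw):
    """Return findings explaining why a VLAN behind the switch cannot reach the Internet."""
    ip_routing, svis, next_hop = parse_switch(config)
    findings = []
    if not ip_routing:
        findings.append("switch: 'ip routing' is off, so the SVIs do not route between VLANs")
    if next_hop is None or not any(next_hop in s.network for s in svis.values()):
        findings.append(f"switch: default-route next hop {next_hop} is not on a connected SVI subnet")
    # The switch address the firewall must use as next hop for the other VLANs.
    switch_hop = next((s.ip for s in svis.values() if s.network == fw.inside_if.network), None)
    if switch_hop is None:
        findings.append(f"switch: no SVI on the firewall's inside subnet {fw.inside_if.network}")
    for name, svi in sorted(svis.items()):
        net = svi.network
        if net == fw.inside_if.network:
            continue  # directly connected; the question says this VLAN already works
        if net not in fw.topology:
            findings.append(f"{name} {net}: not in the inside topology; logged as Address Spoofing and dropped")
        if fw.static_routes.get(net) != switch_hop:
            findings.append(f"{name} {net}: firewall needs a static route via {switch_hop}")
        if not any(net.subnet_of(n) for n in fw.nat_sources):
            findings.append(f"{name} {net}: not covered by the hide-NAT rule, so replies cannot return")
    return findings


def before_view():
    """Firewall as described in the question: only the native VLAN is known (constructed)."""
    lan = ipaddress.IPv4Network("192.168.10.0/24")
    return FirewallView(ipaddress.IPv4Interface("192.168.10.1/24"), {lan}, {}, {lan})


def after_view():
    """Same firewall after the accepted answer's three changes (constructed)."""
    fw = before_view()
    for net in ("192.168.20.0/24", "192.168.30.0/24"):
        n = ipaddress.IPv4Network(net)
        fw.topology.add(n)
        fw.static_routes[n] = ipaddress.IPv4Address("192.168.10.254")
        fw.nat_sources.add(n)
    return fw


if __name__ == "__main__":
    for label, view in (("before", before_view()), ("after", after_view())):
        print(f"--- {label} ---")
        for finding in audit(SWITCH_CONFIG, view) or ["no findings"]:
            print(finding)
```

Run as-is, the "before" view reports three findings each for Vlan2 and Vlan3 (topology, return route, NAT) and nothing for Vlan1, which matches the symptom in the thread: the native VLAN works while the other two are logged as Address Spoofing. The "after" view reports nothing. The anti-spoofing check is the one worth keeping in a change checklist: a new SVI on the switch silently breaks the moment the firewall's topology is not updated alongside it.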

Many thanks for your help.

Now it's working.

Perfect! It was a pleasure.

Have a great day

:-)
