09-14-2017 01:30 AM - edited 03-08-2019 12:01 PM
Hello,
I created a network with 3 VLANs and a DHCP server, but I can't access the Internet except from the native VLAN.
I use a 2960X switch which is connected to a Checkpoint appliance. I configured the Checkpoint with an IP that is part of the native VLAN, and on the outside it takes its IP automatically from the Internet provider's device. No rules are configured on the Checkpoint.
Here is my configuration on the 2960X:
PAR-BDA#sh run
Building configuration...

Current configuration : 4715 bytes
!
! Last configuration change at 16:58:57 UTC Wed Sep 13 2017
! NVRAM config last updated at 08:54:30 UTC Wed Sep 13 2017
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PAR-BDA
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$aClI$HjQ70Xk0el9MAgy77wR/X/
enable password mega
!
no aaa new-model
switch 1 provision ws-c2960x-48ts-l
ip routing
!
crypto pki trustpoint TP-self-signed-2381121792
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2381121792
 revocation-check none
 rsakeypair TP-self-signed-2381121792
!
crypto pki certificate chain TP-self-signed-2381121792
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32333831 31323137 3932301E 170D3137 30393131 30393132
  30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33383131
  32313739 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E48E 752DCF27 D407D071 C6809526 C11651B4 C0BF48CA 6665EF1C BAE6260D
  2170D282 A0F8E410 EECE668A C07F364F B96C707F F5E0A24E 33BE22D5 432EF8FC
  A179E150 ED9390FB 25FDCEA5 C00E53FA B31CC487 3BCF4B6E 66083B31 55EE1956
  7024375B F1027BC9 3F5F0991 7296FB4D 0487D30C 880C843A 64B726DB 2ABDDC69
  5E6F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14F73D01 7D17A854 A8DFEDB6 91BA7B19 67030DE3 A0301D06
  03551D0E 04160414 F73D017D 17A854A8 DFEDB691 BA7B1967 030DE3A0 300D0609
  2A864886 F70D0101 05050003 81810080 E95D012C 0794E692 CDFA71C7 715EBFBD
  33657925 0C6B734C 28ACCB81 3A20E807 23E5882C C49C6DAC B1529D00 88C9A9FA
  FF2ABF97 C73ABBF9 5068CC25 EC923807 B83CADB9 1004363A 89B43B23 D12C9C61
  7CB15B87 1B3AC810 0A858497 6D769FBD F3F75C0C CE6F7AAF 6A023353 379EC6CC
  DFDCEB51 3C1FD6FC 9360E8C9 01C4E2
  quit
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 no ip route-cache
 shutdown
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
 switchport mode access
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
 switchport mode access
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan2
 description VLAN_MCS
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.10.5
!
interface Vlan3
 description VLAN_USERS
 ip address 192.168.30.254 255.255.255.0
 ip helper-address 192.168.10.5
!
interface Vlan11
 no ip address
!
ip default-gateway 192.168.10.254
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
line con 0
line vty 0 4
 password mega
 login
line vty 5 15
 password mega
 login
!
end
I would like to know whether my problem (no Internet access from the VLANs) comes from my configuration or from the Checkpoint.
DHCP Server: 192.168.10.5 (port 1/0/1)
Checkpoint: 192.168.10.1 (port 1/0/11)
Thanks for your help and if you need more explanation let me know.
09-14-2017 01:46 AM
Hi there,
Can devices connected to VLANs 2 and 3 reach the DHCP server at 192.168.10.5? If devices are receiving leases, or devices with static addresses can ping the DHCP server, then your routing on the switch is fine.
I suspect the problem lies with the Checkpoint FW, in particular IP spoofing. On the Checkpoint you need to define all of the subnets which are 'inside'. Currently I imagine it only knows about the VLAN1 subnet; traffic arriving on its interface (192.168.10.1) from VLANs 2 and 3 will be assumed to be spoofed and should be dropped. It should appear in its logs.
cheers,
Seb.
09-14-2017 01:49 AM
Hi,
Yes, in the Checkpoint log, when I use a laptop which is in VLAN 3 (laptop IP 192.168.30.1), I have "Address Spoofing" in the description.
So do I need to configure the subnets on the Checkpoint, or configure the NAT?
Thanks.
09-14-2017 02:04 AM
You'll need to do both. My Checkpoint-fu is a bit rusty, but you will need to define a network object of the inside subnets, and specify which interface these subnets reside behind. That will resolve your IP spoofing issue.
You can then use the same network object in your NAT rules.
cheers,
Seb.
09-14-2017 05:28 AM - edited 09-14-2017 05:30 AM
Hi
Assuming the IP addressing with the specific default gateway is configured on the computers, you have to verify whether the Checkpoint has:
- Static routes to know the networks 192.168.20.0/24 and 192.168.30.0/24
Example: on the Checkpoint, static route 192.168.20.0 255.255.255.0 192.168.10.254
- Whether these 192.168.x.0/24 networks are included in the NAT statement on the Checkpoint
- Whether there are ACLs to allow navigation on ports 80, 443 and/or ICMP and DNS (TCP/UDP if you are using public DNS)
The Cisco 2960X has limited routing; if I'm not wrong it supports static routing only. So have you enabled it globally with the ip routing command?
conf t
ip routing
Also, it could be removed if you are going to use routing mode: no ip default-gateway 192.168.10.254
Another way is to create a router-on-a-stick scheme, but I'm not really sure how the Checkpoint works.
Hope it is useful
:-)
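The checks discussed in the two replies above (the firewall's anti-spoofing topology, a return route for 192.168.20.0/24 and 192.168.30.0/24 via the switch SVI, the NAT object, and the rulebase) as a small added model, not part of this thread and not Check Point's or Cisco's code. It walks a client's outbound flow through a simplified firewall and reports which check fails. The subnets, the switch SVI 192.168.10.254 and the firewall inside address come from the thread; the interface name eth1, the ISP gateway 198.51.100.1 and the Internet destination 203.0.113.10 are constructed placeholders, and the drop messages are the model's own wording, not Check Point log text.

```python
# Added illustration (not Check Point or Cisco code): a model of the three checks
# the thread says to verify on the firewall for a client in VLAN 2 or VLAN 3.
# Thread values: 192.168.10.0/24 (VLAN 1, firewall inside 192.168.10.1),
# 192.168.20.0/24, 192.168.30.0/24, switch SVI 192.168.10.254.
# Constructed placeholders: "eth1", ISP gateway 198.51.100.1, destination 203.0.113.10.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

SWITCH_SVI = "192.168.10.254"
INSIDE_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]
# Services the second reply lists for Internet access: web, DNS, ICMP (port 0 stands for "no port").
WEB_AND_DNS = [("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53), ("icmp", 0)]


class FirewallModel:
    def __init__(self, topology: Dict[str, List[str]], connected: List[str],
                 static_routes: List[Tuple[str, str]], default_gateway: str,
                 nat_sources: List[str], allowed_services: List[Tuple[str, int]]) -> None:
        # topology: interface -> subnets that are legitimate sources behind it (anti-spoofing)
        self.topology = {i: [ip_network(n) for n in nets] for i, nets in topology.items()}
        self.connected = [ip_network(n) for n in connected]          # directly attached subnets
        self.static_routes = [(ip_network(p), ip_address(nh)) for p, nh in static_routes]
        self.default_gateway = ip_address(default_gateway)
        self.nat_sources = [ip_network(n) for n in nat_sources]      # hide-NAT object
        self.allowed_services = set(allowed_services)                # outbound rulebase

    def is_legitimate_source(self, ingress: str, src: str) -> bool:
        """Anti-spoofing: is src inside one of the subnets defined behind `ingress`?"""
        s = ip_address(src)
        return any(s in net for net in self.topology.get(ingress, []))

    def next_hop(self, dst: str) -> str:
        """Connected first, then longest-prefix match on static routes, then the default gateway."""
        d = ip_address(dst)
        if any(d in net for net in self.connected):
            return "connected"
        best: Optional[Tuple] = None
        for prefix, nh in self.static_routes:
            if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return str(best[1] if best else self.default_gateway)

    def is_natted(self, src: str) -> bool:
        return any(ip_address(src) in net for net in self.nat_sources)


def diagnose(fw: FirewallModel, client_ip: str, proto: str = "tcp", port: int = 443,
             ingress: str = "eth1") -> Dict[str, str]:
    """Evaluate one client's Internet-bound flow and the path its replies would take back."""
    report: Dict[str, str] = {}
    if not fw.is_legitimate_source(ingress, client_ip):
        # The situation the original poster saw: only VLAN 1 is known behind the inside interface.
        report["forward"] = f"dropped: address spoofing on {ingress}"
    elif (proto, port) not in fw.allowed_services:
        report["forward"] = f"dropped: {proto}/{port} not permitted by rulebase"
    elif not fw.is_natted(client_ip):
        report["forward"] = "not hidden behind NAT: private source address is not routable on the Internet"
    else:
        report["forward"] = "ok"
    # Replies (and any traffic the firewall itself sends) need a route back to the client's subnet.
    nh = fw.next_hop(client_ip)
    report["return_next_hop"] = nh
    report["return_path"] = ("ok" if nh in ("connected", SWITCH_SVI)
                             else "wrong: reply would leave via the ISP default route")
    return report


# Firewall as described at the start of the thread: it only knows the VLAN 1 subnet.
FW_BEFORE = FirewallModel(
    topology={"eth1": ["192.168.10.0/24"]},
    connected=["192.168.10.0/24"],
    static_routes=[],
    default_gateway="198.51.100.1",
    nat_sources=["192.168.10.0/24"],
    allowed_services=WEB_AND_DNS,
)

# Firewall after applying the replies: all inside subnets behind eth1, routes via the SVI, NAT for all.
FW_AFTER = FirewallModel(
    topology={"eth1": INSIDE_SUBNETS},
    connected=["192.168.10.0/24"],
    static_routes=[("192.168.20.0/24", SWITCH_SVI), ("192.168.30.0/24", SWITCH_SVI)],
    default_gateway="198.51.100.1",
    nat_sources=INSIDE_SUBNETS,
    allowed_services=WEB_AND_DNS,
)

if __name__ == "__main__":
    for label, fw in (("before", FW_BEFORE), ("after", FW_AFTER)):
        print(label, "VLAN3 laptop 192.168.30.1:", diagnose(fw, "192.168.30.1"))
```

Running it shows the VLAN 3 laptop dropped as spoofed with replies pointed at the ISP in the "before" model, and passing with a return path via 192.168.10.254 in the "after" model; the three checks are evaluated in the order a real firewall hits them, which is why fixing the topology alone still leaves the NAT and route items on the list.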
09-14-2017 05:41 AM
thanks for your answers.
So if I summarize, my problem doesn't come from my Cisco configuration but from the Checkpoint. Right?
Thanks.
09-14-2017 06:03 AM - edited 09-14-2017 06:05 AM
Hi
The problem could be pointing to the Checkpoint, but also the switchport connected to the Checkpoint is configured as a trunk, whereas it should be configured in access mode, because you are not passing VLANs over it unless you have a router-on-a-stick scheme (which is not the case). It should look like a point-to-point link, so the config should be:
int g1/0/1
description TO-CHECKPOINT
no switchport mode trunk
switchport mode access
no shutdown
09-14-2017 06:15 AM
OK thanks.
I changed the port to access mode, but unfortunately the problem is still the same: no Internet (laptop IP 192.168.30.1).
09-14-2017 06:31 AM
Ok, the next step is to verify on the Checkpoint:
- Static routes pointing to the switch in order to know how to reach the computer networks
- Verify if the computer networks are included on the NAT statement
- Verify the ACLs to allow access to Internet.
09-14-2017 07:12 AM
Many thanks for your help.
Now it's working.
09-14-2017 07:44 AM
Perfect! It was a pleasure.
Have a great day
:-)