Potential routing/ACL problem between subnets

m.junghage
Level 1

Hi,

We have a potential routing or ACL problem between two subnets that are routed on the same router. As far as I can see, traffic flows fine; there is no problem using RDP, HTTP, SSH, Telnet and UDP streams between the networks. The PBX engineers are complaining that their client applications, which reside on Network A, can't communicate correctly with the SQL server on Network B (10.0.0.25). When I use Wireshark to capture the traffic on both the server and the client side I can see two-way communication between them, but after a few packets the client application crashes and there is almost no traffic passed between them.

When we put the client on the same network as the server (Network B) everything works fine and a lot more traffic is shown in Wireshark. I'm not 100% comfortable with old Cisco routers, so I can't say definitively that the configuration is OK. Could someone be so kind as to shed some light on this? The configuration is pasted below.

Networks used:

Network A = Default data vlan 192.168.100.0/24

Default gw: 192.168.100.254 (Cisco 2600 router)

Network B = Voice vlan 10.0.0.0/24

Default gw: 10.0.0.250 (Cisco 2600 router)

Configuration:

!
! Last configuration change at 10:15:15 cet Wed Jun 22 2011 by Admin
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname devicename-1
!
boot-start-marker
boot-end-marker
!
logging buffered 265000 notifications
no logging console
logging monitor informational
enable secret 5 XXXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXXX
!
clock timezone cet 1
clock summer-time cet recurring last Sun Mar 2:00 last Sun Oct 3:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login no_tacacs enable
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip name-server XXX.XXX.XX.194
ip name-server XXX.XXX.XX.195
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name INTERNET tcp
ip inspect name INTERNET udp
ip inspect name INTERNET cuseeme
ip inspect name INTERNET ftp
ip inspect name INTERNET h323
ip inspect name INTERNET rcmd
ip inspect name INTERNET realaudio
ip inspect name INTERNET rpc program-number 1
ip inspect name INTERNET streamworks
ip inspect name INTERNET vdolive
ip inspect name INTERNET http
ip audit po max-events 100
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
username XXXXX privilege 15 password 7 XXXXXXXXXXXXXX
!
!
controller E1 0/0
!
controller E1 0/1
!
ip ssh port XXXXX rotary 1 3
!
!
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 no ip address
 speed 10
 full-duplex
!
interface FastEthernet0/0.100
 encapsulation dot1Q 599
 ip address XX.XXX.243.206 255.255.255.252
 ip nat outside
 no cdp enable
!
interface FastEthernet0/0.101
 encapsulation dot1Q 1484
 ip address 10.10.10.6 255.255.255.252
 ip nat inside
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 172.24.1.1 255.255.255.0
!
interface FastEthernet0/1.100
 description **DMZ**
 encapsulation dot1Q 100
 ip address XX.XXX.135.249 255.255.255.248
 ip access-group 2000 out
 ip nat outside
 ip inspect INTERNET in
!
interface FastEthernet0/1.101
 description **internal data vlan**
 encapsulation dot1Q 101
 ip address 192.168.100.254 255.255.255.0
 ip access-group 101 out
 ip nat inside
 ip inspect INTERNET in
!
interface FastEthernet0/1.102
 description **random vlan**
 encapsulation dot1Q 102
 ip address 192.168.102.1 255.255.255.0
 ip access-group 102 out
 ip nat inside
 ip inspect INTERNET in
!
interface FastEthernet0/1.103
!
interface FastEthernet0/1.150
 description VOICE_VLAN
 encapsulation dot1Q 150
 ip address 10.0.0.250 255.255.255.0
 ip access-group 101 out
 ip nat inside
 ip inspect INTERNET in
!
router rip
 version 2
 redistribute connected
 redistribute static
 network 10.0.0.0
 network 192.168.100.0
 neighbor 10.10.10.5
 neighbor 10.10.10.2
 distribute-list 1 out FastEthernet0/0.101
!
ip nat pool internet XX.XXX.135.254 XX.XXX.135.254 netmask 255.255.255.252
ip nat inside source list 100 pool internet overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 XX.XXX.243.205
ip route 192.168.50.0 255.255.255.0 192.168.100.225 permanent name FINNPOWER
!
!
access-list 1 remark Filter Routes
access-list 1 deny   XX.XXX.135.248
access-list 1 deny   XX.0.0.0
access-list 1 deny   XX.XXX.243.204
access-list 1 permit any
access-list 10 remark SNMP Access Control
access-list 10 permit 192.168.150.0 0.0.0.255
access-list 10 permit 172.24.0.0 0.0.0.255
access-list 100 remark Nat Overload Networks
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 permit ip 192.168.102.0 0.0.0.255 any
access-list 100 permit ip 192.168.103.0 0.0.0.255 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark internal data vlan
access-list 101 permit tcp host XX.XXX.110.197 host 192.168.100.20 eq domain
access-list 101 permit udp host XX.XXX.110.197 host 192.168.100.20 eq domain
access-list 101 permit ip 192.168.50.0 0.0.0.255 host 192.168.100.20
access-list 101 permit ip host 192.168.100.20 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 host 192.168.100.24
access-list 101 permit ip host 192.168.100.24 192.168.50.0 0.0.0.255
access-list 101 permit ip 172.24.0.0 0.0.0.255 any
access-list 101 permit ip 172.25.0.0 0.0.0.255 any
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any echo
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp 192.168.50.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 3389
access-list 101 permit tcp 192.168.100.0 0.0.0.255 192.168.50.0 0.0.0.255 eq 3389
access-list 101 permit ip 0.0.0.0 255.255.255.0 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 102 remark **random vlan**
access-list 102 permit ip host 192.168.100.225 192.168.102.0 0.0.0.255
access-list 102 permit ip host 192.168.100.226 192.168.102.0 0.0.0.255
access-list 102 permit ip host 192.168.100.227 192.168.102.0 0.0.0.255
access-list 102 permit ip host 192.168.100.228 192.168.102.0 0.0.0.255
access-list 102 permit ip host 192.168.100.229 192.168.102.0 0.0.0.255
access-list 102 permit ip host 192.168.100.135 192.168.102.0 0.0.0.255
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any echo
access-list 103 remark TelnetAccess
access-list 103 permit ip 172.24.0.0 0.0.0.255 any
access-list 103 permit ip 192.168.100.0 0.0.0.255 any
access-list 103 permit ip 10.0.0.0 0.0.0.255 any
access-list 104 remark TelnetAccess
access-list 104 permit ip 172.24.0.0 0.0.0.255 any
access-list 104 permit ip 192.168.100.0 0.0.0.255 any
access-list 104 permit ip host YY.YY.163.208 any
access-list 110 remark RateLimit SharePool
access-list 110 permit ip 192.168.102.0 0.0.0.255 any
access-list 110 permit ip any 192.168.102.0 0.0.0.255
access-list 110 permit ip any 192.168.103.0 0.0.0.255
access-list 110 permit ip 192.168.103.0 0.0.0.255 any
access-list 120 permit ip any any
access-list 2000 remark **DMZ**
access-list 2000 permit tcp any host XX.XXX.135.252 eq domain
access-list 2000 permit udp any host XX.XXX.135.252 eq domain
access-list 2000 permit tcp any host XX.XXX.135.252 eq 443
access-list 2000 permit tcp any host XX.XXX.135.252 eq www
access-list 2000 permit tcp any host XX.XXX.135.252 eq smtp
access-list 2000 permit tcp any host XX.XXX.135.252 eq pop3
access-list 2000 permit tcp any host XX.XXX.135.252 eq 143
access-list 2000 permit tcp any host XX.XXX.135.252 eq 636
access-list 2000 permit tcp any host XX.XXX.135.252 eq nntp
access-list 2000 permit tcp any host XX.XXX.135.252 eq 1723
access-list 2000 permit udp any host XX.XXX.135.252 eq netbios-ns
access-list 2000 permit udp any host XX.XXX.135.252 eq netbios-dgm
access-list 2000 permit gre any host XX.XXX.135.252
access-list 2000 permit tcp any host XX.XXX.135.250 eq domain
access-list 2000 permit udp any host XX.XXX.135.250 eq domain
access-list 2000 permit tcp any host XX.XXX.135.250 eq 443
access-list 2000 permit tcp any host XX.XXX.135.250 eq www
access-list 2000 permit tcp any host XX.XXX.135.250 eq smtp
access-list 2000 permit tcp any host XX.XXX.135.250 eq pop3
access-list 2000 permit tcp any host XX.XXX.135.250 eq 143
access-list 2000 permit tcp any host XX.XXX.135.250 eq 636
access-list 2000 permit tcp any host XX.XXX.135.250 eq nntp
access-list 2000 permit tcp any host XX.XXX.135.250 eq 1723
access-list 2000 permit udp any host XX.XXX.135.250 eq netbios-ns
access-list 2000 permit udp any host XX.XXX.135.250 eq netbios-dgm
access-list 2000 permit gre any host XX.XXX.135.250
access-list 2000 permit ip any host XX.XXX.135.251
access-list 2000 permit ip 172.24.0.0 0.0.0.255 any
access-list 2000 permit icmp any any time-exceeded
access-list 2000 permit icmp any any unreachable
access-list 2000 permit icmp any any echo-reply
access-list 2000 permit icmp any any echo
access-list 2000 permit gre any any
access-list 2000 permit tcp any any eq 1723
!
snmp-server community XXXXXXX RO 10
snmp-server community XXXXXXX RW 10
snmp-server enable traps tty
!
!
dial-peer cor custom
!
!
!
!
banner login 
---------------------------------------------------------------------------------
All login attempts is recorded!
---------------------------------------------------------------------------------
!
line con 0
line aux 0
line vty 0
 access-class 104 in
 password 7 XXXXXXXXXXXXXXXXXXXXXXXX
line vty 1 3
 access-class 104 in
 password 7 XXXXXXXXXXXXXXXXXXXXXXXX
 rotary 1
 transport input ssh
line vty 4
 access-class 104 in
 password 7 XXXXXXXXXXXXXXXXXXXXXXXX
!
ntp clock-period 17179477
ntp server XX.XXX.XXX.XXX prefer
ntp server XX.XXX.XXX.XXX prefer
!
end

5 Replies

Latchum Naidu
VIP Alumni

Hi

The first mistake is that you used the same access-list under both data and voice vlans.
You need to change your accesslists.

I would suggest you change the VLANs; I mean, use different VLANs, defined as per requirement, and then apply them under the respective VLANs.

To suggest the VLAN configuration I need to know everything that needs to be accessed from the data VLAN (192.168.100.0/24 to 10.0.0.0/24 and vice versa).

HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.

Thank you for your reply Naidu,

Let's see if my answers are sufficient for you.

1. So I should configure two new subinterfaces with VLANs, add all the correct ACLs, and when the configuration is complete change "switchport access vlan 1XX" to direct traffic to the new VLANs?

2.

Network A (192.168.100.0/24) should be able to access all the networks according to the existing ACLs and have full access to Network B (10.0.0.0/24)

Network B (10.0.0.0/24) should be able to use HTTP, HTTPS, ICMP and NTP towards the outside on VLAN 100 and have full access to Network A (192.168.100.0/24)

Regards

Markus

Hi Markus,

1. So I should configure two new subinterfaces with VLANs, add all the correct ACLs, and when the configuration is complete change "switchport access vlan 1XX" to direct traffic to the new VLANs?
No, you do not need to configure any new subinterfaces; the only thing needed is to differentiate the access-lists for each VLAN (data and voice).

2.

Network A (192.168.100.0/24) should be able to access all the networks according to the existing ACLs and have full access to Network B (10.0.0.0/24)

! Numbered ACLs append in IOS, so clear the old list 101 before redefining it.
! An applied list with no entries permits everything, so do this in a maintenance window.
no access-list 101
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 deny ip any any

Network B (10.0.0.0/24) should be able to use HTTP, HTTPS, ICMP and NTP towards the outside on VLAN 100 and have full access to Network A (192.168.100.0/24)

! ACL 102 is already applied outbound on FastEthernet0/1.102 (random vlan), so the voice
! rules go in a separate, unused list (150 here). ICMP is a protocol, not a TCP port, and
! NTP runs over UDP/123, so those two entries use icmp and udp.
access-list 150 permit tcp 10.0.0.0 0.0.0.255 host XX.XXX.135.252 eq 443
access-list 150 permit tcp 10.0.0.0 0.0.0.255 host XX.XXX.135.252 eq 80
access-list 150 permit icmp 10.0.0.0 0.0.0.255 host XX.XXX.135.252
access-list 150 permit udp 10.0.0.0 0.0.0.255 host XX.XXX.135.252 eq ntp
access-list 150 permit ip 10.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 150 deny ip any any

Now apply the access-list rules defined above to the VLANs as below:

interface FastEthernet0/1.101
 description **internal data vlan**
 encapsulation dot1Q 101
 ip address 192.168.100.254 255.255.255.0
 ! the old outbound list is removed; the new one filters inbound from the data vlan
 no ip access-group 101 out
 ip access-group 101 in
 ip nat inside
 ip inspect INTERNET in

interface FastEthernet0/1.150
 description VOICE_VLAN
 encapsulation dot1Q 150
 ip address 10.0.0.250 255.255.255.0
 no ip access-group 101 out
 ip access-group 150 in
 ip nat inside
 ip inspect INTERNET in


HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.
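The ACL decisions discussed in this thread can be checked offline before the change window. The script below is an added example, not code from the thread or from Cisco: it implements the first-match, implicit-deny semantics of IOS numbered extended ACLs for the subset of syntax used on this page (including the non-contiguous wildcard in "permit ip 0.0.0.0 255.255.255.0 any"), then runs the unredacted lines of the posted ACL 101 and the split inbound lists from the reply above (numbered 150 here for the voice VLAN, since 102 is already applied on FastEthernet0/1.102 in the posted config) against constructed flows. The PBX client address, the SQL Server port 1433, the ephemeral reply port, the 203.0.113.10 stand-in for the redacted DMZ host and the 198.51.100.7 outside address are all assumptions, not values from the page. Taken as written, the shared outbound ACL 101 already permits both directions of the client-to-SQL flow, so its entries alone do not account for the crash. The replacement lists permit the required flows and deny a voice-VLAN HTTPS request to anything other than the DMZ host; they also deny any 192.168.50.0/24 traffic entering FastEthernet0/1.101, which the old outbound list explicitly permitted towards 192.168.100.20 and which is worth checking against the FINNPOWER static route via 192.168.100.225 in the posted config.

```python
"""First-match evaluation of Cisco IOS numbered extended ACLs. Added example, not code from
the thread; covers the syntax subset on this page (ip/tcp/udp/icmp, any, host, wildcard,
optional 'eq <port>' on the destination). ICMP type keywords such as 'echo' are ignored."""
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src dst dport")  # src/dst are (addr, wildcard) int pairs
Flow = namedtuple("Flow", "proto src dst dport", defaults=(None,))
PORT_NAMES = {"www": 80, "domain": 53, "ntp": 123, "smtp": 25, "pop3": 110, "nntp": 119}


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _addr_matches(spec, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care' (may be non-contiguous)."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(ip) & care) == (addr & care)


def _parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; returns ((addr, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines; remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            name = t[i + 1]
            if not name.isdigit() and name not in PORT_NAMES:  # e.g. 'eq icmp' is not a port
                raise ValueError(f"unknown port keyword {name!r} in: {line}")
            dport = int(name) if name.isdigit() else PORT_NAMES[name]
        aces.append(Ace(t[2], t[3], src, dst, dport))
    return aces


def evaluate(aces, flow):
    """'permit' or 'deny' from the first matching ACE; implicit deny at the end of the list."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not (_addr_matches(ace.src, flow.src) and _addr_matches(ace.dst, flow.dst)):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


# Lines of the page's ACL 101 with no redacted addresses; applied 'out' on both VLAN subinterfaces
ORIGINAL_ACL_101 = """
access-list 101 permit ip 192.168.50.0 0.0.0.255 host 192.168.100.20
access-list 101 permit ip 0.0.0.0 255.255.255.0 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
"""
# Split replacement: data VLAN 'in' (101), voice VLAN 'in' (150); 203.0.113.10 stands in for
# the redacted DMZ host XX.XXX.135.252 (assumption)
NEW_ACL_DATA = """
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 deny ip any any
"""
NEW_ACL_VOICE = """
access-list 150 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.10 eq 443
access-list 150 permit tcp 10.0.0.0 0.0.0.255 host 203.0.113.10 eq www
access-list 150 permit icmp 10.0.0.0 0.0.0.255 host 203.0.113.10
access-list 150 permit udp 10.0.0.0 0.0.0.255 host 203.0.113.10 eq ntp
access-list 150 permit ip 10.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 150 deny ip any any
"""
# Constructed flows: client address, SQL port 1433, reply port and the outside address are assumed
FLOWS = {
    "client->sql": Flow("tcp", "192.168.100.50", "10.0.0.25", 1433),
    "sql->client": Flow("tcp", "10.0.0.25", "192.168.100.50", 49152),
    "voice->outside https": Flow("tcp", "10.0.0.30", "198.51.100.7", 443),
    "finnpower->data": Flow("tcp", "192.168.50.10", "192.168.100.20", 3389),
}


def check_policy():
    """Verdict per flow from the list on the interface that would actually see that packet."""
    old, data, voice = (parse_acl(a) for a in (ORIGINAL_ACL_101, NEW_ACL_DATA, NEW_ACL_VOICE))
    return {
        "old: client->sql": evaluate(old, FLOWS["client->sql"]),      # 101 out on Fa0/1.150
        "old: sql->client": evaluate(old, FLOWS["sql->client"]),      # 101 out on Fa0/1.101
        "old: finnpower->data": evaluate(old, FLOWS["finnpower->data"]),
        "new: client->sql": evaluate(data, FLOWS["client->sql"]),     # 101 in on Fa0/1.101
        "new: sql->client": evaluate(voice, FLOWS["sql->client"]),    # 150 in on Fa0/1.150
        "new: voice->outside https": evaluate(voice, FLOWS["voice->outside https"]),
        "new: finnpower->data": evaluate(data, FLOWS["finnpower->data"]),  # 192.168.50.x entering Fa0/1.101
    }
```

Call check_policy() from a Python shell to get one verdict per flow, and add the real client addresses and DMZ host to FLOWS before relying on it. The script models only the ACL; CBAC (ip inspect) and NAT also sit on these subinterfaces in the posted config and are not modelled, so a flow that passes here can still be affected by those features.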

Thank you for the configuration example! I understand the changes now. I will enter the commands later this evening when the production network is unused.

Regards

Markus

Hi Markus,

Please remember to rate all the helpful posts, which will encourage others in this forum.

HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.
