Problem with VLAN Routing and ZPF

Hello, I am trying to do an assignment in Packet Tracer which requires me to create a ZPF Public-Private zone and also a VLAN 10, so the zone Public-Private should only inspect packets going out. The ZPF works, but when I add a VLAN configuration and a subinterface everything stops working. The PDU stops at Layer 3:

1. The routing table finds a routing entry to the destination IP address.

2. The destination network is directly connected. The device sets destination as the next-hop.

3. The device decrements the TTL on the packet.

And when I issue the debug ip packet command it says that encapsulation failed. Is there anything else I should configure? Here is my config for the router and the switch. I will also attach my topology.

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname RA
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.129 192.168.1.139
!
ip dhcp pool vlan10_1
 network 192.168.1.0 255.255.255.128
 default-router 192.168.1.1
 dns-server 209.165.201.14
ip dhcp pool vlan10_2
 network 192.168.1.128 255.255.255.128
 default-router 192.168.1.129
 dns-server 209.165.201.14
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
 encr aes 128
 authentication pre-share
 group 2
 lifetime 1800
!
crypto isakmp key ciscovpnboro3 address 172.17.2.34
!
!
!
crypto ipsec transform-set R1-R3 esp-aes 256 esp-sha-hmac
!
crypto map R1-R3 10 ipsec-isakmp 
 set peer 172.17.2.34
 set pfs group2
 set security-association lifetime seconds 1800
 set transform-set R1-R3 
 match address 101
!
!
!
!
!
!
spanning-tree mode pvst
!
class-map type inspect match-any OUT-TO-DMZ
 match protocol http
 match protocol https
class-map type inspect match-all IN-2-OUT
 match access-group 102
!
policy-map type inspect OUT-TO-DMZ-POLICY
 class type inspect OUT-TO-DMZ
  inspect
!
policy-map type inspect IN-2-OUT-P
 class type inspect IN-2-OUT
  inspect
!
!
!
zone security IN
zone security OUT
zone security DMZ
zone-pair security OUT-TO-DMZ-PAIR source OUT destination DMZ
 service-policy type inspect OUT-TO-DMZ-POLICY
zone-pair security IN-2-OUT-PAIR source IN destination OUT
 service-policy type inspect IN-2-OUT-P
!
!
interface FastEthernet0/0
 no ip address
 zone-member security IN
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.128
!
interface FastEthernet0/1
 ip address 192.168.1.129 255.255.255.128
 zone-member security DMZ
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 172.17.2.18 255.255.255.252
 zone-member security OUT
 clock rate 128000
 crypto map R1-R3
!
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 100
 network 0.0.0.0
 no auto-summary
!
router rip
!
ip classless
!
ip flow-export version 9
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.127 172.17.5.0 0.0.0.255
access-list 101 permit icmp 192.168.1.0 0.0.0.127 172.17.5.0 0.0.0.255
access-list 101 permit tcp 192.168.1.0 0.0.0.127 172.17.5.0 0.0.0.255
access-list 101 permit esp 192.168.1.0 0.0.0.127 172.17.5.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.127 any
access-list 102 permit icmp 192.168.1.0 0.0.0.127 any
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport mode access
!
interface FastEthernet0/5
 switchport mode access
!
interface FastEthernet0/6
 switchport mode access
!
interface FastEthernet0/7
 switchport mode access
!
interface FastEthernet0/8
 switchport mode access
!
interface FastEthernet0/9
 switchport mode access
!
interface FastEthernet0/10
 switchport mode access
!
interface FastEthernet0/11
 switchport mode access
!
interface FastEthernet0/12
 switchport mode access
!
interface FastEthernet0/13
 switchport mode access
!
interface FastEthernet0/14
 switchport mode access
!
interface FastEthernet0/15
 switchport mode access
!
interface FastEthernet0/16
 switchport mode access
!
interface FastEthernet0/17
 switchport mode access
!
interface FastEthernet0/18
 switchport mode access
!
interface FastEthernet0/19
 switchport mode access
!
interface FastEthernet0/20
 switchport mode access
!
interface FastEthernet0/21
 switchport mode access
!
interface FastEthernet0/22
 switchport mode access
!
interface FastEthernet0/23
 switchport mode access
!
interface FastEthernet0/24
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode access
!
interface Vlan1
 no ip address
 shutdown
!
!
!
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
!
!
!
end

7 Replies

marce1000
Hall of Fame

Post here: Packet Tracer discussions

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thank you, I will post it there.

Is this Packet Tracer or a real network?

Packet Tracer

I don't know if Packet Tracer can support this task.

Anyway, it's a hard task.

For TCP traffic:

You have to configure two ways if you select pass, not inspect.

You can use one way (only one zone pair) if you use inspect.

But be sure that traffic initiates from the source zone.

For UDP and other traffic you need two-way zone pairs; you can select pass or inspect.

Traffic can initiate from both the source and the destination zone.

That's what you need.

MHM

If you would do it on an actual device, would you need to apply the security zone to the sub-interface? I am asking because you can't do this in PT, and my firewall worked until I configured sub-interfaces.

The zone firewall is L3 based.

So you need to apply zone-member on each subinterface.

Note: any interface that is not a member of any zone by default allows any traffic.
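To make the two replies above concrete, here is an added example of how the relevant part of RA's configuration would look on IOS with the zone membership moved onto the dot1Q subinterface. It is not the poster's config and has not been tried in Packet Tracer; interface names, addresses, zone names and ACL numbers are taken from the original post, everything else is an assumption for illustration. The point it shows: zone membership belongs to the Layer 3 interface that carries the IP address, so `zone-member security IN` on the parent FastEthernet0/0 does not cover FastEthernet0/0.10, and in IOS an interface that is in no zone cannot exchange traffic with an interface that is in one (the packets are dropped), which is exactly the situation the VLAN 10 hosts are in once their traffic enters through a zone-less subinterface. The zone pair keeps the one-way `inspect` action, so return traffic for sessions initiated from IN is allowed back without a second zone pair.

```ios
! Added example, not the poster's running config: RA with VLAN 10 on a dot1Q
! subinterface placed in zone IN. Zone names, addresses and interface names
! follow the original post; the rest is an assumption for illustration.
!
zone security IN
zone security OUT
zone security DMZ
!
! One zone pair for the direction that is initiated. With "inspect" the
! firewall keeps a session entry, so replies from OUT back to IN are allowed
! without an OUT->IN pair. Hosts in OUT still cannot start sessions toward IN.
class-map type inspect match-all IN-2-OUT
 match access-group 102
policy-map type inspect IN-2-OUT-P
 class type inspect IN-2-OUT
  inspect
 class class-default
  drop log
zone-pair security IN-2-OUT-PAIR source IN destination OUT
 service-policy type inspect IN-2-OUT-P
!
! The physical interface only carries the 802.1Q trunk: no IP address, and a
! zone-member here does not propagate to the subinterfaces, so remove it.
interface FastEthernet0/0
 no ip address
 no zone-member security IN
 no shutdown
!
! The Layer 3 interface for VLAN 10 is the subinterface, so this is where the
! zone membership has to be. Left out, the subinterface belongs to no zone and
! traffic between it and any zone member (DMZ, OUT) is dropped.
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.128
 zone-member security IN
!
interface FastEthernet0/1
 ip address 192.168.1.129 255.255.255.128
 zone-member security DMZ
!
interface Serial0/0/0
 ip address 172.17.2.18 255.255.255.252
 zone-member security OUT
 crypto map R1-R3
!
access-list 102 permit ip 192.168.1.0 0.0.0.127 any
!
! Checks to run afterwards (IOS commands; support in Packet Tracer varies):
!   show zone security                 every L3 interface that forwards traffic is listed under a zone
!   show zone-pair security            the IN->OUT pair has its policy attached
!   show policy-map type inspect zone-pair sessions
!                                      a session appears once a VLAN 10 host opens a connection
!   show ip arp                        the host MAC was learned on Fa0/0.10
```

Two caveats worth checking before blaming the ZPF. First, "encapsulation failed" in `debug ip packet` on IOS means the router could not build the Layer 2 header, normally because ARP for the destination did not resolve; so if `show ip arp` has no entry for the VLAN 10 host, look at the trunk first (`show vlan brief` and `show interfaces trunk` on the switch: VLAN 10 must exist in the VLAN database and be allowed on Fa0/1), since the switch config shown does not include a `vlan 10` definition and older IOS keeps it in vlan.dat rather than the running config. Second, with Fa0/0.10 in IN and Fa0/1 in DMZ there is still no IN-to-DMZ zone pair, so VLAN 10 hosts cannot reach the DMZ subnet until a zone pair with an `inspect` policy is added for that direction as well.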