11-20-2013 12:07 PM - edited 03-07-2019 04:42 PM
Hi Everyone,
I hope I will get some help here, or at least a direction.
I am configuring a Cisco 881 router with a Layer-3 switch SG500-52, with the following VLAN configuration:
Vlan1: 192.168.10.0/24
Vlan2: 192.168.0.0/24
Problem: for some reason I can't ping google.ca from the switch:
switch013294#ping google.ca
Pinging google.ca (74.125.225.215) with 18 bytes of data:
PING: no reply from 74.125.225.215
PING: timeout
PING: no reply from 74.125.225.215
PING: timeout
PING: no reply from 74.125.225.215
PING: timeout
PING: no reply from 74.125.225.215
PING: timeout
----74.125.225.215 PING Statistics----
4 packets transmitted, 0 packets received, 100% packet loss
switch013294#tracero ip google.ca
Tracing the route to google.ca (74.125.225.215) from , 30 hops max, 18 byte packets
Type Esc to abort.
1 192.168.10.1 (192.168.10.1) <20 ms <20 ms <20 ms
2 * * *
3 *
Trace aborted.
I can ping the router's public IP but not the router's public gateway from the switch (from the router I can ping
switch013294#tracero ip 24.XX.XX.XXX
Tracing the route to 24.XX.XX.XX (24.XX.XX.XXX) from , 30 hops max, 18 byte packets
Type Esc to abort.
1 192.168.10.1 (192.168.10.1) <20 ms <20 ms <20 ms
Trace complete.
switch013294#tracero ip 24.XX.XX.1
Tracing the route to 24.XX.XX.1 (24.XX.XX.1) from , 30 hops max, 18 byte packets
Type Esc to abort.
1 192.168.10.1 (192.168.10.1) <20 ms <20 ms <20 ms
2 * * *
3 * *
Trace aborted.
NAT Debug:
I have also tested with debug ip nat and it shows the following:
Tried pinging from the switch:
Nov 18 04:16:55.794: NAT*: s=192.168.10.2->24.XX.XX.XX, d=74.125.225.183 [2206]
Nov 18 04:16:55.866: NAT*: s=74.125.225.183, d=24.XX.XX.XX->192.168.10.2 [13679]
Nov 18 04:16:58.034: NAT*: s=192.168.10.2->24.XX.XX.XX, d=74.125.225.183 [37854]
Nov 18 04:16:58.114: NAT*: s=74.125.225.183, d=24.XX.XX.XX->192.168.10.2 [13680]
Tried pinging from a host on VLAN 2:
Nov 18 04:20:30.862: NAT*: s=192.168.0.54->24.XX.XX.XX, d=74.125.225.169 [23980]
Nov 18 04:20:30.958: NAT*: s=74.125.225.169, d=24.XX.XX.XX->192.168.0.54 [40901]
Nov 18 04:20:31.122: NAT*: s=192.168.0.54->24.XX.XX.XX, d=74.125.225.169 [23981]
Nov 18 04:20:31.194: NAT*: s=74.125.225.169, d=24.XX.XX.XX->192.168.0.54 [3341]
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 24.xx.xx.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 24.xx.xx.1
24.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 24.xx.xx.0/24 is directly connected, FastEthernet4
L 24.XX.XX.XXx/32 is directly connected, FastEthernet4
S 192.168.0.0/24 [1/0] via 192.168.10.2
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan1
L 192.168.10.1/32 is directly connected, Vlan1
switch013294#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static
S 0.0.0.0/0 [1/1] via 192.168.10.1, 01:21:05, vlan 1
C 192.168.0.0/24 is directly connected, vlan 2
C 192.168.10.0/24 is directly connected, vlan 1
C 192.168.30.0/24 is directly connected, vlan 3
Router Running Config:
Router#sh running-config
Building configuration...
Current configuration : 9565 bytes
!
! Last configuration change at 14:11:21 PCTime Mon Nov 18 2013 by XXXXXXX
! NVRAM config last updated at 23:59:41 PCTime Sat Nov 16 2013 by XXXXXXX
! NVRAM config last updated at 23:59:41 PCTime Sat Nov 16 2013 by XXXXXXX
version 15.1
parser view CCP_EasyVPN_Remote
secret 5 $1$xXXT$at0nd7EXXX8s7iXNd5bJ1
commands interface include all crypto
commands interface include all no crypto
commands interface include no
commands configure include end
commands configure include all access-list
commands configure include all ip nat
commands configure include ip dns server
commands configure include ip dns
commands configure include all interface
commands configure include all identity policy
commands configure include identity profile
commands configure include identity
commands configure include all dot1x
commands configure include all ip domain lookup
commands configure include ip domain
commands configure include ip
commands configure include all crypto
commands configure include all aaa
commands configure include no end
commands configure include all no access-list
commands configure include all no ip nat
commands configure include no ip dns server
commands configure include no ip dns
commands configure include all no interface
commands configure include all no identity policy
commands configure include no identity profile
commands configure include no identity
commands configure include all no dot1x
commands configure include all no ip domain lookup
commands configure include no ip domain
commands configure include no ip
commands configure include all no crypto
commands configure include all no aaa
commands configure include no
commands exec include dir all-filesystems
commands exec include dir
commands exec include crypto ipsec client ezvpn connect
commands exec include crypto ipsec client ezvpn xauth
commands exec include crypto ipsec client ezvpn
commands exec include crypto ipsec client
commands exec include crypto ipsec
commands exec include crypto
commands exec include write memory
commands exec include write
commands exec include all ping ip
commands exec include ping
commands exec include configure terminal
commands exec include configure
commands exec include all terminal width
commands exec include all terminal length
commands exec include terminal
commands exec include all show
commands exec include all debug appfw
commands exec include all debug ip inspect
commands exec include debug ip
commands exec include debug
commands exec include all clear
commands exec include no
!
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authentication login ciscocp_vpn_xauth_ml_4 local
aaa authentication login ciscocp_vpn_xauth_ml_5 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa authorization network ciscocp_vpn_group_ml_3 local
aaa authorization network ciscocp_vpn_group_ml_4 local
aaa authorization network ciscocp_vpn_group_ml_5 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime -6 0
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3187996699
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3187996699
revocation-check none
rsakeypair TP-self-signed-3187996699
!
!
crypto pki certificate chain TP-self-signed-3187996699
certificate self-signed 01
quit
ip source-route
!
!
!
!
!
ip cef
ip domain name int.ccs-sk.ca
ip name-server XX.87.XXX.4
ip name-server XX.87.XXX.5
ip name-server 192.168.0.5
ip port-map user-protocol--1 port tcp 587
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL171020FH
!
!
username XXXXX privilege 15 secret 4 4TdGW32lppiywk7GXXXXXXqppUKotcC3qw35q7NbGx0o
username XXXXXX privilege 15 view CCP_EasyVPN_Remote secret 4 Cq2gROSp/6XXXXXXXSIjyGphSJe9KdkL/kxeMwZuIv6
username XXXX privilege 15 secret 4 qPLpXkgs4XXXXXZlVZcI/oxNuuXXXXXXtFwRblxZs
!
!
!
!
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 103
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
match access-group 103
match protocol smtp
!
zone security Outside
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ccsvpn
key Logmein123
dns 192.168.0.5 65.87.230.4
domain int.ccs-sk.ca
pool SDM_POOL_1
acl 101
max-users 25
netmask 255.255.255.0
!
crypto isakmp client configuration group ccsvpn1
key Logmein123
dns 192.168.0.5 65.87.230.4
domain int.ccs-sk.ca
pool SDM_POOL_1
acl 102
max-users 25
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-2
match identity group ccsvpn1
client authentication list ciscocp_vpn_xauth_ml_5
isakmp authorization list ciscocp_vpn_group_ml_5
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile2
set security-association idle-time 43200
set transform-set ESP-3DES-SHA4
set isakmp-profile ciscocp-ike-profile-2
!
!
!
!
!
!
interface Loopback1
no ip address
!
interface FastEthernet0
description Internal
switchport mode trunk
no ip address
spanning-tree portfast
!
interface FastEthernet1
switchport trunk native vlan 3
switchport mode trunk
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description $ETH-WAN$
ip address dhcp client-id FastEthernet4
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
zone-member security Outside
duplex auto
speed auto
!
interface Virtual-Template2 type tunnel
no ip address
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
router rip
version 2
network 24.0.0.0
network 192.168.10.0
no auto-summary
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.25
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 2 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 24.XX.XX.1
ip route 192.168.0.0 255.255.255.0 192.168.10.2
!
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.30.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.0.100
access-list 104 remark SMTP
access-list 104 remark CCP_ACL Category=64
access-list 104 remark Mail SMTP
access-list 104 permit tcp host 24.XX.XX.159 eq smtp 192.168.0.0 0.0.0.255 eq smtp established log
access-list 107 remark outsideSMTP
access-list 107 remark CCP_ACL Category=16
access-list 107 remark SMTP
access-list 107 permit tcp any eq smtp 192.168.0.0 0.0.0.255 eq smtp established log
access-list 112 permit ip 192.168.0.0 0.0.255.255 any log
!
!
!
!
route-map outside permit 10
match ip address 112
set ip default next-hop 24.XX.XX.1
!
!
!
!
line con 0
password XXXXXXX123
no modem enable
line aux 0
line vty 0 4
password XXXXXXX123
transport input all
!
ntp update-calendar
ntp server 192.168.0.5 prefer source FastEthernet0
end
Router#
11-20-2013 01:23 PM
Hi,
If you remove zone-member security Outside from the fa4 interface it should work.
Now the question is: do you want to run the Zone-Based Firewall on this router or not? And if so, what do you want to permit/deny.
Tell us so that we can provide the correct firewall config, because what you have so far is the WAN interface in a zone and your inside interface not in a zone. By default traffic between a zone interface and a regular interface is dropped.
Regards
Alain
Don't forget to rate helpful posts.
11-20-2013 04:24 PM
Hi,
Looking at the config, I agree with Alain: the problem in your config is that your outside interface (FastEthernet4) is in a zone (Outside) but your local VLANs are not.
To fix it you can remove the zone on F4, but that will leave your Internet-facing interface with no ACL or firewall. Another solution would be to completely configure ZBF, meaning adding a zone on the VLANs and then adding the required zone-pairs to allow the zones to communicate with each other.
Vivien F.
11-21-2013 10:13 AM
Hi Alain,
I wonder if you have checked the VPN output that I attached below.
Thanks
11-20-2013 08:03 PM
Thanks @ and @
Seems like I am at the right place now.
Before we go for the firewall I have one more thing to ask. When I connect to the VPN, as you can see in my config (note: I have added one more permit to the ACL that I was missing in the above config, access-list 102 permit ip 192.168.10.0 0.0.0.255 any):
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.30.0 0.0.0.255 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
I can connect to the VPN fine without any issue. Before making the change to the VLAN, I was at least able to ping the router's local IP, but now I can't ping any of the 192 networks.
11-21-2013 09:38 PM
Never mind, I got the VPN working.
Recreating the VPN made it work.
How come port forwarding doesn't work?
ip nat outside source static tcp 24.XX.XX.XXX 3389 192.168.0.54 3389 extendable
Should the above command do the trick?
11-22-2013 12:09 AM
Hi,
Is 192.168.0.54 an inside address (I see 192.168.10.x but not 192.168.0.x) and 24.x.x.x your WAN address?
If so then it should be ip nat inside source static xxxx
Regards
Alain
Don't forget to rate helpful posts.
11-22-2013 06:19 AM
Yup, I have two VLANs as you can see below (the VLANs are defined on the switch). Only VLAN 1 is defined on the router, since the Cisco 881 Ethernet ports are Layer 2 ports so you can't assign an IP address on the interface.
Note: the router can ping both VLANs, as defined in the static route:
ip route 192.168.0.0 255.255.255.0 192.168.10.2
switch013294#show ip interface vlan 1
IP Address I/F I/F Status Type Directed Precedence Status
admin/oper Broadcast
------------------- ---------- ------------- ----------- ---------- ---------- -----------
192.168.10.2/24 vlan 1 UP/UP Static disable No Valid
switch013294#show ip interface vlan 2
IP Address I/F I/F Status Type Directed Precedence Status
admin/oper Broadcast
------------------- ---------- ------------- ----------- ---------- ---------- -----------
192.168.0.1/24 vlan 2 UP/UP Static disable No Valid
I am trying to access one of the servers inside from outside.
So shouldn't it be from outside to inside?
ip nat outside source static tcp 24.XX.XX.XXX 3389 192.168.0.54 3389 extendable
11-22-2013 10:10 AM
Hi,
No, it is still the inside address which is translated, so it should be
ip nat inside source static tcp 24.XX.XX.XXX 3389 192.168.0.54 3389 extendable
Regards
Alain
Don't forget to rate helpful posts.
11-22-2013 11:07 AM
Nope, it didn't work. I changed it to:
ip nat inside source static tcp 24.XX.XX.XXX 3389 192.168.0.54 3389 extendable
Still getting an error; please check the IP packet capture below:
Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, NAT Outside(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:15.999: IP: tableid=0, s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), routed via RIB
Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 52, output feature, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 52, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 52, rcvd 3
Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, stop process pak for forus packet
Nov 22 18:28:15.999: IP: s=24.XX.XX.XXX (local), d=216.XXX.XXX.XX, len 40, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:15.999: IP: s=24.XX.XX.XXX (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, sending
Nov 22 18:28:15.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:15.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:15.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:15.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, sending full packet
Nov 22 18:28:18.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:18.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:18.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:18.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, NAT Outside(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:18.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:18.999: IP: tableid=0, s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), routed via RIB
Nov 22 18:28:18.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 52, output feature, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:18.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 52, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:18.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 52, rcvd 3
Nov 22 18:28:18.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, stop process pak for forus packet
Nov 22 18:28:18.999: IP: s=24.XX.XX.XXX (local), d=216.XXX.XXX.XX, len 40, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:18.999: IP: s=24.XX.XX.XXX (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, sending
Nov 22 18:28:18.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:18.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:18.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:18.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, sending full packet
Nov 22 18:28:20.199: IP: s=192.168.10.1 (local), d=224.0.0.9 (Vlan1), len 52, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:20.199: IP: s=192.168.10.1 (local), d=224.0.0.9 (Vlan1), len 52, sending broad/multicast
Nov 22 18:28:20.199: IP: s=192.168.10.1 (local), d=224.0.0.9 (Vlan1), len 52, output feature, NAT Inside(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:20.199: IP: s=192.168.10.1 (local), d=224.0.0.9 (Vlan1), len 52, output feature, Stateful Inspection(27), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:20.199: IP: s=192.168.10.1 (local), d=224.0.0.9 (Vlan1), len 52, output feature, NAT ALG proxy(55), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:20.199: IP: s=192.168.10.1 (local), d=224.0.0.9 (Vlan1), len 52, sending full packet
Nov 22 18:28:22.499: IP: s=24.XX.XX.XXX (local), d=224.0.0.9 (FastEthernet4), len 52, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:22.499: IP: s=24.XX.XX.XXX (local), d=224.0.0.9 (FastEthernet4), len 52, sending broad/multicast
Nov 22 18:28:22.499: IP: s=24.XX.XX.XXX (local), d=224.0.0.9 (FastEthernet4), len 52, output feature, Post-routing NAT Outside(24), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:22.499: IP: s=24.XX.XX.XXX (local), d=224.0.0.9 (FastEthernet4), len 52, output feature, Stateful Inspection(27), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:22.499: IP: s=24.XX.XX.XXX (local), d=224.0.0.9 (FastEthernet4), len 52, output feature, NAT ALG proxy(55), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:22.499: IP: s=24.XX.XX.XXX (local), d=224.0.0.9 (FastEthernet4), len 52, sending full packet
Nov 22 18:28:24.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 48, input feature, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:24.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 48, input feature, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:24.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 48, input feature, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:24.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 48, input feature, NAT Outside(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:24.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 48, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:24.999: IP: tableid=0, s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), routed via RIB
Nov 22 18:28:24.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 48, output feature, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:24.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 48, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:24.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 48, rcvd 3
Nov 22 18:28:24.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 48, stop process pak for forus packet
Nov 22 18:28:24.999: IP: s=24.XX.XX.XXX (local), d=216.XXX.XXX.XX, len 40, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:24.999: IP: s=24.XX.XX.XXX (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, sending
Nov 22 18:28:24.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:24.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:24.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov 22 18:28:24.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, sending full packet
11-22-2013 11:24 AM
Hi,
Sorry, I answered too fast: you should put the inside IP first and the external IP second, like this:
ip nat inside source static tcp 192.168.0.54 3389 24.XX.XX.XXX 3389 extendable
Regards
Alain
Don't forget to rate helpful posts.
11-22-2013 12:51 PM
Thanks Alain, it worked.
I have noticed that when I run the wizard for the zone-based firewall using Cisco Configuration Professional and check the Internet speed, it drops by more than half: right now I am getting 80+ Mbps, but after the zone-based firewall it drops down to 25 Mbps or 30 Mbps.
Would you recommend having a zone-based or an ACL-based firewall?
If zone-based, what would be a simple configuration I can refer to so that it wouldn't drop my Internet speed?
Thanks
11-23-2013 02:01 AM
Hi,
I don't recommend setting ZBF with the GUI because it does a lot of L7 inspection that you don't necessarily need and also it names stuff in a very confusing way that doesn't facilitate troubleshooting.
I recommend using a firewall instead of stateless ACL but maybe doing reflexive ACL or basic CBAC would be enough for you security wise and it surely would put less stress on the router.
Post your requirements and your running config with the ZBF.
Regards
Alain
Don't forget to rate helpful posts.
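A minimal zone-based configuration of the kind the replies above describe: the LAN-facing interface is added to a zone (the missing piece Alain and Vivien pointed at), there is one zone-pair per direction, inspection is generic tcp/udp/icmp rather than the L7 classes the CCP wizard generates, and the only Outside-to-Inside traffic admitted is the forwarded RDP port from the corrected static NAT. This is an added illustration written for this thread, not configuration from any post; the zone name Inside, the class/policy/ACL names, and the choice to place Virtual-Template2 in the Inside zone are assumptions.

```cisco
! Outside already exists in the posted config; Inside is the assumed name for the LAN zone.
zone security Outside
zone security Inside
!
! The cause of the original symptom: FastEthernet4 was in a zone but Vlan1 was not,
! so the replies to the switch's pings were dropped on the zone/non-zone boundary.
! Vlan1 carries 192.168.10.0/24 and, via the SG500, 192.168.0.0/24 and 192.168.30.0/24.
interface Vlan1
 zone-member security Inside
!
! Easy VPN terminates on the router itself (self zone, permitted by default because no
! self-zone policy is defined). Client traffic enters on the virtual-template; putting it
! in Inside lets VPN users reach the LAN without a separate zone-pair (assumed design).
interface Virtual-Template2 type tunnel
 zone-member security Inside
!
! Inside -> Outside: L4 stateful inspection only (no NBAR/L7 matches, as Alain advised).
! Return traffic for sessions opened from the LAN is allowed by the inspection state.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
!
zone-pair security IN-OUT source Inside destination Outside
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Outside -> Inside: only the statically forwarded RDP service is reachable.
! Inbound NAT runs before the firewall, so the ACL matches the inside (post-translation)
! address 192.168.0.54, not the public 24.x.x.x address. Everything else is dropped and logged.
ip access-list extended OUTSIDE-TO-INSIDE-ACL
 permit tcp any host 192.168.0.54 eq 3389
!
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE-ACL
 match protocol tcp
!
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security OUT-IN source Outside destination Inside
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
! The static entry in the inside-first form Alain corrected; the overload NAT for
! outbound traffic from the posted config stays as it is.
ip nat inside source static tcp 192.168.0.54 3389 24.XX.XX.XXX 3389 extendable
```

Additional published services (SMTP/587, 80, SSH, SIP) each need their own static NAT entry and a matching line in OUTSIDE-TO-INSIDE-ACL; `show policy-map type inspect zone-pair sessions` shows which sessions the inspection is tracking.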
11-23-2013 12:01 PM
Hi Alain,
Thanks for the detailed info on ZBF.
Well, I have Easy VPN set up on the router so I need that allowed in the firewall.
Also I will have my servers running, which include AD, a mail server (SMTP, 587), a web server (80), SSH and an Asterisk server (SIP 5060).
Not sure if it is necessary to put any security from the inside network to the outside since users will most of the time browse the Internet; P2P can be blocked (any suggestion on that would be highly appreciated).
I already have the running config in my first post; I didn't configure ZBF yet.
Please let me know which firewall setting best suits the above requirements.
Thanks