VLAN Subnet to Access Internet via Default Gateway

Hello Experts,

I just created a VLAN on my Cisco 1841 router and configured the switch ports and everything works fine except my new VLAN cannot access the Internet. DNS is working internally and externally (pinging but not actually replying) but is unable to view web pages. I am thinking that it is because of some kind of NAT Translation issue.

My default LAN subnet is 192.168.1.x and my VLAN subnet is 192.168.2.x. Do I have to add my new VLAN subnet and have NAT entry in my router?
katredrumAsked:

PWeerakoonCommented:
Can you please post the configs for the router and the switch attached immediately to the router? Leave out sensitive information such as public IPs and passwords.

Thanks.
0
GJHopkinsCommented:
Bit difficult to troubleshoot from the information given, but yes, the new VLAN will need a NAT inside statement on the interface, and the access-lists/route-maps used to define traffic for NAT will need to pick up traffic from 192.168.2.x to the Internet.
0
beat-eichenbergerCommented:
Yes, configuration information would be helpful. Also keep in mind that ICMP is handled statelessly, so if there is an asymmetric path, a reply is also possible. TCP and UDP are handled statefully by that firewall, so in case of an asymmetric path, you will never get a reply.
0

katredrumAuthor Commented:
I apologize for not giving too much info. I am new to this config and do not know what is sensitive info. Here is my LAN interface:

interface FastEthernet0/0
 description LAN Interface$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 106 in
 ip access-group 114 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 crypto map SDM_CMAP_3
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 no cdp enable

Can both LAN interfaces be configured with NAT inside, as the FastEthernet0/0 interface is already configured as "ip nat inside"?

0
katredrumAuthor Commented:
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authentication login sdm_vpn_xauth_ml_6 local
aaa authentication login sdm_vpn_xauth_ml_7 local
aaa authentication login sdm_vpn_xauth_ml_8 local
aaa authentication login sdm_vpn_xauth_ml_9 local
aaa authentication login sdm_vpn_xauth_ml_10 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 local
aaa authorization network sdm_vpn_group_ml_6 local
aaa authorization network sdm_vpn_group_ml_7 local
aaa authorization network sdm_vpn_group_ml_8 local
aaa authorization network sdm_vpn_group_ml_9 local
aaa authorization network sdm_vpn_group_ml_10 local
!
aaa session-id common
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
ip dhcp smart-relay
ip dhcp relay information option
!
!
no ip bootp server
ip name-server 4.2.2.2
ip name-server 64.65.64.1
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 http
ip inspect name sdm_ins_out_100 https
ip inspect name sdm_ins_out_100 http
ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 ftp
ip inspect name SDM_LOW http
ip inspect name SDM_LOW https
!
!
!
!
!
class-map match-any VOICE
 match  dscp ef
!
!
policy-map QOS
 class VOICE
  priority 512

!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_3 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_9
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_9
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 client authentication list sdm_vpn_xauth_ml_4
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_4
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
crypto map SDM_CMAP_3 client authentication list sdm_vpn_xauth_ml_10
crypto map SDM_CMAP_3 isakmp authorization list sdm_vpn_group_ml_10
crypto map SDM_CMAP_3 client configuration address respond
crypto map SDM_CMAP_3 65535 ipsec-isakmp dynamic SDM_DYNMAP_3
!
!
!
!
!
interface FastEthernet0/0
 description LAN Interface$FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 106 in
 ip access-group 114 out
 ip helper-address 192.168.37.4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 crypto map SDM_CMAP_3
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 no cdp enable
!
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 192.168.5.1 255.255.255.0
 no cdp enable
!
interface Serial0/0
 description WAN Interface$FW_OUTSIDE$
 ip address (public_ip) 255.255.255.252
 ip access-group 113 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect sdm_ins_in_100 in
 ip inspect sdm_ins_out_100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 crypto map SDM_CMAP_1
!
interface Serial1/0
 description P2P to Branch Office
 ip address 192.168.7.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip route-cache flow
 service-module t1 timeslots 1-24
 service-policy output QOS
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
ip local pool SDM_POOL_4 192.168.37.1 192.168.37.254
ip local pool SDM_POOL_2 192.168.3.1
ip route 0.0.0.0 0.0.0.0 (public_ip) permanent
ip route 192.168.4.0 255.255.255.0 192.168.7.2 permanent
ip route 192.168.37.0 255.255.255.0 192.168.7.2 permanent
!
ip flow-top-talkers
 top 25
 sort-by bytes
 cache-timeout 100
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat create flow-entries
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark Network(s) to be NATed
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 2 remark HTTP(S) Access to SDM
access-list 10 remark Permit Java
access-list 10 remark SDM_ACL Category=1
access-list 10 permit any
access-list 100 remark VTY Access
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip host 192.168.37.4 any
access-list 100 deny   ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 101 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=1
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.37.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark SDM_ACL Category=4
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.1
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.2
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.3
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.4
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.5
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.6
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.7
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.8
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.9
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.10
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.3.1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.10
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.3.1
access-list 103 deny   ip 192.168.2.0 0.0.0.255 host 192.168.1.61
access-list 103 deny   ip any host 192.168.2.1
access-list 103 deny   ip any host 192.168.2.2
access-list 103 deny   ip any host 192.168.2.3
access-list 103 deny   ip any host 192.168.2.4
access-list 103 deny   ip any host 192.168.2.5
access-list 103 deny   ip any host 192.168.2.6
access-list 103 deny   ip any host 192.168.2.7
access-list 103 deny   ip any host 192.168.2.8
access-list 103 deny   ip any host 192.168.2.9
access-list 103 permit ip any host 192.168.2.10
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 103 deny   ip host 192.168.1.1 any
access-list 103 deny   ip any 192.168.37.0 0.0.0.255
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.2
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.3
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.4
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.5
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.6
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.7
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.8
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.9
access-list 103 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.10
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.37.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 105 remark Test DNS ACL
access-list 105 permit udp any any eq domain
access-list 105 permit udp any eq domain any
access-list 106 permit ip host 192.168.2.1 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.2 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.3 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.4 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.5 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.6 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.7 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.8 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.9 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.10 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.3.1 192.168.37.0 0.0.0.255
access-list 106 permit ahp any host 192.168.1.1
access-list 106 permit esp any host 192.168.1.1
access-list 106 permit udp any host 192.168.1.1 eq isakmp
access-list 106 permit udp any host 192.168.1.1 eq non500-isakmp
access-list 106 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255
access-list 106 permit ip 192.168.37.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 106 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 106 deny   ip (public_ip) 0.0.0.3 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.10
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.9
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.8
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.7
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.6
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.5
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.4
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.3
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.2
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.1
access-list 111 permit ip host 192.168.1.60 any
access-list 111 remark SDM_ACL Category=2
access-list 113 remark WAN Interface Inbound
access-list 113 remark SDM_ACL Category=1
access-list 113 permit tcp host 165.248.35.72 any
access-list 113 permit ip host 192.168.2.1 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.2 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.3 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.4 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.5 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.6 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.7 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.8 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.9 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.10 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.3.1 192.168.37.0 0.0.0.255
access-list 113 permit ahp any host (public_ip)
access-list 113 permit esp any host (public_ip)
access-list 113 permit udp any host (public_ip) eq isakmp
access-list 113 permit udp any host (public_ip) eq non500-isakmp
access-list 113 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255
access-list 113 permit ip 192.168.37.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 113 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 113 deny   ip 192.168.1.0 0.0.0.255 any
access-list 113 permit icmp any host (public_ip) echo-reply
access-list 113 permit icmp any host (public_ip) time-exceeded
access-list 113 permit icmp any host (public_ip) unreachable
access-list 113 permit ahp any host (public_ip) log
access-list 113 permit tcp any host (public_ip) eq 22
access-list 113 permit tcp any host (public_ip) eq cmd
access-list 113 deny   ip 10.0.0.0 0.255.255.255 any
access-list 113 deny   ip 172.16.0.0 0.15.255.255 any
access-list 113 deny   ip 192.168.0.0 0.0.255.255 any
access-list 113 deny   ip 127.0.0.0 0.255.255.255 any
access-list 113 deny   ip host 255.255.255.255 any
access-list 113 deny   ip host 0.0.0.0 any
access-list 113 permit esp any host (public_ip) log
access-list 113 permit udp any host (public_ip) eq non500-isakmp log
access-list 113 permit udp any host (public_ip) eq isakmp log
access-list 113 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255 log
access-list 113 permit tcp any host (public_ip) eq 443
access-list 113 permit tcp any host (public_ip) eq smtp
access-list 113 permit tcp any host (public_ip) eq www
access-list 113 deny   ip any any log
access-list 114 permit ip any any
access-list 114 remark LAN Interface Outbound
access-list 114 remark SDM_ACL Category=17
access-list 121 permit ip 192.168.37.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 remark SDM_ACL Category=1
snmp-server community public RO
no cdp run
!
route-map SDM_RMAP_4 permit 1
 match ip address 110
!
route-map SDM_RMAP_5 permit 1
 match ip address 111
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 108
!
route-map SDM_RMAP_3 permit 1
 match ip address 109
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 transport input telnet ssh
line vty 5 15
 access-class 101 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
0
GJHopkinsCommented:
Yes, you will need:

interface FastEthernet0/0.2
 ip nat inside

access-list 103 permit ip 192.168.2.0 0.0.0.255 any
0
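An added example (not from the thread or from Cisco) that turns the diagnosis above into a repeatable check: the Python below parses an IOS-style running-config, follows `ip nat inside source route-map ... overload` to its route-map and ACL, and reports for each LAN interface whether it lacks `ip nat inside` or whether its subnet is not permitted by the NAT ACL. The config excerpt is constructed from the one posted above (203.0.113.2 stands in for the sanitised public address); it assumes static `ip address` lines, numbered extended ACLs, and that placeholders such as `(public_ip)` are replaced with real addresses before a real config is fed in.

```python
import ipaddress

# Constructed excerpt modelled on the thread's config; 203.0.113.2 stands in for (public_ip).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0 overload
access-list 103 deny   ip host 192.168.1.1 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 103
"""
# The two changes from the accepted answer, applied one at a time.
HALF_FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " ip address 192.168.2.1 255.255.255.0\n",
    " ip address 192.168.2.1 255.255.255.0\n ip nat inside\n")
FIXED_CONFIG = HALF_FIXED_CONFIG.replace(
    "0.0.0.255 any\n", "0.0.0.255 any\naccess-list 103 permit ip 192.168.2.0 0.0.0.255 any\n")
PROBE_DST = ipaddress.ip_address("198.51.100.10")  # constructed Internet host (TEST-NET-2)


def stanzas(config):
    """Split an IOS running-config into (header, [indented lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":  # a column-0 line starts a new block
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def acl_operand(tokens):
    """Parse one ACL address operand; return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        target = ipaddress.ip_address(tokens[1])
        return (lambda ip: ip == target), tokens[2:]
    base = int(ipaddress.ip_address(tokens[0]))
    care = ~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF  # wildcard 0-bits must match
    return (lambda ip: ((int(ip) ^ base) & care) == 0), tokens[2:]


def parse_config(config):
    """Collect interfaces, the NAT rule, route-maps and extended 'ip' ACL entries."""
    ifaces, acls, route_maps, nat = {}, {}, {}, None
    for header, body in stanzas(config):
        tokens = header.split()
        if tokens[0] == "interface":
            iface = {"addr": None, "nat_inside": False, "nat_outside": False}
            for line in body:
                if line.startswith("ip address "):
                    iface["addr"] = ipaddress.ip_interface("/".join(line.split()[2:4]))
                iface["nat_inside"] |= line == "ip nat inside"
                iface["nat_outside"] |= line == "ip nat outside"
            ifaces[tokens[1]] = iface
        elif tokens[0] == "route-map":
            route_maps[tokens[1]] = next(
                (b.split()[3] for b in body if b.startswith("match ip address ")), None)
        elif tokens[0] == "access-list" and len(tokens) > 5 and tokens[3] == "ip":
            src, rest = acl_operand(tokens[4:])  # protocol-'ip' entries decide NAT
            dst, _ = acl_operand(rest)
            acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
        elif header.startswith("ip nat inside source") and tokens[4] in ("route-map", "list"):
            nat = {"kind": tokens[4], "name": tokens[5]}  # 'route-map NAME' or 'list ACL'
    return ifaces, acls, route_maps, nat


def acl_permits(entries, src_ip, dst_ip):
    """First match wins; every IOS ACL ends in an implicit deny."""
    return next((a == "permit" for a, s, d in entries if s(src_ip) and d(dst_ip)), False)


def audit_nat_coverage(config):
    """Return {interface: finding} for every inside-facing interface."""
    ifaces, acls, route_maps, nat = parse_config(config)
    acl_name = route_maps.get(nat["name"]) if nat["kind"] == "route-map" else nat["name"]
    report = {}
    for name, iface in ifaces.items():
        addr = iface["addr"]
        if addr is None or iface["nat_outside"]:
            continue  # WAN side, or no address: nothing to translate from here
        probe = next(h for h in addr.network.hosts() if h != addr.ip)  # a LAN host, not the router
        if not iface["nat_inside"]:
            report[name] = "missing 'ip nat inside'"
        else:
            ok = acl_permits(acls.get(acl_name, []), probe, PROBE_DST)
            report[name] = "ok" if ok else f"{addr.network} not permitted by ACL {acl_name}"
    return report
```

Run on the three constructed variants, the audit flags FastEthernet0/0.2 first for the missing `ip nat inside`, then for 192.168.2.0/24 not being matched by ACL 103, and reports "ok" only once both changes are present.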

katredrumAuthor Commented:
Perfect! It was exactly what I was looking for!
0
katredrumAuthor Commented:
Thanks for your help!
0