Solved

Cisco 3845 configured with CCP no internet access for users but works from router (ACL issue?)

Posted on 2010-11-13
Last Modified: 2012-06-21
Hi All,

I am using CCP 2.3 to configure a Cisco 3845 with an integrated switch.

I configured the interfaces, NAT, and ran the firewall wizard.
GigaEth0/0 - Internet
GigaEth2/0 - LAN

From the router I can do the following:
ping www.google.com - OK
ping www.google.com source GigaEth2/0 - OK

When a user tries the internet or ping, no luck at all. I am looking for a basic setup: all traffic out and nothing in (will set up some site-to-site VPNs later).

I have pasted the config below and any help would be great.

Cheers!
resource policy
!
no ip routing
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.5.1 192.168.5.99
ip dhcp excluded-address 192.168.5.201 192.168.5.254
!
ip dhcp pool SG-Users
   import all
   network 192.168.5.0 255.255.255.0
   dns-server 192.168.5.10 8.8.8.8
   default-router 192.168.5.1
   lease 4
!
!
no ip cef

!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class class-default
policy-map type inspect ccp-permit
 class type inspect ccp-h323-inspect
  inspect
 class class-default
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address [** WAN IP **] 255.255.255.240
 ip nbar protocol-discovery
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet2/0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 no ip route-cache
 no mop enabled
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip [** WAN IP **] 0.0.0.15 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any

Question by:Eirejp
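Added example (not part of the thread): a small Python linter that parses an IOS config like the one posted and flags the three things worth checking first when the router itself reaches the internet but LAN hosts do not: `ip routing` disabled, the inside zone's outbound zone-pair policy lacking a stateful `inspect` action (without it the replies fall under the outside-to-inside policy, which here drops), and the NAT ACL not covering the LAN subnet. The embedded config is the posted one trimmed to those lines; `parse_blocks` and `lint_zbf` are names chosen for this example.

```python
import ipaddress
SAMPLE_CONFIG = """
no ip routing
policy-map type inspect ccp-inspect
 class type inspect ccp-insp-traffic
  inspect
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
interface GigabitEthernet2/0
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.5.0 0.0.0.255
"""  # constructed sample: the posted config trimmed to the LAN-to-internet path

def parse_blocks(config):  # -> [(top-level line, [indented child lines])]
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if line[0] == " " and blocks:
            blocks[-1][1].append(line.strip())
        elif line[0] != "!":
            blocks.append((line.strip(), []))
    return blocks

def lint_zbf(config):
    """Flag the usual causes of 'router reaches the internet, LAN hosts do not'."""
    blocks, findings = parse_blocks(config), []
    heads = [h for h, _ in blocks]
    if "no ip routing" in heads:
        findings.append("no ip routing: the router will not forward packets between interfaces")
    # policy-map -> actions its classes use; source zone -> policy applied to traffic leaving it
    actions = {h.split()[-1]: {c.split()[0] for c in ch if c.split()[0] in ("inspect", "pass", "drop")}
               for h, ch in blocks if h.startswith("policy-map type inspect")}
    src_policy = {h.split()[4]: ch[0].split()[-1] for h, ch in blocks if h.startswith("zone-pair") and ch}
    # networks the NAT ACL permits; IOS wildcards like 0.0.0.255 parse as hostmasks, host entries are skipped
    nat_acl = next((h.split()[5] for h in heads if h.startswith("ip nat inside source list")), None)
    nat_nets = [ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False) for t in map(str.split, heads)
                if t[:3] == ["access-list", nat_acl, "permit"] and len(t) == 5
                and t[3] != "host" and t[4] != "0.0.0.0"]
    for h, ch in blocks:
        if h.startswith("interface") and "ip nat inside" in ch:  # user traffic enters here
            zone = next((c.split()[2] for c in ch if c.startswith("zone-member")), None)
            if "inspect" not in actions.get(src_policy.get(zone), set()):
                findings.append(f"{h}: zone {zone} never inspects outbound traffic, so replies are dropped")
            addr = next((c.split()[2:4] for c in ch if c.startswith("ip address ")), None)
            if addr and not any(ipaddress.ip_interface("/".join(addr)).network.subnet_of(n) for n in nat_nets):
                findings.append(f"{h}: {'/'.join(addr)} is not covered by NAT access-list {nat_acl}")
    return findings
```

Call `lint_zbf(SAMPLE_CONFIG)` for the trimmed config, or pass the text of a full `show running-config`; each returned string names the interface or global command that needs attention.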
Author Comment

by:Eirejp
Screenshot attached of firewall
2010-11-13-19h07-11.jpg
Expert Comment

by:Giladn
Try this: take a station for testing and do ipconfig.
On your firewall create a rule:
machine ip/32 --> out zone --> any --> allow
Put this one on top of the other rules and try pinging.
Does it work?

Cheers,

Gilad
Accepted Solution

by: Eirejp (earned 0 total points)
Sorry, and thanks for your help.

I found out the guys that we took over from handed over the wrong IP address details for one. I also redid the config from scratch, which seems to be much better.

Author Closing Comment

by:Eirejp
Wrong IP address, not really config related.