Eirejp (Japan)

asked on
Cisco 3845 configured with CCP no internet access for users but works from router (ACL issue?)

Hi All,

I am using CCP 2.3 to configure a Cisco 3845 with an integrated switch.

I configured the interfaces, NAT, and ran the firewall wizard.
GigaEth0/0 - Internet
GigaEth2/0 - LAN

From the router I can do the following:
ping www.google.com - OK
ping www.google.com source GigaEth2/0 - OK

When a user tries the internet or ping, no luck at all. I am looking for a basic setup: all traffic out and nothing in (will set up some site-to-site VPNs later).

I have pasted the config below and any help would be great.

Cheers!

resource policy
!
no ip routing
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.5.1 192.168.5.99
ip dhcp excluded-address 192.168.5.201 192.168.5.254
!
ip dhcp pool SG-Users
   import all
   network 192.168.5.0 255.255.255.0
   dns-server 192.168.5.10 8.8.8.8
   default-router 192.168.5.1
   lease 4
!
!
no ip cef

!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class class-default
policy-map type inspect ccp-permit
 class type inspect ccp-h323-inspect
  inspect
 class class-default
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address [** WAN IP **] 255.255.255.240
 ip nbar protocol-discovery
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet2/0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 no ip route-cache
 no mop enabled
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip [** WAN IP **] 0.0.0.15 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any

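As an added example (not from the post or from CCP), a small Python audit over a constructed excerpt of the posted config. It flags the settings a defender checks first when router-sourced pings work but LAN hosts get no transit: global `no ip routing`, a NAT source ACL that does not cover the inside subnet, and a missing zone-pair from the inside zone to the outside zone. The address 203.0.113.2 stands in for the redacted WAN IP.

```python
import ipaddress
import re

# Constructed excerpt of the posted config; 203.0.113.2 stands in for the redacted WAN IP.
CONFIG = """\
no ip routing
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
 zone-member security out-zone
interface GigabitEthernet2/0
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.5.0 0.0.0.255
"""

def parse(text):
    """Group indented sub-commands under their parent command (IOS block layout)."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            cur = line.strip()
            blocks[cur] = []
        elif line.strip() and cur:
            blocks[cur].append(line.strip())
    return blocks

def audit(text):
    """Return findings that would stop LAN hosts transiting the router."""
    b, findings = parse(text), []
    if "no ip routing" in b:
        findings.append("no ip routing: packets are not forwarded between interfaces")
    ifaces = {k.split()[1]: v for k, v in b.items() if k.startswith("interface ")}
    zone = lambda sub: next((s.split()[-1] for s in sub if s.startswith("zone-member")), None)
    outside = [zone(v) for v in ifaces.values() if "ip nat outside" in v]
    # IOS wildcard masks parse directly as ipaddress hostmasks (e.g. 0.0.0.255 -> /24).
    acl = [ipaddress.ip_network(f"{m[1]}/{m[2]}") for m in
           (re.match(r"access-list 1 permit (\S+) (\S+)", k) for k in b) if m]
    for name, sub in ((n, s) for n, s in ifaces.items() if "ip nat inside" in s):
        m = re.search(r"ip address (\S+) (\S+)", " ".join(sub))
        net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        if not any(net.subnet_of(a) for a in acl):
            findings.append(f"{name}: {net} is not covered by NAT access-list 1")
        if not any(f"source {zone(sub)} destination {o}" in k for k in b for o in outside):
            findings.append(f"{name}: no zone-pair from {zone(sub)} to the outside zone")
    return findings
```

On the excerpt above the only finding is `no ip routing`; an all-zero wildcard (host entry) would need special handling, since ipaddress reads 0.0.0.0 as a /0 netmask.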

Eirejp (ASKER)

Screenshot of the firewall attached: 2010-11-13-19h07-11.jpg
Giladn
Try this: take a station for testing and do ipconfig.
On your firewall create a rule:
machine ip/32 --> out zone --> any --> allow
Put this one on top of the other rules and try pinging.
Does it work?

Cheers,

Gilad
ASKER CERTIFIED SOLUTION
Eirejp
Eirejp (ASKER)

Wrong IP address, not really config related.