Link to home
Create AccountLog in
Avatar of Eirejp
EirejpFlag for Japan

asked on

Cisco 3845 configured with CCP no internet access for users but works from router (ACL issue?)

Hi All,

I am using CCP 2.3 to configure a Cisco 3845 with integrated switch

I configured the interfaces, NAT, and ran the firewall wizard.
GigaEth0/0 - Internet
GigaEth2/0 - LAN

From the router I can do the following
ping www.google.com - OK
ping www.google.com source GigaEth2/0 - OK

When a users tries the internet or ping no luck at all. I am looking for a basic setup all traffic out and nothing in. (will setup some site2site vpns later).

I have pasted the config below and any help would be great.

Cheers!
resource policy
!
no ip routing
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.5.1 192.168.5.99
ip dhcp excluded-address 192.168.5.201 192.168.5.254
!
ip dhcp pool SG-Users
   import all
   network 192.168.5.0 255.255.255.0
   dns-server 192.168.5.10 8.8.8.8
   default-router 192.168.5.1
   lease 4
!
!
no ip cef

!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class class-default
policy-map type inspect ccp-permit
 class type inspect ccp-h323-inspect
  inspect
 class class-default
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address [** WAN IP **] 255.255.255.240
 ip nbar protocol-discovery
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet2/0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 no ip route-cache
 no mop enabled
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip [** WAN IP **] 0.0.0.15 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any

Open in new window

Avatar of Eirejp
Eirejp
Flag of Japan image

ASKER

Screenshot attached of firewall
2010-11-13-19h07-11.jpg
Avatar of Giladn
try this, take a station for testing and do ipconfig.
on your firewall create a rule :
machine ip/32 --> out zone --> any --> allow
put this one on top of other rules and try pinging.
does it work?

Cheers,

Gilad
ASKER CERTIFIED SOLUTION
Avatar of Eirejp
Eirejp
Flag of Japan image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of Eirejp

ASKER

wrong IP address not really config related.