Solved

Cisco 3845 configured with CCP no internet access for users but works from router (ACL issue?)

Posted on 2010-11-13
4
1,035 Views
Last Modified: 2012-06-21
Hi All,

I am using CCP 2.3 to configure a Cisco 3845 with integrated switch

I configured the interfaces, NAT, and ran the firewall wizard.
GigaEth0/0 - Internet
GigaEth2/0 - LAN

From the router I can do the following
ping www.google.com - OK
ping www.google.com source GigaEth2/0 - OK

When a user tries the internet or ping, no luck at all. I am looking for a basic setup: all traffic out and nothing in (will set up some site-to-site VPNs later).

I have pasted the config below and any help would be great.

Cheers!
resource policy
!
no ip routing
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.5.1 192.168.5.99
ip dhcp excluded-address 192.168.5.201 192.168.5.254
!
ip dhcp pool SG-Users
   import all
   network 192.168.5.0 255.255.255.0
   dns-server 192.168.5.10 8.8.8.8
   default-router 192.168.5.1
   lease 4
!
!
no ip cef

!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class class-default
policy-map type inspect ccp-permit
 class type inspect ccp-h323-inspect
  inspect
 class class-default
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address [** WAN IP **] 255.255.255.240
 ip nbar protocol-discovery
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet2/0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 no ip route-cache
 no mop enabled
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip [** WAN IP **] 0.0.0.15 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any


Question by:Eirejp
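An added example, not from the question or from CCP: a small Python audit that parses an excerpt of the posted config and checks the things to verify before suspecting the zone-based firewall. It flags the `no ip routing` line (which disables forwarding between interfaces), checks that each NAT inside/outside interface pair has a zone-pair with an inspect policy, and checks that the NAT source list actually covers the LAN subnet; the WAN address in the excerpt is a constructed documentation address, and the `parse`/`audit` helpers are the editor's, not IOS or CCP features.

```python
import re
import ipaddress
# Constructed excerpt of the running-config posted in the question; 203.0.113.2 is a
# documentation address standing in for the redacted [** WAN IP **].
CONFIG = """\
no ip routing
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
 zone-member security out-zone
interface GigabitEthernet2/0
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
ip nat inside source list 1 interface GigabitEthernet0/0 overload
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
access-list 1 permit 192.168.5.0 0.0.0.255
"""
def parse(cfg):  # -> {top-level line: [indented sub-lines]}; "!" separators are skipped
    blocks, cur = {}, None
    for line in [l for l in cfg.splitlines() if l.strip() not in ("", "!")]:
        if line.startswith(" "):
            blocks[cur].append(line.strip())
        else:
            cur = line.strip()
            blocks.setdefault(cur, [])
    return blocks

def audit(cfg):  # findings that would stop LAN hosts getting out through NAT + zone-based firewall
    blocks, out = parse(cfg), []
    if "no ip routing" in blocks:
        out.append("no ip routing: forwarding between interfaces is disabled")
    ifaces = {h: b for h, b in blocks.items() if h.startswith("interface ")}
    zone = {h: next((l.split()[-1] for l in b if l.startswith("zone-member")), None) for h, b in ifaces.items()}
    nat = {k: [h for h, b in ifaces.items() if f"ip nat {k}" in b] for k in ("inside", "outside")}
    pairs = {m.groups(): b for h, b in blocks.items()
             if (m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", h))}
    nat_lists = re.findall(r"^ip nat inside source list (\S+) ", cfg, re.M)
    permitted = [ipaddress.ip_network(f"{m[2]}/{m[3]}") for a in blocks  # "permit net wildcard" entries only
                 if (m := re.match(r"access-list (\S+) permit (\S+) (\S+)$", a)) and m[1] in nat_lists]
    for i in nat["inside"]:
        for o in nat["outside"]:  # ZBF drops traffic unless a zone-pair with a policy covers it
            if not any(p.startswith("service-policy type inspect") for p in pairs.get((zone[i], zone[o]), [])):
                out.append(f"{i} ({zone[i]}) -> {o} ({zone[o]}): no zone-pair with an inspect policy")
        ip, mask = re.search(r"ip address (\S+) (\S+)", "\n".join(ifaces[i])).groups()
        lan = ipaddress.ip_interface(f"{ip}/{mask}").network  # NAT source list must cover this subnet
        if not any(lan.subnet_of(net) for net in permitted):
            out.append(f"{i}: NAT source list does not cover {lan}")
    return out
```

The accepted answer below traced the problem to a wrong IP address handed over by the previous admins, which a static config check like this cannot catch.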
4 Comments
 
LVL 1

Author Comment

by:Eirejp
ID: 34126904
Screenshot attached of firewall
2010-11-13-19h07-11.jpg
0
 
LVL 11

Expert Comment

by:Giladn
ID: 34126943
Try this: take a station for testing and do ipconfig.
On your firewall create a rule:
machine ip/32 --> out zone --> any --> allow
Put this one on top of the other rules and try pinging.
Does it work?

Cheers,

Gilad
0
 
LVL 1

Accepted Solution

by:
Eirejp earned 0 total points
ID: 34127789
Sorry and thanks for your help.

I found out the guys that we took over from handed over the wrong IP address details for one. I also redid the config from scratch, which seems to be much better.

0
 
LVL 1

Author Closing Comment

by:Eirejp
ID: 34162462
Wrong IP address, not really config related.
0
