Solved

Cisco Firewall config won't let web traffic out

Posted on 2014-09-29
112 Views
Last Modified: 2015-10-05
I have a Cisco 1921 on which we had to change the public IP address as we switched providers. Now, simply with the new public address assigned, Internet access from inside the network is gone. Not sure what the issue is in the config, but the only thing that was changed was the Gig0/0 interface IP address. Any thoughts?

Current configuration : 16038 bytes
!
! Last configuration change at 18:25:12 UTC Fri Sep 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console critical
enable secret 4 QXgpBprMD57V2pQEc3OYhpTNPAAg53dEpvqTENh13Rw
!
aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication login ciscocp_vpn_xauth_ml_1 group radius
aaa authentication login ciscocp_vpn_xauth_ml_2 group radius
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.151 192.168.1.254
!
ip dhcp pool ccp-pool1
 network 192.168.1.0 255.255.255.0
 domain-name xxxx.local
 dns-server 192.168.1.10 10.1.1.9
 default-router 192.168.1.3
!
!
!
no ip bootp server
ip name-server x.x.x.x
ip name-server x.x.x.x
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
 spoofed-acker off
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com

parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3648640226
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3648640226
 revocation-check none
 rsakeypair TP-self-signed-3648640226
!
!
crypto pki certificate chain TP-self-signed-3648640226
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33363438 36343032 3236301E 170D3134 30333131 31343432
  35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36343836
  34303232 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D987 DF21CECC D850686C 593BBA05 66FBE034 AC9E7C57 7CB5BDA2 05554BF7
  E5F619EC 980848C1 04C52D1D 74E4B6CD EA536914 044EE82B 8E9E294B AB202C8C
  1B1EC097 31850732 5F61142E BC802DC1 5F4418DE C7E2F810 C73BCA3F 9A50C85E
  D82B3AAF F19B86AE 73777AF6 05401403 5A16B726 DA5FB39C 7FF898CB A69DDB3D
  D4550203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 146FB21E B437C0F5 C857E14C CDAA98E9 4BB87280 D5301D06
  03551D0E 04160414 6FB21EB4 37C0F5C8 57E14CCD AA98E94B B87280D5 300D0609
  2A864886 F70D0101 05050003 8181009D 1BDB8FEB 07481B42 2FC564B1 92CF1545
  27418153 1C40532E 635D9DF2 174C9570 1F1E895B EB52350C DE32FEBB ADC639BF
  5752EAA8 7BE44CC9 005BF413 26CB6575 E6F09160 1ED9360C D5E6ADE4 C70258E3
  61A3E648 7D1F58E0 F75D88EC CD2F2E76 F6245636 12EF1C06 306DD5CE 735F4C1A
  0710C452 186A17D1 D6137142 A5580D
        quit
license udi pid CISCO1921/K9 sn FTX180481GS
!
!
username admin privilege 15 password 0 xxxxxxx
username user privilege 15 secret 4 V9Qj0WLJlr9UO1MCsbm4/AkKaRVgOeoI7NIWN9C/Zqo
!
redundancy
!
!
!
!
!
no ip ftp passive
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 106
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 110
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 107
class-map type inspect match-any ccp-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-all CCP_SSLVPN01
 match access-group name CCP_IP
class-map type inspect match-all CCP_SSLVPN
 match access-group name aa
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_WEBVPN
 match access-group name SDM_WEBVPN
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-all CCP_SSLVPN0
 match access-group name CCP_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 104
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
 match class-map SDM_WEBVPN
 match access-group 108
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_VPN_PT
 match access-group 105
 match class-map SDM_VPN_TRAFFIC
!
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-sslvpn-pol
 class type inspect CCP_SSLVPN01
  pass
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_WEBVPN_TRAFFIC
  inspect
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security a
zone security in-zone
zone security out-zone
zone security sslvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security zp-sslvpn-zone-a source sslvpn-zone destination a
 service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
 service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
 service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
 service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
 service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-a-sslvpn-zone source a destination sslvpn-zone
 service-policy type inspect ccp-sslvpn-pol
!
!
crypto vpn anyconnect usbflash0:/webvpn/anyconnect-win-3.1.05160-k9.pkg sequence 1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key xxxxxxx address 1.1.1.2
crypto isakmp key xxxxxxx address 1.1.1.3
crypto isakmp key xxxxxxx address 1.1.1.4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to a.a.a.a
 set peer a.a.a.a
 set transform-set ESP-3DES-SHA
 match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel toa.a.a.a
 set peer a.a.a.a
 set transform-set ESP-3DES-SHA2
 match address 109
!
!
!
!
!
interface Loopback1
 ip address 192.168.2.1 255.255.255.0
 ip access-group aa in
 ip access-group aa out
 zone-member security sslvpn-zone
!
interface Null0
 no ip unreachables
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-WAN$FW_OUTSIDE$
 ip address c.c.c.c 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.3 255.255.255.0
 ip access-group tac_test_in in
 ip access-group tac_test out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface Virtual-Template2
 ip unnumbered GigabitEthernet0/0
 ip access-group aa in
 ip access-group aa out
 zone-member security sslvpn-zone
!
ip local pool vpn_pool 192.168.2.75 192.168.2.99
ip forward-protocol nd
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip dns server
ip nat inside source list 199 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 c.c.c.c
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
ip access-list extended CCP_IP
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_WEBVPN
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended aa
 remark CCP_ACL Category=1
 permit ip any host 192.168.2.1
 permit ip any any
ip access-list extended tac_test
 permit icmp host 192.168.2.83 host 192.168.1.11 log
 permit icmp host 192.168.2.82 host 192.168.1.30 log
 permit ip any any
ip access-list extended tac_test_in
 remark CCP_ACL Category=17
 permit ip any host 192.168.1.3
 permit icmp host 192.168.1.11 host 192.168.2.83 log
 permit icmp host 192.168.1.30 host 192.168.2.82 log
 permit ip any any
ip access-list extended vpn_acl
 remark CCP_ACL Category=1
 permit ip 192.168.2.0 0.0.0.255 any
!
ip radius source-interface GigabitEthernet0/1
ip sla auto discovery
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 208.40.100.48 0.0.0.7
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host 255.255.255.255 any
access-list 104 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip 208.40.6.96 0.0.0.3 any
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip host 208.40.100.50 any
access-list 105 permit ip host 207.58.250.138 any
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 remark CCP_ACL Category=128
access-list 108 permit ip any host 208.40.6.98
access-list 109 remark CCP_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
radius-server host 10.1.1.9 key xxxxxxxxx
radius-server key xxxxxxxx
!
!
!
control-plane
!
!
banner login ^CCUnauthorized access is strictly prohibited.  Violators will be prosecuted.^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
!
webvpn gateway gateway_1
 ip address d.d.d.d port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3648640226
 inservice
 !
webvpn context dvpn
 secondary-color white
 title-color #CCCC66
 text-color black
 virtual-template 2
 aaa authentication list default
 gateway gateway_1
 max-users 25
 !
 ssl authenticate verify all
 inservice
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "vpn_pool" netmask 255.255.255.255
   svc keep-client-installed
   svc split include 192.168.10.0 255.255.255.0
   svc split include 192.168.1.0 255.255.255.0
   svc dns-server primary 192.168.1.10
 default-group-policy policy_1
!
!
webvpn context test
 !
 ssl authenticate verify all
 no inservice
!
end
Question by:ClearBlueTechnologies
10 Comments
 
LVL 24

Accepted Solution

by:
Ken Boone earned 500 total points
ID: 40350021
Here is what I would look at first.

1) You changed the IP address on the gig0/0 interface. Did you use the correct subnet mask for the new provider?
2) Since you changed this, the default route next hop has changed as well. I see two default routes configured: one pointing to an address and the other to the interface. I would remove the default route that simply points to the gig0/0 interface. Then make sure your route to the default gateway is correct. The next hop address will be different from the address on the gig0/0 interface.

That is where I would start.
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40350066
Yeah, the route information is correct; I just masked it for security. I have removed the route in past testing with no success. I am able to get out to the Internet from the unit but cannot from a device behind the unit, so it leads me to believe it is some access list issue, but I can't figure it out.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40350387
interface GigabitEthernet0/0
 description $ETH-WAN$FW_OUTSIDE$
 ip address c.c.c.c 255.255.255.248
 
ip route 0.0.0.0 0.0.0.0 c.c.c.c
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0


Is the IP address on the interface GigabitEthernet0/0 the same as in your "ip route 0.0.0.0 0.0.0.0 c.c.c.c"? I'm thinking about your c.c.c.c value.

Can you do a traceroute from the router to an external IP, for example 8.8.8.8, and also the same from the internal client?
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40350405
The c.c.c.c is the public IP address. I masked the route statement incorrectly; it should be 0.0.0.0 0.0.0.0 c.c.c.1.

The route statement is correct. I can traceroute successfully from the router to 8.8.8.8, but from an internal client it fails at the router.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40350415
Can you ping internal IP of the router from the client?
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40350438
Yes... just can't get past it.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40350485
OK, can you remove the ACLs from interface GigabitEthernet0/1 as a test? Just for troubleshooting purposes.

conf t
interface GigabitEthernet0/1
 no ip access-group tac_test_in in
 no ip access-group tac_test out

If you try to ping external IP, do you get any log records on the router?

show logg

Any packet denied?
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40350594
Still no access. I get this in the log.

*Sep 29 17:52:59.247: %FW-6-DROP_PKT: Dropping icmp session 8.8.8.8:0 192.168.1.144:0  due to  One of the interfaces not being cfged for zoning with ip ident 0

1.144 is my laptop's IP address.
0
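The `%FW-6-DROP_PKT ... One of the interfaces not being cfged for zoning` message quoted above is what an IOS zone-based firewall logs when a packet would cross between an interface that is a member of a security zone and one that is not (only the router's own `self` zone is exempt from that rule). In the posted config, GigabitEthernet0/1 is in `in-zone`, but GigabitEthernet0/0 carries the WAN address and `ip nat outside` with no `zone-member security` line, while several zone-pairs reference `out-zone`. As an added example, not code from this thread or from Cisco, here is a small Python audit that parses the `zone security`, `zone-pair security` and `interface` stanzas of a running-config and reports two conditions: forwarding interfaces that belong to no zone, and zones that a zone-pair references but no interface joins. The input is a constructed excerpt that mirrors the relevant lines of the posted config (masked address kept as `c.c.c.c`); the function and variable names are this example's own.

```python
"""Audit an IOS zone-based firewall config for unzoned forwarding interfaces.

Added example, not code from the thread. It checks the two ZBF conditions that
produce "not being cfged for zoning" drops: an interface with an address but no
zone-member, and a zone named in a zone-pair that has no member interface.
"""
import re
from collections import defaultdict

# Constructed excerpt mirroring the ZBF-relevant lines of the posted config.
SAMPLE_CONFIG = """\
zone security in-zone
zone security out-zone
zone security sslvpn-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
interface GigabitEthernet0/0
 description $ETH-WAN$FW_OUTSIDE$
 ip address c.c.c.c 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.1.3 255.255.255.0
 ip nat inside
 zone-member security in-zone
!
interface Virtual-Template2
 ip unnumbered GigabitEthernet0/0
 zone-member security sslvpn-zone
!
interface Serial0/0/0
 no ip address
 shutdown
!
"""


def parse_config(text):
    """Return (zones, zone_pairs, interfaces) from IOS running-config text.

    zone_pairs is a list of (pair_name, source_zone, destination_zone);
    interfaces maps name -> {"zone", "has_ip", "shutdown", "nat"}.
    """
    zones = set()
    zone_pairs = []
    interfaces = {}
    current = None  # interface whose indented sub-lines we are reading
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Any top-level line ends the current interface stanza.
            current = None
            m = re.match(r"zone security (\S+)$", line)
            if m:
                zones.add(m.group(1))
                continue
            m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line)
            if m:
                zone_pairs.append(m.groups())
                continue
            m = re.match(r"interface (\S+)", line)
            if m:
                current = m.group(1)
                interfaces[current] = {"zone": None, "has_ip": False,
                                       "shutdown": False, "nat": None}
            continue
        if current is None:
            continue
        sub = line.strip()
        iface = interfaces[current]
        if sub.startswith("zone-member security "):
            iface["zone"] = sub.split()[-1]
        elif sub.startswith("ip address ") or sub.startswith("ip unnumbered "):
            iface["has_ip"] = True  # "no ip address" does not match here
        elif sub == "shutdown":
            iface["shutdown"] = True
        elif sub.startswith("ip nat "):
            iface["nat"] = sub.split()[-1]  # inside / outside
    return zones, zone_pairs, interfaces


def audit(text):
    """Return a list of human-readable findings for the given config text."""
    zones, pairs, ifaces = parse_config(text)
    findings = []
    members = defaultdict(list)
    for name, i in ifaces.items():
        if i["zone"]:
            members[i["zone"]].append(name)

    # 1) An up interface with an address but no zone: packets between it and
    #    any zoned interface are dropped by ZBF regardless of policy.
    for name, i in ifaces.items():
        if i["has_ip"] and not i["shutdown"] and i["zone"] is None:
            nat = f" (ip nat {i['nat']})" if i["nat"] else ""
            findings.append(f"{name}{nat}: has an IP address but no "
                            f"'zone-member security'; traffic to or from "
                            f"zoned interfaces will be dropped")

    # 2) A zone named in a zone-pair that no interface has joined.
    referenced = sorted({z for _, s, d in pairs for z in (s, d) if z != "self"})
    for z in referenced:
        if not members.get(z):
            findings.append(f"zone {z}: referenced by a zone-pair but has "
                            f"no member interfaces")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Running it against the excerpt reports GigabitEthernet0/0 (the `ip nat outside` interface) as unzoned and `out-zone` as having no members; GigabitEthernet0/1, the zoned Virtual-Template2 and the shut-down Serial0/0/0 produce no findings. The same parser can be pointed at a full `show running-config` capture, since it ignores every stanza it does not recognise.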
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 40350634
And I can ping 8.8.8.8 sourced from GigabitEthernet0/1 successfully from the router, but not from behind it...
0
 
LVL 1

Author Comment

by:ClearBlueTechnologies
ID: 41025129
Ended up swapping out the Cisco device for a Sonicwall.
0
