ktylman asked:

VLAN 2 won't route to Internet with Cisco 891

For some reason VLAN 2 won't route to the Internet. I have used this configuration many times without a problem. What is even stranger is that when I do a ping on the router to 8.8.8.8 with 192.168.70.1 as the source address, it works. But when I plug into VLAN 2 I get an IP address but can't get to the Internet. VLAN 1 works all the time. I am stumped.



boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 4096000

!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2187075706
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2187075706
 revocation-check none
 rsakeypair TP-self-signed-2187075706
!
!
crypto pki certificate chain TP-self-signed-2187075706
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
!
!
!
!
 
 
!
ip dhcp excluded-address 192.168.70.1
!
!
ip dhcp pool wirelesspool2
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1
 dns-server 75.75.75.75 75.75.76.76
 lease 0 1
!
!
!
ip flow-cache timeout active 1
no ip domain lookup
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FTX1908806S
!

!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 description Internet Access
 ip address xx.xx.153.186 255.255.255.248
 ip access-group inboundfilters in
 ip access-group outboundfilters out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 switchport mode trunk
 no ip address
!
interface GigabitEthernet8
 description Connection to COLO
 ip address 192.168.1.159 255.255.255.0
 duplex full
 speed 100
!
interface Vlan1
 description Connection to LAN
 ip address 10.xx.xx.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 description Connection to Public_Wireless
 ip address 192.168.70.1 255.255.255.0
 ip access-group protect_corp_in in
 ip access-group protect_corp_out out
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
!
router eigrp 100
 network 10.0.0.0
 network 192.168.0.0 0.0.255.255
 redistribute static
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-export source Vlan1
ip flow-export version 5
ip flow-export destination 10.xx.xx.17 9996
!
ip nat pool main-nat-pool xx.xx.153.187 xx.xx.153.187 netmask 255.255.255.248
ip nat inside source list 101 pool main-nat-pool overload
ip route 0.0.0.0 0.0.0.0 xx.xx.153.185
!
ip access-list extended inboundfilters
 evaluate iptraffic
 permit tcp host xx.xx.xx.32 host xx.xx.153.186 eq telnet
 deny   ip any host xx.xx.153.186
 permit ip 10.xx.xx.0 0.0.0.255 10.xx.xx.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
ip access-list extended outboundfilters
 permit ip any any reflect iptraffic timeout 300
ip access-list extended protect_corp_in
 evaluate corptraffic
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.0.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
ip access-list extended protect_corp_out
 permit ip any any reflect corptraffic timeout 300
!
!
snmp-server community
snmp-server enable traps tty
access-list 101 deny   ip 10.xx.xx.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny   ip 10.xx.xx.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 deny   ip 10.xx.xx.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 login local
 no modem enable
line aux 0
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Last comment: asavener, 8/22/2022 (Mon)
Jody Lemoine

If you're able to ping using VLAN 2's source address, I'm thinking that something is wonky with those reflexive ACLs. They look fine at first glance, but I would remove them from the interface for a few moments as a test to see if you get anywhere. At the very least, that will help narrow it all down.
Don Johnston

Please use the "code" feature when posting configs or large output. It makes it easier to read.

interface Vlan2
 ip address 192.168.70.1 255.255.255.0
 ip access-group protect_corp_in in
 ip access-group protect_corp_out out

ip access-list extended protect_corp_in
 evaluate corptraffic
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.0.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any



Your inbound "protect_corp_in" ACL is denying traffic coming from the VLAN2 network if the source address is 10.0.0.0, 172.16.0.0 or 192.168.0.0. Since the traffic coming from VLAN2 is always going to be coming from 192.168.70.0, it will be denied.

What is even stranger is that when I do a ping on the router to 8.8.8.8 with 192.168.70.1 as a source address it works.
Routers are for the most part immune to their own ACLs when it comes to outbound traffic.
Jody Lemoine

@donjohnston: I thought that might be the case too, but the inbound ACL is only denying private destination addresses and is allowing any source address.
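To make the ACL semantics this exchange turns on concrete, here is an added Python simulator; it is not Cisco code and not from the original post. It reproduces the protect_corp_in entries and the inboundfilters/outboundfilters reflexive pair from the question as a first-match evaluator with an implicit deny, with the redacted xx.xx.153.x octets, the xx.xx.xx.32 host and the 10.xx.xx.0 network replaced by constructed stand-ins (203.0.113.x, 198.51.100.32, 10.1.1.0) and reflexive-entry timeouts ignored. It shows Jody's point: a wireless client at a constructed 192.168.70.50 reaching 8.8.8.8 is permitted and only private destinations are dropped. It also shows that the "172.16.0.0 0.0.255.255" entry covers only 172.16.0.0/16, so a 172.20.0.0/16 destination passes, whereas access-list 101 in the same config uses 0.15.255.255 for the whole 172.16.0.0/12. The second function walks an outbound session through the reflect/evaluate pair Jody suspected, so the mirrored entry admitting the reply and the implicit deny dropping an unsolicited packet can be seen step by step.

```python
"""First-match simulator for the IOS extended ACLs posted in this thread.

Added example, not Cisco code and not from the original post. Redacted octets are
replaced by constructed stand-ins (203.0.113.x for xx.xx.153.x, 198.51.100.32 for
xx.xx.xx.32, 10.1.1.0 for 10.xx.xx.0); reflexive-entry timeouts are ignored.
"""
from collections import defaultdict, namedtuple
import ipaddress

Packet = namedtuple("Packet", "proto src sport dst dport")
PORT_NAMES = {"telnet": 23, "www": 80}  # only the names this example needs


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (value, care_mask, next_index).
    A wildcard bit of 1 means 'don't care', so care_mask is the inverted wildcard."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0xFFFFFFFF, i + 2
    care = 0xFFFFFFFF ^ _ip(tokens[i + 1])
    return _ip(tokens[i]) & care, care, i + 2


def _parse_port(tokens, i):
    """Optional 'eq PORT' after an address; returns (port_or_None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES.get(name)), i + 2
    return None, i


def evaluate_acl(acl, pkt, reflex):
    """Walk the ACL top-down as IOS does: the first matching entry decides and an
    unmatched packet hits the implicit deny. 'reflect NAME' on a matching permit
    records the mirrored session in reflex[NAME]; 'evaluate NAME' permits a packet
    whose session is already in that table."""
    for line in acl:
        tok = line.split()
        if tok[0] == "evaluate":
            if pkt in reflex[tok[1]]:
                return "permit"
            continue
        action, proto = tok[0], tok[1]
        src, smask, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, dmask, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        if proto != "ip" and proto != pkt.proto:
            continue
        if (_ip(pkt.src) & smask) != src or (_ip(pkt.dst) & dmask) != dst:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if action == "permit" and "reflect" in tok:
            name = tok[tok.index("reflect") + 1]
            # the temporary entry is the session with source and destination swapped
            reflex[name].add(Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return action
    return "deny"  # implicit deny at the end of every IOS ACL


# ACL text from the question, with the stand-in addresses described above.
PROTECT_CORP_IN = [
    "evaluate corptraffic",
    "deny ip any 10.0.0.0 0.255.255.255",
    "deny ip any 172.16.0.0 0.0.255.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "permit ip any any",
]
OUTBOUNDFILTERS = ["permit ip any any reflect iptraffic timeout 300"]
INBOUNDFILTERS = [
    "evaluate iptraffic",
    "permit tcp host 198.51.100.32 host 203.0.113.186 eq telnet",
    "deny ip any host 203.0.113.186",
    "permit ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255",
]


def vlan2_ingress_results():
    """protect_corp_in denies by destination, so a wireless client (constructed
    192.168.70.50) reaching the Internet is permitted; only private targets are
    dropped, and 0.0.255.255 on 172.16.0.0 leaves 172.17.0.0-172.31.255.255 unmatched."""
    reflex = defaultdict(set)
    client = "192.168.70.50"
    return {
        "to_internet": evaluate_acl(PROTECT_CORP_IN, Packet("udp", client, 40000, "8.8.8.8", 53), reflex),
        "to_corp_10": evaluate_acl(PROTECT_CORP_IN, Packet("tcp", client, 40001, "10.1.1.17", 445), reflex),
        "to_172_20": evaluate_acl(PROTECT_CORP_IN, Packet("tcp", client, 40002, "172.20.1.1", 445), reflex),
    }


def reflexive_results():
    """The iptraffic pair on FastEthernet0: the outbound session (seen post-NAT from the
    pool address) opens a mirrored entry, so its reply is permitted inbound while an
    unsolicited packet to the same NAT address falls through to the implicit deny."""
    reflex = defaultdict(set)
    nat_addr, server = "203.0.113.187", "198.51.100.9"  # constructed stand-ins
    out = evaluate_acl(OUTBOUNDFILTERS, Packet("tcp", nat_addr, 51000, server, 443), reflex)
    reply = evaluate_acl(INBOUNDFILTERS, Packet("tcp", server, 443, nat_addr, 51000), reflex)
    unsolicited = evaluate_acl(INBOUNDFILTERS, Packet("tcp", server, 443, nat_addr, 51001), reflex)
    return {"outbound": out, "reply": reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    print(vlan2_ingress_results())
    print(reflexive_results())
```

Run it directly to print both result sets. The simulator deliberately keeps IOS's ordering rule (first match wins, implicit deny last) and nothing else, which is enough to check what each entry in a posted ACL actually matches before pulling it off an interface to test.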
Don Johnston

crap... Missed the "any" at the beginning. :-(
ASKER CERTIFIED SOLUTION
Don Johnston

asavener

I would recommend implementing context-based access control (CBAC) or zone-based firewall rather than reflexive access lists.  Reflexive access lists aren't very smart.  CBAC will not only allow traffic back in, it will also inspect the traffic to ensure it conforms to the protocol.  (So stateful inspection plus packet inspection)

For a simple CBAC implementation:

ip inspect name CBAC_Inspect http
ip inspect name CBAC_Inspect smtp
ip inspect name CBAC_Inspect ftp
ip inspect name CBAC_Inspect tcp
ip inspect name CBAC_Inspect udp


interface FastEthernet0
 no ip access-group outboundfilters out
 ip inspect CBAC_Inspect out

interface Vlan2
 no ip access-group protect_corp_out out