asked on
VLAN 2 won't route to Internet with Cisco 891
For some reason VLAN 2 won't route to the internet . I have used this configuration many times without a problem. What is even stranger is that when I do a ping on the router to 8.8.8.8 with 192.168.70.1 as a source address it works. But when I plug into VLAN 2 I get an IP address but can't get to the Internet. VLAN 1 works all the time. I am stumped.
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 4096000
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2187075706
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-2187075706
!
!
crypto pki certificate chain TP-self-signed-2187075706
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
!
!
!
!
!
ip dhcp excluded-address 192.168.70.1
!
!
ip dhcp pool wirelesspool2
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 75.75.75.75 75.75.76.76
lease 0 1
!
!
!
ip flow-cache timeout active 1
no ip domain lookup
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FTX1908806S
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
description Internet Access
ip address xx.xx.153.186 255.255.255.248
ip access-group inboundfilters in
ip access-group outboundfilters out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
switchport access vlan 2
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
switchport mode trunk
no ip address
!
interface GigabitEthernet8
description Connection to COLO
ip address 192.168.1.159 255.255.255.0
duplex full
speed 100
!
interface Vlan1
description Connection to LAN
ip address 10.xx.xx.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
description Connection to Public_Wireless
ip address 192.168.70.1 255.255.255.0
ip access-group protect_corp_in in
ip access-group protect_corp_out out
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
!
router eigrp 100
network 10.0.0.0
network 192.168.0.0 0.0.255.255
redistribute static
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-export source Vlan1
ip flow-export version 5
ip flow-export destination 10.xx.xx.17 9996
!
ip nat pool main-nat-pool xx.xx.153.187 xx.xx.153.187 netmask 255.255.255.248
ip nat inside source list 101 pool main-nat-pool overload
ip route 0.0.0.0 0.0.0.0 xx.xx.153.185
!
ip access-list extended inboundfilters
evaluate iptraffic
permit tcp host xx.xx.xx.32 host xx.xx.153.186 eq telnet
deny ip any host xx.xx.153.186
permit ip 10.xx.xx.0 0.0.0.255 10.xx.xx.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
ip access-list extended outboundfilters
permit ip any any reflect iptraffic timeout 300
ip access-list extended protect_corp_in
evaluate corptraffic
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended protect_corp_out
permit ip any any reflect corptraffic timeout 300
!
!
snmp-server community
snmp-server enable traps tty
access-list 101 deny ip 10.xx.xx.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 10.xx.xx.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 deny ip 10.xx.xx.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
login local
no modem enable
line aux 0
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 4096000
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2187075706
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-2187075706
!
!
crypto pki certificate chain TP-self-signed-2187075706
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
!
!
!
!
!
ip dhcp excluded-address 192.168.70.1
!
!
ip dhcp pool wirelesspool2
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 75.75.75.75 75.75.76.76
lease 0 1
!
!
!
ip flow-cache timeout active 1
no ip domain lookup
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FTX1908806S
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
description Internet Access
ip address xx.xx.153.186 255.255.255.248
ip access-group inboundfilters in
ip access-group outboundfilters out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
switchport access vlan 2
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
switchport mode trunk
no ip address
!
interface GigabitEthernet8
description Connection to COLO
ip address 192.168.1.159 255.255.255.0
duplex full
speed 100
!
interface Vlan1
description Connection to LAN
ip address 10.xx.xx.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
description Connection to Public_Wireless
ip address 192.168.70.1 255.255.255.0
ip access-group protect_corp_in in
ip access-group protect_corp_out out
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
!
router eigrp 100
network 10.0.0.0
network 192.168.0.0 0.0.255.255
redistribute static
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-export source Vlan1
ip flow-export version 5
ip flow-export destination 10.xx.xx.17 9996
!
ip nat pool main-nat-pool xx.xx.153.187 xx.xx.153.187 netmask 255.255.255.248
ip nat inside source list 101 pool main-nat-pool overload
ip route 0.0.0.0 0.0.0.0 xx.xx.153.185
!
ip access-list extended inboundfilters
evaluate iptraffic
permit tcp host xx.xx.xx.32 host xx.xx.153.186 eq telnet
deny ip any host xx.xx.153.186
permit ip 10.xx.xx.0 0.0.0.255 10.xx.xx.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
ip access-list extended outboundfilters
permit ip any any reflect iptraffic timeout 300
ip access-list extended protect_corp_in
evaluate corptraffic
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended protect_corp_out
permit ip any any reflect corptraffic timeout 300
!
!
snmp-server community
snmp-server enable traps tty
access-list 101 deny ip 10.xx.xx.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 10.xx.xx.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 deny ip 10.xx.xx.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
login local
no modem enable
line aux 0
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
RoutersNetworkingNetworking Protocols
Last Comment
asavener
If you're able to ping using VLAN 2's source address, I'm thinking that something is wonky with those reflexive ACLs. They look fine at first glance, but I would remove them from the interface for a few moments as a test to see if you get anywhere. At the very least, that will help narrow it all down.
Please use the "code" feature when posting configs or large output. It makes it easier to read.
Your inbound "protect_corp_in" ACL is denying traffic coming from the VLAN2 network if the source address is 10.0.0.0, 172.16.0.0 or 192.168.0.0. Since the traffic coming from VLAN2 is always going to be coming from 192.168.70.0, it will be denied.
interface Vlan2
ip address 192.168.70.1 255.255.255.0
ip access-group protect_corp_in in
ip access-group protect_corp_out out
ip access-list extended protect_corp_in
evaluate corptraffic
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
Your inbound "protect_corp_in" ACL is denying traffic coming from the VLAN2 network if the source address is 10.0.0.0, 172.16.0.0 or 192.168.0.0. Since the traffic coming from VLAN2 is always going to be coming from 192.168.70.0, it will be denied.
What is even stranger is that when I do a ping on the router to 8.8.8.8 with 192.168.70.1 as a source address it works.Routers are for the most part immune to their own ACLs when it comes to outbound traffic.
@donjohnston: I thought that might be the case too, but the inbound ACL is only denying private destination addresses and is allowing any source address.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
crap... Missed the "any" at the beginning. :-(
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
I would recommend implementing context-based access control (CBAC) or zone-based firewall rather than reflexive access lists. Reflexive access lists aren't very smart. CBAC will not only allow traffic back in, it will also inspect the traffic to ensure it conforms to the protocol. (So stateful inspection plus packet inspection)
For a simple CBAC implementation:
ip inspect name CBAC_Inspect http
ip inspect name CBAC_Inspect smtp
ip inspect name CBAC_Inspect ftp
ip inspect name CBAC_Inspect tcp
ip inspect name CBAC_Inspect udp
interface FastEthernet0
no ip access-group outboundfilters out
ip inspect CBAC_Inspect out
interface Vlan2
no ip access-group protect_corp_out out
For a simple CBAC implementation:
ip inspect name CBAC_Inspect http
ip inspect name CBAC_Inspect smtp
ip inspect name CBAC_Inspect ftp
ip inspect name CBAC_Inspect tcp
ip inspect name CBAC_Inspect udp
interface FastEthernet0
no ip access-group outboundfilters out
ip inspect CBAC_Inspect out
interface Vlan2
no ip access-group protect_corp_out out