VLAN 2 won't route to Internet with Cisco 891

For some reason VLAN 2 won't route to the Internet. I have used this configuration many times without a problem. What is even stranger is that when I do a ping on the router to 8.8.8.8 with 192.168.70.1 as a source address it works. But when I plug into VLAN 2 I get an IP address but can't get to the Internet. VLAN 1 works all the time. I am stumped.



boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 4096000

!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2187075706
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2187075706
 revocation-check none
 rsakeypair TP-self-signed-2187075706
!
!
crypto pki certificate chain TP-self-signed-2187075706
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
!
!
!
!
 
 
!
ip dhcp excluded-address 192.168.70.1
!
!
ip dhcp pool wirelesspool2
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1
 dns-server 75.75.75.75 75.75.76.76
 lease 0 1
!
!
!
ip flow-cache timeout active 1
no ip domain lookup
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FTX1908806S
!

!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 description Internet Access
 ip address xx.xx.153.186 255.255.255.248
 ip access-group inboundfilters in
 ip access-group outboundfilters out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 switchport mode trunk
 no ip address
!
interface GigabitEthernet8
 description Connection to COLO
 ip address 192.168.1.159 255.255.255.0
 duplex full
 speed 100
!
interface Vlan1
 description Connection to LAN
 ip address 10.xx.xx.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 description Connection to Public_Wireless
 ip address 192.168.70.1 255.255.255.0
 ip access-group protect_corp_in in
 ip access-group protect_corp_out out
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
!
router eigrp 100
 network 10.0.0.0
 network 192.168.0.0 0.0.255.255
 redistribute static
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-export source Vlan1
ip flow-export version 5
ip flow-export destination 10.xx.xx.17 9996
!
ip nat pool main-nat-pool xx.xx.153.187 xx.xx.153.187 netmask 255.255.255.248
ip nat inside source list 101 pool main-nat-pool overload
ip route 0.0.0.0 0.0.0.0 xx.xx.153.185
!
ip access-list extended inboundfilters
 evaluate iptraffic
 permit tcp host xx.xx.xx.32 host xx.xx.153.186 eq telnet
 deny   ip any host xx.xx.153.186
 permit ip 10.xx.xx.0 0.0.0.255 10.xx.xx.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
ip access-list extended outboundfilters
 permit ip any any reflect iptraffic timeout 300
ip access-list extended protect_corp_in
 evaluate corptraffic
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.0.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
ip access-list extended protect_corp_out
 permit ip any any reflect corptraffic timeout 300
!
!
snmp-server community
snmp-server enable traps tty
access-list 101 deny   ip 10.xx.xx.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny   ip 10.xx.xx.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 deny   ip 10.xx.xx.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 login local
 no modem enable
line aux 0
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Asked by ktylman
Jody Lemoine (Network Architect) commented:
If you're able to ping using VLAN 2's source address, I'm thinking that something is wonky with those reflexive ACLs. They look fine at first glance, but I would remove them from the interface for a few moments as a test to see if you get anywhere. At the very least, that will help narrow it all down.
0
Don Johnston (Instructor) commented:
Please use the "code" feature when posting configs or large output. It makes it easier to read.

interface Vlan2
 ip address 192.168.70.1 255.255.255.0
 ip access-group protect_corp_in in
 ip access-group protect_corp_out out

ip access-list extended protect_corp_in
 evaluate corptraffic
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.0.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any



Your inbound "protect_corp_in" ACL is denying traffic coming from the VLAN2 network if the source address is 10.0.0.0, 172.16.0.0 or 192.168.0.0. Since the traffic coming from VLAN2 is always going to be coming from 192.168.70.0, it will be denied.

What is even stranger is that when I do a ping on the router to 8.8.8.8 with 192.168.70.1 as a source address it works.
Routers are for the most part immune to their own ACLs when it comes to outbound traffic.
0
Jody Lemoine (Network Architect) commented:
@donjohnston: I thought that might be the case too, but the inbound ACL is only denying private destination addresses and is allowing any source address.
0
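To settle the reading of protect_corp_in, here is a small added model of the reflexive ACL logic the thread is discussing (hypothetical Python, not from the thread or from Cisco): it walks a constructed wireless client's packet and its reply through the posted protect_corp_in/protect_corp_out pair and the reflect/evaluate pair on FastEthernet0. NAT, routing, ports and protocol are deliberately left out; the redacted router addresses are not needed for the Vlan2 question.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # "any" in IOS ACL syntax

def match(addr, net_wild):
    """Cisco wildcard match: a 1 bit in the wildcard means don't-care."""
    net, wild = net_wild
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)

# Per-name reflexive session tables (src/dst only; real IOS also keys on
# protocol and ports).
reflexive = {"corptraffic": set(), "iptraffic": set()}

def acl_pass(rules, src, dst):
    """Evaluate an ACL top-down for one packet, implicit deny at the end.
    ('evaluate', name) permits a packet that mirrors a tracked flow."""
    for rule in rules:
        if rule[0] == "evaluate":
            if (dst, src) in reflexive[rule[1]]:
                return True
            continue                              # no hit: keep going, like IOS
        action, s, d = rule[:3]
        if match(src, s) and match(dst, d):
            if len(rule) == 4:                    # trailing 'reflect <name>'
                reflexive[rule[3]].add((src, dst))
            return action == "permit"
    return False

# The ACLs as posted for Vlan2; the Fa0 ACLs trimmed to their reflexive parts.
protect_corp_in = [("evaluate", "corptraffic"),
                   ("deny", ANY, ("10.0.0.0", "0.255.255.255")),
                   ("deny", ANY, ("172.16.0.0", "0.0.255.255")),
                   ("deny", ANY, ("192.168.0.0", "0.0.255.255")),
                   ("permit", ANY, ANY)]
protect_corp_out = [("permit", ANY, ANY, "corptraffic")]
outboundfilters = [("permit", ANY, ANY, "iptraffic")]
inboundfilters = [("evaluate", "iptraffic")]

def round_trip(client, server):
    """Walk one client->server packet and its reply through the four ACL
    checks a wireless client's flow passes (constructed addresses)."""
    if not acl_pass(protect_corp_in, client, server):
        return "denied: protect_corp_in (Vlan2 in)"
    if not acl_pass(outboundfilters, client, server):
        return "denied: outboundfilters (Fa0 out)"
    if not acl_pass(inboundfilters, server, client):
        return "denied: inboundfilters (Fa0 in, reply)"
    if not acl_pass(protect_corp_out, server, client):
        return "denied: protect_corp_out (Vlan2 out, reply)"
    return "permitted"
```

With a client at 192.168.70.50 the flow to 8.8.8.8 is permitted at every hop of the model and a flow to 10.20.30.40 is stopped by the first deny line, which is Jody's point: the source is never checked, only private destinations are blocked.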
Don Johnston (Instructor) commented:
crap... Missed the "any" at the beginning. :-(
0
Don Johnston (Instructor) commented:
I'd have to agree with Jody. Been a while since I played with reflexive ACLs but I don't recall putting them on inside interfaces.

I would try removing the "ip access-group protect_corp_out out" from the VLAN2 interface and see what happens.

If it still doesn't work, remove the "evaluate corptraffic" statement from the "protect_corp_in" ACL.

But that's just a SWAG.  I can't see anything else.
0
asavener commented:
I would recommend implementing context-based access control (CBAC) or zone-based firewall rather than reflexive access lists.  Reflexive access lists aren't very smart.  CBAC will not only allow traffic back in, it will also inspect the traffic to ensure it conforms to the protocol.  (So stateful inspection plus packet inspection)

For a simple CBAC implementation:

ip inspect name CBAC_Inspect http
ip inspect name CBAC_Inspect smtp
ip inspect name CBAC_Inspect ftp
ip inspect name CBAC_Inspect tcp
ip inspect name CBAC_Inspect udp


interface FastEthernet0
 no ip access-group outboundfilters out
 ip inspect CBAC_Inspect out

interface Vlan2
 no ip access-group protect_corp_out out
1