05-07-2012 10:02 AM - edited 03-11-2019 04:03 PM
Hello all,
I recently configured my 881W for dual SSID, and NATing to separate the VLAN traffic. Afterwards, I used Cisco Configuration Professional to configure the firewall for medium security, and then I tested it by connecting it to my U-Verse residential gateway in DMZplus mode. I was able to get a DHCP address from my IP to the 881W, but I can't resolve DNS, or get to any outside internet sites. Based on my configuration below, does anyone have any insight into what could be wrong?
R1-881W#show run
Building configuration...
Current configuration : 14484 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1-881W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1234567890
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234567890
revocation-check none
rsakeypair TP-self-signed-1392450818
!
!
crypto pki certificate chain TP-self-signed-1234567890
certificate self-signed 01
<some cert>
quit
no ip source-route
!
!
ip dhcp excluded-address 172.16.1.1 172.16.1.200
ip dhcp excluded-address 192.168.12.200 192.168.12.254
!
ip dhcp pool Private
import all
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
dns-server 172.16.1.1 255.255.255.0
!
ip dhcp pool Guest
network 192.168.12.0 255.255.255.0
default-router 192.168.12.1
dns-server 192.168.12.1 255.255.255.0
!
!
ip cef
no ip bootp server
ip domain name somedomain.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip name-server 8.8.8.8
login block-for 120 attempts 5 within 60
login delay 3
!
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
!
!
username someuser privilege 15 secret 5 xxxxxxxxxxxxxx
!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh version 2
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
switchport access vlan 11
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 11
!
interface FastEthernet3
!
interface FastEthernet4
description ISP Connection$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
shutdown
duplex auto
speed auto
no cdp enable
!
interface wlan-ap0
description Service module to manage the enbedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan11
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan12
description Guest Vlan$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list 100 interface FastEthernet4 overload
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
!
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
!
!
!
!
!
control-plane
!
banner login ^CWarning! Authorized Access Only!^C
!
line con 0
password 7 xxxxxxxxxxxxxx
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 xxxxxxxxxxxxxx
transport input telnet ssh
transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
05-10-2012 11:19 AM
There is a line missing in the policy map:
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
class type inspect GUEST-TO-OUTSIDE_CMAP
inspect
Copy-paste that.
Are you still using static dns-server on the clients btw?
05-07-2012 10:11 AM
Hi!
Is it the router or the client connected to the router that can't resolve domain names?
If it's the client and you manually set the DNS server to 8.8.8.8 (or something simple), can you resolve domain names then?
05-07-2012 04:47 PM
It looks like I cannot resolve any hostnames from the router's CLI, but it appears when I specify a DNS server on the host connected to the router, I can resolve and get out to the net...
Shouldn't the router be handling DNS resolution according to my configuration?
05-07-2012 11:31 PM
I haven't configured the router as a DNS on a router connected to the internet, so I don't really know. Maybe someone else knows...
05-08-2012 10:13 AM
Henrik,
Thank you for your help. I have one more issue. My latest problem is that I can't ping, or get out from the WLAN SSID attached to vlan12 (network 192.168.12.0 255.255.255.0). I can associate, and get an IP address just fine on the AP, but I can't ping, or go to any websites (yes, dns servers are specified on the host). Am I missing something in the firewall rules, or NAT?
05-08-2012 11:05 AM
Looks like I was able to get connectivity by adding the following:
access-list 99 permit 192.168.12.0 0.0.0.255
ip nat inside source list 99 interface FastEthernet4 overload
05-08-2012 11:44 AM
Ok, after some more testing it looks like that vlan 12 can reach destinations on vlan 1. I want vlan 12 (network 192.168.12.0 255.255.255.0) to only have access to the internet WAN (FastEthernet4) interface. Any ideas how to do this? I thought about adding a deny statement, but then processing would stop there...
05-08-2012 12:58 PM
Yes, it's really simple with the zone-based firewall.
You will need to put vlan12 in its own zone and then create a policy for that zone-pair.
I created the configuration you need here. Vlan12 will be able to reach the internet, but it can't communicate with any other vlan.
zone security GUEST-ZONE
ip access-list extended GUEST-TO-OUTSIDE_ACL
permit ip 192.168.12.0 0.0.0.255 any
class-map type inspect GUEST-TO-OUTSIDE_CMAP
match access-group name GUEST-TO-OUTSIDE_ACL
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
class type inspect GUEST-TO-OUTSIDE_CMAP
inspect
zone-pair security GUEST-TO-OUTSIDE source GUEST-ZONE dest out-zone
service-policy type inspect GUEST-TO-OUTSIDE_PMAP
interface vlan 12
zone member GUEST-ZONE
** I haven't verified that all commands are correct, I just wrote it right here.
If this works, I can help you (if you want) with a policy for the guest-zone for reaching the router itself, so they can't telnet/ssh to the router etc.
05-08-2012 02:20 PM
Henrik,
I tried what you asked, and I get no connectivity on vlan 12 to the internet. Here is my latest config with changes in BOLD:
R1-881W#show run
Building configuration...
Current configuration : 9055 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1-881W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1234567890
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234567890
revocation-check none
rsakeypair TP-self-signed-1234567890
!
!
crypto pki certificate chain TP-self-signed-1234567890
certificate self-signed 01
quit
no ip source-route
!
!
ip dhcp excluded-address 172.16.1.1 172.16.1.200
ip dhcp excluded-address 192.168.12.200 192.168.12.254
!
ip dhcp pool Private
import all
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
dns-server 172.16.1.1 255.255.255.0
!
ip dhcp pool Guest
network 192.168.12.0 255.255.255.0
default-router 192.168.12.1
dns-server 192.168.12.1 255.255.255.0
!
!
ip cef
no ip bootp server
ip domain name lab.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip name-server 8.8.8.8
login block-for 120 attempts 5 within 60
login delay 3
!
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
!
!
username someuser privilege 15 secret 5 xxxxxxxxxxxxxxx
!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh version 2
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP
match access-group name GUEST-TO-OUTSIDE_ACL
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
class type inspect GUEST-TO-OUTSIDE_CMAP
inspect
class class-default
drop
!
zone security out-zone
zone security in-zone
zone security guest-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
service-policy type inspect GUEST-TO-OUTSIDE_PMAP
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description ISP Connection$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
no cdp enable
!
interface wlan-ap0
description Service module to manage the enbedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan11
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan12
description Guest Vlan$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security guest-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list 100 interface FastEthernet4 overload
!
ip access-list extended GUEST-TO-OUTSIDE_ACL
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
!
logging trap debugging
access-list 99 remark CCP_ACL Category=16
access-list 99 permit 192.168.12.0 0.0.0.255
access-list 100 remark CCP_ACL Category=130
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
!
!
!
!
!
control-plane
!
banner login ^CWarning! Authorized Access Only!^C
!
line con 0
password 7 xxxxxxxxxxxxxxx
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 xxxxxxxxxxxxxxx
transport input telnet ssh
transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
05-09-2012 02:14 AM
Can't find anything wrong with the firewall, but I think it's the NAT - again(?). You said earlier that you added the 192.168.12.0 network to the allowed NATing list, but in this config it is still just the 172.16.1.0 network.
I would suggest removing the old access-lists and making a new one:
no ip nat inside source list 100 interface FastEthernet4 overload
no access-list 99 remark CCP_ACL Category=16
no access-list 99 permit 192.168.12.0 0.0.0.255
no access-list 100 remark CCP_ACL Category=130
no access-list 100 permit ip host 255.255.255.255 any
no access-list 100 permit ip 127.0.0.0 0.255.255.255 any
no access-list 100 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list NAT interface FastEthernet4 overload
ip access-list extended NAT
remark These networks are allowed to be NAT:ed
permit ip 172.16.1.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
05-09-2012 07:24 AM
Henrik,
You are right, I forgot to add the line allowing the access list GUEST-TO-OUTSIDE_ACL to NAT, so I just added the following, and everything now seems to work (and not allowing vlan 12 access to vlan1, just like I wanted):
ip nat inside source list GUEST-TO-OUTSIDE_ACL interface FastEthernet4 overload
One thing I did notice is that I can ping the vlan 1 gateway (172.16.1.1) from the wlan vlan 12 (192.168.12.0/24) host, but can't get to or ping anything else in the vlan 1 network (172.16.1.0/24) from the vlan 12 host.
As far as the advice you just gave about scrapping the old access lists, and creating a combined new one, is that just to clean up the configuration?
05-09-2012 09:45 AM
Yes, the removal of the old access-list and adding the new one was just to clean up the config. But it's important to know that "GUEST-TO-OUTSIDE_ACL" has nothing to do with NAT in this configuration. You need an additional access-list that has both your local networks in it (just like the one I showed you).
About the pings. The zone-based firewall works by configuring zones, like the out-zone and guest-zone. But there is also a default zone, and that is the self zone, and that zone includes the router's own IP addresses. So when you ping 172.16.1.1 you are pinging the self zone.
If you want, I can help you configure a policy for the self zone so the guest-zone can't telnet to the router, but is still able to get an IP address through DHCP.
05-09-2012 01:28 PM
I went back and looked, and I understand now. Here is how it ended up:
ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload
!
ip access-list extended NAT_ALLOWED
remark These networks are allowed to NAT
permit ip 172.16.1.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
!
logging trap debugging
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
Also, I'm always game for help if you feel so inclined.
I should be going after my CCNA Security in a couple of months, and I feel this will really help in my understanding.
05-09-2012 01:48 PM
That config looks good.
This config will make the guest-zone only allowed to ping and get an IP-address of the router:
class-map type inspect match-any GUEST-TO-SELF_CMAP
match access-group name SDM_BOOTPC
match protocol icmp
policy-map type inspect GUEST-TO-SELF_PMAP
class type inspect GUEST-TO-SELF_CMAP
zone-pair security GUEST-TO-SELF source guest-zone dest self
service-policy type inspect GUEST-TO-SELF_PMAP
------------------------
I thought the CCNA Security was really great; it's hard to understand all the new config for CBAC, ZFW and then IPS at first, but with a little hands-on configuration the pieces fall together.
This YouTube video is really helpful for understanding:
http://www.youtube.com/watch?v=cTxyM_ZCceI
And this cisco-document contains everything you need to know about ZFW.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
05-09-2012 01:57 PM
Ok, so now I have no internet connection for vlan 12. Isn't it true that you can only have one access list per protocol, per direction? If this is the case, shouldn't I get rid of the following?:
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
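The two faults this thread worked through, the guest subnet left out of the NAT ACL and a policy-map class with no action line, are easy to catch before deploying. The following is an added example, not code from the thread or from Cisco: a small Python lint over a constructed config fragment modelled on the poster's show run (the sample config text, the function names and the assumption that an inspect class without an inspect/pass/drop line is a mistake are mine).

```python
import ipaddress

# Constructed sample modelled on the thread's config (not the poster's real show run):
# the guest VLAN is 'ip nat inside' but absent from NAT ACL 100, and the guest
# policy-map class carries no action line.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
interface Vlan12
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
interface FastEthernet4
 ip address dhcp
 ip nat outside
ip nat inside source list 100 interface FastEthernet4 overload
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
ip access-list extended GUEST-TO-OUTSIDE_ACL
 permit ip 192.168.12.0 0.0.0.255 any
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
 class type inspect GUEST-TO-OUTSIDE_CMAP
 class class-default
  drop
"""

ACTIONS = {"inspect", "pass", "drop"}


def acl_network(tokens):
    """Source part of 'permit ip <src> any' as an ip_network."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    # contiguous wildcard: 0.0.0.255 -> /24, 0.255.255.255 -> /8
    return ipaddress.ip_network((tokens[0], 32 - wildcard.bit_length()), strict=False)


def parse(config):
    """Collect interfaces, NAT ACL names, ACL entries and inspect policy-maps."""
    cfg = {"interfaces": {}, "nat_acls": [], "acls": {}, "pmaps": {}}
    cur_if = cur_acl = cur_pmap = cur_class = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if not raw.startswith(" "):  # a top-level statement resets the context
            cur_if = cur_acl = cur_pmap = cur_class = None
            if t[0] == "interface":
                cur_if = t[1]
                cfg["interfaces"][cur_if] = {"net": None, "nat_inside": False}
            elif t[:3] == ["ip", "access-list", "extended"]:
                cur_acl = t[3]
                cfg["acls"].setdefault(cur_acl, [])
            elif t[:3] == ["policy-map", "type", "inspect"]:
                cur_pmap = t[-1]
                cfg["pmaps"][cur_pmap] = {}
            elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
                cfg["nat_acls"].append(t[5])
            elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
                cfg["acls"].setdefault(t[1], []).append(acl_network(t[4:]))
        elif cur_if:
            iface = cfg["interfaces"][cur_if]
            if t[:2] == ["ip", "address"] and t[2] != "dhcp":
                iface["net"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
            elif t == ["ip", "nat", "inside"]:
                iface["nat_inside"] = True
        elif cur_acl and t[:2] == ["permit", "ip"]:
            cfg["acls"][cur_acl].append(acl_network(t[2:]))
        elif cur_pmap:
            if t[0] == "class":  # 'class type inspect X' or 'class class-default'
                cur_class = t[-1]
                cfg["pmaps"][cur_pmap][cur_class] = None
            elif cur_class and t[0] in ACTIONS:
                cfg["pmaps"][cur_pmap][cur_class] = t[0]
    return cfg


def uncovered_nat_interfaces(cfg):
    """'ip nat inside' interfaces whose subnet no active NAT ACL permits."""
    allowed = [n for acl in cfg["nat_acls"] for n in cfg["acls"].get(acl, [])]
    return sorted(name for name, i in cfg["interfaces"].items()
                  if i["nat_inside"] and i["net"] is not None
                  and not any(i["net"].subnet_of(n) for n in allowed))


def classes_without_action(cfg):
    """(policy-map, class) pairs lacking an inspect/pass/drop line."""
    return sorted((p, c) for p, cls in cfg["pmaps"].items()
                  for c, act in cls.items() if act is None)
```

Running parse(SAMPLE_CONFIG) through the two checks reports Vlan12 as NATed-inside but unpermitted and GUEST-TO-OUTSIDE_CMAP as an inspect class with no action, the same two findings Henrik made by reading the config; adding the NAT entry and the inspect line clears both.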