ZBF review and Issues on 871W

asucrews2010 (Level 1)

Hello, I am working with an 871W and I am trying to switch from ip inspect to zone-based firewall. Below are the class-maps, policy-maps, zone-pairs, zones, and ACLs. The issue I am having is that once I deploy the ZBF, I cannot get an IP via DHCP. Please review and suggest any improvements or fixes needed.

class-map type inspect match-any Egress-Filter
 match access-group name egress-filter
class-map type inspect match-any Guest_Protocols
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any Ingress-Filter
 match access-group name ingress-filter
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all DHCP-Allow
 match access-group name dhcp-allow

policy-map type inspect Self_to_Internet
 class type inspect Egress-Filter
  inspect
 class class-default
  drop log
policy-map type inspect Internet_to_Self
 class type inspect Ingress-Filter
  inspect
 class class-default
  drop log
policy-map type inspect Trusted_To_Self
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
 class class-default
  drop log
policy-map type inspect Guest_to_Internet
 class type inspect Guest_Protocols
  inspect
 class class-default
  drop log
policy-map type inspect Internet_to_Guest
 class type inspect Ingress-Filter
  inspect
 class class-default
  drop log
policy-map type inspect Trusted_to_Self
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
 class class-default
  drop log
policy-map type inspect Self_to_Trusted
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
 class class-default
  drop log
policy-map type inspect Trusted_to_Internet
 class type inspect All_Protocols
  inspect
 class class-default
  drop log
policy-map type inspect Internet_to_Trusted
 class type inspect Ingress-Filter
  inspect
 class class-default
  drop log
policy-map type inspect Guest_to_Self
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
 class class-default
  drop log
policy-map type inspect Self_to_Guest
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
 class class-default
  drop log

zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
 service-policy type inspect Guest_to_Internet
zone-pair security Internet->Trusted source Internet destination Trusted
 service-policy type inspect Internet_to_Trusted
zone-pair security Internet->Guest source Internet destination Guest
 service-policy type inspect Internet_to_Guest
zone-pair security Self->Internet source self destination Internet
 service-policy type inspect Self_to_Internet
zone-pair security Internet->Self source Internet destination self
 service-policy type inspect Internet_to_Self
zone-pair security Self->Trusted source self destination Trusted
 service-policy type inspect Self_to_Trusted
zone-pair security Trusted->Self source Trusted destination self
 service-policy type inspect Trusted_to_Self
zone-pair security Self->Guest source self destination Guest
 service-policy type inspect Self_to_Guest
zone-pair security Guest->Self source Guest destination self
 service-policy type inspect Guest_to_Self

zone security Trusted
zone security Guest
zone security Internet

ip access-list extended NAT
 deny   ip 192.168.16.0 0.0.0.63 192.168.16.64 0.0.0.15
 permit ip any any
ip access-list extended dhcp-allow
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any eq bootpc any
ip access-list extended egress-filter
 permit ip <REMOVED> 0.0.0.2 any
 remark ----- Junk Traffic -----
 deny   ip any host <REMOVED>
 deny   ip any host <REMOVED>
 deny   ip host <REMOVED> any
 deny   ip host <REMOVED> any
 remark ----- Bogons Filter -----
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.0.0 0.0.0.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 198.18.0.0 0.1.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip any any
ip access-list extended ingress-filter
 remark ----- Allow access from work
 permit ip <REMOVED> 0.0.0.127 any
 permit ip <REMOVED> 0.0.0.31 any
 permit ip <REMOVED> 0.0.0.255 any
 permit esp any host <REMOVED>
 permit gre any host <REMOVED>
 permit udp any host <REMOVED> eq isakmp
 remark ----- To get IP form COX -----
 permit udp any eq bootps any eq bootpc
 deny   icmp any any
 deny   udp any any eq echo
 deny   udp any eq echo any
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   ip any any fragments
 deny   ip any any option any-options
 deny   ip any any ttl lt 4
 deny   ip any host <REMOVED>
 deny   ip any host <REMOVED>
 deny   udp any any range 33400 34400
 remark ----- Bogons Filter -----
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.0.0 0.0.0.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 198.18.0.0 0.1.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark ----- Internal networks -----
 deny   ip <REMOVED> 0.0.0.3 any
 deny   ip any any
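The class order inside the policy-maps above deserves a second look, whatever else turns out to be wrong. IOS evaluates the classes of an inspect policy-map top-down and the first class that matches wins, so in Trusted_to_Self a DHCP packet (UDP) matches All_Protocols first and is handed to `inspect`; the DHCP-Allow class with `pass` below it can never be reached. The post also defines both Trusted_To_Self and Trusted_to_Self: IOS object names are case-sensitive, so these are two different policy-maps, and only the lower-case one is referenced by a zone-pair. The script below is an added example, not code from the post or from Cisco. It parses the ZBF stanzas of a config text and reports policy-maps that no zone-pair applies and classes that an earlier, broader class shadows. Its regexes cover only the stanza types that appear on this page, and SAMPLE is a condensed excerpt of the first post's config with the usual IOS indentation added.

```python
"""Added example (not code from the post or from Cisco): lint the ZBF part of an
IOS config.  Two IOS facts drive the checks: classes in an inspect policy-map
are evaluated top-down, first match wins; and object names are case-sensitive."""
import re

L3 = {"tcp", "udp", "icmp"}
# Transport behind the application-layer "match protocol" names used on this page.
L7_TRANSPORT = {"http": {"tcp"}, "https": {"tcp"}, "dns": {"udp", "tcp"},
                "bootpc": {"udp"}, "bootps": {"udp"}}
ACTIONS = {"inspect", "pass", "drop"}
TOP_LEVEL = re.compile(r"(interface|ip|line|router|crypto|bridge|zone|access-list)\b")


def parse_zbf(text):
    """Collect class-maps, policy-maps (classes in order), zone-pairs and named ACLs."""
    cfg = {"class_maps": {}, "policy_maps": {}, "zone_pairs": {}, "acls": {}}
    ctx = None  # (stanza kind, name) that the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"class-map type inspect (match-any|match-all) (\S+)$", line):
            cfg["class_maps"][m[2]] = {"mode": m[1], "protocols": [], "acls": []}
            ctx = ("class", m[2])
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            cfg["policy_maps"][m[1]] = []  # ordered [class, action] pairs
            ctx = ("policy", m[1])
        elif m := re.match(r"zone-pair security (\S+) source \S+ destination \S+$", line):
            cfg["zone_pairs"][m[1]] = None  # filled in by its service-policy line
            ctx = ("zpair", m[1])
        elif m := re.match(r"ip access-list (?:extended|standard) (\S+)$", line):
            cfg["acls"][m[1]] = []  # (protocol, rest of entry) of each permit
            ctx = ("acl", m[1])
        elif TOP_LEVEL.match(line) or ctx is None:
            ctx = None  # some other global stanza, not one we track
        elif ctx[0] == "class":
            if m := re.match(r"match protocol (\S+)", line):
                cfg["class_maps"][ctx[1]]["protocols"].append(m[1])
            elif m := re.match(r"match access-group name (\S+)", line):
                cfg["class_maps"][ctx[1]]["acls"].append(m[1])
        elif ctx[0] == "policy":
            classes = cfg["policy_maps"][ctx[1]]
            if m := re.match(r"class (?:type inspect )?(\S+)$", line):
                classes.append([m[1], None])
            elif classes and line.split()[0] in ACTIONS:
                classes[-1][1] = line.split()[0]
        elif ctx[0] == "zpair":
            if m := re.match(r"service-policy type inspect (\S+)", line):
                cfg["zone_pairs"][ctx[1]] = m[1]
        elif m := re.match(r"permit\s+(\S+)\s*(.*)$", line):  # ctx[0] == "acl"
            cfg["acls"][ctx[1]].append((m[1], m[2].strip()))
    return cfg


def _transports(cfg, cname, covering):
    """Transports a class-map matches.  covering=True: only what it swallows
    wholesale (an L3 'match protocol', or 'permit <proto> any any' in its ACL);
    covering=False: anything it could match at all."""
    cm = cfg["class_maps"].get(cname)
    if cm is None:
        return set()
    if covering and cm["mode"] == "match-all" and len(cm["protocols"]) + len(cm["acls"]) > 1:
        return set()  # several ANDed criteria: narrower than any one of them
    out = set()
    for p in cm["protocols"]:
        if p in L3:
            out.add(p)
        elif not covering:
            out |= L7_TRANSPORT.get(p, set())
    for acl in cm["acls"]:
        for proto, rest in cfg["acls"].get(acl, []):
            if not covering or rest == "any any":
                out |= (L3 if proto == "ip" else {proto} & L3)
    return out


def shadowed_classes(cfg):
    """(policy-map, class, earlier class) triples: the class can never be reached."""
    found = []
    for pm, classes in cfg["policy_maps"].items():
        earlier = []
        for cname, _action in classes:
            if cname == "class-default":
                continue
            wants = _transports(cfg, cname, covering=False)
            for prev in earlier:
                if wants and wants <= _transports(cfg, prev, covering=True):
                    found.append((pm, cname, prev))
                    break
            earlier.append(cname)
    return found


def unattached_policy_maps(cfg):
    """Policy-maps no zone-pair applies: they do nothing, however good they look."""
    used = set(cfg["zone_pairs"].values())
    return sorted(p for p in cfg["policy_maps"] if p not in used)


# Constructed sample: condensed excerpt of the ZBF stanzas from the first post.
SAMPLE = """\
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all DHCP-Allow
 match access-group name dhcp-allow
policy-map type inspect Trusted_To_Self
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
policy-map type inspect Trusted_to_Self
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
 class class-default
  drop log
zone security Trusted
zone-pair security Trusted->Self source Trusted destination self
 service-policy type inspect Trusted_to_Self
ip access-list extended dhcp-allow
 permit udp any eq bootps any
 permit udp any any eq bootpc
"""

if __name__ == "__main__":
    cfg = parse_zbf(SAMPLE)
    for pm in unattached_policy_maps(cfg):
        print(f"policy-map {pm} is not applied by any zone-pair (case-typo twin?)")
    for pm, cname, prev in shadowed_classes(cfg):
        print(f"policy-map {pm}: class {cname} is unreachable, {prev} matches first")
```

Run against the sample it reports Trusted_To_Self as unattached and DHCP-Allow as unreachable in both policy-maps; feed it the output of `show running-config` to check a whole box. Moving the DHCP-Allow class above All_Protocols (or dropping the catch-all and listing the protocols you actually want inspected) is what makes the `pass` reachable; the shadow check is deliberately conservative and only flags a class when an earlier match-any class, or a `permit <proto> any any` ACL entry, covers every transport the later class could match.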
Accepted Solution

Hi,

Can you ping outside addresses?

Can you ping by name?

Look at this doc for troubleshooting ZBF commands: https://supportforums.cisco.com/docs/DOC-15803

Regards.

Alain.


Don't forget to rate helpful posts.


9 Replies

cadet alain (VIP Alumni)

Hi,

Post your entire running config. Also, you can't get DHCP to work for your LAN clients?

Regards.

Alain

Don't forget to rate helpful posts.

Hello Alain,

I thought I had an updated copy of the config at work, but I do not. So I will post the config when I get home today.

Yes, it is for my LAN clients; I am able to get DHCP for the internet connection with no issues.

Thanks,

Jeremy

Running Config

!
! Last configuration change at 05:24:59 AZT Sun Feb 19 2012 by asucrews
! NVRAM config last updated at 05:25:57 AZT Sun Feb 19 2012 by asucrews
!
version 12.4
configuration mode exclusive auto expire 600
parser cache
no service log backtrace
no service config
no service exec-callback
service nagle
service slave-log
no service slave-coredump
no service pad to-xot
no service pad from-xot
no service pad cmns
no service pad
no service telnet-zeroidle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service exec-wait
service linenumber
no service internal
no service scripting
no service compress-config
service prompt config
no service old-slip-prompts
service pt-vty-logging
no service disable-ip-fast-frag
service sequence-numbers
!
hostname rtwan
!
boot-start-marker
boot-end-marker
!
logging exception 4096
logging count
no logging message-counter log
no logging message-counter debug
logging message-counter syslog
no logging snmp-authfail
no logging userinfo
logging buginf
logging queue-limit 100
logging queue-limit esm 0
logging queue-limit trap 100
logging buffered 65536
no logging persistent
logging rate-limit 512 except critical
logging console guaranteed
logging console critical
logging monitor debugging
logging on
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa group server radius rad_eap
 server auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods
 action-type start-stop
 group rad_acct
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone AZT -7
clock save interval 8
errdisable detect cause all
errdisable recovery interval 300
!
!
dot11 syslog
dot11 activity-timeout unknown default 60
dot11 activity-timeout client default 60
dot11 activity-timeout repeater default 60
dot11 activity-timeout workgroup-bridge default 60
dot11 activity-timeout bridge default 60
!
dot11 ssid guestonpg
 vlan 2
 authentication open
 authentication key-management wpa optional
 guest-mode
 wpa-psk ascii 7
!
dot11 ssid playground
 vlan 1
 authentication open
 authentication key-management wpa optional
 wpa-psk ascii 7
!
dot11 aaa csid default
no ip source-route
no ip gratuitous-arps
ip icmp redirect subnet
ip spd queue threshold minimum 73 maximum 74
ip options drop
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.16.33 192.168.16.40
ip dhcp excluded-address 192.168.16.1 192.168.16.7
!
ip dhcp pool vlan1pool
   import all
   network 192.168.16.0 255.255.255.224
   default-router 192.168.16.1
   domain-name jeremycrews.home
   lease 4
!
ip dhcp pool vlan2pool
   import all
   network 192.168.16.32 255.255.255.224
   default-router 192.168.16.33
   domain-name guest.jeremycrews.home
   lease 0 6
!
!
ip cef
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall icmp router-traffic
no ip bootp server
no ip domain lookup
ip domain name jeremycrews.home
ip host rtwan.jeremycrews.home 192.168.16.1 192.168.16.33
ip host ap1.jeremycrews.home 192.168.16.2 192.168.16.34
ip host ap2.jeremycrews.home 192.168.16.3 192.168.16.35
ip host ap3.jeremycrews.home 192.168.16.4 192.168.16.36
ip host ooma.jeremycrews.home 192.168.16.5
ip host xbox.jeremycrews.home 192.168.16.6
ip host wii.jeremycrews.home 192.168.16.7
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip accounting-threshold 100
ip accounting-list 192.168.16.0 0.0.0.31
ip accounting-list 192.168.16.32 0.0.0.31
ip accounting-transits 25
ip igmp snooping vlan 1
ip igmp snooping vlan 1 mrouter learn pim-dvmrp
ip igmp snooping vlan 2
ip igmp snooping vlan 2 mrouter learn pim-dvmrp
ip igmp snooping
login block-for 120 attempts 5 within 60
login delay 5
login on-failure log
!
!
!
parameter-map type inspect log
 audit-trail on
dot1x system-auth-control
!
!
memory free low-watermark processor 65536
memory free low-watermark IO 16384
file prompt alert
emm clear 1b5b324a1b5b303b30480d
vtp file flash:vlan.dat
vtp mode server
vtp version 1
username privilege 15 password 7
username privilege 15 password 7
!
no crypto isakmp diagnose error
!
!
archive
 log config
  no record rc
  logging enable
  no logging persistent reload
  no logging persistent
  logging size 255
  notify syslog contenttype plaintext
  no notify syslog contenttype xml
  hidekeys
 path tftp://192.168.16.12/rtwan-config
 maximum 10
 no rollback filter adaptive
 rollback retry timeout 0
 write-memory
 time-period 10080
scripting tcl low-memory 28965007
scripting tcl trustpoint untrusted terminate
no scripting tcl secure-mode
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh break-string ~break
ip ssh logging events
ip ssh version 2
ip ssh dh min size 1024
!
class-map type inspect match-any Egress-Filter
 match access-group name egress-filter
class-map type inspect match-any Guest_Protocols
 match protocol http
 match protocol https
 match protocol dns
 match protocol bootpc
 match protocol bootps
class-map type inspect match-any Ingress-Filter
 match access-group name ingress-filter
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all DHCP-Allow
 match access-group name dhcp-allow
!
!
policy-map type inspect Self_to_Internet
 class type inspect Egress-Filter
  inspect
 class class-default
  drop log
policy-map type inspect Internet_to_Self
 class type inspect Ingress-Filter
  inspect
 class class-default
  drop log
policy-map type inspect Self_To_Self
 class class-default
  drop log
policy-map type inspect Trusted_To_Self
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
 class class-default
  drop log
policy-map type inspect Guest_to_Internet
 class type inspect Guest_Protocols
  inspect
 class class-default
  drop log
policy-map type inspect Internet_to_Guest
 class type inspect Ingress-Filter
  inspect
 class class-default
  drop log
policy-map type inspect Trusted_to_Self
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
 class class-default
  drop log
policy-map type inspect Self_to_Trusted
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
 class class-default
  drop log
policy-map type inspect Trusted_to_Internet
 class type inspect All_Protocols
  inspect
 class class-default
  drop log
policy-map type inspect Internet_to_Trusted
 class type inspect Ingress-Filter
  inspect
 class class-default
  drop log
policy-map type inspect Guest_to_Self
 class type inspect All_Protocols
  inspect
 class class-default
  drop log
policy-map type inspect Self_to_Guest
 class type inspect All_Protocols
  inspect
 class class-default
  drop log
!
zone security Trusted
zone security Guest
zone security Internet
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
 service-policy type inspect Guest_to_Internet
zone-pair security Internet->Trusted source Internet destination Trusted
 service-policy type inspect Internet_to_Trusted
zone-pair security Internet->Guest source Internet destination Guest
 service-policy type inspect Internet_to_Guest
zone-pair security Self->Internet source self destination Internet
 service-policy type inspect Self_to_Internet
zone-pair security Internet->Self source Internet destination self
 service-policy type inspect Internet_to_Self
zone-pair security Self->Trusted source self destination Trusted
 service-policy type inspect Self_to_Trusted
zone-pair security Trusted->Self source Trusted destination self
 service-policy type inspect Trusted_to_Self
zone-pair security Self->Guest source self destination Guest
 service-policy type inspect Self_to_Guest
zone-pair security Guest->Self source Guest destination self
 service-policy type inspect Guest_to_Self
!
bridge irb
!
!
interface Loopback0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 snmp trap link-status
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description To switch
 switchport access vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-4094
 switchport mode trunk
 switchport voice vlan none
 switchport priority extend none
 switchport priority default 0
 snmp trap link-status
 ip igmp snooping tcn flood
!
interface FastEthernet1
 switchport access vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-4094
 switchport mode trunk
 switchport voice vlan none
 switchport priority extend none
 switchport priority default 0
 shutdown
 snmp trap link-status
 spanning-tree portfast
 ip igmp snooping tcn flood
!
interface FastEthernet2
 switchport access vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-4094
 switchport mode access
 switchport voice vlan none
 switchport priority extend none
 switchport priority default 0
 shutdown
 snmp trap link-status
 spanning-tree portfast
 ip igmp snooping tcn flood
!
interface FastEthernet3
 description Ooma Hub 192.168.16.5
 switchport access vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-4094
 switchport mode access
 switchport voice vlan none
 switchport priority extend none
 switchport priority default 0
 shutdown
 snmp trap link-status
 spanning-tree portfast
 ip igmp snooping tcn flood
!
interface FastEthernet4
 description Cox Internet Connection
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip flow ingress
 ip flow egress
 ip nat outside
 no ip virtual-reassembly
 duplex auto
 speed auto
 snmp trap link-status
 no cdp enable
 zone-member security Internet
!
interface Dot11Radio0
 description Radio b/g
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 beacon period 100
 beacon dtim-period 2
 dot11 extension aironet
 !
 encryption vlan 1 mode ciphers aes-ccm tkip wep128
 !
 encryption vlan 2 mode ciphers aes-ccm tkip wep128
 !
 broadcast-key vlan 1 change 3600 membership-termination
 !
 broadcast-key vlan 2 change 3600 membership-termination
 !
 !
 ssid guestonpg
 !
 ssid playground
 !
 countermeasure tkip hold-time 60
 short-slot-time
 speed ofdm join
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 packet retries 64
 preamble-short
 channel least-congested
 fragment-threshold 2346
 station-role root
 rts threshold 2312
 rts retries 64
 antenna receive diversity
 antenna transmit diversity
 payload-encapsulation rfc1042
 snmp trap link-status
!
interface Dot11Radio0.1
 description Home WLAN
 encapsulation dot1Q 1 native
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 description Guest WLAN
 encapsulation dot1Q 2
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Vlan1
 description Home LAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
 autostate
 snmp trap link-status
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 description Guest LAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
 autostate
 snmp trap link-status
 bridge-group 2
 bridge-group 2 spanning-disabled
!
interface BVI1
 description Home Bridge LAN to WLAN
 ip address 192.168.16.1 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
 snmp trap link-status
 zone-member security Trusted
!
interface BVI2
 description Guest Bridge LAN to WLAN
 ip address 192.168.16.33 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
 snmp trap link-status
 zone-member security Guest
!
ip classless
ip forward-protocol nd
no ip http server
ip http port 80
ip http authentication enable
no ip http secure-server
ip http secure-port 443
ip http secure-active-session-modules all
ip http max-connections 5
ip http timeout-policy idle 180 life 180 requests 1
ip http active-session-modules all
ip http digest algorithm md5
ip http client cache memory pool 100
ip http client cache memory file 2
ip http client cache ager interval 5
ip http client connection timeout 10
ip http client connection retry 1
ip http client connection idle timeout 30
ip http client response timeout 30
ip http path
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip nat inside source static tcp 192.168.16.6 53 interface FastEthernet4 53
ip nat inside source static tcp 192.168.16.6 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.16.6 3074 interface FastEthernet4 3074
ip nat inside source static tcp 192.168.16.6 80 interface FastEthernet4 80
ip nat inside source static udp 192.168.16.6 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.16.6 53 interface FastEthernet4 53
ip nat inside source list NAT interface FastEthernet4 overload
!
ip access-list extended NAT
 deny   ip 192.168.16.0 0.0.0.63 192.168.16.64 0.0.0.15
 permit ip any any
ip access-list extended dhcp-allow
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any eq bootpc any
ip access-list extended egress-filter
 permit ip 0.0.0.2 any
 remark ----- Junk Traffic -----
 deny   ip any host
 deny   ip any host
 deny   ip host any
 deny   ip host any
 remark ----- Bogons Filter -----
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.0.0 0.0.0.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 198.18.0.0 0.1.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip any any
ip access-list extended ingress-filter
 remark ----- Allow access from work
 permit ip 0.0.0.127 any
 permit ip 0.0.0.31 any
 permit ip 0.0.0.255 any
 permit esp any host
 permit gre any host
 permit udp any host eq isakmp
 remark ----- To get IP form COX -----
 permit udp any eq bootps any eq bootpc
 deny   icmp any any
 deny   udp any any eq echo
 deny   udp any eq echo any
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   ip any any fragments
 deny   ip any any option any-options
 deny   ip any any ttl lt 4
 deny   ip any host
 deny   ip any host
 deny   udp any any range 33400 34400
 remark ----- Bogons Filter -----
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.0.0 0.0.0.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 198.18.0.0 0.1.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark ----- Internal networks -----
 deny   ip 0.0.0.2 any
 deny   ip any any
!
no ip sla logging traps
ip sla 1
 icmp-echo 8.8.4.4 source-interface FastEthernet4
 frequency 120
 history hours-of-statistics-kept 1
 history filter failures
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.8.8 source-interface FastEthernet4
 frequency 30
 history hours-of-statistics-kept 1
 history filter failures
ip sla reaction-configuration 1 react connectionLoss threshold-type consecutive 5 action-type trapAndTrigger
ip sla reaction-trigger 1 2
logging history size 1
logging history warnings
logging trap informational
logging delimiter tcp
logging facility local7
no logging source-interface
access-list 1 permit 192.168.16.0 0.0.0.63
access-list 20 permit 127.127.1.1
access-list 20 permit 192.43.244.18
access-list 20 permit 204.235.61.9
access-list 20 permit 173.201.38.85
access-list 20 permit 216.229.4.69
access-list 20 permit 152.2.21.1
access-list 20 permit 130.126.24.24
access-list 21 permit 192.168.16.0 0.0.0.63
access-list 22 permit 192.168.16.0 0.0.0.63
mac-address-table aging-time 300
cdp run
!
!
!
snmp-server engineID local
snmp-server view *ilmi system included
snmp-server view *ilmi atmForumUni included
snmp-server view v1default iso included
snmp-server view v1default internet.6.3.15 excluded
snmp-server view v1default internet.6.3.16 excluded
snmp-server view v1default internet.6.3.18 excluded
snmp-server view v1default ciscoMgmt.394 excluded
snmp-server view v1default ciscoMgmt.395 excluded
snmp-server view v1default ciscoMgmt.399 excluded
snmp-server view v1default ciscoMgmt.400 excluded
snmp-server view *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F ieee802dot11 included
snmp-server view *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F internet included
snmp-server community 1682CrewsSNMP v1default RW 22
snmp-server priority normal
no snmp-server trap link ietf
snmp-server trap authentication vrf
snmp-server trap authentication acl-failure
snmp-server trap authentication unknown-content
snmp-server packetsize 1500
snmp-server queue-limit notification-host 10
snmp-server chassis-id FHK111016LX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps pw vc
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps adslline
snmp-server enable traps flash insertion removal
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ipsla
snmp-server host 192.168.16.10 traps version 1 udp-port 162
snmp-server inform retries 3 timeout 15 pending 25
snmp mib nhrp
snmp mib notification-log globalsize 500
snmp mib notification-log globalageout 15
snmp mib community-map  ILMI engineid
snmp mib community-map  engineid
radius-server local
 no authentication mac
 eapfast authority id
 eapfast authority info
 eapfast server-key primary 7
 eapfast server-key secondary 7
 nas key 7
 group users
  vlan 1
  ssid playground
  block count 5 time 60
  reauthentication time 3600
  !
 group guest
  vlan 2
  ssid guestonpg
  block count 3 time 60
  reauthentication time 3600
  !
 user nthash 7 group users
 user nthash 7 group guest
!
radius-server attribute 32 include-in-access-req format %h
radius-server host auth-port 1645 acct-port 1646 key 7
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
alias exec h help
alias exec lo logout
alias exec p ping
alias exec r resume
alias exec s show
alias exec u undebug
alias exec un undebug
alias exec w where
default-value exec-character-bits 7
default-value special-character-bits 7
default-value data-character-bits 8
!
line con 0
 password 7
 logging synchronous
 no modem enable
 transport output ssh
line aux 0
 password 7
 logging synchronous
 transport output ssh
line vty 0 4
 password 7
 logging synchronous
 transport preferred ssh
 transport input all
 transport output ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
process cpu threshold type total rising 80 interval 10 falling 40 interval 10
ntp authentication-key 1 md5 7
ntp authenticate
ntp trusted-key 1
ntp source FastEthernet4
ntp access-group peer 20
ntp access-group serve-only 21
ntp master 1
ntp server 152.2.21.1 maxpoll 4
ntp server 204.235.61.9 maxpoll 4
ntp server 130.126.24.24
ntp server 216.229.4.69 maxpoll 4
ntp server 173.201.38.85 maxpoll 4
cns id hostname
cns id hostname event
cns id hostname image
cns image retry 60
netconf max-sessions 4
netconf lock-time 10
netconf max-message 0
event manager scheduler script thread class default number 1
event manager scheduler applet thread class default number 32
event manager history size events 10
event manager history size traps 10
end

Hi,

I've never used ZBF in transparent mode before but I've done some research and I found this:

http://myccienotes.wikispaces.com/ZFW-Based+IOS+Transparent+Firewall

So it appears the BVI is part of the self zone, but you made them members of other zones. Can you try putting these zones on the VLAN interfaces?

Regards.

Alain

Don't forget to rate helpful posts.

Hello,

That link helped me figure out my DHCP issue. However, after I fixed that issue, neither the Trusted zone nor the Guest zone is able to get out to the internet. Any ideas?

hi,

Can you post your latest config?

Regards.

Alain

Don't forget to rate helpful posts.

Updated config

!
! Last configuration change at 01:10:06 AZT Tue Feb 21 2012 by asucrews
! NVRAM config last updated at 05:25:57 AZT Sun Feb 19 2012 by asucrews
!
version 12.4
configuration mode exclusive auto
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber
service pt-vty-logging
service sequence-numbers
!
hostname rtwan
!
boot-start-marker
boot-end-marker
!
logging count
logging message-counter syslog
logging buffered 65536
logging rate-limit 512 except critical
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.16.1 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods
 action-type start-stop
 group rad_acct
!
!
!
aaa session-id common
clock timezone AZT -7
clock save interval 8
!
!
dot11 syslog
!
dot11 ssid guestonpg
 vlan 2
 authentication open
 authentication key-management wpa optional
 guest-mode
 wpa-psk ascii 7
!
dot11 ssid playground
 vlan 1
 authentication open
 authentication key-management wpa optional
 wpa-psk ascii 7
!
no ip source-route
no ip gratuitous-arps
ip options drop
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.16.33 192.168.16.40
ip dhcp excluded-address 192.168.16.1 192.168.16.7
!
ip dhcp pool vlan1pool
   import all
   network 192.168.16.0 255.255.255.224
   default-router 192.168.16.1
   domain-name jeremycrews.home
   lease 4
!
ip dhcp pool vlan2pool
   import all
   network 192.168.16.32 255.255.255.224
   default-router 192.168.16.33
   domain-name guest.jeremycrews.home
   lease 0 6
!
!
ip cef
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall icmp router-traffic
no ip bootp server
no ip domain lookup
ip domain name jeremycrews.home
ip host rtwan.jeremycrews.home 192.168.16.1 192.168.16.33
ip host ap1.jeremycrews.home 192.168.16.2 192.168.16.34
ip host ap2.jeremycrews.home 192.168.16.3 192.168.16.35
ip host ap3.jeremycrews.home 192.168.16.4 192.168.16.36
ip host ooma.jeremycrews.home 192.168.16.5
ip host xbox.jeremycrews.home 192.168.16.6
ip host wii.jeremycrews.home 192.168.16.7
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip accounting-threshold 100
ip accounting-list 192.168.16.0 0.0.0.31
ip accounting-list 192.168.16.32 0.0.0.31
ip accounting-transits 25
login block-for 120 attempts 5 within 60
login delay 5
login on-failure log
!
!
parameter-map type inspect log
 audit-trail on
dot1x system-auth-control
!
!
memory free low-watermark processor 65536
memory free low-watermark IO 16384
username privilege 15 password 7
username privilege 15 password 7

!

!

!

archive

log config

  logging enable

  logging size 255

  notify syslog contenttype plaintext

  hidekeys

path tftp://192.168.16.12/rtwan-config

write-memory

time-period 10080

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

ip ssh logging events

ip ssh version 2

!

class-map type inspect match-any Egress-Filter

match access-group name egress-filter

class-map type inspect match-any Guest_Protocols

match protocol http

match protocol https

match protocol dns

match protocol bootpc

match protocol bootps

class-map type inspect match-any Ingress-Filter

match access-group name ingress-filter

class-map type inspect match-any All_Protocols

match protocol tcp

match protocol udp

match protocol icmp

class-map type inspect match-all DHCP-Allow

match access-group name dhcp-allow

!

!

policy-map type inspect Self_to_Internet

class type inspect Egress-Filter

  inspect

class class-default

  drop log

policy-map type inspect Internet_to_Self

class type inspect Ingress-Filter

  inspect

class class-default

  drop log

policy-map type inspect Trusted_To_Self

class type inspect DHCP-Allow

  pass

class type inspect All_Protocols

  inspect

class class-default

  drop log

policy-map type inspect Guest_to_Internet

class type inspect All_Protocols

  inspect

class class-default

  drop log

policy-map type inspect Internet_to_Guest

class type inspect Ingress-Filter

  inspect

class class-default

  drop log

policy-map type inspect Self_to_Trusted

class type inspect DHCP-Allow

  pass

class type inspect All_Protocols

  inspect

class class-default

  drop log

policy-map type inspect Trusted_to_Internet

class type inspect All_Protocols

  inspect

class class-default

  drop log

policy-map type inspect Internet_to_Trusted

class type inspect Ingress-Filter

  inspect

class class-default

  drop log

policy-map type inspect Guest_to_Self

class type inspect DHCP-Allow

  pass

class type inspect All_Protocols

  inspect

class class-default

  drop log

policy-map type inspect Self_to_Guest

class type inspect DHCP-Allow

  pass

class type inspect All_Protocols

  inspect

class class-default

  drop log

!

zone security Trusted

zone security Guest

zone security Internet

zone-pair security Trusted->Internet source Trusted destination Internet

service-policy type inspect Trusted_to_Internet

zone-pair security Guest->Internet source Guest destination Internet

service-policy type inspect Guest_to_Internet

zone-pair security Internet->Trusted source Internet destination Trusted

service-policy type inspect Internet_to_Trusted

zone-pair security Internet->Guest source Internet destination Guest

service-policy type inspect Internet_to_Guest

zone-pair security Self->Internet source self destination Internet

service-policy type inspect Self_to_Internet

zone-pair security Internet->Self source Internet destination self

service-policy type inspect Internet_to_Self

zone-pair security Self->Trusted source self destination Trusted

service-policy type inspect Self_to_Trusted

zone-pair security Trusted->Self source Trusted destination self

service-policy type inspect Trusted_to_Self

zone-pair security Self->Guest source self destination Guest

service-policy type inspect Self_to_Guest

zone-pair security Guest->Self source Guest destination self

service-policy type inspect Guest_to_Self

!

bridge irb

!

!

interface Loopback0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

shutdown

!

interface Null0

no ip unreachables

!

interface FastEthernet0

description To switch

switchport mode trunk

!

interface FastEthernet1

switchport mode trunk

shutdown

spanning-tree portfast

!

interface FastEthernet2

shutdown

spanning-tree portfast

!

interface FastEthernet3

description Ooma Hub 192.168.16.5

shutdown

spanning-tree portfast

!

interface FastEthernet4

description Cox Internet Connection

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip accounting access-violations

ip flow ingress

ip flow egress

ip nat outside

no ip virtual-reassembly

zone-member security Internet

duplex auto

speed auto

no cdp enable

!

interface Dot11Radio0

description Radio b/g

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

shutdown

!

encryption vlan 1 mode ciphers aes-ccm tkip wep128

!

encryption vlan 2 mode ciphers aes-ccm tkip wep128

!

broadcast-key vlan 1 change 3600 membership-termination

!

broadcast-key vlan 2 change 3600 membership-termination

!

!

ssid guestonpg

!

ssid playground

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

rts threshold 2312

!

interface Dot11Radio0.1

description Home WLAN

encapsulation dot1Q 1 native

no ip redirects

no ip unreachables

no ip proxy-arp

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Dot11Radio0.2

description Guest WLAN

encapsulation dot1Q 2

no ip redirects

no ip unreachables

no ip proxy-arp

bridge-group 2

bridge-group 2 subscriber-loop-control

bridge-group 2 spanning-disabled

bridge-group 2 block-unknown-source

no bridge-group 2 source-learning

no bridge-group 2 unicast-flooding

!

interface Vlan1

description Home LAN

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

no ip virtual-reassembly

zone-member security Trusted

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Vlan2

description Guest LAN

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

no ip virtual-reassembly

zone-member security Guest

bridge-group 2

bridge-group 2 spanning-disabled

!

interface BVI1

description Home Bridge LAN to WLAN

ip address 192.168.16.1 255.255.255.224

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

no ip virtual-reassembly

!

interface BVI2

description Guest Bridge LAN to WLAN

ip address 192.168.16.33 255.255.255.240

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

no ip virtual-reassembly

!

ip forward-protocol nd

no ip http server

no ip http secure-server

ip flow-top-talkers

top 10

sort-by bytes

!

ip nat inside source static tcp 192.168.16.6 53 interface FastEthernet4 53

ip nat inside source static tcp 192.168.16.6 3074 interface FastEthernet4 3074

ip nat inside source static udp 192.168.16.6 3074 interface FastEthernet4 3074

ip nat inside source static tcp 192.168.16.6 80 interface FastEthernet4 80

ip nat inside source static udp 192.168.16.6 88 interface FastEthernet4 88

ip nat inside source static udp 192.168.16.6 53 interface FastEthernet4 53

ip nat inside source list NAT interface FastEthernet4 overload

!

ip access-list extended NAT

deny   ip 192.168.16.0 0.0.0.63 192.168.16.64 0.0.0.15

permit ip any any

ip access-list extended dhcp-allow

permit udp any eq bootps any

permit udp any any eq bootpc

permit udp any any eq bootps

permit udp any eq bootpc any

ip access-list extended egress-filter

permit ip 0.0.0.2 any

remark ----- Junk Traffic -----

deny   ip any host

deny   ip any host

deny   ip host any

deny   ip host any

remark ----- Bogons Filter -----

deny   ip 0.0.0.0 0.255.255.255 any

deny   ip 10.0.0.0 0.255.255.255 any

deny   ip 127.0.0.0 0.255.255.255 any

deny   ip 169.254.0.0 0.0.255.255 any

deny   ip 172.16.0.0 0.15.255.255 any

deny   ip 192.0.0.0 0.0.0.255 any

deny   ip 192.0.2.0 0.0.0.255 any

deny   ip 192.168.0.0 0.0.255.255 any

deny   ip 198.18.0.0 0.1.255.255 any

deny   ip 198.51.100.0 0.0.0.255 any

deny   ip 203.0.113.0 0.0.0.255 any

deny   ip 224.0.0.0 31.255.255.255 any

deny   ip any any

ip access-list extended ingress-filter

remark ----- Allow access from work

permit ip 0.0.0.127 any

permit ip 0.0.0.31 any

permit ip 0.0.0.255 any

permit esp any host

permit gre any host

permit udp any host eq isakmp

remark ----- To get IP form COX -----

permit udp any eq bootps any eq bootpc

deny   icmp any any

deny   udp any any eq echo

deny   udp any eq echo any

deny   tcp any any fragments

deny   udp any any fragments

deny   ip any any fragments

deny   ip any any option any-options

deny   ip any any ttl lt 4

deny   ip any host

deny   ip any host

deny   udp any any range 33400 34400

remark ----- Bogons Filter -----

deny   ip 0.0.0.0 0.255.255.255 any

deny   ip 10.0.0.0 0.255.255.255 any

deny   ip 127.0.0.0 0.255.255.255 any

deny   ip 169.254.0.0 0.0.255.255 any

deny   ip 172.16.0.0 0.15.255.255 any

deny   ip 192.0.0.0 0.0.0.255 any

deny   ip 192.0.2.0 0.0.0.255 any

deny   ip 192.168.0.0 0.0.255.255 any

deny   ip 198.18.0.0 0.1.255.255 any

deny   ip 198.51.100.0 0.0.0.255 any

deny   ip 203.0.113.0 0.0.0.255 any

deny   ip 224.0.0.0 31.255.255.255 any

remark ----- Internal networks -----

deny   ip 0.0.0.3 any

deny   ip any any

!

ip sla 1

icmp-echo 8.8.4.4 source-interface FastEthernet4

frequency 120

history hours-of-statistics-kept 1

history filter failures

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo 8.8.8.8 source-interface FastEthernet4

frequency 30

history hours-of-statistics-kept 1

history filter failures

ip sla reaction-configuration 1 react connectionLoss threshold-type consecutive  action-type trapAndTrigger

ip sla reaction-trigger 1 2

access-list 1 permit 192.168.16.0 0.0.0.63

access-list 20 permit 127.127.1.1

access-list 20 permit 192.43.244.18

access-list 20 permit 204.235.61.9

access-list 20 permit 173.201.38.85

access-list 20 permit 216.229.4.69

access-list 20 permit 152.2.21.1

access-list 20 permit 130.126.24.24

access-list 21 permit 192.168.16.0 0.0.0.63

access-list 22 permit 192.168.16.0 0.0.0.63

!

!

!

snmp-server community RW 22

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps vrrp

snmp-server enable traps tty

snmp-server enable traps pw vc

snmp-server enable traps isdn call-information

snmp-server enable traps isdn layer2

snmp-server enable traps isdn chan-not-avail

snmp-server enable traps isdn ietf

snmp-server enable traps disassociate

snmp-server enable traps deauthenticate

snmp-server enable traps authenticate-fail

snmp-server enable traps dot11-qos

snmp-server enable traps switch-over

snmp-server enable traps rogue-ap

snmp-server enable traps wlan-wep

snmp-server enable traps adslline

snmp-server enable traps flash insertion removal

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps config-ctid

snmp-server enable traps entity

snmp-server enable traps fru-ctrl

snmp-server enable traps resource-policy

snmp-server enable traps event-manager

snmp-server enable traps hsrp

snmp-server enable traps ipmulticast

snmp-server enable traps msdp

snmp-server enable traps mvpn

snmp-server enable traps ospf state-change

snmp-server enable traps ospf errors

snmp-server enable traps ospf retransmit

snmp-server enable traps ospf lsa

snmp-server enable traps ospf cisco-specific state-change nssa-trans-change

snmp-server enable traps ospf cisco-specific state-change shamlink interface-old

snmp-server enable traps ospf cisco-specific state-change shamlink neighbor

snmp-server enable traps ospf cisco-specific errors

snmp-server enable traps ospf cisco-specific retransmit

snmp-server enable traps ospf cisco-specific lsa

snmp-server enable traps cpu threshold

snmp-server enable traps syslog

snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency

snmp-server enable traps l2tun session

snmp-server enable traps l2tun pseudowire status

snmp-server enable traps vtp

snmp-server enable traps aaa_server

snmp-server enable traps atm subif

snmp-server enable traps firewall serverstatus

snmp-server enable traps isakmp policy add

snmp-server enable traps isakmp policy delete

snmp-server enable traps isakmp tunnel start

snmp-server enable traps isakmp tunnel stop

snmp-server enable traps ipsec cryptomap add

snmp-server enable traps ipsec cryptomap delete

snmp-server enable traps ipsec cryptomap attach

snmp-server enable traps ipsec cryptomap detach

snmp-server enable traps ipsec tunnel start

snmp-server enable traps ipsec tunnel stop

snmp-server enable traps ipsec too-many-sas

snmp-server enable traps ipsla

snmp-server host 192.168.16.10

radius-server local

no authentication mac

eapfast authority id

eapfast authority info

eapfast server-key primary 7

eapfast server-key secondary 7

nas 192.168.16.1 key 7

group users

  vlan 1

  ssid playground

  block count 5 time 60

  reauthentication time 3600

  !

group guest

  vlan 2

  ssid guestonpg

  block count 3 time 60

  reauthentication time 3600

  !

user nthash 7 group users

user nthash 7 group guest

!

radius-server attribute 32 include-in-access-req format %h

radius-server host 192.168.16.1 auth-port 1645 acct-port 1646 key 7

radius-server vsa send accounting

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

bridge 2 protocol ieee

bridge 2 route ip

bridge 3 protocol ieee

bridge 3 route ip

!

line con 0

password 7

logging synchronous

no modem enable

transport output ssh

line aux 0

password 7

logging synchronous

transport output ssh

line vty 0 4

password 7

logging synchronous

transport preferred ssh

transport input all

transport output ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

process cpu threshold type total rising 80 interval 10 falling 40 interval 10

ntp authentication-key 1 md5

ntp authenticate

ntp trusted-key 1

ntp source FastEthernet4

ntp access-group peer 20

ntp access-group serve-only 21

ntp master 1

ntp server 152.2.21.1 maxpoll 4

ntp server 204.235.61.9 maxpoll 4

ntp server 130.126.24.24

ntp server 216.229.4.69 maxpoll 4

ntp server 173.201.38.85 maxpoll 4

end
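A lint pass I would run over a ZBF config before reading it line by line, written here as an added example for this thread (it is not the poster's config and not a Cisco tool). It parses a constructed excerpt that mirrors the shape of the posted config and flags three things visible in it: a zone-pair that references a policy-map name differing in case from the one defined (Trusted_to_Self vs Trusted_To_Self), a BVI that carries the IP address but belongs to no zone, and a zone placed on a bridged Vlan port of a bridge-group that is routed through its BVI. SAMPLE_CONFIG, parse and lint are my own names.

```python
import re
# Constructed excerpt mirroring the shape of the posted config (not the full config):
# a routed bridge-group whose zone sits on the Vlan port instead of on the BVI, a BVI
# with an address but no zone, and a zone-pair whose policy-map name differs in case.
SAMPLE_CONFIG = """\
policy-map type inspect Trusted_To_Self
policy-map type inspect Self_to_Trusted
zone-pair security Trusted->Self source Trusted destination self
 service-policy type inspect Trusted_to_Self
zone-pair security Self->Trusted source self destination Trusted
 service-policy type inspect Self_to_Trusted
interface FastEthernet4
 ip address dhcp
 zone-member security Internet
interface Vlan1
 no ip address
 zone-member security Trusted
 bridge-group 1
interface BVI1
 ip address 192.168.16.1 255.255.255.224
bridge 1 route ip
"""

def parse(text):
    # policy-map names, [zone-pair, policy] refs, per-interface facts, routed bridge-groups
    policies, pairs, ifaces, routed, cur = set(), [], {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"policy-map type inspect (\S+)", line):
            policies.add(m.group(1)); cur = None
        elif m := re.match(r"zone-pair security (\S+) ", line):
            pairs.append([m.group(1), None]); cur = None
        elif cur is None and pairs and (m := re.match(r"service-policy type inspect (\S+)", line)):
            pairs[-1][1] = m.group(1)
        elif m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"ip": False, "zone": None, "bg": None})
        elif m := re.match(r"bridge (\d+) route ip", line):
            routed.add(m.group(1)); cur = None
        elif cur is not None:  # lines inside an interface block
            if re.match(r"ip address \S", line): cur["ip"] = True
            elif m := re.match(r"zone-member security (\S+)", line): cur["zone"] = m.group(1)
            elif m := re.match(r"bridge-group (\d+)$", line): cur["bg"] = m.group(1)
    return policies, pairs, ifaces, routed

def lint(text):
    policies, pairs, ifaces, routed = parse(text)
    out = []
    for pair, pol in pairs:  # IOS looks the policy-map up by exact name, case included
        if pol not in policies: out.append(f"zone-pair {pair}: policy-map {pol} is not defined")
    for name, i in ifaces.items():
        # ZBF drops traffic between an interface in no zone and any zoned interface
        if i["ip"] and i["zone"] is None: out.append(f"{name}: has an IP address but no zone-member")
        # with 'bridge N route ip' the routed hop is BVI N, not the bridged Vlan port
        if i["bg"] in routed and i["zone"]: out.append(f"{name}: zone {i['zone']} is on a bridged port; routing for bridge-group {i['bg']} happens on BVI{i['bg']}")
    return out
```

Run it against a full running-config dump in the same way; the checks are deliberately narrow, so an empty result means only that these three mistakes are absent.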

Hi,

Can you ping outside addresses?

Can you ping by name?

Look at this doc for troubleshooting ZBF commands: https://supportforums.cisco.com/docs/DOC-15803

Regards.

Alain.


Don't forget to rate helpful posts.

Hi,

From the router I can ping an IP or domain name. From LAN clients, I cannot ping an IP or host name.

From the debug commands below, which I ran from the doc you linked, I think it is not allowing DNS to pass, but I'm not sure.

I will post the debug here in a few minutes; still sorting out what it all means.
