Cisco 881 Ping / Connectivity Issue

greenawaldj
Level 1

Hello everyone,

I've recently installed a Cisco 881 to act as router between a private radio network and our corporate LAN.  Traffic behind the 881 can access the network outside of the router and can ping the default gateway without an issue.

However, I cannot access the IP address of the WAN port from the corporate LAN, either via SSH or the CCP application.  I cannot ping the IP address either.  I have assigned it a static IP address outside of our DHCP scope and cannot figure out what I am missing.  Any ideas on what I can try to get this to work?

Thanks in advance for everyone's help!


Neeraj Arora
Level 3

Jason,

A small topology or config would be helpful in understanding your issue better and providing a helpful answer.

I do have a few queries:

- Are SSH and HTTP access enabled on the router?

- Are you able to SSH or use CCP to access the router using the LAN port IP?

- Are there any ACLs configured which might be blocking it?

Neeraj,

Thank you for replying!

Ok, on the LAN side, the network is set up as 10.10.X.X/16, with 10.10.0.1 as the default gateway. There are two devices (wireless bridges) to the rest of the network.

On the WAN side, it is connected to our corporate network which is 10.0.0.X/24, and has a static IP address of 10.0.0.250.

I've been able to ping the router now, but still cannot access the router on the WAN port. I can access it via SSH and CCP on the LAN port IP. SSH and HTTP are enabled, and I don't think I have any ACLs blocking it.

Here is the config:


Building configuration...

Current configuration : 11756 bytes
!
! Last configuration change at 15:28:56 UTC Wed Feb 15 2012 by XXXXX
! NVRAM config last updated at 15:28:26 UTC Wed Feb 15 2012 by XXXXX
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXXMotoTrbo
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2425340614
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2425340614
revocation-check none
rsakeypair TP-self-signed-2425340614
!
!
crypto pki certificate chain TP-self-signed-2425340614
certificate self-signed 01
quit
ip source-route
!
!
ip dhcp excluded-address 10.10.0.1 10.10.0.99
ip dhcp excluded-address 10.10.0.251 10.10.255.254
!
ip dhcp pool ccp-pool1
network 10.10.0.0 255.255.0.0
dns-server 10.10.0.1 10.0.0.8
default-router 10.10.0.1
!
!
ip cef
ip domain name XXXXXcomm.int
ip name-server 10.0.0.3
ip name-server 10.0.0.8
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX153982EN
!
!
username XXXXX privilege 15 secret 5 $1$LfFH$Siy2H2E6kK8rgSaBznHjC0
username admin privilege 15 secret 5 $1$tB8L$NPGy6titboqVbuESBQ8xz0
!
!
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_TELNET
match access-group name SDM_TELNET
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_TELNET
match class-map SDM_HTTP
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ICMP-Enable
match protocol icmp
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-icmpreply-0
match class-map sdm-mgmt-cls-0
match access-group 104
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-any rmgmt
match protocol http
match protocol https
match protocol telnet
match protocol ssh
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-any Rmgmt2
match protocol http
match protocol https
match protocol ssh
match protocol telnet
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect rmgmt
pass
class type inspect ccp-icmp-access
pass
class type inspect sdm-mgmt-cls-ccp-permit-icmpreply-0
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect ICMP-Enable
pass
class type inspect Rmgmt2
pass
class type inspect sdm-access
inspect
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description Connection to XXXXX LAN$FW_OUTSIDE$$ETH-WAN$
ip address 10.0.0.250 255.255.255.0
ip access-group 102 in
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.0.1 255.255.0.0
ip access-group 105 in
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list Global interface FastEthernet4 overload
ip nat outside source static udp 10.0.0.250 4001 10.10.1.200 4001 extendable
ip nat outside source static tcp 10.0.0.250 4005 10.10.1.200 4005 extendable
ip nat outside source static udp 10.0.0.250 4007 10.10.1.200 4007 extendable
ip nat outside source static udp 10.0.0.250 38000 10.10.1.200 38000 extendable
ip route 0.0.0.0 0.0.0.0 FastEthernet4 10.0.0.1 permanent
ip route 10.0.0.0 255.255.255.0 FastEthernet4 permanent
ip route 10.10.0.0 255.255.0.0 Vlan1 permanent
!
ip access-list extended Global
remark CCP_ACL Category=2
permit ip any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.0.0 0.0.255.255
access-list 23 remark CCP_ACL Category=16
access-list 23 permit 10.10.0.0 0.0.255.255
access-list 23 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.250 eq telnet
access-list 102 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.250 eq 22
access-list 102 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.250 eq www
access-list 102 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.250 eq 443
access-list 102 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.250 eq cmd
access-list 102 deny tcp any host 10.0.0.250 eq telnet
access-list 102 deny tcp any host 10.0.0.250 eq 22
access-list 102 deny tcp any host 10.0.0.250 eq www
access-list 102 deny tcp any host 10.0.0.250 eq 443
access-list 102 deny tcp any host 10.0.0.250 eq cmd
access-list 102 deny udp any host 10.0.0.250 eq snmp
access-list 102 permit ip any any
access-list 103 remark CCP_ACL Category=1
access-list 103 permit ip 10.10.0.0 0.0.255.255 any
access-list 103 permit ip 10.0.0.0 0.0.0.255 any
access-list 103 permit ip 10.10.10.0 0.0.0.7 any
access-list 103 permit ip any any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark CCP_ACL Category=1
access-list 104 permit ip 10.0.0.0 0.0.0.255 host 10.0.0.250
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp 10.10.0.0 0.0.255.255 host 10.10.0.1 eq telnet
access-list 105 permit tcp 10.10.0.0 0.0.255.255 host 10.10.0.1 eq 22
access-list 105 permit tcp 10.10.0.0 0.0.255.255 host 10.10.0.1 eq www
access-list 105 permit tcp 10.10.0.0 0.0.255.255 host 10.10.0.1 eq 443
access-list 105 permit tcp 10.10.0.0 0.0.255.255 host 10.10.0.1 eq cmd
access-list 105 deny tcp any host 10.10.0.1 eq telnet
access-list 105 deny tcp any host 10.10.0.1 eq 22
access-list 105 deny tcp any host 10.10.0.1 eq www
access-list 105 deny tcp any host 10.10.0.1 eq 443
access-list 105 deny tcp any host 10.10.0.1 eq cmd
access-list 105 deny udp any host 10.10.0.1 eq snmp
access-list 105 permit ip any any
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^C ^C
banner login ^CAccess to this router is restricted to authorized personnel only.^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 103 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp update-calendar
ntp server 96.47.67.105 source FastEthernet4
end

Are you trying this from inside? Can you try it from an outside address?

Regards.

Alain

Don't forget to rate helpful posts.

I have tried it from both inside and outside.  From the inside, it works flawlessly.  From the outside, it does not work at all.

Thanks for your help!

Jason

Hi,

ip route 0.0.0.0 0.0.0.0 FastEthernet4 10.0.0.1 permanent

This is the Vlan1 IP as next-hop, but it should be the IP address of the next-hop on the Fa4 interface.

Have you tried pinging 8.8.8.8 from the router? With such a default it should fail; if not, can you do this test and add this to your config:

access-list 199 permit icmp any any
logging buffered 7
logging buffered 10000
no service timestamp debug
do debug ip pack detail 199
do ping 8.8.8.8 rep 2
do sh log

Post output

Regards.

Alain.

Don't forget to rate helpful posts.

Alain,

10.0.0.1 is the correct next-hop IP, as it falls in the same subnet as the Fa4 interface. I think you got confused with the Vlan1 subnet: 10.10.0.0/16.

Jason,

Although the ACLs applied on the interfaces should not block SSH or HTTP/HTTPS, I would still suggest the following steps to try and narrow down the issue (provided you can play with the config, if it's not in production):

- Modify the NAT ACL and use the inside subnet, as configuring "permit ip any any" in the NAT ACL can have unwanted effects, so do this:

ip access-list extended Global
permit ip 10.10.0.0 0.0.255.255 any
no permit ip any any

- Console into the router (as a precautionary measure) and remove the zone-based firewall commands from the interfaces:

interface FastEthernet4
no zone-member security out-zone
interface Vlan1
no zone-member security in-zone

- If the above options do not work, then the last option I would suggest is to remove the ACL from the interface and then test again:

interface FastEthernet4
no ip access-group 102 in
interface Vlan1
no ip access-group 105 in

These steps should at least help us in choosing the right direction to move in.

Neeraj
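
To check Neeraj's point that the interface ACLs should not be what blocks SSH or HTTPS, here is a small Python evaluator written for this thread; it is not code from any post or from Cisco. It assumes standard IOS first-match semantics with the implicit deny at the end, handles only the address and `eq` port forms that appear in ACL 102 (applied inbound on FastEthernet4 in the posted config), and its port-name table is constructed for the example.

```python
PORT_NAMES = {"telnet": 23, "www": 80, "cmd": 514, "snmp": 161}  # table constructed here
# ACL 102 lines for SSH, HTTPS and SNMP, copied from the posted running-config
ACL_102 = """
access-list 102 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.250 eq 22
access-list 102 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.250 eq 443
access-list 102 deny tcp any host 10.0.0.250 eq 22
access-list 102 deny tcp any host 10.0.0.250 eq 443
access-list 102 deny udp any host 10.0.0.250 eq snmp
access-list 102 permit ip any any
"""

def ip_int(dotted):
    return int.from_bytes(bytes(int(x) for x in dotted.split(".")), "big")
def parse_addr(tokens):
    # Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> ((base, wildcard), rest)
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (ip_int(tokens[1]), 0), tokens[2:]
    return (ip_int(tokens[0]), ip_int(tokens[1])), tokens[2:]

def parse_port(tokens):
    # Consume an optional 'eq <port>' clause; None means any port
    if tokens[:1] == ["eq"]:
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    # Handles the forms seen in ACL 102 only: no remarks, no source-port clauses
    rules = []
    for line in text.strip().splitlines():
        t = line.split()                     # access-list <n> <action> <proto> ...
        src, rest = parse_addr(t[4:])
        dst, rest = parse_addr(rest)
        dport, _ = parse_port(rest)
        rules.append((t[2], t[3], src, dst, dport))
    return rules

def addr_match(base, wild, ip):
    mask = ~wild & 0xFFFFFFFF                # wildcard 1-bits are "don't care"
    return (ip_int(ip) & mask) == (base & mask)

def evaluate(rules, proto, src, dst, dport=None):
    # First match wins; a packet matching no line hits IOS's implicit deny
    for action, rproto, rsrc, rdst, rdport in rules:
        if (rproto in ("ip", proto) and (rdport is None or rdport == dport)
                and addr_match(*rsrc, src) and addr_match(*rdst, dst)):
            return action
    return "deny"
RULES_102 = parse_acl(ACL_102)
```

Running it shows SSH from a 10.0.0.0/24 host to 10.0.0.250 is permitted by the ACL, SNMP is denied from everywhere, and any port the ACL does not name falls through to the final `permit ip any any`, so if management access still fails from the corporate side the cause is elsewhere (the zone-pair policies or NAT).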

Hi Neeraj,

10.0.0.1 is the correct next-hop IP, as it falls in the same subnet as the Fa4 interface. I think you got confused with the Vlan1 subnet: 10.10.0.0/16.

Yep, you're right, my bad.

Regards.

Alain

Don't forget to rate helpful posts.