Vlan issue in SG500-52 and Cisco 881

Anis Momin
Level 1

Hi Everyone,

I hope I will get some help here, or at least a direction.

I am configuring a Cisco 881 router with a Layer-3 switch SG500-52, with the following VLAN configuration:

Vlan1: 192.168.10.0/24

Vlan2: 192.168.0.0/24

Problem: for some reason I can't ping google.ca from the switch:

switch013294#ping google.ca

Pinging google.ca (74.125.225.215) with 18 bytes of data:

PING: no reply from 74.125.225.215

PING: timeout

PING: no reply from 74.125.225.215

PING: timeout

PING: no reply from 74.125.225.215

PING: timeout

PING: no reply from 74.125.225.215

PING: timeout

----74.125.225.215 PING Statistics----

4 packets transmitted, 0 packets received, 100% packet loss

switch013294#tracero ip google.ca

Tracing the route to google.ca (74.125.225.215) from , 30 hops max, 18 byte packets

Type Esc to abort.

1  192.168.10.1 (192.168.10.1)  <20 ms  <20 ms  <20 ms

2   *  *  *

3   *

Trace aborted.

I can ping the router's public IP but not the router's public gateway from the switch: (from the router I can ping

switch013294#tracero ip 24.XX.XX.XXX

Tracing the route to 24.XX.XX.XX (24.XX.XX.XXX) from , 30 hops max, 18 byte packets

Type Esc to abort.

1  192.168.10.1 (192.168.10.1)  <20 ms  <20 ms  <20 ms

Trace complete.

switch013294#tracero ip 24.XX.XX.1

Tracing the route to 24.XX.XX.1 (24.XX.XX.1) from , 30 hops max, 18 byte packets

Type Esc to abort.

1  192.168.10.1 (192.168.10.1)  <20 ms  <20 ms  <20 ms

2   *  *  *

3   *  *

Trace aborted.

NAT Debug:

I have also tested with debug ip nat and it shows the following:

Tried pinging from the switch:

Nov 18 04:16:55.794: NAT*: s=192.168.10.2->24.XX.XX.XX, d=74.125.225.183 [2206]

Nov 18 04:16:55.866: NAT*: s=74.125.225.183, d=24.XX.XX.XX->192.168.10.2 [13679]

Nov 18 04:16:58.034: NAT*: s=192.168.10.2->24.XX.XX.XX, d=74.125.225.183 [37854]

Nov 18 04:16:58.114: NAT*: s=74.125.225.183, d=24.XX.XX.XX->192.168.10.2 [13680]

Tried pinging from a host on Vlan-2:

Nov 18 04:20:30.862: NAT*: s=192.168.0.54->24.XX.XX.XX, d=74.125.225.169 [23980]

Nov 18 04:20:30.958: NAT*: s=74.125.225.169, d=24.XX.XX.XX->192.168.0.54 [40901]

Nov 18 04:20:31.122: NAT*: s=192.168.0.54->24.XX.XX.XX, d=74.125.225.169 [23981]

Nov 18 04:20:31.194: NAT*: s=74.125.225.169, d=24.XX.XX.XX->192.168.0.54 [3341]

Router#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

       + - replicated route, % - next hop override

Gateway of last resort is 24.xx.xx.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 24.xx.xx.1

      24.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        24.xx.xx.0/24 is directly connected, FastEthernet4

L        24.XX.XX.XXx/32 is directly connected, FastEthernet4

S     192.168.0.0/24 [1/0] via 192.168.10.2

      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.10.0/24 is directly connected, Vlan1

L        192.168.10.1/32 is directly connected, Vlan1

switch013294#show ip route

Maximum Parallel Paths: 1 (1 after reset)

IP Forwarding: enabled

Codes: > - best, C - connected, S - static

S   0.0.0.0/0 [1/1] via 192.168.10.1, 01:21:05, vlan 1

C   192.168.0.0/24 is directly connected, vlan 2

C   192.168.10.0/24 is directly connected, vlan 1

C   192.168.30.0/24 is directly connected, vlan 3

Router Running Config:

Router#sh running-config

Building configuration...

Current configuration : 9565 bytes

!

! Last configuration change at 14:11:21 PCTime Mon Nov 18 2013 by XXXXXXX

! NVRAM config last updated at 23:59:41 PCTime Sat Nov 16 2013 by XXXXXXX

! NVRAM config last updated at 23:59:41 PCTime Sat Nov 16 2013 by XXXXXXX

version 15.1

parser view CCP_EasyVPN_Remote

secret 5 $1$xXXT$at0nd7EXXX8s7iXNd5bJ1

commands interface include all crypto

commands interface include all no crypto

commands interface include no

commands configure include end

commands configure include all access-list

commands configure include all ip nat

commands configure include ip dns server

commands configure include ip dns

commands configure include all interface

commands configure include all identity policy

commands configure include identity profile

commands configure include identity

commands configure include all dot1x

commands configure include all ip domain lookup

commands configure include ip domain

commands configure include ip

commands configure include all crypto

commands configure include all aaa

commands configure include no end

commands configure include all no access-list

commands configure include all no ip nat

commands configure include no ip dns server

commands configure include no ip dns

commands configure include all no interface

commands configure include all no identity policy

commands configure include no identity profile

commands configure include no identity

commands configure include all no dot1x

commands configure include all no ip domain lookup

commands configure include no ip domain

commands configure include no ip

commands configure include all no crypto

commands configure include all no aaa

commands configure include no

commands exec include dir all-filesystems

commands exec include dir

commands exec include crypto ipsec client ezvpn connect

commands exec include crypto ipsec client ezvpn xauth

commands exec include crypto ipsec client ezvpn

commands exec include crypto ipsec client

commands exec include crypto ipsec

commands exec include crypto

commands exec include write memory

commands exec include write

commands exec include all ping ip

commands exec include ping

commands exec include configure terminal

commands exec include configure

commands exec include all terminal width

commands exec include all terminal length

commands exec include terminal

commands exec include all show

commands exec include all debug appfw

commands exec include all debug ip inspect

commands exec include debug ip

commands exec include debug

commands exec include all clear

commands exec include no

!

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authentication login ciscocp_vpn_xauth_ml_3 local

aaa authentication login ciscocp_vpn_xauth_ml_4 local

aaa authentication login ciscocp_vpn_xauth_ml_5 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

aaa authorization network ciscocp_vpn_group_ml_3 local

aaa authorization network ciscocp_vpn_group_ml_4 local

aaa authorization network ciscocp_vpn_group_ml_5 local

!

!

!

!

!

aaa session-id common

memory-size iomem 10

clock timezone PCTime -6 0

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-3187996699

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3187996699

revocation-check none

rsakeypair TP-self-signed-3187996699

!

!

crypto pki certificate chain TP-self-signed-3187996699

certificate self-signed 01


        quit

ip source-route

!

!

!

!

!

ip cef

ip domain name int.ccs-sk.ca

ip name-server XX.87.XXX.4

ip name-server XX.87.XXX.5

ip name-server 192.168.0.5

ip port-map user-protocol--1 port tcp 587

no ipv6 cef

!

!

license udi pid CISCO881-K9 sn FGL171020FH

!

!

username XXXXX privilege 15 secret 4 4TdGW32lppiywk7GXXXXXXqppUKotcC3qw35q7NbGx0o

username XXXXXX privilege 15 view CCP_EasyVPN_Remote secret 4 Cq2gROSp/6XXXXXXXSIjyGphSJe9KdkL/kxeMwZuIv6

username XXXX privilege 15 secret 4 qPLpXkgs4XXXXXZlVZcI/oxNuuXXXXXXtFwRblxZs

!

!

!

!

!

class-map type inspect match-all sdm-nat-user-protocol--1-1

match access-group 103

match protocol user-protocol--1

class-map type inspect match-all sdm-nat-smtp-1

match access-group 103

match protocol smtp

!

zone security Outside

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group ccsvpn

key Logmein123

dns 192.168.0.5 65.87.230.4

domain int.ccs-sk.ca

pool SDM_POOL_1

acl 101

max-users 25

netmask 255.255.255.0

!

crypto isakmp client configuration group ccsvpn1

key Logmein123

dns 192.168.0.5 65.87.230.4

domain int.ccs-sk.ca

pool SDM_POOL_1

acl 102

max-users 25

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-2

   match identity group ccsvpn1

   client authentication list ciscocp_vpn_xauth_ml_5

   isakmp authorization list ciscocp_vpn_group_ml_5

   client configuration address respond

   virtual-template 2

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile2

set security-association idle-time 43200

set transform-set ESP-3DES-SHA4

set isakmp-profile ciscocp-ike-profile-2

!

!

!

!

!

!

interface Loopback1

no ip address

!

interface FastEthernet0

description Internal

switchport mode trunk

no ip address

spanning-tree portfast

!

interface FastEthernet1

switchport trunk native vlan 3

switchport mode trunk

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

description $ETH-WAN$

ip address dhcp client-id FastEthernet4

ip nbar protocol-discovery

ip nat outside

ip virtual-reassembly in

zone-member security Outside

duplex auto

speed auto

!

interface Virtual-Template2 type tunnel

no ip address

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile2

!

interface Vlan1

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

router rip

version 2

network 24.0.0.0

network 192.168.10.0

no auto-summary

!

ip local pool SDM_POOL_1 10.10.10.1 10.10.10.25

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip nat inside source list 2 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 24.XX.XX.1

ip route 192.168.0.0 255.255.255.0 192.168.10.2

!

access-list 2 permit 192.168.0.0 0.0.0.255

access-list 2 permit 192.168.0.0 0.0.255.255

access-list 100 remark CCP_ACL Category=4

access-list 100 permit ip 192.168.0.0 0.0.0.255 any

access-list 100 permit ip 192.168.30.0 0.0.0.255 any

access-list 101 remark CCP_ACL Category=4

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 192.168.0.0 0.0.0.255 any

access-list 102 permit ip 192.168.30.0 0.0.0.255 any

access-list 103 remark CCP_ACL Category=0

access-list 103 permit ip any host 192.168.0.100

access-list 104 remark SMTP

access-list 104 remark CCP_ACL Category=64

access-list 104 remark Mail SMTP

access-list 104 permit tcp host 24.XX.XX.159 eq smtp 192.168.0.0 0.0.0.255 eq smtp established log

access-list 107 remark outsideSMTP

access-list 107 remark CCP_ACL Category=16

access-list 107 remark SMTP

access-list 107 permit tcp any eq smtp 192.168.0.0 0.0.0.255 eq smtp established log

access-list 112 permit ip 192.168.0.0 0.0.255.255 any log

!

!

!

!

route-map outside permit 10

match ip address 112

set ip default next-hop 24.XX.XX.1

!

!

!

!

line con 0

password XXXXXXX123

no modem enable

line aux 0

line vty 0 4

password XXXXXXX123

transport input all

!

ntp update-calendar

ntp server 192.168.0.5 prefer source FastEthernet0

end

Router#


cadet alain
VIP Alumni

Hi,

If you remove zone-member security Outside from the fa4 interface, it should work.

Now the question is: do you want to run the Zone-Based Firewall on this router or not? And if so, what do you want to permit/deny?

Tell us so that we can provide the correct firewall config, because what you have so far is the WAN interface in a zone and your inside interface not in a zone. By default, traffic between a zone interface and a regular interface is dropped.

Regards

Alain

Don't forget to rate helpful posts.

Hi,

Looking at the config, I agree with Alain: the problem in your config is that your outside interface (FastEthernet4) is in a zone (Outside) but your local VLANs are not.

To fix it you can remove the zone on Fa4, but that will leave your Internet-facing interface with no ACL or firewall. Another solution would be to completely configure ZBF, meaning adding a zone on the VLANs and then adding the required zone-pairs to allow the zones to communicate with each other.

Vivien F.

Hi Alain,

I wonder if you have checked the VPN output that I attached below.

Thanks

Anis Momin
Level 1

Thanks @cadet alain and @Vivien FRANCOIS

Seems like I am at the right place now.

Before we go for the firewall I have one more thing to ask. When I connect to the VPN, as you can see in my config (note: I have added one more permit to the ACL that I was missing in the above config, access-list 102 permit ip 192.168.10.0 0.0.0.255 any):

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 192.168.0.0 0.0.0.255 any

access-list 102 permit ip 192.168.30.0 0.0.0.255 any

access-list 102 permit ip 192.168.10.0 0.0.0.255 any

I can connect to the VPN fine without any issue. Before making the change to the VLAN, I was at least able to ping the router's local IP, but now I can't ping any of the 192 networks.

Never mind, I got the VPN working; recreating the VPN made it work.

How come port forwarding doesn't work?

ip nat outside source static tcp 24.XX.XX.XXX 3389 192.168.0.54 3389 extendable

Should the above command do the trick?

Hi,

Is 192.168.0.54 an inside address (I see 192.168.10.x but not 192.168.0.x) and 24.x.x.x your WAN address?

If so, then it should be ip nat inside source static xxxx

Regards

Alain

Don't forget to rate helpful posts.

Yup, I have two VLANs as you can see below (the VLANs are defined on the switch). Only VLAN 1 is defined on the router, since the Cisco 881 Ethernet ports are layer 2 ports, so you can't assign an IP address on the interface.

Note: the router can ping both VLANs, as defined in the static route:

ip route 192.168.0.0 255.255.255.0 192.168.10.2

switch013294#show ip interface vlan 1

    IP Address         I/F      I/F Status      Type     Directed   Precedence   Status

                                admin/oper               Broadcast

------------------- ---------- ------------- ----------- ---------- ---------- -----------

192.168.10.2/24     vlan 1     UP/UP         Static      disable    No         Valid

switch013294#show ip interface vlan 2

    IP Address         I/F      I/F Status      Type     Directed   Precedence   Status

                                admin/oper               Broadcast

------------------- ---------- ------------- ----------- ---------- ---------- -----------

192.168.0.1/24      vlan 2     UP/UP         Static      disable    No         Valid

I am trying to access one of the servers inside from outside. So shouldn't it be from outside to inside?

ip nat outside source static tcp 24.XX.XX.XXX 3389 192.168.0.54 3389 extendable

Hi,

No, it is still the inside address which is translated, so it should be

ip nat inside  source static tcp 24.XX.XX.XXX 3389 192.168.0.54 3389 extendable

Regards

Alain

Don't forget to rate helpful posts.

Nope, it didn't work. I changed it to:

ip nat inside  source static tcp 24.XX.XX.XXX 3389 192.168.0.54 3389 extendable

Still getting an error; please check the IP packet capture below:

Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, NAT Outside(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:15.999: IP: tableid=0, s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), routed via RIB

Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 52, output feature, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 52, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 52, rcvd 3

Nov 22 18:28:15.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, stop process pak for forus packet

Nov 22 18:28:15.999: IP: s=24.XX.XX.XXX (local), d=216.XXX.XXX.XX, len 40, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:15.999: IP: s=24.XX.XX.XXX (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, sending

Nov 22 18:28:15.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:15.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:15.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:15.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, sending full packet

Nov 22 18:28:18.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:18.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:18.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:18.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, NAT Outside(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:18.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:18.999: IP: tableid=0, s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), routed via RIB

Nov 22 18:28:18.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 52, output feature, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:18.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 52, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:18.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 52, rcvd 3

Nov 22 18:28:18.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 52, stop process pak for forus packet

Nov 22 18:28:18.999: IP: s=24.XX.XX.XXX (local), d=216.XXX.XXX.XX, len 40, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:18.999: IP: s=24.XX.XX.XXX (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, sending

Nov 22 18:28:18.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:18.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:18.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:18.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, sending full packet

Nov 22 18:28:20.199: IP: s=192.168.10.1 (local), d=224.0.0.9 (Vlan1), len 52, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:20.199: IP: s=192.168.10.1 (local), d=224.0.0.9 (Vlan1), len 52, sending broad/multicast

Nov 22 18:28:20.199: IP: s=192.168.10.1 (local), d=224.0.0.9 (Vlan1), len 52, output feature, NAT Inside(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:20.199: IP: s=192.168.10.1 (local), d=224.0.0.9 (Vlan1), len 52, output feature, Stateful Inspection(27), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:20.199: IP: s=192.168.10.1 (local), d=224.0.0.9 (Vlan1), len 52, output feature, NAT ALG proxy(55), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:20.199: IP: s=192.168.10.1 (local), d=224.0.0.9 (Vlan1), len 52, sending full packet

Nov 22 18:28:22.499: IP: s=24.XX.XX.XXX (local), d=224.0.0.9 (FastEthernet4), len 52, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:22.499: IP: s=24.XX.XX.XXX (local), d=224.0.0.9 (FastEthernet4), len 52, sending broad/multicast

Nov 22 18:28:22.499: IP: s=24.XX.XX.XXX (local), d=224.0.0.9 (FastEthernet4), len 52, output feature, Post-routing NAT Outside(24), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:22.499: IP: s=24.XX.XX.XXX (local), d=224.0.0.9 (FastEthernet4), len 52, output feature, Stateful Inspection(27), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:22.499: IP: s=24.XX.XX.XXX (local), d=224.0.0.9 (FastEthernet4), len 52, output feature, NAT ALG proxy(55), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:22.499: IP: s=24.XX.XX.XXX (local), d=224.0.0.9 (FastEthernet4), len 52, sending full packet

Nov 22 18:28:24.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 48, input feature, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:24.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 48, input feature, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:24.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 48, input feature, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:24.995: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 48, input feature, NAT Outside(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:24.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 48, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:24.999: IP: tableid=0, s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), routed via RIB

Nov 22 18:28:24.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 48, output feature, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:24.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 48, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:24.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX (FastEthernet4), len 48, rcvd 3

Nov 22 18:28:24.999: IP: s=216.XXX.XXX.XX (FastEthernet4), d=24.XX.XX.XXX, len 48, stop process pak for forus packet

Nov 22 18:28:24.999: IP: s=24.XX.XX.XXX (local), d=216.XXX.XXX.XX, len 40, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:24.999: IP: s=24.XX.XX.XXX (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, sending

Nov 22 18:28:24.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:24.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:24.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, output feature, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Nov 22 18:28:24.999: IP: s=192.168.0.54 (local), d=216.XXX.XXX.XX (FastEthernet4), len 40, sending full packet

Hi,

Sorry, I answered too fast: you should put the inside IP first and the external IP second, like this:

ip nat inside  source static tcp  192.168.0.54  3389 24.XX.XX.XXX 3389 extendable

Regards

Alain

Don't forget to rate helpful posts.

Thanks Alain, it worked.

I have noticed that when I run the wizard for the zone-based firewall using Cisco Configuration Professional and check the Internet speed, it drops by more than half: right now I am getting 80+ Mbps, but after the zone-based firewall it drops down to 25 Mbps or 30 Mbps.

Would you recommend having a zone-based or an ACL-based firewall?

If zone-based, what would be a simple configuration I can refer to so that it wouldn't drop my Internet speed?

Thanks.

Hi,

I don't recommend setting up ZBF with the GUI, because it does a lot of L7 inspection that you don't necessarily need, and also it names stuff in a very confusing way that doesn't facilitate troubleshooting.

I recommend using a firewall instead of stateless ACLs, but maybe doing reflexive ACLs or basic CBAC would be enough for you security-wise, and it surely would put less stress on the router.

Post your requirements and your running config with the ZBF.

Regards

Alain

Don't forget to rate helpful posts.
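As an added example (not from any poster in this thread), here is a minimal completion of the zone-based firewall that Vivien and Alain describe, instead of removing zone-member from Fa4: a zone for the LAN SVI, an inside-to-outside inspect policy, and an outside-to-inside zone-pair that admits only the port-forwarded RDP host. It uses plain L4 protocol matches rather than the L7 application inspection the CCP wizard generates, which is the part Alain says costs throughput. Assumed names: zone Inside, the CM-*/PM-* class- and policy-maps, zone-pairs IN-OUT and OUT-IN, and ACL ACL-RDP-FORWARD; the Outside zone, Vlan1, FastEthernet4 and 192.168.0.54 come from the thread.

```cisco
! Added example: complete ZBF for the thread's topology (assumed names marked above).
!
! 1. The LAN-facing SVI gets its own zone. The 192.168.0.0/24 VLAN is routed behind
!    the SG500 via 192.168.10.2, so it is reached through Vlan1 and needs no extra zone.
zone security Inside
!
interface Vlan1
 zone-member security Inside
!
! 2. Inside -> Outside: stateful inspection so that return traffic for sessions the
!    LAN opens (for example the switch's ping to 74.125.225.215) is allowed back in.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop
!
zone-pair security IN-OUT source Inside destination Outside
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! 3. Outside -> Inside: only the port-forwarded service from the NAT discussion.
!    For outside-to-inside traffic IOS applies NAT before the zone firewall, so the
!    ACL matches the inside local address 192.168.0.54, not the 24.x.x.x WAN address.
!    Replace "any" with the admin source network if the RDP clients are known.
ip access-list extended ACL-RDP-FORWARD
 permit tcp any host 192.168.0.54 eq 3389
!
class-map type inspect match-all CM-OUTSIDE-TO-INSIDE
 match access-group name ACL-RDP-FORWARD
!
policy-map type inspect PM-OUTSIDE-TO-INSIDE
 class type inspect CM-OUTSIDE-TO-INSIDE
  inspect
 class class-default
  drop log
!
zone-pair security OUT-IN source Outside destination Inside
 service-policy type inspect PM-OUTSIDE-TO-INSIDE
```

Traffic to and from the router itself (the Easy VPN endpoint and management on Fa4) belongs to the self zone, which stays permitted by default until a zone-pair involving self is defined. Decrypted VPN client traffic arrives on Virtual-Template2, which is in no zone, so it is dropped toward Vlan1 until that interface is also made a zone member.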

Hi Alain,

Thanks for the detailed info on ZBF.

Well, I have Easy VPN set up on the router, so I need that allowed in the firewall.

Also I will have my servers running, which include AD, a mail server (SMTP, 587), a web server (80), SSH and an Asterisk server (SIP 5060).

Not sure if it is necessary to put any security from the inside network to outlook, since users will browse the Internet most of the time; p2p can be blocked (any suggestion on that would be highly appreciated).

I already have the running config in my first post; I didn't configure ZBF yet.

Please let me know which firewall settings best suit the above requirements.

Thanks
