No INTERNET Access

tward
Level 1

I have a Cisco 2600 router with two FETHERs. 0/0 is connected to a closed network and 0/1 is connected to our regular corporate network. I have set up a firewall PC between the closed network and the corporate network. When I connect the firewall PC directly to the switch of our corporate network, I am able to browse the Internet. When I place the router between the firewall and the corporate network, in the same port, from the firewall I can no longer browse the Internet. From the router, I am able to ping both the firewall, which is directly connected, and the VLAN gateway, which is also directly connected. I am also able to ping just about anywhere else on the corporate network, including out to the Internet. However, when the firewall pings, it is only able to ping to the far side of the router. It can't even ping the next hop, which is the VLAN gateway on the switch. I have added a route to the outside on the router, but whenever I do a traceroute from the firewall, it always ends on the near-side router interface. I have also added a gateway of last resort which is pointing to the far-side interface. Can anyone tell me what I am missing? (Please don't bother asking why I want the router between the firewall and our corporate network..... long story & not important.)


steve.barlow
Level 7

For browsing the internet, I assume you are using NAT on your router. Has the NAT access-list been set up to allow the firewall?

For pinging, does the corp network have a route to the firewall's network? The firewall's gateway should be the router's local IP, and the corp network must have a route to get to the firewall.

Any access-lists anywhere?

Steve

Actually, the only access-lists that I have deny anything from that network except www traffic. Actually, you're right about the ICMP traffic from the firewall to the corp net. I remembered after I sent the message. I will try NATting. Thank you. I'll let you know. Any recommendations/examples on access-lists for the Internet?

An example:

! Unroutable / reserved source addresses: drop and log
access-list 180 deny ip host 0.0.0.0 any log
access-list 180 deny ip 0.0.0.0 0.255.255.255 any log
! RFC 1918 private range 10.0.0.0/8
access-list 180 deny ip 10.0.0.0 0.255.255.255 any log
! loopback range
access-list 180 deny ip 127.0.0.0 0.255.255.255 any log
! RFC 1918 private ranges 172.16.0.0/12 and 192.168.0.0/16
access-list 180 deny ip 172.16.0.0 0.15.255.255 any log
access-list 180 deny ip 192.168.0.0 0.0.255.255 any log
! class D (multicast) and class E sources, 224.0.0.0/3
access-list 180 deny ip 224.0.0.0 31.255.255.255 any log
! anything addressed to the limited-broadcast range 255.255.255.128-255
access-list 180 deny ip any 255.255.255.128 0.0.0.127 log
! packets arriving from outside that claim your own address space as source (prevents spoofing)
access-list 180 deny ip your_network_ip any log
! permits for the traffic you actually want, e.g. return traffic for web browsing
access-list 180 permit tcp ....
! explicit final deny so rejected packets are logged
access-list 180 deny ip any any log

Hope it helps.

Steve
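The following is an added example, not configuration from the original thread. It puts Steve's two replies (the NAT access-list that must cover the firewall plus a return route, and the anti-spoofing access-list) into one Cisco 2600 configuration. Every address, interface role and permit line below is assumed: FastEthernet0/0 at 192.0.2.1/24 faces the firewall PC (assumed at 192.0.2.2), FastEthernet0/1 at 198.51.100.10/24 faces the corporate VLAN whose gateway is assumed to be 198.51.100.1, and the reserved-source deny lines of access-list 180 are the ones from the reply above and are not repeated.

```cisco
! Added example, not from the original thread. Addresses and interface roles
! are assumptions:
!   Fa0/0  192.0.2.1/24      inside, faces the firewall PC (assumed 192.0.2.2)
!   Fa0/1  198.51.100.10/24  outside, faces the corporate VLAN, gateway 198.51.100.1
!
interface FastEthernet0/0
 description inside: firewall PC / closed network
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description outside: corporate VLAN
 ip address 198.51.100.10 255.255.255.0
 ip nat outside
 ip access-group 180 in
!
! Gateway of last resort: point it at the next-hop address, not at the
! router's own far-side interface. A default route that names an Ethernet
! interface makes the router ARP for every Internet destination and relies
! on proxy ARP at the upstream gateway.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Translation list. If the firewall's subnet is not matched here, its packets
! leave Fa0/1 untranslated, the corporate network has no route back to
! 192.0.2.0/24, and replies never return: the symptom in the question.
access-list 1 remark hosts whose traffic is translated to the Fa0/1 address
access-list 1 permit 192.0.2.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! Inbound filter on the corporate side. The reserved-source deny lines are
! the ones from the reply above; the "your_network_ip" entry becomes the
! firewall subnet. The permits are assumed for a NAT'd web-browsing client:
! established TCP covers the return half of the browsing sessions, the ICMP
! types cover ping replies and traceroute/PMTU feedback.
access-list 180 remark -- reserved-source deny lines from the reply go here --
access-list 180 deny ip 192.0.2.0 0.0.0.255 any log
access-list 180 permit tcp any any established
access-list 180 permit icmp any any echo-reply
access-list 180 permit icmp any any time-exceeded
access-list 180 permit icmp any any unreachable
access-list 180 deny ip any any log
```

Two caveats when adapting this. The 10/8, 172.16/12 and 192.168/16 deny lines in the reply's list are written for an interface that faces the public Internet; here Fa0/1 faces the corporate LAN, so if the corporate VLAN uses one of those ranges the matching line must be dropped or it will block the VLAN gateway itself. After applying it, `show ip nat translations` should list the firewall's sessions and `show access-lists` shows hit counters per line, which tells you quickly whether a deny line is eating the traffic you wanted.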