Cisco Support Community

No INTERNET Access

I have a Cisco 2600 router with two FETHERs. 0/0 is connected to a closed network and 0/1 is connected to our regular corporate network. I have set up a firewall PC between the closed network and the corporate network. When I connect the firewall PC directly to the switch of our corporate network, I am able to browse the Internet. When I place the router between the firewall and the corporate network, in the same port, from the firewall I can no longer browse the Internet. From the router, I am able to ping both the firewall, which is directly connected, and the VLAN gateway, which is also directly connected. I am also able to ping just about anywhere else on the corporate network, including out to the Internet. However, when the firewall pings, it is only able to ping to the far side of the router. It can't even ping the next hop, which is the VLAN gateway on the switch. I have added a route to the outside on the router, but whenever I do a traceroute from the firewall, it always ends on the near-side router interface. I have also added a gateway of last resort which is pointing to the far-side interface. Can anyone tell me what I am missing? (Please don't bother asking why I want the router between the firewall and our corporate network..... long story & not important.)


Re: No INTERNET Access

For browsing the Internet, I assume you are using NAT on your router. Has the NAT access-list been set up to allow the firewall?

For pinging, does the corp network have a route to the firewall's network? The firewall's gateway should be the router's local IP, and the corp network must have a route to get to the firewall.

Any access-lists anywhere?

Steve
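
An added example, not from the thread and not Steve's configuration, of the router-side setup his reply describes: NAT overload for the firewall's network toward the corporate side, plus a gateway of last resort. The interface roles follow the original post (Fa0/0 toward the closed network and firewall, Fa0/1 toward the corporate VLAN); every address is an assumption chosen for illustration: firewall network 192.168.10.0/24 with the firewall at 192.168.10.2 and the router's Fa0/0 at 192.168.10.1, corporate VLAN 10.1.1.0/24 with the VLAN gateway at 10.1.1.1 and the router's Fa0/1 at 10.1.1.2.

```cisco
! Added example (not from the thread). All addresses are assumptions:
!   closed side   : 192.168.10.0/24, router Fa0/0 = 192.168.10.1, firewall = 192.168.10.2
!   corporate side: 10.1.1.0/24,     router Fa0/1 = 10.1.1.2,     VLAN gateway = 10.1.1.1
!
interface FastEthernet0/0
 description closed network / firewall side
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description corporate VLAN
 ip address 10.1.1.2 255.255.255.0
 ip nat outside
!
! Gateway of last resort: point it at the next-hop IP of the VLAN gateway,
! not at the far-side interface itself. A static route that names only an
! Ethernet interface makes the router ARP for every Internet destination,
! which works only if the gateway happens to answer with proxy ARP.
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
! NAT: only the firewall's network (ACL 10) is translated, to the address
! of Fa0/1. With this in place the corporate side never sees 192.168.10.x
! and therefore needs no route back to it.
access-list 10 permit 192.168.10.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0/1 overload
!
! Alternative without NAT: leave out the two "ip nat" interface lines, the
! ACL 10 line and the "ip nat inside source" line, and instead add a route
! on the VLAN gateway (10.1.1.1) such as
!   ip route 192.168.10.0 255.255.255.0 10.1.1.2
! so that replies destined for the firewall can find their way back.
```

The firewall's default gateway must be 192.168.10.1 (the router's Fa0/0). This also explains the symptom in the original post: the firewall can ping the router's far-side address because the router answers that itself, but a ping to 10.1.1.1 dies because the VLAN gateway has no route back to 192.168.10.0/24 and its reply never returns; NAT or the return route fixes exactly that. `show ip nat translations` and `show ip route` on the router confirm that sessions are being translated and that the default route is installed.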

Re: No INTERNET Access

Actually, the only access-lists that I have are deny anything from that network except www traffic. Actually, you're right about the ICMP traffic from the firewall to the corp net. I remembered after I sent the message. I will try NATting. Thank you. I'll let you know. Any recommendations/examples on access-lists for the Internet?

Re: No INTERNET Access

An example:

! intended for inbound traffic on the interface facing the untrusted side:
! drop packets whose source address can never legitimately arrive from there
access-list 180 deny ip host 0.0.0.0 any log
access-list 180 deny ip 0.0.0.0 0.255.255.255 any log
access-list 180 deny ip 10.0.0.0 0.255.255.255 any log
access-list 180 deny ip 127.0.0.0 0.255.255.255 any log
access-list 180 deny ip 172.16.0.0 0.15.255.255 any log
access-list 180 deny ip 192.168.0.0 0.0.255.255 any log
! class D/E space (224.0.0.0/3) as both source and destination
access-list 180 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
! destinations in 255.255.255.128/25, which includes the limited broadcast 255.255.255.255
access-list 180 deny ip any 255.255.255.128 0.0.0.127 log
! your own address space (network plus wildcard mask) must never arrive from outside (prevents spoofing)
access-list 180 deny ip your_network your_wildcard any log
! then permit only the traffic you actually want
access-list 180 permit tcp ....
! explicit final deny so that the drops are logged
access-list 180 deny ip any any log

Hope it helps.

Steve
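
An added example, not from the thread and not Steve's configuration, of how an ACL along the lines of his template would be completed and applied in this particular setup. The addresses are assumptions: corporate VLAN 10.1.1.0/24 with the router's Fa0/1 (the NAT-outside interface) at 10.1.1.2, firewall network 192.168.10.0/24 behind Fa0/0, and a corporate DNS resolver at 10.1.1.53. Two caveats a practitioner would want before pasting such a template: its RFC 1918 deny lines assume the outside is the real Internet, whereas here the "outside" is a corporate LAN in 10.0.0.0/8, so the `deny ip 10.0.0.0 0.255.255.255 any` line would cut the router off from its own VLAN gateway and is left out; and an inbound ACL on the NAT-outside interface is evaluated before outside-to-inside translation, so return traffic has to be permitted to the router's global address, not to the firewall's private one.

```cisco
! Added example (not from the thread). Assumptions:
!   corporate side 10.1.1.0/24, router Fa0/1 = 10.1.1.2 (NAT outside, global address)
!   firewall network 192.168.10.0/24 behind Fa0/0 (NAT inside)
!   corporate DNS resolver = 10.1.1.53
!   the "outside" is a corporate LAN in 10.0.0.0/8, not the Internet
!
! Bogon / anti-spoofing part. The 10.0.0.0/8 line of the template is
! deliberately omitted: the VLAN gateway 10.1.1.1 lives there and would be
! blocked. The 192.168.0.0/16 line already covers our own closed network
! 192.168.10.0/24, so it doubles as the "your_network" anti-spoofing line.
access-list 180 deny ip host 0.0.0.0 any log
access-list 180 deny ip 127.0.0.0 0.255.255.255 any log
access-list 180 deny ip 172.16.0.0 0.15.255.255 any log
access-list 180 deny ip 192.168.0.0 0.0.255.255 any log
access-list 180 deny ip 224.0.0.0 31.255.255.255 any log
access-list 180 deny ip any host 255.255.255.255 log
!
! Permits. Inbound ACLs on the NAT-outside interface are checked before
! the outside-to-inside translation, so replies still carry the global
! address 10.1.1.2 as destination, not the firewall's 192.168.10.2.
! Web browsing replies: TCP segments with ACK or RST set only
access-list 180 permit tcp any host 10.1.1.2 established
! DNS answers from the corporate resolver
access-list 180 permit udp host 10.1.1.53 eq 53 host 10.1.1.2
! ICMP needed for ping tests, traceroute and path MTU discovery
access-list 180 permit icmp any host 10.1.1.2 echo-reply
access-list 180 permit icmp any host 10.1.1.2 unreachable
access-list 180 permit icmp any host 10.1.1.2 time-exceeded
! log everything else that is dropped
access-list 180 deny ip any any log
!
interface FastEthernet0/1
 ip access-group 180 in
!
! Verification from enable mode:
!   show ip access-lists 180    (per-line hit counters)
!   show ip nat translations    (the firewall's translated sessions)
!   show logging                (the logged denies)
```

The original poster's own "deny everything from the closed network except www" list is a separate ACL that belongs inbound on Fa0/0 and is untouched by this one. One operational note for a 2600: the `log` keyword makes every matching packet hit the CPU, so on a busy link keep it on the denies you actually want to see and drop it from the high-volume ones.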
