11-13-2013 12:45 AM - edited 03-04-2019 09:33 PM
Dear All,
I need your urgent advice. I have a Cisco router which was just moved to another site, hence we changed only the ISP IP. I tested from the router and everything is working fine. When connected to the switch, users in the LAN are not able to access the Internet but are able to access the Intranet.
The router shows the logs below:
003068: *Nov 13 08:25:57 UTC: %FW-6-LOG_SUMMARY: 1 packet were dropped from (target:class)-(ZP_In_Out:Invalid_SRC)
I just removed the IP.
Please advise ASAP; I appreciate your support.
11-13-2013 01:16 AM
Hi,
This is a zone based firewall log.
Can you post the following:
-sh run | s ip nat
-sh run | i access-list
-sh policy-map type inspect
-sh class-map type inspect
-sh run | i zone
Regards.
Alain
Don't forget to rate helpful posts.
11-13-2013 02:10 AM
Hi Alain,
Please see below:
ip nat inside
ip nat outside
ip nat inside
ip nat inside source list internet_acl interface GigabitEthernet0/1 overload
++++++++++++++++++++++++++++++++++++
ip access-list standard SNMP_INC
ip access-list extended Anti-spoof_ACL
ip access-list extended DMVPN_ACL
ip access-list extended VTY_Sources
ip access-list extended SSH_ICMP_ACL
ip access-list extended Telnet/SSH
ip access-list extended filter_in
ip access-list extended filter_out
ip access-list extended internet_acl
+++++++++++++++++++++++++++++++++++++++
Policy Map type inspect Inspect_Policy
Class Invalid_SRC
Drop log
Class Traffic_Insp
Inspect
Class HTTP_Inspect
Inspect
Class class-default
Drop
Policy Map type inspect Permit_Policy
Class GRE
Pass
Class SSH_ICMP
Inspect
Class Invalid_SRC
Drop log
Class DMVPN
Pass
Class class-default
Drop
Policy Map type inspect Permit_ICMP_Reply
Class ICMP_Access
Inspect
Class GRE
Pass
Class SSH_ICMP
Inspect
Class DMVPN
Pass
Class class-default
Pass
+++++++++++++++++++++++++++++++++++++++++++++++++++
Class Map type inspect match-any SSH_ICMP (id 2)
Match class-map SSH_ICMP_ACL
Class Map type inspect match-any Class_Map_ICMP (id 3)
Match protocol icmp
Class Map type inspect match-any SSH_ICMP_ACL (id 1)
Match access-group name SSH_ICMP_ACL
Class Map type inspect match-all HTTP_Inspect (id 4)
Match protocol http
Class Map type inspect match-any Class_Map_Traffic_Insp (id 5)
Match protocol cuseeme
Match protocol dns
Match protocol ftp
Match protocol h323
Match protocol https
Match protocol icmp
Match protocol imap
Match protocol pop3
Match protocol netshow
Match protocol shell
Match protocol realmedia
Match protocol rtsp
Match protocol smtp extended
Match protocol sql-net
Match protocol streamworks
Match protocol tftp
Match protocol vdolive
Match protocol tcp
Match protocol udp
Class Map type inspect match-all Traffic_Insp (id 6)
Match class-map Class_Map_Traffic_Insp
Class Map type inspect match-any DMVPN (id 8)
Match class-map DMVPN_ACL
Class Map type inspect match-all Invalid_SRC (id 10)
Match class-map Anti-spoof_ACL
Class Map type inspect match-any DMVPN_ACL (id 7)
Match access-group name DMVPN_ACL
Class Map type inspect match-any GRE (id 11)
Match class-map DMVPN_ACL
Class Map type inspect match-all Anti-spoof_ACL (id 9)
Match access-group name Anti-spoof_ACL
Class Map type inspect match-all ICMP_Access (id 12)
Match class-map Class_Map_ICMP
++++++++++++++++++++++++++++++++++++++++++++++++++
zone security in-zone
zone security out-zone
zone-pair security ZP_Self_Out source self destination out-zone
zone-pair security ZP_Out_Self source out-zone destination self
zone-pair security ZP_In_Out source in-zone destination out-zone
zone-member security in-zone
zone-member security in-zone
zone-member security in-zone
zone-member security in-zone
zone-member security in-zone
zone-member security in-zone
11-13-2013 02:33 AM
Hi,
Post the following:
sh access-list Anti-spoof_ACL
sh policy-map type inspect zone-pair security ZP_In_Out
Regards
Alain
Don't forget to rate helpful posts.
11-13-2013 02:38 AM
This one is not working:
sh policy-map type inspect zone-pair security ZP_In_Out
^
% Invalid input detected at '^' marker.
++++++++++++++++++++++++++++++++++++++++
Extended IP access list Anti-spoof_ACL
10 permit ip 0.0.0.0 0.255.255.255 any
20 permit ip host 255.255.255.255 any
30 permit ip 127.0.0.0 0.255.255.255 any
40 permit ip 169.254.0.0 0.0.255.255 any
50 permit ip 192.0.2.0 0.0.0.255 any
60 permit ip 192.88.99.0 0.0.0.255 any
70 permit ip 192.168.0.0 0.0.255.255 any (30158 matches)
80 permit ip 198.18.0.0 0.0.0.128 any
90 permit ip 224.0.0.0 31.255.255.255 any
11-13-2013 03:03 AM
Hi,
70 permit ip 192.168.0.0 0.0.255.255 any (30158 matches)
Is the interface in in-zone in this subnet?
Can you do clear access-list Anti-spoof_ACL counters, try to go outside, and do sh access-list Anti-spoof_ACL again,
as well as post any log.
Try this one instead, but it should have worked:
sh policy-map type inspect zone-pair
Regards
Alain
Don't forget to rate helpful posts.
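As an added illustration (not from the thread or from Cisco), here is a small Python model of how IOS evaluates the Anti-spoof_ACL posted above against a source address, using wildcard-mask semantics (every 0 bit in the wildcard must match; 1 bits are don't-care). It shows why a LAN host in 192.168.0.0/16 hits sequence 70 and therefore the Invalid_SRC class, which is drop log on ZP_In_Out, and it also shows that the 0.0.0.128 wildcard on sequence 80 covers only two addresses (198.18.0.0 and 198.18.0.128), which is worth checking. The ACL entries are transcribed from the listing; the sample source addresses are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Anti-spoof_ACL as (sequence, network, wildcard), transcribed from the thread.
# "host X" is the same as "X 0.0.0.0".
ANTI_SPOOF_ACL: List[Tuple[int, str, str]] = [
    (10, "0.0.0.0", "0.255.255.255"),
    (20, "255.255.255.255", "0.0.0.0"),
    (30, "127.0.0.0", "0.255.255.255"),
    (40, "169.254.0.0", "0.0.255.255"),
    (50, "192.0.2.0", "0.0.0.255"),
    (60, "192.88.99.0", "0.0.0.255"),
    (70, "192.168.0.0", "0.0.255.255"),
    (80, "198.18.0.0", "0.0.0.128"),
    (90, "224.0.0.0", "31.255.255.255"),
]


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(src: str, network: str, wildcard: str) -> bool:
    """True if src matches network/wildcard as an IOS ACE would evaluate it:
    every bit that is 0 in the wildcard must be equal in src and network."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(src) & care) == (_to_int(network) & care)


def first_matching_ace(src: str, acl=ANTI_SPOOF_ACL) -> Optional[int]:
    """Sequence number of the first ACE that matches src, or None.
    None means the implicit deny at the end of the ACL applies, so the
    Invalid_SRC class-map does not match and evaluation continues with
    the next class in the policy-map."""
    for seq, net, wc in acl:
        if wildcard_match(src, net, wc):
            return seq
    return None


def wildcard_size(wildcard: str) -> int:
    """Number of addresses a wildcard mask covers: 2 ** (count of 1 bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


if __name__ == "__main__":
    # Constructed sample sources: a LAN host, an RFC 1918 /8 host, and two
    # addresses around the 198.18.0.0 entry.
    for src in ("192.168.10.25", "10.20.30.40", "198.18.0.128", "198.18.1.1"):
        print(f"{src:>15} -> ACE {first_matching_ace(src)}")
    print("entry 80 covers", wildcard_size("0.0.0.128"), "addresses")
```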
11-13-2013 05:55 PM
Hi,
Issue solved. I've added a default router on the switch pointing to the ISP default gateway.
Thanks, Alain, for your help.
Fady