No Internet via LAN

fadyawad1 · ‎11-13-2013

Dear All,

I need your urgent advise, i have a cisco router which just moved to another site hence we changed the ISP IP only. I tested from router and everything is working fine. when connected the switch users in the LAN not able to access the Internet but able to access Intranet.

Router show below logs'

003068: *Nov 13 08:25:57 UTC: %FW-6-LOG_SUMMARY: 1 packet were dropped from (target:class)-(ZP_In_Out:Invalid_SRC)

I just removed the IP.

Please advise ASAP, appreciate your support

cadet alain · ‎11-13-2013

Hi,

This is a zone based firewall log.

Can you post following:

-sh run | s ip nat

-sh run | i access-list

-sh policy-map type inspect

-sh class-map type inspect

-sh run | i zone

Regards.

Alain

Don't forget to rate helpful posts.

fadyawad1 · ‎11-13-2013

Hi Alain,

please see below;

ip nat inside
ip nat outside
ip nat inside
ip nat inside source list internet_acl interface GigabitEthernet0/1 overload

++++++++++++++++++++++++++++++++++++

ip access-list standard SNMP_INC
ip access-list extended Anti-spoof_ACL
ip access-list extended DMVPN_ACL
ip access-list extended VTY_Sources
ip access-list extended SSH_ICMP_ACL
ip access-list extended Telnet/SSH
ip access-list extended filter_in
ip access-list extended filter_out
ip access-list extended internet_acl
+++++++++++++++++++++++++++++++++++++++

Policy Map type inspect Inspect_Policy
    Class Invalid_SRC
      Drop log
    Class Traffic_Insp
      Inspect
    Class HTTP_Inspect
      Inspect
    Class class-default
      Drop

Policy Map type inspect Permit_Policy
    Class GRE
      Pass
    Class SSH_ICMP
      Inspect
    Class Invalid_SRC
      Drop log
    Class DMVPN
      Pass
    Class class-default
      Drop

Policy Map type inspect Permit_ICMP_Reply
    Class ICMP_Access
      Inspect
    Class GRE
      Pass
    Class SSH_ICMP
      Inspect
    Class DMVPN
      Pass
    Class class-default
      Pass
+++++++++++++++++++++++++++++++++++++++++++++++++++
Class Map type inspect match-any SSH_ICMP (id 2)
   Match class-map SSH_ICMP_ACL

Class Map type inspect match-any Class_Map_ICMP (id 3)
Match protocol icmp

Class Map type inspect match-any SSH_ICMP_ACL (id 1)
Match access-group name SSH_ICMP_ACL

Class Map type inspect match-all HTTP_Inspect (id 4)
Match protocol http

Class Map type inspect match-any Class_Map_Traffic_Insp (id 5)
   Match protocol cuseeme
   Match protocol dns
   Match protocol ftp
   Match protocol h323
   Match protocol https
   Match protocol icmp
   Match protocol imap
   Match protocol pop3
   Match protocol netshow
   Match protocol shell
   Match protocol realmedia
   Match protocol rtsp
   Match protocol smtp extended
   Match protocol sql-net
   Match protocol streamworks
   Match protocol tftp
   Match protocol vdolive
   Match protocol tcp
   Match protocol udp

Class Map type inspect match-all Traffic_Insp (id 6)
Match class-map Class_Map_Traffic_Insp

Class Map type inspect match-any DMVPN (id 8)
Match class-map DMVPN_ACL

Class Map type inspect match-all Invalid_SRC (id 10)
Match class-map Anti-spoof_ACL

Class Map type inspect match-any DMVPN_ACL (id 7)
Match access-group name DMVPN_ACL

Class Map type inspect match-any GRE (id 11)
Match class-map DMVPN_ACL

Class Map type inspect match-all Anti-spoof_ACL (id 9)
Match access-group name Anti-spoof_ACL

Class Map type inspect match-all ICMP_Access (id 12)
Match class-map Class_Map_ICMP

++++++++++++++++++++++++++++++++++++++++++++++++++

zone security in-zone
zone security out-zone
zone-pair security ZP_Self_Out source self destination out-zone
zone-pair security ZP_Out_Self source out-zone destination self
zone-pair security ZP_In_Out source in-zone destination out-zone
zone-member security in-zone
zone-member security in-zone
zone-member security in-zone
zone-member security in-zone
zone-member security in-zone
zone-member security in-zone

cadet alain · ‎11-13-2013

Hi,

post following :

sh access-list Anti-spoof_ACL

sh policy-map type inspect zone-pair security ZP_In_Out

Regards

Alain

Don't forget to rate helpful posts.

fadyawad1 · ‎11-13-2013

this one not working;

sh policy-map type inspect zone-pair security ZP_In_Out

^

% Invalid input detected at '^' marker.

++++++++++++++++++++++++++++++++++++++++

Extended IP access list Anti-spoof_ACL

10 permit ip 0.0.0.0 0.255.255.255 any

20 permit ip host 255.255.255.255 any

30 permit ip 127.0.0.0 0.255.255.255 any

40 permit ip 169.254.0.0 0.0.255.255 any

50 permit ip 192.0.2.0 0.0.0.255 any

60 permit ip 192.88.99.0 0.0.0.255 any

70 permit ip 192.168.0.0 0.0.255.255 any (30158 matches)

80 permit ip 198.18.0.0 0.0.0.128 any

90 permit ip 224.0.0.0 31.255.255.255 any

cadet alain · ‎11-13-2013

Hi,


70 permit ip 192.168.0.0 0.0.255.255 any (30158 matches)

Is the interface in in-zone in this subnet ?

can you do clear access-list Anti-spoof_ACL counters and try to go outside and do sh access-list Anti-spoof_ACL again

as well as post any log.

try this one instead then but it should have worked:

sh policy-map type inspect zone-pair

Regards

Alain

Don't forget to rate helpful posts.

fadyawad1 · ‎11-13-2013

Hi,

Issue solved, i've added default router on the switch pointing to the ISP default gateway.

Thanks Alain for your help

Fady