
1811 Multiple VLAN setup config help needed 1


Bigzizzzle

Technical User
Apr 29, 2009
6

Having a difficult time getting my new VLAN to access anything, i.e. the WWW. I'm using ZBF; perhaps it's not configured right, or I'm missing a route. Please help; I need to keep the traffic separate, but I need this new experimental traffic to get out to the internet just as much as the main VLAN does.

Thanks


=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2009.04.29 16:42:52 =~=~=~=~=~=~=~=~=~=~=~=
login as: RTRADMIN
No UnAuthorized Users Allowed!!!
Using keyboard-interactive authentication.
Password:

MeRouter#show run
Building configuration...

Current configuration : 11342 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname MeRouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000
enable secret 5 XXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2465103528
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2465103528
revocation-check none
rsakeypair TP-self-signed-2465103528
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
!
dot11 syslog
!
dot11 ssid XXXXXXXXXXXX
vlan 1
authentication open
authentication key-management XXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
no ip source-route
no ip gratuitous-arps
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.10 192.168.1.254
!
ip dhcp pool Lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 68.XXX.XXX.XXX 68.XXX.XXX.XXX
lease 5
!
ip dhcp pool Test
network 192.168.5.0 255.255.255.0
dns-server 68.XXX.XXX.XXX 68.XXX.XXX.XXX
domain-name TestNetwork
default-router 192.168.5.1
!
!
no ip bootp server
ip port-map user-protocol--2 port udp 20800
ip port-map user-protocol--3 port udp 20810
ip port-map user-protocol--1 port udp 28960
no ip ips notify log
login block-for 300 attempts 3 within 30
login on-failure log
!
multilink bundle-name authenticated
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]

!
!
no memory validate-checksum
!
no spanning-tree vlan 1
username RTRADMIN privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXXX
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 104
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 103
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 101
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
bridge irb
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0
ip access-group 110 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
no cdp enable
!
interface FastEthernet5
no cdp enable
!
interface FastEthernet6
switchport access vlan 10
no cdp enable
!
interface FastEthernet7
no cdp enable
!
interface FastEthernet8
no cdp enable
!
interface FastEthernet9
no cdp enable
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
encryption mode ciphers tkip
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key change 3600
!
broadcast-key vlan 1 change 3600 membership-termination capability-change
!
!
ssid XXXXXXXXXX
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2452
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
no cdp enable
!
interface Vlan1
no ip address
bridge-group 1
!
interface Vlan10
ip address 192.168.5.1 255.255.255.0
ip access-group Deny-Traffic-VLAN10-MAIN out
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
shutdown
!
interface BVI1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
!
ip forward-protocol nd
!
!
no ip http server
ip http access-class 6
ip http authentication local
no ip http secure-server
ip nat source list 10 interface FastEthernet6 overload
ip nat inside source list 3 interface FastEthernet0 overload
ip nat inside source static udp 192.168.1.1 28960 interface BVI1 28960
ip nat inside source static udp 192.168.1.1 20800 interface BVI1 20800
ip nat inside source static udp 192.168.1.1 20810 interface BVI1 20810
!
ip access-list extended Deny-Traffic-VLAN10-MAIN
deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended OutboundBlock
deny ip 0.0.0.0 0.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 224.0.0.0 15.255.255.255 any log-input
deny ip any 0.0.0.0 0.255.255.255 log-input
deny ip any 10.0.0.0 0.255.255.255 log-input
deny ip any 127.0.0.0 0.255.255.255 log-input
deny ip any 169.254.0.0 0.0.255.255 log-input
deny ip any 172.16.0.0 0.15.255.255 log-input
deny ip any 192.168.0.0 0.0.255.255 log-input
deny ip any 224.0.0.0 15.255.255.255 log-input
deny udp any any eq netbios-ns log-input
deny udp any any eq netbios-dgm log-input
deny udp any any eq netbios-ss log-input
permit ip any any
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 3 remark INSIDE_IF=BVI1
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 4 remark HTTP Access-class list
access-list 4 remark SDM_ACL Category=1
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 4 deny any
access-list 5 remark HTTP Access-class list
access-list 5 remark SDM_ACL Category=1
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 5 deny any
access-list 6 remark HTTP Access-class list
access-list 6 remark SDM_ACL Category=1
access-list 6 permit 192.168.1.0 0.0.0.255
access-list 6 deny any
access-list 10 permit 192.168.5.0 0.0.0.255
access-list 100 remark SDM_ACL Category=1
access-list 100 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.1.1
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.1.1
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.1.1
access-list 110 remark SDM_ACL Category=17
access-list 110 permit udp any eq bootps any eq bootpc
access-list 110 permit udp host 68.XXX.XXX.XXX eq domain any
access-list 110 permit udp host 68.XXX.XXX.XXX eq domain any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 224.0.0.0 31.255.255.255 any log
access-list 110 deny ip host 0.0.0.0 any log
access-list 110 deny ip host 255.255.255.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 172.16.0.0 0.0.255.255 any log
access-list 110 permit ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CNo UnAuthorized Users Allowed!!!^C
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login local
transport output telnet
line vty 0 4
session-timeout 3 output
access-class 1 in
privilege level 15
login local
transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

MeRouter# exit
 
I only skimmed your config, but you do need a default route:
ip route 0.0.0.0 0.0.0.0 f0/0

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
That being said, when I've done that in the past it basically kills all my internet activity. Not sure if it's because I didn't have the rest of the config set up. Who knows; I mean I will try it later tonight and post a GO or NO GO status. Let's keep formulating.
 
Change the exit interface to bvi1. I'm confused as to which interface is actually going to be used for connecting to your upstream device for Internet access. This confuses me:
Code:
ip nat inside source list 3 interface FastEthernet0 overload
ip nat inside source static udp 192.168.1.1 28960 interface BVI1 28960
ip nat inside source static udp 192.168.1.1 20800 interface BVI1 20800
ip nat inside source static udp 192.168.1.1 20810 interface BVI1 20810
You are NATing traffic outbound on f0/0, but you have statics set up on your BVI1 interface. Can you go into more detail about how your topology is set up?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I use the BVI so I can have a few clients on the WLAN connect to the same subnet. However, my WAN port is FA0; perhaps my configuration is a little off. From what I thought, the only way to get the wireless to connect together was through the BVI creation. I have at least 5 WiFi clients and a print server that all must use it, and 2 desktop workstations.

This new VLAN is for experimentation and also for, say, a quarantined LAN environment: say I work with infected PCs at my house, I don't want that crap traffic to interfere.

In the near future I need to develop a wireless AP for a new coffee shop my sister is rolling out. I need to use VLANs to separate the POS traffic and the free but limited internet. That's why I'm experimenting with LANs.

So far, the Cisco equipment I looked for in that job would be their Wireless LAN Controller. I'm looking for a Starbucks-like WiFi deployment, but AT&T has not returned my sales calls. I'm about to spend a pretty penny in this terrible economy, and you'd think they would call me back for a sales call.
 
You have so much stuff going on in that config that it is difficult to follow it all. To start with:
You don't need this in here:
Code:
ip nat source list 10 interface FastEthernet6 overload
You haven't included your .5 subnet in your NAT config:
Code:
access-list 3 permit ip 192.168.5.0 0.0.0.255
Without a default route it surprises me that your VLAN1 can get to the Internet at all.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Ready? Change this

ip nat source list 10 interface FastEthernet6 overload

to this

ip nat inside source list 10 interface FastEthernet6 overload

Missing the keyword "inside".

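A small config lint that automates the three checks raised in this thread: a `ip nat source list` statement missing the `inside` keyword, an `ip nat inside` interface whose subnet is not permitted by any inside NAT access list, and the absence of a default route. This is an added example, not the router's own output or any Cisco tool; the CONFIG string is a constructed excerpt of the posted configuration, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted above (not the full running-config).
CONFIG = """
interface Vlan10
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat source list 10 interface FastEthernet6 overload
ip nat inside source list 3 interface FastEthernet0 overload
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.5.0 0.0.0.255
"""

def inside_subnets(cfg):
    """Map each interface carrying 'ip nat inside' and an address to its network."""
    found = {}
    for block in re.split(r"^!\s*$", cfg, flags=re.M):
        name = re.search(r"^interface (\S+)", block, re.M)
        addr = re.search(r"^\s*ip address (\S+) (\S+)", block, re.M)
        if name and addr and re.search(r"^\s*ip nat inside\s*$", block, re.M):
            found[name.group(1)] = ipaddress.ip_network(
                f"{addr.group(1)}/{addr.group(2)}", strict=False)
    return found

def acl_permits(cfg, acl):
    """Networks permitted by a standard numbered ACL written with a wildcard mask."""
    nets = []
    for net, wildcard in re.findall(rf"^access-list {acl} permit (\S+) (\S+)", cfg, re.M):
        mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
        nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets

def lint_nat(cfg):
    """Return the list of findings (empty when the config passes all three checks)."""
    findings = []
    # 1. 'ip nat source list' without 'inside' does not translate anything (last reply above).
    for m in re.finditer(r"^ip nat source list (\S+) ", cfg, re.M):
        findings.append(f"NAT statement for list {m.group(1)} is missing the 'inside' keyword")
    # 2. every 'ip nat inside' subnet must be covered by some inside source list.
    lists = re.findall(r"^ip nat inside source list (\S+) ", cfg, re.M)
    permitted = [n for acl in lists for n in acl_permits(cfg, acl)]
    for ifname, net in inside_subnets(cfg).items():
        if not any(net.subnet_of(p) for p in permitted):
            findings.append(f"{ifname} subnet {net} is not permitted by any inside NAT list")
    # 3. without a default route no inside host reaches the Internet at all.
    if not re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 ", cfg, re.M):
        findings.append("no default route (ip route 0.0.0.0 0.0.0.0 ...) configured")
    return findings
```

Running `lint_nat(CONFIG)` on the excerpt reports all three problems; adding `inside` to the list-10 statement and a default route via FastEthernet0 (the WAN port per the posted config) clears them.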
 