My configuration works great when accessing published services from the internet, but I would like to make the same services reachable from the guest network as well. I tried applying the internet-private policy to the guest-private zone pair, but it didn't work. Is the public IP address considered to be the "self" zone? I tried applying the policy to the guest-self zone pair, but it complained that a protocol was invalid for that interface. Would a static route give the same effect, or would it cause problems elsewhere? e.g. ip route <public IP> <mask> vlan1
Still fairly new to Cisco, so bear with me...
Sanitised config:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service password-recovery
!
hostname 871router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret <snip>
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
!
!
!
crypto <snip>
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool guest-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name mybusiness.local
dns-server <ISP DNS 1> <ISP DNS 2>
!
!
ip port-map user-RWW port tcp 4125 description Remote Web Workplace
ip port-map user-RDP port tcp 3389 description Remote Desktop Protocol
no ip bootp server
no ip domain lookup
ip domain name mybusiness.local
ip name-server <ISP DNS 1>
ip name-server <ISP DNS 2>
login block-for 15 attempts 2 within 30
!
parameter-map type inspect pmap-audit
audit-trail on
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
username ciscoadmin privilege 15 secret <snip>
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any permit-internet
description Permitted Traffic to Internet
match protocol dns
match protocol https
match protocol icmp
match protocol ftp
match protocol smtp extended
match protocol ntp
match protocol pop3
match protocol pptp
class-map type inspect match-any gre
match access-group name gre
class-map type inspect match-any sbs-services
description Published SBS Protocols
match protocol smtp extended
match protocol https
match protocol user-RWW
match protocol pptp
match class-map gre
match protocol user-RDP
match protocol ftp
class-map type inspect match-all public-services
description Published Internet Services
match access-group name ToSBS
match class-map sbs-services
class-map type inspect match-any full-internet
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any dmz-protocols
match protocol http
class-map type inspect match-any invalid-source
description Invalid source addresses
match access-group name InvalidSource
class-map type inspect match-all wireless-admin
match access-group 101
match protocol http
class-map type inspect match-all ICMPReply
description Only certain pings permitted to router
match access-group name ICMPReply
class-map type inspect match-any router-out
description Permit router-generated traffic out
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all cls-http
match protocol http
!
!
policy-map type inspect self-internet-pmap
description Router to Internet
class type inspect router-out
inspect
class class-default
pass
policy-map type inspect internet-self-pmap
description Internet to Router
class type inspect ICMPReply
pass
class class-default
policy-map type inspect private-guest-pmap
description Allow configuration of wireless access point
class type inspect wireless-admin
inspect
class class-default
policy-map type inspect guest-internet-pmap
class type inspect full-internet
inspect
class class-default
policy-map type inspect private-internet-pmap
description LAN to Internet
class type inspect gre
inspect
class type inspect invalid-source
drop log
class type inspect cls-http
inspect
class type inspect permit-internet
inspect
class class-default
drop log
policy-map type inspect internet-private-pmap
description Internet to LAN (SBS Server)
class type inspect public-services
inspect
class class-default
policy-map type inspect self-private-pmap
description Router to Private LAN
class class-default
inspect
policy-map type inspect private-self-pmap
description LAN to Router
class class-default
inspect pmap-audit
!
zone security private
zone security guest
zone security internet
zone security dmz
zone-pair security self-internet source self destination internet
service-policy type inspect self-internet-pmap
zone-pair security self-private source self destination private
service-policy type inspect self-private-pmap
zone-pair security internet-self source internet destination self
service-policy type inspect internet-self-pmap
zone-pair security guest-internet source guest destination internet
service-policy type inspect guest-internet-pmap
zone-pair security private-internet source private destination internet
service-policy type inspect private-internet-pmap
zone-pair security private-self source private destination self
service-policy type inspect private-self-pmap
zone-pair security internet-private source internet destination private
service-policy type inspect internet-private-pmap
zone-pair security private-guest source private destination guest
service-policy type inspect private-guest-pmap
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description Internal Port
!
interface FastEthernet1
description Internal Port
!
interface FastEthernet2
description Guest Port
switchport access vlan 2
!
interface FastEthernet3
description DMZ Port
switchport access vlan 3
shutdown
!
interface FastEthernet4
description ISP aDSL
no ip address
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description Private Network
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security private
ip tcp adjust-mss 1452
!
interface Vlan2
description Guest Network
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security guest
ip tcp adjust-mss 1452
!
interface Vlan3
description DMZ Network
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security dmz
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
no ip unreachables
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security internet
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname <snip>
ppp chap password <snip>
ppp pap sent-username <snip> password <snip>
ppp ipcp route default
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.0.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.2 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.0.2 4125 interface Dialer1 4125
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended FromSBS
remark Traffic from SBS Server
permit ip host 192.168.0.2 any
ip access-list extended ICMPReply
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big
ip access-list extended InvalidSource
remark Invalid Source Address on LAN
permit ip host 255.255.255.255 any
permit ip 127.0.0.0 0.255.255.255 any
permit ip <Gateway Network>
ip access-list extended ToSBS
remark Traffic to SBS Server
permit ip any host 192.168.0.2
ip access-list extended gre
permit gre any any
!
logging trap debugging
logging facility syslog
logging 192.168.0.2
access-list 1 remark NAT ACL
access-list 1 remark Internal Network
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 remark Guest Network
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark DMZ Network
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 remark Wireless AP
access-list 101 permit ip 192.168.0.0 0.0.0.255 host 192.168.1.2
no cdp run
!
!
!
control-plane
!
banner login ^C
You have entered $(hostname).$(domain)
Access is for authorized users only. Disconnect IMMEDIATELY if you are not
an authorized user! Please enter your username and password to begin.^C
alias exec save copy running-config startup-config
alias exec ru sh run
!
line con 0
exec-timeout 5 0
login local
no modem enable
transport output telnet
line aux 0
line vty 0 4
exec-timeout 0 0
no login
transport input none
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp logging
ntp clock-period 17175012
ntp server 128.100.100.128
ntp server 128.100.56.135
!
webvpn cef
end
Still fairly new to Cisco, so bear with me...
Sanitised config:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service password-recovery
!
hostname 871router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret <snip>
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
!
!
!
crypto <snip>
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool guest-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name mybusiness.local
dns-server <ISP DNS 1> <ISP DNS 2>
!
!
ip port-map user-RWW port tcp 4125 description Remote Web Workplace
ip port-map user-RDP port tcp 3389 description Remote Desktop Protocol
no ip bootp server
no ip domain lookup
ip domain name mybusiness.local
ip name-server <ISP DNS 1>
ip name-server <ISP DNS 2>
login block-for 15 attempts 2 within 30
!
parameter-map type inspect pmap-audit
audit-trail on
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
username ciscoadmin privilege 15 secret <snip>
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any permit-internet
description Permitted Traffic to Internet
match protocol dns
match protocol https
match protocol icmp
match protocol ftp
match protocol smtp extended
match protocol ntp
match protocol pop3
match protocol pptp
class-map type inspect match-any gre
match access-group name gre
class-map type inspect match-any sbs-services
description Published SBS Protocols
match protocol smtp extended
match protocol https
match protocol user-RWW
match protocol pptp
match class-map gre
match protocol user-RDP
match protocol ftp
class-map type inspect match-all public-services
description Published Internet Services
match access-group name ToSBS
match class-map sbs-services
class-map type inspect match-any full-internet
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any dmz-protocols
match protocol http
class-map type inspect match-any invalid-source
description Invalid source addresses
match access-group name InvalidSource
class-map type inspect match-all wireless-admin
match access-group 101
match protocol http
class-map type inspect match-all ICMPReply
description Only certain pings permitted to router
match access-group name ICMPReply
class-map type inspect match-any router-out
description Permit router-generated traffic out
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all cls-http
match protocol http
!
!
policy-map type inspect self-internet-pmap
description Router to Internet
class type inspect router-out
inspect
class class-default
pass
policy-map type inspect internet-self-pmap
description Internet to Router
class type inspect ICMPReply
pass
class class-default
policy-map type inspect private-guest-pmap
description Allow configuration of wireless access point
class type inspect wireless-admin
inspect
class class-default
policy-map type inspect guest-internet-pmap
class type inspect full-internet
inspect
class class-default
policy-map type inspect private-internet-pmap
description LAN to Internet
class type inspect gre
inspect
class type inspect invalid-source
drop log
class type inspect cls-http
inspect
class type inspect permit-internet
inspect
class class-default
drop log
policy-map type inspect internet-private-pmap
description Internet to LAN (SBS Server)
class type inspect public-services
inspect
class class-default
policy-map type inspect self-private-pmap
description Router to Private LAN
class class-default
inspect
policy-map type inspect private-self-pmap
description LAN to Router
class class-default
inspect pmap-audit
!
zone security private
zone security guest
zone security internet
zone security dmz
zone-pair security self-internet source self destination internet
service-policy type inspect self-internet-pmap
zone-pair security self-private source self destination private
service-policy type inspect self-private-pmap
zone-pair security internet-self source internet destination self
service-policy type inspect internet-self-pmap
zone-pair security guest-internet source guest destination internet
service-policy type inspect guest-internet-pmap
zone-pair security private-internet source private destination internet
service-policy type inspect private-internet-pmap
zone-pair security private-self source private destination self
service-policy type inspect private-self-pmap
zone-pair security internet-private source internet destination private
service-policy type inspect internet-private-pmap
zone-pair security private-guest source private destination guest
service-policy type inspect private-guest-pmap
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description Internal Port
!
interface FastEthernet1
description Internal Port
!
interface FastEthernet2
description Guest Port
switchport access vlan 2
!
interface FastEthernet3
description DMZ Port
switchport access vlan 3
shutdown
!
interface FastEthernet4
description ISP aDSL
no ip address
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description Private Network
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security private
ip tcp adjust-mss 1452
!
interface Vlan2
description Guest Network
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security guest
ip tcp adjust-mss 1452
!
interface Vlan3
description DMZ Network
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security dmz
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
no ip unreachables
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security internet
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname <snip>
ppp chap password <snip>
ppp pap sent-username <snip> password <snip>
ppp ipcp route default
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.0.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.2 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.0.2 4125 interface Dialer1 4125
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended FromSBS
remark Traffic from SBS Server
permit ip host 192.168.0.2 any
ip access-list extended ICMPReply
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big
ip access-list extended InvalidSource
remark Invalid Source Address on LAN
permit ip host 255.255.255.255 any
permit ip 127.0.0.0 0.255.255.255 any
permit ip <Gateway Network>
ip access-list extended ToSBS
remark Traffic to SBS Server
permit ip any host 192.168.0.2
ip access-list extended gre
permit gre any any
!
logging trap debugging
logging facility syslog
logging 192.168.0.2
access-list 1 remark NAT ACL
access-list 1 remark Internal Network
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 remark Guest Network
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark DMZ Network
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 remark Wireless AP
access-list 101 permit ip 192.168.0.0 0.0.0.255 host 192.168.1.2
no cdp run
!
!
!
control-plane
!
banner login ^C
You have entered $(hostname).$(domain)
Access is for authorized users only. Disconnect IMMEDIATELY if you are not
an authorized user! Please enter your username and password to begin.^C
alias exec save copy running-config startup-config
alias exec ru sh run
!
line con 0
exec-timeout 5 0
login local
no modem enable
transport output telnet
line aux 0
line vty 0 4
exec-timeout 0 0
no login
transport input none
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp logging
ntp clock-period 17175012
ntp server 128.100.100.128
ntp server 128.100.56.135
!
webvpn cef
end