
Unable to access the internet - Please Help!!

Jun 5, 2005
Hi All,

I need help getting out to the internet on a server that is in a VLAN on my Cisco 3550. The 3550 switch is connected to a Cisco 2611XM. I configured the router as a firewall/router and NAT/PAT using Cisco SDM. Everything seems good; I'm able to ping yahoo.com and google.com from the switch. I can ping the server from the router. I can ping the router from the server (both IPs on the router). Someone please help...

IP Route on Router:
XX.0.0.0/29 is subnetted, 1 subnets
C XX.XX.XXX.XX is directly connected, FastEthernet0/0
172.10.0.0/29 is subnetted, 1 subnets
C 172.10.5.0 is directly connected, FastEthernet0/1
172.16.0.0/27 is subnetted, 1 subnets
S 172.16.1.0 [1/0] via 172.10.5.2
172.23.0.0/27 is subnetted, 1 subnets
S 172.23.1.0 [1/0] via 172.10.5.2
S* 0.0.0.0/0 [1/0] via Internet Gateway IP

IP Route on Switch:
172.10.0.0/29 is subnetted, 1 subnets
C 172.10.5.0 is directly connected, FastEthernet0/1
172.16.0.0/27 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Vlan10
S* 0.0.0.0/0 [1/0] via 172.10.5.1

Switch Interface Info:
Vlan1 unassigned YES unset administratively down down
Vlan10 172.16.1.1 YES manual up up
Vlan20 172.23.1.1 YES manual up up
FastEthernet0/1 172.10.5.2 YES manual up up

The server's IP is 172.16.1.2 and the switch is routing the VLANs. I did enable ip routing on the switch. I created a L2 VLAN and then created the L3 SVI to go with the VLAN. The default gateway on the server is set to the SVI of the VLAN that the server is in.

Router's Running Config:
INT-RTR#sh run
Building configuration...

Current configuration : 5959 bytes
!
!
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname INT-RTR
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
enable secret 5 $1$.Li7$VIQhL2zJd5dZxUBEzoaHL/
!
no aaa new-model
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip domain name ccnplab.com
ip name-server xxx.xx.xxx.xxx
ip name-server xxx.xx.xxx.xxx
!
!
!
crypto pki trustpoint TP-self-signed-1326915613
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1326915613
revocation-check none
rsakeypair TP-self-signed-1326915613
!
!
crypto pki certificate chain TP-self-signed-1326915613
certificate self-signed 01
quit
username netadmin password 7 0525261506590F
!
!
ip ssh version 2
!
!
!
!
interface FastEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address xx.xx.xxx.xx 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
keepalive 160
!
interface FastEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 172.10.5.1 255.255.255.248
ip access-group 100 in
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
keepalive 160
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xxx.xx
ip route 172.16.1.0 255.255.255.224 172.10.5.2
ip route 172.23.1.0 255.255.255.224 172.10.5.2
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.10.5.0 0.0.0.7
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip xx.xx.xxx.xx 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host xxx.xx.xxx.xxx eq domain host xx.xx.xxx.xx
access-list 101 permit udp host xxx.xx.xxx.xxx eq domain host xx.xx.xxx.xx
access-list 101 deny ip 172.10.5.0 0.0.0.7 any
access-list 101 permit icmp any host xx.xx.xxx.xx echo-reply
access-list 101 permit icmp any host xx.xx.xxx.xx time-exceeded
access-list 101 permit icmp any host xx.xx.xxx.xx unreachable
access-list 101 permit tcp any host xx.xx.xxx.xx eq 443
access-list 101 permit tcp any host xx.xx.xxx.xx eq 22
access-list 101 permit tcp any host xx.xx.xxx.xx eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
!
control-plane
!
!
!
banner login ^C
****************************** WARNING ******************************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
********************************************************************* ^C
!
line con 0
exec-timeout 60 0
logging synchronous
login local
history size 100
line aux 0
line vty 0 4
exec-timeout 60 0
logging synchronous
login local
history size 100
transport input telnet ssh
!
!
end

Running Config on Switch:
CORESW#sh run
Building configuration...

Current configuration : 6446 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CORESW
!
no logging console
enable secret 5 $1$qFCQ$if5FwrQwXno8SF8T/KgRc0
!
username netadmin password 7 10602903220253
ip subnet-zero
ip routing
!
ip domain-name ccnplab.com
ip name-server xxx.xx.xxx.xxx
ip name-server xxx.xx.xxx.xxx
ip ssh time-out 120
ip ssh authentication-retries 3
ip ssh version 2
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
interface FastEthernet0/1
no switchport
ip address 172.10.5.2 255.255.255.248
speed 100
duplex full
!
interface FastEthernet0/2
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/3
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
!
interface FastEthernet0/14
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/15
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/16
switchport access vlan 10
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
!
interface FastEthernet0/46
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/47
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface FastEthernet0/48
switchport mode access
speed 100
duplex full
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport mode access
shutdown
!
interface GigabitEthernet0/2
switchport mode access
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 172.16.1.1 255.255.255.224
!
interface Vlan20
ip address 172.23.1.1 255.255.255.224
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.10.5.1
no ip http server
!
banner login ^C
****************************** WARNING ******************************
Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.
********************************************************************* ^C
!
line con 0
exec-timeout 60 0
logging synchronous
login local
history size 100
line vty 0 4
exec-timeout 60 0
logging synchronous
login local
history size 100
transport input telnet ssh
line vty 5 15
exec-timeout 60 0
logging synchronous
login local
history size 100
transport input telnet ssh
!
!
end
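
The following check is an added example, not part of the original post. It evaluates which inside source addresses the router's `ip nat inside source list 1` statement selects for translation, using lines copied from the router configuration above; the function names are illustrative. It shows that access-list 1 matches only 172.10.5.0/29, so the server at 172.16.1.2 in VLAN 10 is not selected for NAT.

```python
import ipaddress
import re

# Lines copied from the router configuration posted above.
ROUTER_CONFIG = """\
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.10.5.0 0.0.0.7
ip route 172.16.1.0 255.255.255.224 172.10.5.2
ip route 172.23.1.0 255.255.255.224 172.10.5.2
"""

def nat_acl_number(config):
    """Return the ACL number referenced by 'ip nat inside source list N'."""
    m = re.search(r"^ip nat inside source list (\d+) ", config, re.M)
    return m.group(1) if m else None

def standard_acl(config, number):
    """Parse a standard numbered ACL into (action, base, wildcard) tuples."""
    pat = re.compile(
        rf"^access-list {number} (permit|deny) (\S+)(?: (\S+))?\s*$", re.M)
    entries = []
    for action, addr, wildcard in pat.findall(config):
        if addr == "any":
            base, wc = 0, 0xFFFFFFFF
        else:
            base = int(ipaddress.IPv4Address(addr))
            wc = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
        entries.append((action, base, wc))
    return entries

def acl_permits(entries, src):
    """First matching entry wins; no match falls to the implicit deny."""
    ip = int(ipaddress.IPv4Address(src))
    for action, base, wc in entries:
        if (ip & ~wc & 0xFFFFFFFF) == (base & ~wc & 0xFFFFFFFF):
            return action == "permit"
    return False

def inside_routes(config):
    """Static routes in the sample other than the default route."""
    pat = re.compile(r"^ip route (\S+) (\S+) \S+\s*$", re.M)
    nets = [ipaddress.IPv4Network(f"{n}/{m}") for n, m in pat.findall(config)]
    return [n for n in nets if n.prefixlen]

def untranslated_routes(config):
    """Routed inside networks that the NAT ACL does not fully permit."""
    entries = standard_acl(config, nat_acl_number(config))
    return [str(n) for n in inside_routes(config)
            if not all(acl_permits(entries, str(h)) for h in n)]
```
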
 