Velocity Reviews - Computer Hardware Reviews

unable to browse in VLAN 2

worm
Junior Member
Join Date: Nov 2009
Posts: 1
11-24-2009
I am trying to configure the advanced firewall in my Cisco 1841 router using SDM. The router has two Fast Ethernet ports and two serial ports. I am giving my configuration below. My problem is, I am not able to browse from VLAN 2. I am able to ping the websites, but the sites are not loading in browsers. Can anyone help?

Fast Ethernet f0/0 xxx.xxx.xxx.xxx public IP address (DMZ)

Fast Ethernet f0/1 no IP address
Fast Ethernet f0/1.1 192.168.0.1 VLAN 1 encapsulation dot1q 1 (inside, trusted)
Fast Ethernet f0/1.2 192.168.10.1 VLAN 2 encapsulation dot1q 2 (inside, trusted)

Serial interface s0/0/0 connected to the ISP, outside (untrusted)

Router startup config after firewall configuration:

version 12.4
service password-encryption
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
ip ssh time-out 60
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW esmtp
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
!
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set rvpnset
reverse-route
!
crypto dynamic-map dynamap 10
set transform-set rvpnset
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

interface FastEthernet0/0
description $DMZ FOR PUBLIC SERVERS$$FW_DMZ$
ip address yyy.yyy.yyy.177 255.255.255.240
ip access-group 106 in
ip inspect dmzinspect out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
description $VLAN ONE QA & ADMIN$$FW_INSIDE$
encapsulation dot1Q 1 native
ip address 192.168.0.1 255.255.255.0
ip access-group 104 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip inspect SDM_LOW in
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0/1.2
description $VLAN TWO FOR DEVELOPERS$$FW_INSIDE$
encapsulation dot1Q 2
ip address 192.168.10.1 255.255.255.0
ip access-group 105 in
ip nat inside
ip inspect SDM_LOW in
ip virtual-reassembly
no snmp trap link-status
!
interface Serial0/0/0
description Router External Interface
ip address xxx.xxx.xxx.154 255.255.255.252
ip access-group 107 in
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_1
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip local pool vpnpool 192.168.50.1 192.168.50.254
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0

ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0/0 overload
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 remark SDM_ACL Category=4
access-list 101 remark SDM_ACL Category=18
access-list 101 deny ip any 192.168.50.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=18
access-list 102 remark SDM_ACL Category=16
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark SDM_ACL Category=16
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip xxx.xxx.xxx.152 0.0.0.3 any
access-list 104 deny ip yyy.yyy.yyy.176 0.0.0.15 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip xxx.xxx.xxx.152 0.0.0.3 any
access-list 105 deny ip yyy.yyy.yyy.176 0.0.0.15 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip yyy.yyy.yyy.0 0.0.0.255 any
access-list 106 deny ip any any log
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 permit ip 192.168.50.0 0.0.0.255 any
access-list 107 permit ahp any host xxx.xxx.xxx.154
access-list 107 permit esp any host xxx.xxx.xxx.154
access-list 107 permit udp any host xxx.xxx.xxx.154 eq isakmp
access-list 107 permit udp any host xxx.xxx.xxx.154 eq non500-isakmp
access-list 107 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 107 permit ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 107 deny ip 192.168.10.0 0.0.0.255 any
access-list 107 deny ip 192.168.0.0 0.0.0.255 any
access-list 107 deny ip yyy.yyy.yyy.176 0.0.0.15 any
access-list 107 permit icmp any host xxx.xxx.xxx.154 echo-reply
access-list 107 permit icmp any host xxx.xxx.xxx.154 time-exceeded
access-list 107 permit icmp any host xxx.xxx.xxx.154 unreachable
access-list 107 permit tcp any host yyy.yyy.yyy.186 eq www
access-list 107 permit tcp any host yyy.yyy.yyy.186 eq 22
access-list 107 permit tcp any host yyy.yyy.yyy.186 eq 443
access-list 107 deny ip 10.0.0.0 0.255.255.255 any
access-list 107 deny ip 172.16.0.0 0.15.255.255 any
access-list 107 deny ip 192.168.0.0 0.0.255.255 any
access-list 107 deny ip 127.0.0.0 0.255.255.255 any
access-list 107 deny ip host 255.255.255.255 any
access-list 107 deny ip host 0.0.0.0 any
access-list 107 deny ip any any log
snmp-server community xxxxxxx RO
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map SDM_RMAP_2 permit 1
match ip address 103
!
route-map SDM_RMAP_3 permit 1
match ip address 103
!
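ACLs 104 and 105 in the config above are the inbound filters on the two inside sub-interfaces; their deny lines drop packets whose source address belongs to another of the router's own subnets, or is a loopback or broadcast address, before the final permit. The evaluator below is an added example and not code from the thread: it parses numbered extended ACL lines with Cisco's wildcard-mask and first-match semantics (including the implicit deny) so a defender can check which line on f0/1.2 a given packet hits. It is generic to the ACL syntax used in this config (lines from 104 and 107 can be fed in too, with only a destination `eq PORT` modelled), and the xxx/yyy placeholder octets are replaced with constructed documentation-range addresses.

```python
import ipaddress

# Constructed copy of the thread's ACL 105 (inbound on FastEthernet0/1.2, VLAN 2); the post's
# xxx/yyy placeholder octets are replaced with documentation-range addresses (constructed).
ACL_105 = """\
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip 203.0.113.152 0.0.0.3 any
access-list 105 deny ip 198.51.100.176 0.0.0.15 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any
"""
PORT_NAMES = {"www": 80, "isakmp": 500, "non500-isakmp": 4500}

def _addr_matcher(tok):
    """Consume one address spec ('any' | 'host A' | 'A WILDCARD'); return (predicate, rest)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        base = int(ipaddress.ip_address(tok[1]))
        return (lambda ip, b=base: ip == b), tok[2:]
    base, wild = (int(ipaddress.ip_address(t)) for t in tok[:2])
    # Cisco wildcard: a 0 bit must match, a 1 bit is don't-care (non-contiguous masks allowed)
    return (lambda ip, b=base, w=wild: ((ip ^ b) & ~w & 0xFFFFFFFF) == 0), tok[2:]

def parse_acl(text):
    """Parse numbered extended ACL lines into (action, proto, src, dst, dst_port, text) rules."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, rest = _addr_matcher(tok[4:])
        dst, rest = _addr_matcher(rest)
        # only 'eq PORT' on the destination is modelled; a trailing 'log' or ICMP type is ignored
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((tok[2], tok[3], src, dst, port, line.strip()))
    return rules

def evaluate(rules, src_ip, dst_ip, proto="tcp", dst_port=None):
    """First-match evaluation ending in the implicit deny; returns (action, matching line)."""
    s, d = int(ipaddress.ip_address(src_ip)), int(ipaddress.ip_address(dst_ip))
    for action, rproto, src, dst, port, text in rules:
        if rproto in ("ip", proto) and src(s) and dst(d) and port in (None, dst_port):
            return action, text
    return "deny", "implicit deny ip any any"

if __name__ == "__main__":
    rules = parse_acl(ACL_105)
    print(evaluate(rules, "192.168.10.25", "192.0.2.80", "tcp", 80))  # a VLAN 2 host browsing out
    print(evaluate(rules, "192.168.0.5", "192.0.2.80", "tcp", 80))    # VLAN 1 address seen on VLAN 2
```

Interfaces on IOS can carry only one ACL per direction, so running the same packet through both the interface ACL and the NAT route-map's ACL 101 is the quickest way to see whether a host is filtered before it is translated.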
Akilla21
Junior Member
Join Date: Nov 2010
Location: Wiesbaden, Germany
Posts: 14
11-04-2010
Not sure what you are trying to accomplish with your ACLs. But in ACL 105 you have all deny statements. I'm surprised any of the users' traffic is being passed.

Well, what happens when you remove ACL 105? I'm curious to know if your direction is being applied properly based on what you're trying to accomplish.

Essentially, on the inbound you are denying everything coming from your users, as you don't have a permit rule.

Also, is the trunk even getting established?