unable to browse in VLAN 2

Discussion in 'General Computer Support' started by worm, Nov 24, 2009.

  1. worm

    worm

    Joined:
    Nov 24, 2009
    Messages:
    1
I am trying to configure the advanced firewall on my Cisco 1841 router using SDM. The router has two Fast Ethernet ports and two serial ports. I am giving my configuration below. My problem is that I am not able to browse from VLAN 2. I am able to ping the websites, but the sites are not loading in browsers. Can anyone help?

    Fast Ethernet f0/0 – xxx.xxx.xxx.xxx public IP address – DMZ

    Fast Ethernet f0/1 – no IP address
    Fast Ethernet f0/1.1 – 192.168.0.1 – VLAN 1 – encapsulation dot1q 1 (inside, trusted)
    Fast Ethernet f0/1.2 – 192.168.10.1 – VLAN 2 – encapsulation dot1q 2 (inside, trusted)

    Serial interface s0/0/0 – connected to ISP – outside (untrusted)

    Router startup config after firewall configuration

    version 12.4
    service password-encryption
    aaa new-model
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network sdm_vpn_group_ml_2 local
    !
    aaa session-id common
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    !
    ip ssh time-out 60
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW esmtp
    ip inspect name dmzinspect tcp
    ip inspect name dmzinspect udp
    !
    !
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set rvpnset
    reverse-route
    !
    crypto dynamic-map dynamap 10
    set transform-set rvpnset
    !
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

    interface FastEthernet0/0
    description $DMZ FOR PUBLIC SERVERS$$FW_DMZ$
    ip address yyy.yyy.yyy.177 255.255.255.240
    ip access-group 106 in
    ip inspect dmzinspect out
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.1
    description $VLAN ONE QA & ADMIN$$FW_INSIDE$
    encapsulation dot1Q 1 native
    ip address 192.168.0.1 255.255.255.0
    ip access-group 104 in
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat inside
    ip inspect SDM_LOW in
    ip virtual-reassembly
    no snmp trap link-status
    !
    interface FastEthernet0/1.2
    description $VLAN TWO FOR DEVELOPERS$$FW_INSIDE$
    encapsulation dot1Q 2
    ip address 192.168.10.1 255.255.255.0
    ip access-group 105 in
    ip nat inside
    ip inspect SDM_LOW in
    ip virtual-reassembly
    no snmp trap link-status
    !
    interface Serial0/0/0
    description Router External Interface
    ip address xxx.xxx.xxx.154 255.255.255.252
    ip access-group 107 in
    ip verify unicast reverse-path
    ip nat outside
    ip virtual-reassembly
    crypto map SDM_CMAP_1
    !
    interface Serial0/0/1
    no ip address
    shutdown
    clock rate 2000000
    !
    ip local pool vpnpool 192.168.50.1 192.168.50.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0/0

    ip http server
    no ip http secure-server
    ip nat inside source route-map SDM_RMAP_1 interface Serial0/0/0 overload
    !
    access-list 1 remark SDM_ACL Category=16
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=4
    access-list 100 permit ip 192.168.0.0 0.0.255.255 any
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 100 remark SDM_ACL Category=4
    access-list 101 remark SDM_ACL Category=18
    access-list 101 deny ip any 192.168.50.0 0.0.0.255
    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.255.255 any
    access-list 101 permit ip 192.168.10.0 0.0.0.255 any
    access-list 101 remark SDM_ACL Category=18
    access-list 102 remark SDM_ACL Category=16
    access-list 102 permit ip 192.168.10.0 0.0.0.255 any
    access-list 102 deny ip any any
    access-list 103 remark SDM_ACL Category=16
    access-list 103 permit ip 192.168.0.0 0.0.255.255 any
    access-list 103 deny ip any any
    access-list 104 remark auto generated by SDM firewall configuration
    access-list 104 remark SDM_ACL Category=1
    access-list 104 deny ip 192.168.10.0 0.0.0.255 any
    access-list 104 deny ip xxx.xxx.xxx.152 0.0.0.3 any
    access-list 104 deny ip yyy.yyy.yyy.176 0.0.0.15 any
    access-list 104 deny ip host 255.255.255.255 any
    access-list 104 deny ip 127.0.0.0 0.255.255.255 any
    access-list 104 permit ip any any
    access-list 105 remark auto generated by SDM firewall configuration
    access-list 105 remark SDM_ACL Category=1
    access-list 105 deny ip 192.168.0.0 0.0.0.255 any
    access-list 105 deny ip xxx.xxx.xxx.152 0.0.0.3 any
    access-list 105 deny ip yyy.yyy.yyy.176 0.0.0.15 any
    access-list 105 deny ip host 255.255.255.255 any
    access-list 105 deny ip 127.0.0.0 0.255.255.255 any
    access-list 105 permit ip any any
    access-list 106 remark auto generated by SDM firewall configuration
    access-list 106 remark SDM_ACL Category=1
    access-list 106 permit ip yyy.yyy.yyy.0 0.0.0.255 any
    access-list 106 deny ip any any log
    access-list 107 remark auto generated by SDM firewall configuration
    access-list 107 remark SDM_ACL Category=1
    access-list 107 permit ip 192.168.50.0 0.0.0.255 any
    access-list 107 permit ahp any host xxx.xxx.xxx.154
    access-list 107 permit esp any host xxx.xxx.xxx.154
    access-list 107 permit udp any host xxx.xxx.xxx.154 eq isakmp
    access-list 107 permit udp any host xxx.xxx.xxx.154 eq non500-isakmp
    access-list 107 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 107 permit ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 107 deny ip 192.168.10.0 0.0.0.255 any
    access-list 107 deny ip 192.168.0.0 0.0.0.255 any
    access-list 107 deny ip yyy.yyy.yyy.176 0.0.0.15 any
    access-list 107 permit icmp any host xxx.xxx.xxx.154 echo-reply
    access-list 107 permit icmp any host xxx.xxx.xxx.154 time-exceeded
    access-list 107 permit icmp any host xxx.xxx.xxx.154 unreachable
    access-list 107 permit tcp any host yyy.yyy.yyy.186 eq www
    access-list 107 permit tcp any host yyy.yyy.yyy.186 eq 22
    access-list 107 permit tcp any host yyy.yyy.yyy.186 eq 443
    access-list 107 deny ip 10.0.0.0 0.255.255.255 any
    access-list 107 deny ip 172.16.0.0 0.15.255.255 any
    access-list 107 deny ip 192.168.0.0 0.0.255.255 any
    access-list 107 deny ip 127.0.0.0 0.255.255.255 any
    access-list 107 deny ip host 255.255.255.255 any
    access-list 107 deny ip host 0.0.0.0 any
    access-list 107 deny ip any any log
    snmp-server community xxxxxxx RO
    !
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    !
    route-map SDM_RMAP_2 permit 1
    match ip address 103
    !
    route-map SDM_RMAP_3 permit 1
    match ip address 103
    !
     
    worm, Nov 24, 2009
    #1

  2. Akilla21

    Akilla21

    Joined:
    Nov 2, 2010
    Messages:
    14
    Location:
    Wiesbaden, Germany
    Not sure what you are trying to accomplish with your ACLs. But in ACL 105 you have all deny statements. I'm surprised any of the users' traffic is being passed.

    Well, what happens when you remove ACL 105? I'm curious to know if your direction is being applied properly based on what you're trying to accomplish.

    Essentially, on the inbound you are denying everything coming from your users as you don't have a permit rule.

    Also, is the trunk even getting established?
     
    Akilla21, Nov 4, 2010
    #2
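One way to check what the inbound ACLs on f0/1.1 (104) and f0/1.2 (105) in the posted config actually do to a VLAN 2 web flow, before pulling an ACL off a production interface, is to replay them with IOS first-match semantics. This is an added example, not code from either post; the ACL excerpt is copied from the configuration above, and the host addresses (192.168.10.25, 192.168.0.5, 203.0.113.10) are constructed sample values.

```python
"""Evaluate IOS-style numbered extended ACLs (wildcard masks, first match,
implicit deny at the end) against a flow. Added example, not from the thread."""
import ipaddress

# Constructed excerpt of the thread's ACL 105 (in on f0/1.2, VLAN 2) and ACL 104 (in on f0/1.1).
ACL_TEXT = """
access-list 105 remark SDM_ACL Category=1
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 permit ip any any
"""
NAMED_PORTS = {"www": 80, "isakmp": 500}  # the names used in the posted ACL 107

def _matcher(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (predicate, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        target = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda ip, t=target: int(ip) == t), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    # Wildcard bit 1 means "don't care": compare only the bits where the wildcard is 0.
    return (lambda ip, n=net, w=wild: (int(ip) | w) == (n | w)), tokens[2:]

def parse_acl(text, number):
    """Return the ordered entries (action, proto, src_pred, dst_pred, dport) of one ACL."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _matcher(rest)
        dst, rest = _matcher(rest)
        dport = None
        if len(rest) >= 2 and rest[0] == "eq":
            dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, dport))
    return entries

def evaluate(entries, src, dst, proto="tcp", dport=None):
    """First matching entry decides; no match at all is the implicit deny (index None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, (action, p, sp, dp, port) in enumerate(entries):
        if p not in ("ip", proto) or not sp(s) or not dp(d):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", None
```

Running `evaluate(parse_acl(ACL_TEXT, 105), "192.168.10.25", "203.0.113.10", "tcp", 80)` reports which line of ACL 105 a VLAN 2 host's HTTP request hits, so the inbound ACL can be ruled in or out as the cause before touching the NAT route-map or the inspect rules.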