unable to browse in VLAN 2
  • unable to browse in VLAN 2

    I am trying to configure the advanced firewall on my Cisco 1841 router using SDM. The router has two Fast Ethernet ports and two serial ports. I am giving my configuration below. My problem is, I am not able to browse from VLAN 2. I am able to ping the websites, but the sites are not loading in browsers. Can anyone help?

    Fast Ethernet f0/0 xxx.xxx.xxx.xxx public ip address DMZ

    Fast Ethernet f0/1 no ip address
    Fast Ethernet f0/1.1 192.168.0.1 VLAN 1 encapsulation dot1q 1 ( inside trusted )
    Fast Ethernet f0/1.2 192.168.10.1 VLAN 2 encapsulation dot1q 2 ( inside trusted )

    Serial Interface s0/0/0 connected isp outside ( untrusted )

    Router start-up config after firewall configuration

    version 12.4
    service password-encryption
    aaa new-model
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network sdm_vpn_group_ml_2 local
    !
    aaa session-id common
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    !
    ip ssh time-out 60
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW esmtp
    ip inspect name dmzinspect tcp
    ip inspect name dmzinspect udp
    !
    !
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set rvpnset
    reverse-route
    !
    crypto dynamic-map dynamap 10
    set transform-set rvpnset
    !
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

    interface FastEthernet0/0
    description $DMZ FOR PUBLIC SERVERS$$FW_DMZ$
    ip address yyy.yyy.yyy.177 255.255.255.240
    ip access-group 106 in
    ip inspect dmzinspect out
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.1
    description $VLAN ONE QA & ADMIN$$FW_INSIDE$
    encapsulation dot1Q 1 native
    ip address 192.168.0.1 255.255.255.0
    ip access-group 104 in
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat inside
    ip inspect SDM_LOW in
    ip virtual-reassembly
    no snmp trap link-status
    !
    interface FastEthernet0/1.2
    description $VLAN TWO FOR DEVELOPERS$$FW_INSIDE$
    encapsulation dot1Q 2
    ip address 192.168.10.1 255.255.255.0
    ip access-group 105 in
    ip nat inside
    ip inspect SDM_LOW in
    ip virtual-reassembly
    no snmp trap link-status
    !
    interface Serial0/0/0
    description Router External Interface
    ip address xxx.xxx.xxx.154 255.255.255.252
    ip access-group 107 in
    ip verify unicast reverse-path
    ip nat outside
    ip virtual-reassembly
    crypto map SDM_CMAP_1
    !
    interface Serial0/0/1
    no ip address
    shutdown
    clock rate 2000000
    !
    ip local pool vpnpool 192.168.50.1 192.168.50.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0/0

    ip http server
    no ip http secure-server
    ip nat inside source route-map SDM_RMAP_1 interface Serial0/0/0 overload
    !
    access-list 1 remark SDM_ACL Category=16
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=4
    access-list 100 permit ip 192.168.0.0 0.0.255.255 any
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 100 remark SDM_ACL Category=4
    access-list 101 remark SDM_ACL Category=18
    access-list 101 deny ip any 192.168.50.0 0.0.0.255
    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.255.255 any
    access-list 101 permit ip 192.168.10.0 0.0.0.255 any
    access-list 101 remark SDM_ACL Category=18
    access-list 102 remark SDM_ACL Category=16
    access-list 102 permit ip 192.168.10.0 0.0.0.255 any
    access-list 102 deny ip any any
    access-list 103 remark SDM_ACL Category=16
    access-list 103 permit ip 192.168.0.0 0.0.255.255 any
    access-list 103 deny ip any any
    access-list 104 remark auto generated by SDM firewall configuration
    access-list 104 remark SDM_ACL Category=1
    access-list 104 deny ip 192.168.10.0 0.0.0.255 any
    access-list 104 deny ip xxx.xxx.xxx.152 0.0.0.3 any
    access-list 104 deny ip yyy.yyy.yyy.176 0.0.0.15 any
    access-list 104 deny ip host 255.255.255.255 any
    access-list 104 deny ip 127.0.0.0 0.255.255.255 any
    access-list 104 permit ip any any
    access-list 105 remark auto generated by SDM firewall configuration
    access-list 105 remark SDM_ACL Category=1
    access-list 105 deny ip 192.168.0.0 0.0.0.255 any
    access-list 105 deny ip xxx.xxx.xxx.152 0.0.0.3 any
    access-list 105 deny ip yyy.yyy.yyy.176 0.0.0.15 any
    access-list 105 deny ip host 255.255.255.255 any
    access-list 105 deny ip 127.0.0.0 0.255.255.255 any
    access-list 105 permit ip any any
    access-list 106 remark auto generated by SDM firewall configuration
    access-list 106 remark SDM_ACL Category=1
    access-list 106 permit ip yyy.yyy.yyy.0 0.0.0.255 any
    access-list 106 deny ip any any log
    access-list 107 remark auto generated by SDM firewall configuration
    access-list 107 remark SDM_ACL Category=1
    access-list 107 permit ip 192.168.50.0 0.0.0.255 any
    access-list 107 permit ahp any host xxx.xxx.xxx.154
    access-list 107 permit esp any host xxx.xxx.xxx.154
    access-list 107 permit udp any host xxx.xxx.xxx.154 eq isakmp
    access-list 107 permit udp any host xxx.xxx.xxx.154 eq non500-isakmp
    access-list 107 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 107 permit ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 107 deny ip 192.168.10.0 0.0.0.255 any
    access-list 107 deny ip 192.168.0.0 0.0.0.255 any
    access-list 107 deny ip yyy.yyy.yyy.176 0.0.0.15 any
    access-list 107 permit icmp any host xxx.xxx.xxx.154 echo-reply
    access-list 107 permit icmp any host xxx.xxx.xxx.154 time-exceeded
    access-list 107 permit icmp any host xxx.xxx.xxx.154 unreachable
    access-list 107 permit tcp any host yyy.yyy.yyy.186 eq www
    access-list 107 permit tcp any host yyy.yyy.yyy.186 eq 22
    access-list 107 permit tcp any host yyy.yyy.yyy.186 eq 443
    access-list 107 deny ip 10.0.0.0 0.255.255.255 any
    access-list 107 deny ip 172.16.0.0 0.15.255.255 any
    access-list 107 deny ip 192.168.0.0 0.0.255.255 any
    access-list 107 deny ip 127.0.0.0 0.255.255.255 any
    access-list 107 deny ip host 255.255.255.255 any
    access-list 107 deny ip host 0.0.0.0 any
    access-list 107 deny ip any any log
    snmp-server community xxxxxxx RO
    !
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    !
    route-map SDM_RMAP_2 permit 1
    match ip address 103
    !
    route-map SDM_RMAP_3 permit 1
    match ip address 103
    !

  • #2
    Re: unable to browse in VLAN 2

    Try this:

    Remove
    Code:
    access-list 104 deny ip 192.168.10.0 0.0.0.255 any
    And

    Code:
    access-list 105 deny ip 192.168.0.0 0.0.0.255 any
    CCNA, Network+

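    Added illustration, not part of either post: before deleting auto-generated entries from the ACLs above, it helps to trace which entry a given flow actually hits. The small evaluator below parses a constructed subset of the thread's ACLs (the inside-interface lists 104 and 105 and NAT match list 101) using Cisco wildcard-mask semantics and traces an outbound web flow from a VLAN 2 host. The sample host and destination addresses are assumptions, and port qualifiers are not modelled.

```python
import ipaddress

# Constructed sample: the thread's inside-interface ACLs (104, 105) and NAT match list 101.
# Only "any", "host X" and "X WILDCARD" address forms are modelled; port qualifiers are ignored.
ACL_TEXT = """
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 permit ip any any
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip any any
access-list 101 deny ip any 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
"""

def _parse_addr(tokens):
    """Consume one address spec; return (network_int, wildcard_int, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])), tokens[2:]

def parse_acls(text):
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, src_wc, rest = _parse_addr(t[4:])
        dst, dst_wc, _ = _parse_addr(rest)
        acls.setdefault(int(t[1]), []).append((t[2], t[3], src, src_wc, dst, dst_wc))
    return acls

def _match(addr, net, wc):
    # Cisco wildcard semantics: a 1 bit in the wildcard is a don't-care bit.
    return (int(ipaddress.IPv4Address(addr)) | wc) == (net | wc)

def evaluate(acl, src_ip, dst_ip, proto="ip"):
    """First matching entry wins; no match means the implicit deny at the end of the list."""
    for i, (action, p, net, swc, dnet, dwc) in enumerate(acl):
        if p in ("ip", proto) and _match(src_ip, net, swc) and _match(dst_ip, dnet, dwc):
            return action, i
    return "deny", None

ACLS = parse_acls(ACL_TEXT)
def trace_vlan2_to_web(src="192.168.10.5", dst="203.0.113.10"):
    """Outbound web flow from a VLAN 2 host: ingress ACL on f0/1.2, then NAT match list 101."""
    return {"acl105_ingress": evaluate(ACLS[105], src, dst, "tcp")[0],
            "acl101_nat_match": evaluate(ACLS[101], src, dst, "tcp")[0],
            "acl104_if_sourced_on_vlan1": evaluate(ACLS[104], src, dst, "tcp")[0]}
```

    The trace shows that a VLAN 2 source is permitted inbound on its own sub-interface and matched by the NAT route-map list, while the entry in ACL 104 only denies that source if it appears on the VLAN 1 sub-interface (an anti-spoofing check).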


    • #3
      Re: unable to browse in VLAN 2

      Thank you

      I will try this and let you know the results.
