Lab in GNS3: can't ping between two DCs with ZBF

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Lab in GNS3: can't ping between two DCs with ZBF

    Hello
    I'm having a big problem. I have set up two Windows Server 2008 machines (SHOLM-DC1 and ETUNA-DC1) with Active Directory in GNS3 (see image). At first, before I had implemented the Zone-Based Firewall, I could ping each DC and replication was occurring between the two DCs. When I set up ZBF on routers e1r and s1r, everything stopped. I checked my configs, and I can't see why it doesn't work.

    Cloud C3 (SHOLM-DC1) has ip 200.20.16.130/28
    Cloud C7 (ETUNA-DC1) has ip 205.205.2.130/28

    My router configs:

    Router s1r

    ! ---- s1r: global settings ----
    ! (the trailing "!" on the hostname line looks like a paste artifact)
    hostname s1r !
    boot-start-marker
    boot-end-marker
    !
    ! Type-5 enable secret (salted MD5): one-way, unlike type 7, but still subject to offline guessing.
    enable secret 5 $1$UlmK$LYVNqPRA88QXc2tVvMZA01
    !
    ! aaa new-model with no "aaa authentication" lines in this listing: logins presumably fall back
    ! to the local username database -- confirm against the full config.
    aaa new-model
    !
    !
    !
    !
    aaa session-id common
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name kvarka.local
    ! Failed logins are logged (the e1r listing does not have this line).
    login on-failure log
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    ! Type 7 is a reversible encoding, not a hash; "username sshadmin secret ..." would store a hash instead.
    username sshadmin password 7 104D000A061843
    ! Local privilege-15 admin with a type-5 (hashed) secret.
    username admin privilege 15 secret 5 $1$TISL$sBk8ixrPpvSDOA96825pn0
    ! Log configuration changes; hidekeys keeps passwords out of the change log.
    archive
    log config
    hidekeys
    !
    !
    ip tcp synwait-time 5
    ! SSH: version 2 only, 60 s negotiation timeout, two authentication retries.
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    !
    ! Inspect class used on the INSIDE->OUTSIDE pair (via PMAP-IN-TO-OUT). match-any means a packet
    ! matches if ANY line hits, so the "match protocol tcp/udp/icmp" lines alone classify all TCP,
    ! UDP and ICMP; the TRUST_TO_TRUST ACL and the L7 protocol lines never narrow anything here.
    class-map type inspect match-any DC_REPLICATION
    match access-group name TRUST_TO_TRUST
    match protocol icmp
    match protocol echo
    match protocol dns
    match protocol http
    match protocol isakmp
    match protocol kerberos
    match protocol ldap
    match protocol netbios-dgm
    match protocol netbios-ns
    match protocol netbios-ssn
    match protocol snmptrap
    match protocol tcp
    match protocol udp

    ! Inspect class used on the OUTSIDE->INSIDE pair (via PMAP_OUT_TO_IN). Same match-any shape:
    ! "match protocol tcp/udp/icmp" admits any TCP/UDP/ICMP arriving from OUTSIDE, so the restriction
    ! to 205.205.2.0/24 in TRUSTED_TO_IN has no effect. To enforce the source restriction the class
    ! would have to require the ACL (e.g. a match-all class pairing the ACL with one protocol, or the
    ! ACL alone) instead of offering it as one alternative.
    class-map type inspect match-any CMAP-TRUSTED-TO-IN
    match access-group name TRUSTED_TO_IN
    match protocol icmp
    match protocol echo
    match protocol dns
    match protocol http
    match protocol isakmp
    match protocol kerberos
    match protocol ldap
    match protocol netbios-dgm
    match protocol netbios-ns
    match protocol netbios-ssn
    match protocol snmptrap
    match protocol tcp
    match protocol udp
    !
    !
    ! Inbound policy (OUTSIDE->INSIDE). "inspect" opens a stateful session so return traffic is
    ! allowed back. class-default carries no action, which in ZBF means drop.
    policy-map type inspect PMAP_OUT_TO_IN
    class type inspect CMAP-TRUSTED-TO-IN
    inspect
    class class-default
    ! Outbound policy (INSIDE->OUTSIDE); the e1r listing names its equivalent POLICY_MAP_IN_TO_OUT.
    policy-map type inspect PMAP-IN-TO-OUT
    class type inspect DC_REPLICATION
    inspect
    class class-default
    !
    ! Three zones. ZBF drops traffic between zones that have no zone-pair, or a zone-pair with no
    ! service-policy. OUT_TO_DMZ and DMZ_TO_OUT carry no policy and there is no INSIDE<->DMZ pair at
    ! all, so nothing from OUTSIDE or INSIDE reaches the DMZ segment on Fa0/0 (200.20.16.160/29, which
    ! contains the syslog host 200.20.16.165 that e1r logs to). Router-originated traffic (self zone)
    ! passes by default and is unaffected.
    ! NOTE(review): both pairs on the DC path (IN_TO_OUT here, OUT_TO_TRUSTED on the way back, and their
    ! mirrors on e1r) inspect any TCP/UDP/ICMP, so the policy as listed does not obviously explain the
    ! failed ping; "show policy-map type inspect zone-pair sessions" on both routers shows whether a
    ! session is built for the echo, and "show zone-pair security" confirms the attachments.
    zone security INSIDE
    zone security OUTSIDE
    zone security DMZ
    zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
    service-policy type inspect PMAP-IN-TO-OUT
    zone-pair security OUT_TO_DMZ source OUTSIDE destination DMZ
    zone-pair security DMZ_TO_OUT source DMZ destination OUTSIDE
    zone-pair security OUT_TO_TRUSTED source OUTSIDE destination INSIDE
    service-policy type inspect PMAP_OUT_TO_IN
    !
    !
    !
    ! Fa0/0 is the DMZ segment (200.20.16.160/29).
    interface FastEthernet0/0
    description Connects to DMZ
    ip address 200.20.16.161 255.255.255.248
    zone-member security DMZ
    duplex auto
    speed auto
    !
    ! Trunk to switch s1s: the parent (no IP) and every dot1Q subinterface are in INSIDE.
    ! Each subinterface relays broadcast UDP (DHCP relay, presumably) to the DC at 200.20.16.130.
    interface FastEthernet0/1
    description Connects to s1s
    no ip address
    zone-member security INSIDE
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.10
    encapsulation dot1Q 10
    ip address 200.20.16.1 255.255.255.192
    ip helper-address 200.20.16.130
    zone-member security INSIDE
    !
    interface FastEthernet0/1.20
    encapsulation dot1Q 20
    ip address 200.20.16.65 255.255.255.192
    ip helper-address 200.20.16.130
    zone-member security INSIDE
    !
    ! VLAN 30 (200.20.16.128/28) holds SHOLM-DC1 at 200.20.16.130.
    interface FastEthernet0/1.30
    encapsulation dot1Q 30
    ip address 200.20.16.129 255.255.255.240
    ip helper-address 200.20.16.130
    zone-member security INSIDE
    !
    interface FastEthernet0/1.40
    encapsulation dot1Q 40
    ip address 200.20.16.145 255.255.255.240
    ip helper-address 200.20.16.130
    zone-member security INSIDE
    !
    ! WAN link toward the ISP; the only OUTSIDE member.
    interface Serial1/0
    description Connects to ISP
    ip address 200.20.16.169 255.255.255.252
    zone-member security OUTSIDE
    serial restart-delay 0
    !
    interface Serial1/1
    no ip address
    shutdown
    serial restart-delay 0
    !
    ! Serial1/2 and Serial1/3 are unused but not shut down (Serial1/1 is).
    interface Serial1/2
    no ip address
    serial restart-delay 0
    !
    interface Serial1/3
    no ip address
    serial restart-delay 0
    !
    ! OSPF on every connected subnet, including the /30 toward the ISP, so an adjacency with the ISP
    ! peer is presumably formed there (router-to-router traffic is self-zone and not filtered by ZBF).
    ! Fa0/0 (DMZ) is passive: its prefix is advertised but no hellos are sent into the DMZ.
    ! The 10.0.0.0/16 statement matches no interface in this listing.
    router ospf 1
    log-adjacency-changes
    passive-interface FastEthernet0/0
    network 10.0.0.0 0.0.255.255 area 0
    network 200.20.16.0 0.0.0.63 area 0
    network 200.20.16.64 0.0.0.63 area 0
    network 200.20.16.128 0.0.0.15 area 0
    network 200.20.16.144 0.0.0.15 area 0
    network 200.20.16.160 0.0.0.7 area 0
    network 200.20.16.168 0.0.0.3 area 0
    !
    !
    !
    ! Both HTTP management servers disabled.
    no ip http server
    no ip http secure-server
    !

    ! Referenced by CMAP-TRUSTED-TO-IN. "permit ip ... any" on the second line already covers every
    ! later entry, so the echo/tcp/udp lines are redundant. Because that class-map is match-any and
    ! also matches protocol tcp/udp/icmp, this ACL is not what decides admission from OUTSIDE.
    ip access-list extended TRUSTED_TO_IN
    permit icmp 205.205.2.0 0.0.0.255 any echo-reply
    permit ip 205.205.2.0 0.0.0.255 any
    permit icmp 205.205.2.0 0.0.0.255 any echo
    permit tcp 205.205.2.0 0.0.0.255 any
    permit udp 205.205.2.0 0.0.0.255 any

    ! Referenced by DC_REPLICATION. Same pattern: "permit ip" makes the per-protocol entries redundant.
    ip access-list extended TRUST_TO_TRUST
    permit icmp 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255 echo
    permit tcp 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255
    permit udp 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255
    permit ip 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255
    permit icmp 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255 echo-reply
    !
    ! Syslog at debugging level (verbose) to 200.20.16.165, which sits in the DMZ /29 on Fa0/0;
    ! router-sourced messages are self-zone and do not need a zone-pair.
    logging trap debugging
    logging facility local3
    logging 200.20.16.165
    !
    !
    !
    !
    control-plane
    !
    ! As written, IOS would take the first character after "banner motd" as the delimiter; the
    ! listing has presumably lost its delimiter characters.
    banner motd No Unauthorized Access!
    !
    ! Console: never times out (exec-timeout 0 0), lands at privilege 15, line password is type 7 (reversible).
    line con 0
    exec-timeout 0 0
    privilege level 15
    password 7 047802150C2E0D
    logging synchronous
    ! Aux: same timeout and privilege, no line password shown (aaa new-model governs login).
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    ! vty 0-4: SSH only.
    line vty 0 4
    privilege level 15
    logging synchronous
    transport input ssh
    ! vty 5-15: "transport input all" also accepts Telnet (cleartext), inconsistent with vty 0-4;
    ! "transport input ssh" on this range closes the gap.
    line vty 5 15
    logging synchronous
    transport input all
    !
    ! Time from the DC (presumably for Kerberos/AD clock sync).
    ntp server 200.20.16.130

    !
    webvpn cef
    !
    end


    Router e1r

    ! ---- e1r: global settings ----
    ! (the trailing "!" on the hostname line looks like a paste artifact)
    hostname e1r !
    boot-start-marker
    boot-end-marker
    !
    ! Plaintext (type 0) enable password; s1r uses "enable secret", which stores a hash.
    enable password cisco
    !
    ! aaa new-model with no "aaa authentication" lines in this listing: logins presumably fall back
    ! to the local username database -- confirm against the full config.
    aaa new-model
    !
    !
    !
    !
    aaa session-id common
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name kvarka.local
    ! No "login on-failure log" here, unlike s1r.
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    ! Plaintext (type 0) local credential; s1r stores the same account as type 7 and has a separate
    ! hashed admin user. "username sshadmin secret ..." would store a hash.
    username sshadmin password 0 cisco1
    ! Log configuration changes; hidekeys keeps passwords out of the change log.
    archive
    log config
    hidekeys
    !
    !
    ip tcp synwait-time 5
    ! SSH: version 2 only, 60 s negotiation timeout, two authentication retries.
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    !
    ! Inspect class used on the INSIDE->OUTSIDE pair (via POLICY_MAP_IN_TO_OUT). match-any means a
    ! packet matches if ANY line hits, so "match protocol tcp/udp/icmp" alone classifies all TCP, UDP
    ! and ICMP; the TRUST_TO_TRUST ACL and the L7 protocol lines never narrow anything here.
    class-map type inspect match-any DC_REPLICATION
    match access-group name TRUST_TO_TRUST
    match protocol icmp
    match protocol echo
    match protocol dns
    match protocol http
    match protocol isakmp
    match protocol kerberos
    match protocol ldap
    match protocol netbios-dgm
    match protocol netbios-ns
    match protocol netbios-ssn
    match protocol snmptrap
    match protocol tcp
    match protocol udp

    ! Inspect class used on the OUTSIDE->INSIDE pair (via PMAP_OUT_TO_IN). Same match-any shape:
    ! "match protocol tcp/udp/icmp" admits any TCP/UDP/ICMP arriving from OUTSIDE, so the restriction
    ! to 200.20.16.0/24 in TRUSTED_TO_IN has no effect. To enforce the source restriction the class
    ! would have to require the ACL (e.g. a match-all class pairing the ACL with one protocol, or the
    ! ACL alone) instead of offering it as one alternative.
    class-map type inspect match-any CMAP-TRUSTED-TO-IN
    match access-group name TRUSTED_TO_IN
    match protocol icmp
    match protocol echo
    match protocol dns
    match protocol http
    match protocol isakmp
    match protocol kerberos
    match protocol ldap
    match protocol netbios-dgm
    match protocol netbios-ns
    match protocol netbios-ssn
    match protocol snmptrap
    match protocol tcp
    match protocol udp
    !
    !
    ! Inbound policy (OUTSIDE->INSIDE). "inspect" opens a stateful session so return traffic is
    ! allowed back. class-default carries no action, which in ZBF means drop.
    policy-map type inspect PMAP_OUT_TO_IN
    class type inspect CMAP-TRUSTED-TO-IN
    inspect
    class class-default
    ! Outbound policy (INSIDE->OUTSIDE). Named differently from s1r's PMAP-IN-TO-OUT although the
    ! contents are the same; harmless, but easy to mis-copy between the two routers.
    policy-map type inspect POLICY_MAP_IN_TO_OUT
    class type inspect DC_REPLICATION
    inspect
    class class-default
    !
    ! Two zones (no DMZ on this router); both pairs carry an inspect policy, so unlike s1r there is
    ! no zone-pair here that drops by default. Traffic between the DCs crosses OUT_TO_TRUSTED on the
    ! way in and ZONE_PAIR_IN_TO_OUT on the way out; both inspect any TCP/UDP/ICMP.
    zone security OUTSIDE
    zone security INSIDE
    zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
    service-policy type inspect POLICY_MAP_IN_TO_OUT
    zone-pair security OUT_TO_TRUSTED source OUTSIDE destination INSIDE
    service-policy type inspect PMAP_OUT_TO_IN
    !
    !
    !
    ! Fa0/0 is unused: shut down, no IP, no zone membership.
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    ! Trunk to switch e1s: the parent (no IP) and every dot1Q subinterface are in INSIDE.
    ! Each subinterface relays broadcast UDP (DHCP relay, presumably) to the DC at 205.205.2.130.
    interface FastEthernet0/1
    description Connects to e1s
    no ip address
    zone-member security INSIDE
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.10
    encapsulation dot1Q 10
    ip address 205.205.2.1 255.255.255.192
    ip helper-address 205.205.2.130
    zone-member security INSIDE
    !
    interface FastEthernet0/1.20
    encapsulation dot1Q 20
    ip address 205.205.2.65 255.255.255.192
    ip helper-address 205.205.2.130
    zone-member security INSIDE
    !
    ! VLAN 30 (205.205.2.128/28) holds ETUNA-DC1 at 205.205.2.130.
    interface FastEthernet0/1.30
    encapsulation dot1Q 30
    ip address 205.205.2.129 255.255.255.240
    ip helper-address 205.205.2.130
    zone-member security INSIDE
    !
    interface FastEthernet0/1.40
    encapsulation dot1Q 40
    ip address 205.205.2.145 255.255.255.240
    ip helper-address 205.205.2.130
    zone-member security INSIDE
    !
    ! WAN link toward the ISP; the only OUTSIDE member.
    interface Serial1/0
    description Connects to ISP
    ip address 205.205.2.161 255.255.255.252
    zone-member security OUTSIDE
    serial restart-delay 0
    !
    interface Serial1/1
    no ip address
    shutdown
    serial restart-delay 0
    !
    ! Serial1/2 and Serial1/3 are unused but not shut down (Serial1/1 is).
    interface Serial1/2
    no ip address
    serial restart-delay 0
    !
    interface Serial1/3
    no ip address
    serial restart-delay 0
    !
    ! OSPF on every connected subnet, including the /30 toward the ISP. No passive interfaces are
    ! set, so hellos are also sent into each user VLAN (s1r at least makes its DMZ interface passive);
    ! "passive-interface" on the four subinterfaces would keep OSPF off the access segments.
    router ospf 1
    log-adjacency-changes
    network 205.205.2.0 0.0.0.63 area 0
    network 205.205.2.64 0.0.0.63 area 0
    network 205.205.2.128 0.0.0.15 area 0
    network 205.205.2.144 0.0.0.15 area 0
    network 205.205.2.160 0.0.0.3 area 0
    !
    !
    !
    ! Both HTTP management servers disabled.
    no ip http server
    no ip http secure-server
    !
    ! Referenced by CMAP-TRUSTED-TO-IN. The final "permit ip ... any" covers every earlier entry,
    ! so the echo/tcp/udp lines only add ordering noise. Because that class-map is match-any and
    ! also matches protocol tcp/udp/icmp, this ACL is not what decides admission from OUTSIDE.
    ip access-list extended TRUSTED_TO_IN
    permit icmp 200.20.16.0 0.0.0.255 any echo
    permit icmp 200.20.16.0 0.0.0.255 any echo-reply
    permit tcp 200.20.16.0 0.0.0.255 any
    permit udp 200.20.16.0 0.0.0.255 any
    permit ip 200.20.16.0 0.0.0.255 any

    ! Referenced by DC_REPLICATION. Same pattern: "permit ip" makes the per-protocol entries redundant.
    ip access-list extended TRUST_TO_TRUST
    permit icmp 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255 echo
    permit icmp 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255 echo-reply
    permit tcp 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255
    permit udp 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255
    permit ip 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255
    !
    ! Syslog at debugging level to 200.20.16.165, which is in s1r's DMZ /29 behind s1r's Serial1/0.
    ! On s1r the OUTSIDE->DMZ zone-pair has no service-policy, so these messages are presumably
    ! dropped there; a policy on that pair (or a syslog host on this side) is needed for e1r's
    ! logs to arrive. The e1r listing stops after these lines; its line/vty config is not shown.
    logging trap debugging
    logging facility local3
    logging 200.20.16.165
    !
    !


    Any help would be appreciated.
    Lars

