StephenL

Member
  • Content count

    1
  • Joined

  • Last visited

Community Reputation

0 Neutral

About StephenL

Profile Information

  • OS
    Server 2008 x64
  1. I have a cisco 877w and ive setup two ssids on it each with different vlans (I intend to use the zone based firewall to lock down the guest zone later) Ive made a quick diagram of my network its a single server with 2 NIC's one for the internal lan and another for the external network (direct connection to the router) The server hosts 3 virtualized servers with the ecternal nic only shared with the tmg 2010 server. So my problem is that when I connect to the 10.0.1.1 network as 10.0.1.2 I can only ping the internal network however the internal network is incapable of responding (pinging back) giving destination host unreachable. I know I need some kind of routing but im not sure where to apply it on the TMG server with the next hop as 10.0.0.10 or on the router. The guest wifi is intended to bypass the network firewall and not allow access to the internal network. I've enabled ip routing on the cisco router and attached the config below. If anyone can suggest what to do next id appreciate it. Current configuration : 11103 bytes ! ! Last configuration change at 08:03:46 UTC Mon Oct 22 2012 by LocalAdmin ! version 15.0 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug uptime service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname Cisco877W ! boot-start-marker boot-end-marker ! security authentication failure rate 3 log security passwords min-length 6 logging buffered 51200 logging console critical enable secret ! aaa new-model ! ! aaa group server radius rad_eap server 10.0.0.3 auth-port 1645 acct-port 1646 ! aaa group server radius sdm-vpn-server-group-1 server 10.0.0.3 auth-port 1645 acct-port 1646 ! aaa group server radius rad_mac server 10.0.0.3 auth-port 1645 acct-port 1646 ! aaa group server radius rad_acct server 10.0.0.3 auth-port 1645 acct-port 1646 ! aaa group server radius rad_admin server 10.0.0.3 auth-port 1645 acct-port 1646 ! aaa group server radius rad_pmip server 10.0.0.3 auth-port 1645 acct-port 1646 ! aaa group server radius dummy ! aaa authentication login default group radius local aaa authentication login local_authen local aaa authentication login eap_methods group rad_eap aaa authentication login mac_methods local aaa authorization exec local_author local aaa accounting network acct_methods action-type start-stop group rad_acct ! ! ! ! ! ! aaa session-id common ! ! ! ! ! dot11 ssid Guest Wifi vlan 2 authentication open eap eap_methods authentication network-eap eap_methods authentication key-management wpa accounting acct_methods mbssid guest-mode ! dot11 ssid InternalDomain.com vlan 1 authentication open eap eap_methods authentication network-eap eap_methods authentication key-management wpa accounting acct_methods mbssid guest-mode ! no ip source-route ! ! ip dhcp smart-relay ip dhcp relay information trust-all ! ! ip cef no ip bootp server ip domain name InternalDomain.com ip name-server 8.8.8.8 ip name-server 8.8.4.4 ip dhcp-server 10.0.0.1 no ipv6 cef ! multilink bundle-name authenticated ! ! ! username LocalAdmin privilege 15 secret ! ! ip tcp synwait-time 10 ip ssh time-out 60 ip ssh authentication-retries 2 ip ssh version 2 ! ! ! ! bridge irb ! ! ! interface Null0 no ip unreachables ! interface ATM0 no ip address no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress no atm ilmi-keepalive ! ! interface ATM0.1 point-to-point no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress snmp trap link-status pvc 8/35 pppoe-client dial-pool-number 1 ! ! interface FastEthernet0 description TMG Firewall Port switchport access vlan 10 spanning-tree portfast ! ! interface FastEthernet1 description Internal Network Port switchport access vlan 11 spanning-tree portfast ! ! interface FastEthernet2 switchport access vlan 12 shutdown spanning-tree portfast ! ! interface FastEthernet3 shutdown spanning-tree portfast ! ! interface Dot11Radio0 no ip address no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress beacon period 50 beacon dtim-period 50 ! encryption vlan 1 mode ciphers aes-ccm ! encryption vlan 2 mode ciphers aes-ccm ! ssid Guest Wifi ! ssid InternalDomain.com ! mbssid speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 packet retries 100 fragment-threshold 2307 station-role root access-point rts threshold 2306 rts retries 100 world-mode dot11d country IE indoor ! ! interface Dot11Radio0.1 description Internal Network Radio encapsulation dot1Q 1 native ip address 10.0.1.1 255.255.255.0 ip helper-address 10.0.0.1 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress ip nat inside ip virtual-reassembly ! interface Dot11Radio0.2 description Guest WiFi Radio encapsulation dot1Q 2 ip address 10.0.2.1 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress ip nat inside ip virtual-reassembly ! interface Vlan1 description VLAN For Internal Wireless Network ip dhcp relay information trusted no ip address no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress ip tcp adjust-mss 1452 ! ! interface Vlan2 description VLAN For Guest Wireless Network ip dhcp relay information trusted no ip address ip helper-address 10.0.0.1 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress ip tcp adjust-mss 1452 ! ! interface Vlan10 description VLAN For TMG Network ip address 10.0.3.1 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452 ! ! interface Vlan11 description VLAN For Internal Network ip address 10.0.0.10 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452 ! ! interface Dialer0 description ADSL Connection ip address negotiated no ip redirects no ip unreachables no ip proxy-arp ip mtu 1452 ip flow ingress ip flow egress ip nat outside ip virtual-reassembly encapsulation ppp dialer pool 1 dialer-group 1 ppp authentication chap callin ppp chap hostname ppp chap password ! ! ip forward-protocol nd ip http server ip http authentication local ip http secure-server ip http timeout-policy idle 600 life 86400 requests 10000 ! ip flow-export version 9 ip flow-export destination 10.0.0.1 2055 ip flow-top-talkers top 10 sort-by bytes ! ip nat inside source list 1 interface Dialer0 overload ip route profile ip route 0.0.0.0 0.0.0.0 Dialer0 ! ip access-list extended Guest-ACL permit ip any any ! logging trap debugging logging 10.0.0.1 access-list 1 remark SDM_ACL Category=2 access-list 1 permit 10.0.0.0 0.0.0.255 access-list 1 permit 10.0.1.0 0.0.0.255 access-list 1 permit 10.0.2.0 0.0.0.255 access-list 1 permit 10.0.3.0 0.0.0.255 dialer-list 1 protocol ip permit no cdp run ! ! ! ! radius-server local nas 10.0.0.3 key 7 ! radius-server host 10.0.0.3 auth-port 1645 acct-port 1646 ! control-plane ! ! ! line con 0 login authentication local_authen no modem enable line aux 0 login authentication local_authen line vty 0 4 privilege level 15 transport input ssh ! scheduler max-task-time 5000 scheduler allocate 4000 1000 scheduler interval 500 ntp server 10.0.0.2 source FastEthernet1 end