Routing from border router to internal LAN?

No replies to this topic

#1
StephenL
I have a Cisco 877W and I've set up two SSIDs on it, each with a different VLAN (I intend to use the zone-based firewall to lock down the guest zone later).

I've made a quick diagram of my network: it's a single server with 2 NICs, one for the internal LAN and another for the external network (direct connection to the router).

The server hosts 3 virtualized servers, with the external NIC only shared with the TMG 2010 server.

[Image: network diagram]

So my problem is that when I connect to the 10.0.1.1 network as 10.0.1.2 I can only ping the internal network; however, the internal network is incapable of responding (pinging back), giving "destination host unreachable". I know I need some kind of routing, but I'm not sure where to apply it: on the TMG server with the next hop as 10.0.0.10, or on the router.

The guest wifi is intended to bypass the network firewall and not allow access to the internal network.

I've enabled IP routing on the Cisco router and attached the config below. If anyone can suggest what to do next, I'd appreciate it.


Current configuration : 11103 bytes
!
! Last configuration change at 08:03:46 UTC Mon Oct 22 2012 by LocalAdmin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco877W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius sdm-vpn-server-group-1
server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_pmip
server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius dummy
!
aaa authentication login default group radius local
aaa authentication login local_authen local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec local_author local
aaa accounting network acct_methods
action-type start-stop
group rad_acct
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
dot11 ssid Guest Wifi
vlan 2
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
accounting acct_methods
mbssid guest-mode
!
dot11 ssid InternalDomain.com
vlan 1
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
accounting acct_methods
mbssid guest-mode
!
no ip source-route
!
!
ip dhcp smart-relay
ip dhcp relay information trust-all
!
!
ip cef
no ip bootp server
ip domain name InternalDomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip dhcp-server 10.0.0.1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username LocalAdmin privilege 15 secret !
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
bridge irb
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
no atm ilmi-keepalive
!
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description TMG Firewall Port
switchport access vlan 10
spanning-tree portfast
!
!
interface FastEthernet1
description Internal Network Port
switchport access vlan 11
spanning-tree portfast
!
!
interface FastEthernet2
switchport access vlan 12
shutdown
spanning-tree portfast
!
!
interface FastEthernet3
shutdown
spanning-tree portfast
!
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
beacon period 50
beacon dtim-period 50
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 2 mode ciphers aes-ccm
!
ssid Guest Wifi
!
ssid InternalDomain.com
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
packet retries 100
fragment-threshold 2307
station-role root access-point
rts threshold 2306
rts retries 100
world-mode dot11d country IE indoor
!
!
interface Dot11Radio0.1
description Internal Network Radio
encapsulation dot1Q 1 native
ip address 10.0.1.1 255.255.255.0
ip helper-address 10.0.0.1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface Dot11Radio0.2
description Guest WiFi Radio
encapsulation dot1Q 2
ip address 10.0.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface Vlan1
description VLAN For Internal Wireless Network
ip dhcp relay information trusted
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip tcp adjust-mss 1452
!
!
interface Vlan2
description VLAN For Guest Wireless Network
ip dhcp relay information trusted
no ip address
ip helper-address 10.0.0.1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip tcp adjust-mss 1452
!
!
interface Vlan10
description VLAN For TMG Network
ip address 10.0.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
interface Vlan11
description VLAN For Internal Network
ip address 10.0.0.10 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
interface Dialer0
description ADSL Connection
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip flow-export version 9
ip flow-export destination 10.0.0.1 2055
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
ip route profile
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Guest-ACL
permit ip any any
!
logging trap debugging
logging 10.0.0.1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 10.0.3.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
radius-server local
nas 10.0.0.3 key 7
!
radius-server host 10.0.0.3 auth-port 1645 acct-port 1646
!
control-plane
!
!
!
line con 0
login authentication local_authen
no modem enable
line aux 0
login authentication local_authen
line vty 0 4
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 10.0.0.2 source FastEthernet1
end

Edited by StephenL, 27 October 2012 - 09:13 AM.
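The routing decision behind the question above, as an added example (not part of the post or of any Cisco or Microsoft tooling): a small parser builds the router's table from an excerpt of the posted config, and a model of an internal 10.0.0.0/24 host is given only its own subnet plus a default gateway. The gateway is assumed to be the TMG server and its address is a placeholder; the point is that the router reaches 10.0.1.0/24 directly, while the internal host hands its reply to the default gateway unless a specific route for 10.0.1.0/24 via 10.0.0.10 exists somewhere on the return path.

```python
import ipaddress
import re

# Constructed excerpt of the IOS config posted above: only the interface
# addresses and static route lines the parser needs.
IOS_CONFIG = """
interface Dot11Radio0.1
 ip address 10.0.1.1 255.255.255.0
interface Dot11Radio0.2
 ip address 10.0.2.1 255.255.255.0
interface Vlan10
 ip address 10.0.3.1 255.255.255.0
interface Vlan11
 ip address 10.0.0.10 255.255.255.0
interface Dialer0
 ip address negotiated
ip route 0.0.0.0 0.0.0.0 Dialer0
"""

def parse_ios_routes(text):
    """Build [(network, via, kind)] from 'interface', 'ip address <ip> <mask>'
    and 'ip route <net> <mask> <via>' lines; 'via' is an interface or next hop."""
    table, iface = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            # A configured address yields a directly connected route.
            table.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), iface, "connected"))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            table.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3], "static"))
    return table

def lookup(table, dst):
    """Longest-prefix match; returns (via, kind) or None if no route matches."""
    best = None
    for net, via, kind in table:
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, kind)
    return None if best is None else (best[1], best[2])

def reply_next_hop(gateway, extra_routes=()):
    """Next hop an internal host picks for a reply to the wireless client 10.0.1.2.
    The host knows its own subnet and a default gateway (assumed: the TMG server,
    placeholder address) plus any extra (network, next_hop) routes given."""
    host_table = [(ipaddress.ip_network("10.0.0.0/24"), "NIC", "connected"),
                  (ipaddress.ip_network("0.0.0.0/0"), gateway, "static")]
    host_table += [(ipaddress.ip_network(n), via, "static") for n, via in extra_routes]
    return lookup(host_table, "10.0.1.2")[0]

ROUTER = parse_ios_routes(IOS_CONFIG)
```

Without the extra route the reply leaves via the default gateway rather than via 10.0.0.10, so the request and reply take different paths.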
