Routing from border router to internal LAN?


StephenL

I have a Cisco 877W and I've set up two SSIDs on it, each with a different VLAN (I intend to use the zone-based firewall to lock down the guest zone later).

I've made a quick diagram of my network. It's a single server with two NICs, one for the internal LAN and another for the external network (direct connection to the router).

The server hosts three virtualized servers, with the external NIC only shared with the TMG 2010 server.

[Network diagram: 927b5b84.png]

So my problem is that when I connect to the 10.0.1.1 network as 10.0.1.2 I can only ping the internal network; however, the internal network is incapable of responding (pinging back), giving "destination host unreachable". I know I need some kind of routing, but I'm not sure where to apply it: on the TMG server with the next hop as 10.0.0.10, or on the router.

The guest Wi-Fi is intended to bypass the network firewall and not allow access to the internal network.

I've enabled IP routing on the Cisco router and attached the config below. If anyone can suggest what to do next I'd appreciate it.

Current configuration : 11103 bytes
!
! Last configuration change at 08:03:46 UTC Mon Oct 22 2012 by LocalAdmin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco877W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius sdm-vpn-server-group-1
 server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
 server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
 server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
 server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_pmip
 server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius dummy
!
aaa authentication login default group radius local
aaa authentication login local_authen local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec local_author local
aaa accounting network acct_methods
 action-type start-stop
 group rad_acct
!
!
aaa session-id common
!
!
dot11 ssid Guest Wifi
 vlan 2
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 accounting acct_methods
 mbssid guest-mode
!
dot11 ssid InternalDomain.com
 vlan 1
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 accounting acct_methods
 mbssid guest-mode
!
no ip source-route
!
!
ip dhcp smart-relay
ip dhcp relay information trust-all
!
!
ip cef
no ip bootp server
ip domain name InternalDomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip dhcp-server 10.0.0.1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username LocalAdmin privilege 15 secret !
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description TMG Firewall Port
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet1
 description Internal Network Port
 switchport access vlan 11
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 12
 shutdown
 spanning-tree portfast
!
interface FastEthernet3
 shutdown
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 beacon period 50
 beacon dtim-period 50
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 ssid Guest Wifi
 !
 ssid InternalDomain.com
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 packet retries 100
 fragment-threshold 2307
 station-role root access-point
 rts threshold 2306
 rts retries 100
 world-mode dot11d country IE indoor
!
interface Dot11Radio0.1
 description Internal Network Radio
 encapsulation dot1Q 1 native
 ip address 10.0.1.1 255.255.255.0
 ip helper-address 10.0.0.1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface Dot11Radio0.2
 description Guest WiFi Radio
 encapsulation dot1Q 2
 ip address 10.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description VLAN For Internal Wireless Network
 ip dhcp relay information trusted
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1452
!
interface Vlan2
 description VLAN For Guest Wireless Network
 ip dhcp relay information trusted
 no ip address
 ip helper-address 10.0.0.1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1452
!
interface Vlan10
 description VLAN For TMG Network
 ip address 10.0.3.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan11
 description VLAN For Internal Network
 ip address 10.0.0.10 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 description ADSL Connection
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip flow-export version 9
ip flow-export destination 10.0.0.1 2055
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
ip route profile
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Guest-ACL
 permit ip any any
!
logging trap debugging
logging 10.0.0.1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 10.0.3.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
radius-server local
 nas 10.0.0.3 key 7
!
radius-server host 10.0.0.3 auth-port 1645 acct-port 1646
!
control-plane
!
line con 0
 login authentication local_authen
 no modem enable
line aux 0
 login authentication local_authen
line vty 0 4
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 10.0.0.2 source FastEthernet1
end

Edited by StephenL
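The asymmetric path behind the symptom in the post, as an added worked example (not code from the thread or from the poster): a small longest-prefix-match routing simulator built from the interface addresses in the config above. The router's addresses (10.0.1.1, 10.0.2.1, 10.0.0.10, 10.0.3.1) come from the config; the TMG NIC addresses (10.0.3.2 external, 10.0.0.254 internal), the wired host 10.0.0.50, and the two wireless clients 10.0.1.2 and 10.0.2.2 are constructed assumptions, as is the assumption that wired hosts use the TMG as their default gateway. It traces the ping in both directions, shows where the reply crosses the firewall, and compares the two candidate fixes from the post (static route on the TMG versus on the hosts). It also traces a guest client to show that, with the router directly connected to both the wireless subnets and the internal LAN, nothing currently sits between the guest VLAN and 10.0.0.0/24.

```python
"""Hop-by-hop routing trace of the topology in the post (added example).

Router addresses are the ones in the posted config. TMG NICs, the wired
host and the wireless clients are constructed assumptions.
"""
import ipaddress as ipa
from dataclasses import dataclass, field
from typing import Optional

ANY = ipa.ip_network("0.0.0.0/0")


@dataclass
class Route:
    prefix: ipa.IPv4Network
    out_iface: str
    next_hop: Optional[ipa.IPv4Address] = None  # None = directly connected


@dataclass
class Device:
    name: str
    ifaces: dict                      # iface name -> IPv4Interface
    routes: list = field(default_factory=list)
    stateful_fw: bool = False         # drops forwarded replies with no session

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces.values())

    def lookup(self, dst):
        """Longest-prefix match, the rule every IP stack applies."""
        cands = [r for r in self.routes if dst in r.prefix]
        return max(cands, key=lambda r: r.prefix.prefixlen, default=None)


def device(name, ifaces, default_via=None, stateful_fw=False):
    """Build a device with its connected routes and an optional default route."""
    ifs = {n: ipa.ip_interface(a) for n, a in ifaces.items()}
    d = Device(name, ifs, [Route(i.network, n) for n, i in ifs.items()], stateful_fw)
    if default_via:
        gw = ipa.ip_address(default_via)
        out = next(n for n, i in ifs.items() if gw in i.network)
        d.routes.append(Route(ANY, out, gw))
    return d


def build(tmg_route=False, host_route=False):
    """Topology from the post; the flags add the candidate static routes."""
    router = device("router", {"Dot11Radio0.1": "10.0.1.1/24", "Dot11Radio0.2": "10.0.2.1/24",
                               "Vlan11": "10.0.0.10/24", "Vlan10": "10.0.3.1/24"})
    # TMG addresses and the wired host are assumed, not from the page.
    tmg = device("tmg", {"ext": "10.0.3.2/24", "int": "10.0.0.254/24"},
                 default_via="10.0.3.1", stateful_fw=True)
    host = device("host", {"eth0": "10.0.0.50/24"}, default_via="10.0.0.254")
    client = device("client", {"wlan": "10.0.1.2/24"}, default_via="10.0.1.1")
    guest = device("guest", {"wlan": "10.0.2.2/24"}, default_via="10.0.2.1")
    wifi_net, via = ipa.ip_network("10.0.1.0/24"), ipa.ip_address("10.0.0.10")
    if tmg_route:                      # "route on the TMG, next hop 10.0.0.10"
        tmg.routes.append(Route(wifi_net, "int", via))
    if host_route:                     # same route on the wired host instead
        host.routes.append(Route(wifi_net, "eth0", via))
    return [router, tmg, host, client, guest]


def trace(devices, src, dst):
    """Return [(device, in_iface, out_iface), ...] from src to dst.

    out_iface is None on the device owning dst, 'NO ROUTE' on a dead end.
    """
    dst = ipa.ip_address(dst)
    by_addr = {i.ip: (d, n) for d in devices for n, i in d.ifaces.items()}
    cur, in_if, hops = next(d for d in devices if d.name == src), None, []
    for _ in range(8):
        if cur.owns(dst):
            return hops + [(cur.name, in_if, None)]
        r = cur.lookup(dst)
        if r is None:
            return hops + [(cur.name, in_if, "NO ROUTE")]
        hops.append((cur.name, in_if, r.out_iface))
        nh = dst if r.next_hop is None else r.next_hop
        if nh not in by_addr:          # no device answers ARP for the next hop
            return hops + [(str(nh), "UNREACHABLE", None)]
        cur, in_if = by_addr[nh]
    raise RuntimeError("routing loop")


def firewall_crossings(devices, hops):
    """Hops where a stateful firewall forwards between two different interfaces;
    a reply taking such a hop without a matching session is dropped."""
    fws = {d.name for d in devices if d.stateful_fw}
    return [h for h in hops if h[0] in fws and h[2] not in (None, "NO ROUTE") and h[1] != h[2]]


def path(hops):
    return [h[0] for h in hops]


def symmetric(fwd, rev):
    return path(fwd) == path(rev)[::-1]


if __name__ == "__main__":
    for label, kw in (("as posted", {}), ("route on TMG", {"tmg_route": True}),
                      ("route on host", {"host_route": True})):
        devs = build(**kw)
        fwd, rev = trace(devs, "client", "10.0.0.50"), trace(devs, "host", "10.0.1.2")
        print(f"{label}: fwd {path(fwd)} rev {path(rev)} symmetric={symmetric(fwd, rev)} "
              f"reply crosses firewall at {firewall_crossings(devs, rev)}")
    print("guest -> internal LAN:", path(trace(build(), "guest", "10.0.0.50")))
```

As posted, the echo request goes client, router, host (the router is directly connected to both subnets), but the echo reply goes host, TMG, router, client and crosses the TMG from its internal to its external interface, where a stateful firewall sees a reply with no session. A static route for 10.0.1.0/24 via 10.0.0.10 on the TMG keeps the reply on the TMG's internal interface (a hairpin, no firewall boundary crossed); the same route on the wired hosts makes the path fully symmetric. The guest trace shows the router forwarding 10.0.2.0/24 straight into 10.0.0.0/24 with no firewall in the path at all, which is the gap the planned zone-based policy on the router has to close; the posted Guest-ACL (permit ip any any) is not applied to any interface yet.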