StephenL Posted October 27, 2012 (edited)

I have a Cisco 877W and I've set up two SSIDs on it, each with different VLANs (I intend to use the zone-based firewall to lock down the guest zone later). I've made a quick diagram of my network. It's a single server with 2 NICs, one for the internal LAN and another for the external network (direct connection to the router). The server hosts 3 virtualized servers, with the external NIC only shared with the TMG 2010 server.

So my problem is that when I connect to the 10.0.1.1 network as 10.0.1.2 I can only ping the internal network; however, the internal network is incapable of responding (pinging back), giving "destination host unreachable". I know I need some kind of routing, but I'm not sure where to apply it: on the TMG server with the next hop as 10.0.0.10, or on the router. The guest Wi-Fi is intended to bypass the network firewall and not allow access to the internal network.

I've enabled ip routing on the Cisco router and attached the config below. If anyone can suggest what to do next I'd appreciate it.

Current configuration : 11103 bytes
!
! Last configuration change at 08:03:46 UTC Mon Oct 22 2012 by LocalAdmin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco877W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius sdm-vpn-server-group-1
 server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
 server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
 server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
 server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius rad_pmip
 server 10.0.0.3 auth-port 1645 acct-port 1646
!
aaa group server radius dummy
!
aaa authentication login default group radius local
aaa authentication login local_authen local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec local_author local
aaa accounting network acct_methods
 action-type start-stop
 group rad_acct
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
dot11 ssid Guest Wifi
 vlan 2
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 accounting acct_methods
 mbssid guest-mode
!
dot11 ssid InternalDomain.com
 vlan 1
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 accounting acct_methods
 mbssid guest-mode
!
no ip source-route
!
!
ip dhcp smart-relay
ip dhcp relay information trust-all
!
!
ip cef
no ip bootp server
ip domain name InternalDomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip dhcp-server 10.0.0.1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username LocalAdmin privilege 15 secret
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 no atm ilmi-keepalive
!
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description TMG Firewall Port
 switchport access vlan 10
 spanning-tree portfast
!
!
interface FastEthernet1
 description Internal Network Port
 switchport access vlan 11
 spanning-tree portfast
!
!
interface FastEthernet2
 switchport access vlan 12
 shutdown
 spanning-tree portfast
!
!
interface FastEthernet3
 shutdown
 spanning-tree portfast
!
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 beacon period 50
 beacon dtim-period 50
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 ssid Guest Wifi
 !
 ssid InternalDomain.com
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 packet retries 100
 fragment-threshold 2307
 station-role root access-point
 rts threshold 2306
 rts retries 100
 world-mode dot11d country IE indoor
!
!
interface Dot11Radio0.1
 description Internal Network Radio
 encapsulation dot1Q 1 native
 ip address 10.0.1.1 255.255.255.0
 ip helper-address 10.0.0.1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface Dot11Radio0.2
 description Guest WiFi Radio
 encapsulation dot1Q 2
 ip address 10.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description VLAN For Internal Wireless Network
 ip dhcp relay information trusted
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1452
!
!
interface Vlan2
 description VLAN For Guest Wireless Network
 ip dhcp relay information trusted
 no ip address
 ip helper-address 10.0.0.1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1452
!
!
interface Vlan10
 description VLAN For TMG Network
 ip address 10.0.3.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
!
interface Vlan11
 description VLAN For Internal Network
 ip address 10.0.0.10 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
!
interface Dialer0
 description ADSL Connection
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip flow-export version 9
ip flow-export destination 10.0.0.1 2055
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip nat inside source list 1 interface Dialer0 overload
ip route profile
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Guest-ACL
 permit ip any any
!
logging trap debugging
logging 10.0.0.1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 10.0.3.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
radius-server local
 nas 10.0.0.3 key 7
!
radius-server host 10.0.0.3 auth-port 1645 acct-port 1646
!
control-plane
!
!
!
line con 0
 login authentication local_authen
 no modem enable
line aux 0
 login authentication local_authen
line vty 0 4
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 10.0.0.2 source FastEthernet1
end

Edited October 27, 2012 by StephenL
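The config above gives the router an address on four subnets (Vlan11 10.0.0.0/24, Dot11Radio0.1 10.0.1.0/24, Dot11Radio0.2 10.0.2.0/24, Vlan10 10.0.3.0/24) and ip routing is on, so the router forwards between them as connected routes. None of those interfaces carries an ip access-group, and Guest-ACL is defined but never applied. Before relying on a future zone-based firewall for guest isolation, a reviewer would want a quick mechanical check of exactly those two things. The script below is an added example, not the poster's code or anything from Cisco: it parses an IOS-style running-config into blocks, lists the routed interfaces with their subnet and NAT role, reports the ones that have no ACL in either direction, and reports ACLs that nothing references. The embedded config is a constructed excerpt using the addresses from the post; the function names and the report layout are my own.

```python
"""Audit an IOS running-config for unfiltered routed interfaces and dead ACLs.

Added example (not the poster's config or a Cisco tool). It answers two review
questions: which subnets does this router route between with no ACL applied,
and which ACLs are defined but used nowhere.
"""
import ipaddress
import re

# Constructed excerpt using the addresses shown in the post; not the full config.
SAMPLE_CONFIG = """\
interface Dot11Radio0.1
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
interface Dot11Radio0.2
 ip address 10.0.2.1 255.255.255.0
 ip nat inside
!
interface Vlan10
 ip address 10.0.3.1 255.255.255.0
 ip nat inside
!
interface Vlan11
 ip address 10.0.0.10 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Guest-ACL
 permit ip any any
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 10.0.3.0 0.0.0.255
"""


def parse_blocks(text):
    """Split IOS config into (header, [indented child lines]); '!' lines are ignored."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def routed_interfaces(text):
    """Return {name: {network, nat, acl_in, acl_out}} for interfaces that carry an IP."""
    result = {}
    for header, children in parse_blocks(text):
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        info = {"network": None, "nat": None, "acl_in": None, "acl_out": None}
        has_ip = False
        for line in children:
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:  # static address + mask -> connected subnet
                has_ip = True
                info["network"] = str(
                    ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
            elif line == "ip address negotiated":  # PPP-assigned, e.g. Dialer0
                has_ip = True
            elif line in ("ip nat inside", "ip nat outside"):
                info["nat"] = line.split()[-1]
            else:
                m = re.match(r"ip access-group (\S+) (in|out)$", line)
                if m:
                    info["acl_" + m.group(2)] = m.group(1)
        if has_ip:
            result[name] = info
    return result


def acl_usage(text):
    """Return (defined, referenced) ACL name sets; numbered ACLs are named by number."""
    defined, referenced = set(), set()
    for header, children in parse_blocks(text):
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", header)
        if m:
            defined.add(m.group(1))
        m = re.match(r"access-list (\d+) ", header)
        if m:
            defined.add(m.group(1))
        for line in [header] + children:  # references: access-group and NAT source list
            m = re.match(r"ip access-group (\S+) (?:in|out)$", line)
            if m:
                referenced.add(m.group(1))
            m = re.match(r"ip nat inside source list (\S+) ", line)
            if m:
                referenced.add(m.group(1))
    return defined, referenced


def audit(text):
    """Routed interfaces, LAN interfaces with no ACL in either direction, unused ACLs."""
    ifaces = routed_interfaces(text)
    unfiltered = sorted(n for n, i in ifaces.items()
                        if i["network"] and not i["acl_in"] and not i["acl_out"])
    defined, referenced = acl_usage(text)
    return {"routed": ifaces, "unfiltered_lan_interfaces": unfiltered,
            "unused_acls": sorted(defined - referenced)}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name, info in report["routed"].items():
        print(f"{name:15} {info['network'] or 'negotiated':14} nat={info['nat']}")
    print("LAN interfaces with no ACL applied:", report["unfiltered_lan_interfaces"])
    print("ACLs defined but never applied:   ", report["unused_acls"])
```

On the excerpt this reports all four LAN-side interfaces as unfiltered and Guest-ACL as unused, which matches what the posted config shows; once an access-group or zone-pair is applied to the guest interface, rerunning it against the new running-config confirms the isolation is actually in place rather than merely intended.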