Subnet changed on Pix 515 Version 6.3 from /24 to /23

Answered Question
Jul 7th, 2008

Hi Experts,


We have the following topology: one Cisco PIX 515 Version 6.3 and three C3500XL switches.


OLD IP address scheme:


Outside: 172.16.4.1 /24

Inside: 172.16.1.1 /24

Dmz1: 172.16.2.1 /24

Dmz2: 172.16.3.1 /24

Dmz3: 172.16.5.1 /24

Dmz4: 172.16.6.1 /24



We needed more hosts on DMZ1 (172.16.2.1), so we changed the subnet to /23 instead of /24.

172.16.2.0 255.255.254.0 (valid IPs from 172.16.2.1 to 172.16.3.254)

--> We changed DMZ2 to 172.16.8.0


NEW IP address scheme:


Outside: 172.16.4.1 /24

Inside: 172.16.1.1 /24

Dmz1: 172.16.2.1 /23

Dmz2: 172.16.8.1 /24

Dmz3: 172.16.5.1 /24

Dmz4: 172.16.6.1 /24


Problem


1- If I add a new host on the DMZ1 segment with an IP address of 172.16.3.X, it is unreachable.

2- I can't ping it from any machine on the same network segment. There are NO VLANs in place.

3- From the PIX I can ping all machines, even one that has an IP address of 172.16.3.X.

4- If I take HOST_A and put the IP address 172.16.3.5 on it, I can't ping any server, and the servers can't ping HOST_A either.

But if I change HOST_A's IP address to 172.16.2.5 instead of .3.5, everything works perfectly.


Troubleshooting

1- I already rebooted the PIX and the switches.

2- I disabled spanning-tree portfast on the switch ports that connect to another switch; spanning-tree portfast is only enabled on the ports connecting to workstations.

3- All machines have the gateway 172.16.2.1 (DMZ1 on the PIX) with 172.16.2.0 /23 as the subnet mask.


4- Every so often, pings will start getting replies from some machines in 172.16.2.0 /23 that have an IP address of 172.16.3.X (DMZ1).


Somebody please help! I attached the configs.



JORGE RODRIGUEZ Tue, 07/08/2008 - 07:24

"2- I can't ping it from any machine on the same network segment. There are NO vlans in place."



It is assumed you have created the respective VLAN in your switch corresponding to the 172.16.2.0/23 network, and that each of the machines, whether its IP is under 172.16.3.x or 172.16.2.x, is on the same VLAN on the switch, and that the FW DMZ1 interface is also on that same VLAN. Other than this I do not yet see another reason for your problem. I'm bringing this thread to the top; you may get other comments from other netpros participants.



-Rgds

Jorge


ranbeckycr Tue, 07/08/2008 - 12:08

I appreciate your help on this matter. It is really strange behavior. Same network segment, all hosts are connected on the switches that connect to the firewall DMZ1.


Can't seem to find any reason why it is not working.


Best regards,

Randall

Correct Answer
JORGE RODRIGUEZ Wed, 07/09/2008 - 08:24

Randall, have you resolved your problem? If not, you could do two things.


1- You indicated no VLANs are involved in the switch, so I assume the switch is using the default VLAN 1. For the sake of testing and resolving the issue, could you create a unique VLAN for DMZ1, say VLAN 2, and place all connections on VLAN 2, including the DMZ1 firewall interface?


2- Also, when pinging from the .2 to the .3 hosts within the same network, do a low-level ICMP debug on the firewall, at least to observe the ICMP traffic in the event no replies go through; the debug message output will help in deciphering what the problem could be.


pix(config)#logging monitor 7

pix(config)#terminal monitor

pix(config)#debug icmp trace


Disable the debug after you are finished:

pix(config)#no debug all




Rgds

Jorge


ranbeckycr Wed, 07/09/2008 - 09:47

Jorge,


I stayed up all night yesterday figuring this out, and I was finally able to find the solution. This is very odd, and hopefully it will be useful for you at some point. Make sure you send a donation for the tip, LOL....


After in-depth troubleshooting I found out that someone had added a Cisco 1841 router to the 172.16.2.0 network a long time ago and everybody forgot about it. This router was connected with a 172.16.2.X IP and it had a subnet mask of /24.

I changed the subnet mask to /23 and Buuummmm, everything started working.


This little sucker was losing my connections, and that is why everything worked fine under 172.16.2.x.

I appreciate your help.


Best regards,

Randall
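The root cause above is a single device on the segment that still carried the old /24 mask after the renumbering to /23. A quick way to catch that class of problem, before staying up all night, is to compare every device's own view of the prefix. The following script is an added example and is not part of the thread or of the posted configs; the inventory in it is constructed, and the 1841's address 172.16.2.250 is an assumed placeholder for the "172.16.2.X" the post mentions. It reports the devices whose mask does not match the intended /23 and the pairs of devices that disagree about whether they are on the same link. (The thread does not say why the mismatched router broke reachability; a common mechanism on IOS, proxy ARP being enabled by default, would have it answer ARP requests for 172.16.3.x addresses it considers off-subnet, but that is not confirmed by the posts.)

```python
"""Subnet-mask consistency check for one L2 segment (added example).

Models the situation in the thread: DMZ1 was renumbered from
172.16.2.0/24 to 172.16.2.0/23, but one device kept a /24 mask.
"""
import ipaddress
from itertools import permutations

# The intended DMZ1 prefix after the change (from the thread).
INTENDED = ipaddress.ip_network("172.16.2.0/23")

# Constructed inventory, not taken from the posted configs. The thread only
# says the forgotten 1841 sat at "172.16.2.X" with a /24 mask; 172.16.2.250
# is an assumed placeholder for that address.
INVENTORY = {
    "pix-dmz1": "172.16.2.1/23",       # firewall DMZ1 interface, default gateway
    "server_1": "172.16.2.10/23",      # a host that kept a 172.16.2.x address
    "host_a": "172.16.3.5/23",         # the host that became unreachable
    "router-1841": "172.16.2.250/24",  # the forgotten router, still at /24
}


def host_range(network):
    """First and last usable host address of a prefix, as strings."""
    hosts = list(network.hosts())
    return str(hosts[0]), str(hosts[-1])


def mask_mismatches(inventory, intended=INTENDED):
    """Names of devices whose configured mask does not yield the intended prefix."""
    return sorted(
        name for name, cidr in inventory.items()
        if ipaddress.ip_interface(cidr).network != intended
    )


def on_link(src_cidr, dst_cidr):
    """True if src, judging by its own mask, believes dst is directly reachable."""
    src = ipaddress.ip_interface(src_cidr)
    dst = ipaddress.ip_interface(dst_cidr)
    return dst.ip in src.network


def asymmetric_pairs(inventory):
    """Ordered pairs (a, b) where a sees b on-link but b does not see a on-link.

    Any such pair means the two devices disagree about the segment's prefix:
    b will try to route traffic that a expects to exchange directly.
    """
    return sorted(
        (a, b) for a, b in permutations(inventory, 2)
        if on_link(inventory[a], inventory[b])
        and not on_link(inventory[b], inventory[a])
    )


if __name__ == "__main__":
    print("intended prefix:", INTENDED, "usable hosts:", host_range(INTENDED))
    print("devices with the wrong mask:", mask_mismatches(INVENTORY))
    for a, b in asymmetric_pairs(INVENTORY):
        print(f"{a} ({INVENTORY[a]}) sees {b} on-link, "
              f"but {b} ({INVENTORY[b]}) does not see {a} on-link")
```

Run it as-is to see the report for the constructed inventory; to use it on a real segment, replace INVENTORY with the interface addresses and masks pulled from each device (including routers and firewalls, not just hosts), since any device on the wire with a stale mask is a candidate.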

JORGE RODRIGUEZ Wed, 07/09/2008 - 10:09

Randall, that is great to hear you have solved it, and indeed it helps to post the solution for all to query and reference. One never knows when an issue like this will be presented.


I did simulate your topology in my lab for DMZ1 using /23 and it worked on an ASA 5505, and I was indeed puzzled why yours would not work, but now we know.


Best Rgds

-Jorge

ray_stone Wed, 07/09/2008 - 10:48

Did you use the clear xlate command after changing the configuration? If not, then do it and I'm sure it will work. Thanks
