Can't access switch that's in trunk mode

Jul 10th, 2008
Hi,


I have a Cisco ASA firewall; trunked off this I have a Cisco 3750 (128.101.10.52/16), which I can access via telnet from my PC.


Now off the 3750 I have trunked a 3560 (172.24.0.249/16), which I can't access from my PC, although I can access it via a telnet session from the 3750.


I have tried adding the "ip route" to the 3750 or ASA's IP but I still can't access it.


What do you need from me for you to be able to help?


The IP route on the 3750 is 0.0.0.0 0.0.0.0 128.101.10.71, which is our core LAN switch. The 3750 can ping this. I assume the 3560 needs to ping this too, which it can't; it's like the 3750 is not passing the traffic through. I know it is because I have lots of servers on the 3560 which I can access.


Thanks


Andy,


Physically - on the 3750, which port is connected to the ASA? Which port is connected to the 3560?


Layer 2 config- on the 3750 I can only see one trunk port configured 1/0/1?


Layer 3 config on both looks OK - any specific reason why for vlan 6 you are using a /16? I would probably go down to a /24.


HTH.

whiteford Thu, 07/10/2008 - 07:15

Hi,


3750 to ASA (trunk) = interface FastEthernet1/0/1

3750 to 3560 (trunk) = interface FastEthernet1/0/2


Yeah, I've been meaning to change it to /24, it's more tidy, plus is it better for broadcasts?


whiteford Thu, 07/10/2008 - 07:58

Little confused...sorry


Can you explain again,


3750 to ASA (trunk) = 3750 interface FastEthernet1/0/1

3750 to 3560 (trunk) = 3750 interface FastEthernet1/0/2


FastEthernet1/0/2 on the 3750 plugs into FastEthernet0/1 on the 3560.

Sorry - I confused myself on which device was connected to which port. Can you try the following on the 3560:-


Paste in this order.....


ip default-gateway 172.24.0.250
no ip routing



Can you also post your ASA config - sanitised of course, remove any passwords, external IP addresses etc?

whiteford Fri, 07/11/2008 - 04:24

Tried:


ip default-gateway 172.24.0.250
no ip routing


But no luck. If it helps, the servers that are patched into the 3560 I can get onto from my PC and access their C$ and remote desktop them, it's just managing the 3560 via SSH or telnet.


The ASA config is so huge, can I just ask what part you may need to help you?


Port 2 on the ASA is the trunk port to the 3750, so I have many virtual VLANs I suppose (not sure of the proper word), here is the config for the trunk:


interface GigabitEthernet0/2.6
 vlan 6
 security-level 10
 ip address 172.24.0.100 255.255.0.0 standby 172.24.0.249
 ospf cost 10


Although I didn't configure most of this ASA, I see the standby address is the same as this switch! I did remove it but still no luck.


whiteford Fri, 07/11/2008 - 04:52

I can't ping the firewall's inside address of 128.101.10.50 but I can ping 172.24.0.100 which is the VLAN gateway on the firewall.


Just added an IP any any each way and still nothing.


Tried Packet tracer on the ASA and it believes it can get through to the 3560:


192.168.90.5 is me


"packet-tracer input inside tcp 192.168.90.5 172.24.0.248 telnet"


whiteford Fri, 07/11/2008 - 05:08

Strange thing is, I have just logged onto the ASA via telnet then typed ping 172.24.0.249:



ping 172.24.0.249

Sending 5, 100-byte ICMP Echos to 172.24.0.249, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms


whiteford Fri, 07/11/2008 - 05:41

I have a NAT exempt from my PC's IP to 172.24.0.0/24 and ACEs from my IP (inside) to 172.24.0.0/24 which is totally open and the opposite rule so 172.24.0.0/24 (on the DMZ_webservers interface) to my IP on any port.


I can get to the servers on 172.24.0.0/24 from my PC so I know the rules are working, but can't telnet to 172.24.0.249.


I can only telnet to the 3560 from the 3750 (128.101.10.52) and any 172.24.0.0/24 client in that the 3560 switch.

In all honesty it should work, don't see why it does not if you say the ASA is not filtering anything.


The only other thing I could suggest is to reboot the 3560. In the past I have had issues with switches not being able to reach IP addresses....and a re-load fixes all, but my switches are 3548XL's - so not really a straight comparison :o(


HTH.
