Here you go. The 3750 is fine, it's 3560's.

Andy,

Physically - on the 3750, which port is connected to the ASA? Which port is connected to the 3560?

Layer 2 config- on the 3750 I can only see one trunk port configured 1/0/1?

layer 3 config on both looks OK - any specific reason why for vlan 6 you are using a /16? I would probably go down to a /24

HTH.

Hi,

3750 to ASA (trunk) = interface FastEthernet1/0/1

3750 to 3560 (trunk) = interface FastEthernet1/0/2

Yeah, i've been meaning to chage it to /24 it's more tidy, plus is it better for broadcasts?

In the 3750 - int fa 1/0/2 change from switchport to trunk port.

Yep - and it gives you 255 address back for something else!

As long as the 3750 connects onto port 1/0/2 on the other switch?

Little confused...sorry

Can you explain again,

3750 to ASA (trunk) = 3750 interface FastEthernet1/0/1

3750 to 3560 (trunk) = 3750 interface FastEthernet1/0/2

FastEthernet1/0/2 on the 3750 plugs into FastEthernet0/1 on the 3560.

Sorry - I confused myself on which device was connected to which port. Can you try the following on the 3560:-

Paste in this order.....

ip default-gateway 172.24.0.250

no ip routing

Can you also post you asa config - sanitised of course, remove anyt password's, external IP addresses etc?

Tried:

ip default-gateway 172.24.0.250

no ip routing

But no luck. If it helps the server that are patched into the 3560 I can get onto from my PC and access their C$ and remote desktop them, it's just managing the 3560 via SSH or telnet.

The ASA config is so huge can I just ask what part you may ned to help you?

Port 2 on the ASA is the trunk port to the 3750, so I have many virtual VLANS i suppose (not sure of the proper word), here is the config for the trunk:

interface GigabitEthernet0/2.6

vlan 6

security-level 10

ip address 172.24.0.100 255.255.0.0 standby 172.24.0.249

ospf cost 10

Although I didn't configure msot of this ASA I see the standby address is the same as this switch! I did remove it but stil no luck.

Can you ping from the 3560 to the ASA??

Have you any acl's on the ASA that would block you from getting to the 3560?

I can't ping the firewalls inside address of 128.101.10.50 but I can ping 172.24.0.100 which is the VLAN gateway on the firewall.

Just added an IP any any each way and still nothing.

Tried Packet tracer on the ASA and it beleives it can get through to the 3560:

192.168.90.5 is me

"packet-tracer input inside tcp 192.168.90.5 172.24.0.248 telnet"

Strange thing is, I have just logged onto the ASA via telnet then type ping 172.24.0.249:

ping 172.24.0.249

Sending 5, 100-byte ICMP Echos to 172.24.0.249, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Double check your NAT and all your acl's that filter!!

I have a NAT exempt from my PC's IP to 172.24.0.0 /24 and ACE's from my IP (inside) to 172.24.0.0.24 which is totally open and the opposite rule so 172.24.0.0/24 (on the DMZ_webservers interface) to my IP on any port.

I can get to the servers on 172.24.0.0/24 from my PC so I know the rules are working, but van't telnet to 172.24.0.249.

I can only telnet to the 3560 fromthe 3750 (128.101.10.52) and any 172.24.0.0/24 client in that the 3560 switch.