07-10-2008 04:24 AM - edited 03-06-2019 12:07 AM
Hi,
I have a Cisco ASA firewall, trunked off this I have a Cisco 3750 (128.101.10.52/16) which I can access via telnet from my PC.
Now off the 3750 I have trunked a 3560 (172.24.0.249/16) which I can't access from my PC although I can access it via a telnet session from the 3750.
I have tried adding the "ip route" to the 3750 or ASA's IP but I still can't access.
What do you need from me for you to be able to help?
The IP route on the 3750 is 0.0.0.0 0.0.0.0 128.101.10.71, which is our core LAN switch. The 3750 can ping this; I assume the 3560 needs to ping this too, which it can't. It's like the 3750 is not passing the traffic through. I know it is, because I have lots of servers on the 3560 which I can access.
Thanks
07-10-2008 05:10 AM
Andy,
Can you supply the config of both switches? That would be a good start.
07-10-2008 06:59 AM
07-10-2008 07:07 AM
Andy,
Physically - on the 3750, which port is connected to the ASA? Which port is connected to the 3560?
Layer 2 config - on the 3750 I can only see one trunk port configured, 1/0/1?
Layer 3 config on both looks OK - any specific reason why for vlan 6 you are using a /16? I would probably go down to a /24.
HTH.
07-10-2008 07:15 AM
Hi,
3750 to ASA (trunk) = interface FastEthernet1/0/1
3750 to 3560 (trunk) = interface FastEthernet1/0/2
Yeah, I've been meaning to change it to /24, it's more tidy; plus, is it better for broadcasts?
07-10-2008 07:19 AM
In the 3750 - int fa 1/0/2 change from switchport to trunk port.
Yep - and it gives you 255 addresses back for something else!
07-10-2008 07:21 AM
As long as the 3750 connects onto port 1/0/2 on the other switch?
07-10-2008 07:58 AM
Little confused... sorry.
Can you explain again?
3750 to ASA (trunk) = 3750 interface FastEthernet1/0/1
3750 to 3560 (trunk) = 3750 interface FastEthernet1/0/2
FastEthernet1/0/2 on the 3750 plugs into FastEthernet0/1 on the 3560.
07-10-2008 10:49 AM
Sorry - I confused myself on which device was connected to which port. Can you try the following on the 3560:-
Paste in this order.....
ip default-gateway 172.24.0.250
no ip routing
Can you also post your ASA config - sanitised of course, remove any passwords, external IP addresses etc?
07-11-2008 04:24 AM
Tried:
ip default-gateway 172.24.0.250
no ip routing
But no luck. If it helps, the servers that are patched into the 3560 I can get onto from my PC and access their C$ and remote desktop to them; it's just managing the 3560 via SSH or telnet.
The ASA config is so huge, can I just ask what part you may need to help you?
Port 2 on the ASA is the trunk port to the 3750, so I have many virtual VLANs I suppose (not sure of the proper word). Here is the config for the trunk:
interface GigabitEthernet0/2.6
vlan 6
security-level 10
ip address 172.24.0.100 255.255.0.0 standby 172.24.0.249
ospf cost 10
Although I didn't configure most of this ASA, I see the standby address is the same as this switch! I did remove it but still no luck.
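Two things in this thread are easy to get wrong by eye: which gateway a Catalyst switch actually uses for its reply traffic (IOS honours "ip default-gateway" only while "no ip routing" is in effect, and honours "ip route" statements only while "ip routing" is enabled, so a switch with both configured is using only one of them), and whether two devices claim the same address (here the ASA's standby address on vlan 6 matches the 3560's SVI). The script below is an added example, not code from any poster or from Cisco; the three config snippets are constructed to resemble the devices described in the thread, and the hostnames and the "sw3560"/"sw3750"/"asa" labels are assumptions.

```python
import ipaddress
import re

# Constructed sample configs that mirror the devices in the thread. They are
# assumptions for this example, not the posters' actual running configs.
SWITCH_3560_CFG = """
hostname sw3560
no ip routing
ip default-gateway 172.24.0.250
interface Vlan6
 ip address 172.24.0.249 255.255.0.0
"""

SWITCH_3750_CFG = """
hostname sw3750
ip routing
ip route 0.0.0.0 0.0.0.0 128.101.10.71
interface Vlan1
 ip address 128.101.10.52 255.255.0.0
interface Vlan6
 ip address 172.24.0.250 255.255.0.0
"""

ASA_CFG = """
hostname asa
interface GigabitEthernet0/2.6
 vlan 6
 security-level 10
 ip address 172.24.0.100 255.255.0.0 standby 172.24.0.249
"""

# "ip address A MASK [standby B]" covers both IOS SVIs and ASA sub-interfaces.
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+)(?: standby (\S+))?$")


def parse_config(text):
    """Pull out the handful of lines that decide where a reply packet goes."""
    cfg = {
        "hostname": None,
        "routing": False,        # Catalyst 3560/3750 ship with routing off; "ip routing" turns it on
        "default_gateway": None,
        "static_routes": [],     # (network, next_hop)
        "connected": [],         # subnets of configured interface addresses
        "addresses": [],         # every address claimed, including ASA standby addresses
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            cfg["hostname"] = line.split()[1]
        elif line == "no ip routing":
            cfg["routing"] = False
        elif line == "ip routing":
            cfg["routing"] = True
        elif line.startswith("ip default-gateway "):
            cfg["default_gateway"] = line.split()[2]
        elif line.startswith("ip route "):
            _, _, dst, mask, next_hop = line.split()[:5]
            cfg["static_routes"].append(
                (ipaddress.ip_network(f"{dst}/{mask}", strict=False), next_hop))
        else:
            m = IP_ADDR_RE.match(line)
            if m:
                addr, mask, standby = m.groups()
                cfg["addresses"].append(addr)
                cfg["connected"].append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
                if standby:
                    cfg["addresses"].append(standby)
    return cfg


def effective_gateway(cfg, destination):
    """Where a packet to `destination` leaves the device, following IOS rules.

    With "no ip routing" the switch behaves like a host: only "ip default-gateway"
    is consulted and any "ip route" lines are ignored. With "ip routing" it is the
    reverse: static routes are used (longest match) and "ip default-gateway" is
    ignored. Returns "connected" for a local subnet, a next-hop address, or None
    when the device has nowhere to send the packet.
    """
    dst = ipaddress.ip_address(destination)
    if any(dst in net for net in cfg["connected"]):
        return "connected"
    if not cfg["routing"]:
        return cfg["default_gateway"]
    best = None
    for net, next_hop in cfg["static_routes"]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def duplicate_addresses(*cfgs):
    """Addresses claimed by more than one device (e.g. an ASA standby address
    colliding with a switch SVI), mapped to the hostnames that claim them."""
    owners = {}
    for cfg in cfgs:
        for addr in cfg["addresses"]:
            owners.setdefault(addr, []).append(cfg["hostname"])
    return {addr: hosts for addr, hosts in owners.items() if len(hosts) > 1}


if __name__ == "__main__":
    sw3560 = parse_config(SWITCH_3560_CFG)
    sw3750 = parse_config(SWITCH_3750_CFG)
    asa = parse_config(ASA_CFG)
    mgmt_pc = "192.168.90.5"  # the poster's PC, as given in the thread
    print("3560 replies to the PC via:", effective_gateway(sw3560, mgmt_pc))
    print("3750 replies to the PC via:", effective_gateway(sw3750, mgmt_pc))
    print("addresses claimed twice:", duplicate_addresses(sw3560, sw3750, asa))
```

Feed it the real "show running-config" output of each device and it will say, for the management PC's address, which next hop each switch's reply leaves on and which addresses are configured in more than one place; a switch that reports None for the PC, or a shared SVI/standby address, is a fault that no ACL or NAT rule on the ASA will fix.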
07-11-2008 04:33 AM
Can you ping from the 3560 to the ASA?
Have you any acl's on the ASA that would block you from getting to the 3560?
07-11-2008 04:52 AM
I can't ping the firewall's inside address of 128.101.10.50, but I can ping 172.24.0.100, which is the VLAN gateway on the firewall.
Just added an IP any any each way and still nothing.
Tried packet-tracer on the ASA and it believes it can get through to the 3560:
192.168.90.5 is me
"packet-tracer input inside tcp 192.168.90.5 172.24.0.248 telnet"
07-11-2008 05:08 AM
Strange thing is, I have just logged onto the ASA via telnet, then typed ping 172.24.0.249:
ping 172.24.0.249
Sending 5, 100-byte ICMP Echos to 172.24.0.249, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
07-11-2008 05:27 AM
Double check your NAT and all your acl's that filter!!
07-11-2008 05:41 AM
I have a NAT exempt from my PC's IP to 172.24.0.0/24, and ACEs from my IP (inside) to 172.24.0.0/24 which is totally open, and the opposite rule so 172.24.0.0/24 (on the DMZ_webservers interface) to my IP on any port.
I can get to the servers on 172.24.0.0/24 from my PC, so I know the rules are working, but I can't telnet to 172.24.0.249.
I can only telnet to the 3560 from the 3750 (128.101.10.52) and from any 172.24.0.0/24 client on that 3560 switch.