Problem with the firewall

nelba_aldovino
Level 1

Hi All,


I have one 3750 and one 2960 switch.

My 3750 acts as the core switch.

I configured the 3750 to route to the firewall in order to have an Internet connection.

But the problem is I can ping the firewall, but I can't connect to the Internet.

What will be the possible reason, and how will I configure that?

9 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Have you configured default route in the switch? If not, please try the following:

Switch#configure terminal

Switch(config)#ip routing

Switch(config)#ip route 0.0.0.0 0.0.0.0

Also, please make sure that the firewall has NAT rules configured for your LAN subnets.

Hope this helps.

Regards,

NT

Yes, I have configured the ip route on the 3750.

The firewall that I use is the Linksys WRT610N.

It has default NAT, but I also configured a static route on the Linksys.

I can ping the LAN IP of the Linksys, but I can't ping its Internet IP.

What will I do?

Thank you!

Hello,

What is the IP of the Linksys and what is the IP range on your inside LAN?

Regards,

NT

Here's the configuration of the Linksys:

Internet IP address: 203.177.217.229
Subnet mask:         255.255.255.248
Gateway:             203.177.217.225
DNS:                 203.177.255.10

LAN IP:              172.25.74.71
Subnet:              255.255.255.0

Hello,

Can you please post your switch configuration here?

Regards,

NT

Here's the configuration of my 3750 switch:

ip subnet
ip routing
!
!
!
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 2-6 priority 0
!
!
vlan access-map ADMIN 10
 action forward
 match ip address ADMIN TO_SERVERS GLOBAL
vlan access-map PRODUCTION 10
 action forward
 match ip address PRODUCTION TO_SERVERS GLOBAL
vlan filter ADMIN vlan-list 4
vlan filter PRODUCTION vlan-list 5
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 172.25.74.64 255.255.255.0
!
interface Vlan3
 ip address 172.17.3.125 255.255.0.0 secondary
 ip address 172.25.72.64 255.255.255.0
!
interface Vlan4
 ip address 172.25.73.64 255.255.255.0
!
interface Vlan5
 ip address 172.25.71.64 255.255.255.0
!
interface Vlan6
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.25.74.71
ip http server
!
ip access-list extended ADMIN
 permit ip any 172.25.73.0 0.0.0.255
ip access-list extended GLOBAL
 deny   ip any 172.25.74.0 0.0.0.255
 deny   ip any 172.25.73.0 0.0.0.255
 deny   ip any 172.25.72.0 0.0.0.255
 deny   ip any 172.25.71.0 0.0.0.255
ip access-list extend
 permit ip any 172.25.74.0 0.0.0.255
ip access-list extended PRODUCTION
 permit ip any 172.25.71.0 0.0.0.255
ip access-list extended TO_INTERNETD
 permit ip 172.17.0.0 0.0.0.255 host 17.25.74.90
ip access-list extended TO_SERVERS
 permit ip any 172.25.72.0 0.0.0.255
 permit ip any 172.25.74.0 0.0.0.255
 permit ip host 172.25.71.66 host 203.177.217.229
!
radius-server source-ports 1645-1646
!

Hello,

The WRT610N (like most SOHO routers) is not capable of handling multiple subnets, and it does not NAT subnets that are not directly connected to its inside (LAN) interface. Please try changing the subnet mask of the WRT610N to /16. This will ensure that the WRT610N views the entire LAN behind the 3750 as directly connected to its LAN.

LAN IP: 172.25.74.71
Subnet: 255.255.0.0

Hope this helps.

Regards,

NT

The WRT610N has only 24-bit subnets.

It is not possible to set it to 16-bit.

Hello,

In that case, you need to either get a different device or change your addressing scheme on the VLANs so that all VLANs will have 172.25.74.x addresses.

interface Vlan2
 ip address 172.25.74.65 255.255.255.192
!
interface Vlan3
 ip address 172.25.74.1 255.255.255.192
!
interface Vlan4
 ip address 172.25.74.129 255.255.255.192
!
interface Vlan5
 ip address 172.25.74.193 255.255.255.192

This will work as long as you have fewer than 60 clients in each VLAN. You need to change your DHCP scopes accordingly and also change the access-lists.

Hope this helps.

Regards,

NT
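The two points NT makes above (a SOHO gateway only translates sources in the subnet directly connected to its LAN port, and the /26 readdressing plan has to fit inside that /24 without overlaps) can be checked mechanically before touching the switch. The script below is an added example, not part of the thread or of any Cisco or Linksys tooling. It models the WRT610N's NAT decision exactly as NT describes it (translate only when the source address lies inside the gateway's LAN subnet); that rule is an assumption taken from his post, not verified WRT610N firmware behaviour. The addresses are the ones posted in the thread; the names OLD_SVIS, NEW_SVIS and the helper functions are hypothetical.

```python
"""Check a VLAN readdressing plan against a SOHO gateway that NATs only
its directly connected LAN subnet (the behaviour NT describes above).

Added example for the thread; not Cisco, Linksys or the poster's code.
"""
import ipaddress

# From the thread: Linksys LAN IP is 172.25.74.71 and the box only
# accepts a 24-bit mask.
GATEWAY_LAN = ipaddress.ip_interface("172.25.74.71/24")

# The poster's current SVIs (from the posted running-config).
OLD_SVIS = {
    "Vlan2": "172.25.74.64/24",
    "Vlan3": "172.25.72.64/24",
    "Vlan4": "172.25.73.64/24",
    "Vlan5": "172.25.71.64/24",
}

# NT's proposed /26 plan, all carved out of 172.25.74.0/24.
NEW_SVIS = {
    "Vlan2": "172.25.74.65/26",
    "Vlan3": "172.25.74.1/26",
    "Vlan4": "172.25.74.129/26",
    "Vlan5": "172.25.74.193/26",
}


def soho_nats(src):
    """Assumed gateway rule (from NT's post): a packet is translated only
    when its source sits inside the gateway's own LAN subnet."""
    return ipaddress.ip_address(src) in GATEWAY_LAN.network


def nat_coverage(svis):
    """Map each VLAN to whether a client in it would be NATed, using the
    first usable host of the VLAN subnet as a representative client."""
    coverage = {}
    for name, cidr in svis.items():
        network = ipaddress.ip_interface(cidr).network
        coverage[name] = soho_nats(next(network.hosts()))
    return coverage


def validate_plan(svis, gateway=GATEWAY_LAN):
    """Return a list of problems with an SVI plan (empty when it is sound):
    every VLAN subnet must lie inside the gateway's LAN subnet, VLAN
    subnets must not overlap, and the gateway IP must fall inside exactly
    one VLAN subnet without colliding with that SVI's own address."""
    problems = []
    ifaces = {n: ipaddress.ip_interface(c) for n, c in svis.items()}

    for name, iface in ifaces.items():
        if not iface.network.subnet_of(gateway.network):
            problems.append(
                f"{name} {iface.network} is outside {gateway.network}; "
                "the gateway will not NAT it")

    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} and {b} overlap")

    holders = [n for n, i in ifaces.items() if gateway.ip in i.network]
    if len(holders) != 1:
        problems.append(
            f"gateway {gateway.ip} lies in {len(holders)} VLAN subnets, expected 1")
    elif ifaces[holders[0]].ip == gateway.ip:
        problems.append(
            f"gateway {gateway.ip} collides with the {holders[0]} SVI address")
    return problems


def usable_clients(cidr, gateway=GATEWAY_LAN):
    """Host addresses left for clients once the SVI address and (if it is
    in this subnet) the gateway address are taken out."""
    iface = ipaddress.ip_interface(cidr)
    hosts = set(iface.network.hosts()) - {iface.ip}
    hosts.discard(gateway.ip)
    return len(hosts)


if __name__ == "__main__":
    for label, plan in (("current", OLD_SVIS), ("proposed", NEW_SVIS)):
        print(f"{label} plan: NAT coverage {nat_coverage(plan)}")
        for problem in validate_plan(plan) or ["no problems"]:
            print(f"  {problem}")
    for name, cidr in NEW_SVIS.items():
        print(f"{name}: {usable_clients(cidr)} client addresses")
```

Run against the thread's numbers, the current plan reports only Vlan2 as NATed and flags Vlan3, Vlan4 and Vlan5 as outside the gateway's subnet, which matches the symptom in the thread (the Linksys LAN IP answers pings, but nothing behind the other SVIs reaches the Internet). The proposed plan passes every check and leaves 60 client addresses in Vlan2 (SVI plus gateway removed) and 61 in each of the others, which is where NT's "fewer than 60 clients" guidance comes from. The same pass should be repeated whenever the VACLs on the 3750 are rewritten, since the GLOBAL and TO_SERVERS lists still name the old /24 ranges.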
