ACL Ping route Problem.

Answered Question
Aug 11th, 2010

Hello Everybody,


I have this problem:


I have 4 VLANs in the 3500 switch, also a DHCP server. The routes between VLANs are OK.


A PC in VLAN40 gets a valid IP address, 10.0.40.x/24. My default gateway for Internet is the ASA, which has 10.0.10.3/24. I configured a static route in my 3500:


3500:

   10.0.0.0/24  is subnetted, 4 subnets

C  10.0.40.0  is directly connected, Vlan 40

C  10.0.10.0  is directly connected, FastEthernet 0/1  --> (10.0.10.2)

S* 0.0.0.0/0  [1/0] via 10.0.10.3


In my ASA I configured a static route for


ASA:

S  10.0.40.0/24 [1/0] via 10.0.10.2



I have a DNS server on 10.0.10.5/24


I can ping from VLAN40 (10.0.40.x) to 10.0.10.2 (3500 interface), I can ping from a PC in VLAN 40 (10.0.40.x) to 10.0.10.1 (default gateway), I can ping from VLAN40 to 72.163.4.161 (Cisco website IP address), I cannot ping from VLAN 40 to www.cisco.com, and I cannot ping from VLAN 40 to 10.0.10.5 (DNS server).


Thank you.

Jon Marshall Wed, 08/11/2010 - 08:55

goransh_pc wrote:


Hello Everybody,


I have this problem:


I have 4 VLANs in the 3500 switch, also a DHCP server. The routes between VLANs are OK.


A PC in VLAN40 gets a valid IP address, 10.0.40.x/24. My default gateway for Internet is the ASA, which has 10.0.10.3/24. I configured a static route in my 3500:


3500:

   10.0.0.0/24  is subnetted, 4 subnets

C  10.0.40.0  is directly connected, Vlan 40

C  10.0.10.0  is directly connected, FastEthernet 0/1  --> (10.0.10.2)

S* 0.0.0.0/0  [1/0] via 10.0.10.3


In my ASA I configured a static route for


ASA:

S  10.0.40.0/24 [1/0] via 10.0.10.2



I have a DNS server on 10.0.10.5/24


I can ping from VLAN40 (10.0.40.x) to 10.0.10.2 (3500 interface), I can ping from a PC in VLAN 40 (10.0.40.x) to 10.0.10.1 (default gateway), I can ping from VLAN40 to 72.163.4.161 (Cisco website IP address), I cannot ping from VLAN 40 to www.cisco.com, and I cannot ping from VLAN 40 to 10.0.10.5 (DNS server).


Thank you.


Where is the DNS server connected, and which VLAN is the DNS server supposed to be in?


Can you post the config of fa0/1 on the 3550 switch?


Jon

goransh_pc Wed, 08/11/2010 - 09:10

Hello Jon,


This is my fa0/1 in the 3550 Switch


show interface fa0/1


FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0013.0379.1900 (bia 0013.0379.1900)
  Internet address is 10.0.10.2/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is unknown media type
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 14000 bits/sec, 24 packets/sec
  5 minute output rate 2000 bits/sec, 3 packets/sec
     74056 packets input, 6529404 bytes, 0 no buffer
     Received 71170 broadcasts (18 IP multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 36202 multicast, 0 pause input
     0 input packets with dribble condition detected

     3761 packets output, 360259 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out


I configured this interface with


3550:

interface fa0/1

no switchport

ip address 10.0.10.2 255.255.255.0

no shutdown



The DNS server is on the network 10.0.10.0/24; this network is in VLAN 10 for servers.


The ASA is in the same network and has the IP address 10.0.10.3; the DNS server is 10.0.10.5 and the 3550 switch is 10.0.10.2.

Nagaraja Thanthry Wed, 08/11/2010 - 08:59

Hello,


I am assuming that you are using an ASA5505 and the DNS server is connected to one of the ports on the ASA. Can you set the default gateway of the DNS server to 10.0.10.2 instead of 10.0.10.3? Also, who is 10.0.10.1 (default gateway)? Did you mean to say 10.0.10.3?


Changing the default gateway of the DNS server to 10.0.10.2 (3500 IP) will ensure that the firewall does not interfere with intervlan traffic.


Hope this helps.


Regards,


NT

Correct Answer
Jon Marshall Wed, 08/11/2010 - 09:02

NT


I was actually wondering if the DNS server is connected to the switch and that the problem is that the fa0/1 port is a routed port and so the rest of the 10.0.10.x network is "closed off" on the switch.


If so i was going to suggest simply -


int fa0/1

no ip address

switchport access vlan


int vlan

ip address


Edit - actually scratch this, as the PC wouldn't be getting an IP if it was set up as above, my mistake.


Jon


goransh_pc Wed, 08/11/2010 - 09:16

Hello NT,


For the 10.0.10.1 (default gateway) it was my bad, I meant 10.0.10.3, sorry about that.


My DNS server has the default gateway 10.0.10.3 (ASA), and the ASA is connected to the L2 switch and from this switch to the other servers.


Thank you.

Jon Marshall Wed, 08/11/2010 - 09:20

But where physically is the DNS server located, i.e. what device is it connected to? Is it the 3550, the ASA or another switch? If another switch, how is that connected to the ASA/3550?


Jon

goransh_pc Wed, 08/11/2010 - 09:25

Hello Jon,


The ASA goes to the L2 switch; from the L2 switch it goes to the DNS server and to the 3550.


Thank you.

goransh_pc Wed, 08/11/2010 - 09:30

Thanks Jon and NT.


The problem is that my DNS server has the default gateway 10.0.10.3 (ASA) and it should have the 3550 IP, 10.0.10.2.


Thank you again!
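The root cause the thread converges on is asymmetric routing: the PC's request reaches the DNS server straight through the 3550, but the reply leaves the DNS server via its default gateway, the ASA, which then forwards it back to the 3550. A firewall sitting on only one half of a flow is exactly what "the firewall interferes with intervlan traffic" means. The route-lookup simulation below is an added example, not code from the thread or from Cisco; it models the routing tables the posters describe and shows the return path before and after the gateway change. The PC address 10.0.40.50, the 3550's VLAN 40 SVI 10.0.40.1, the ASA outside address 198.51.100.1 and the upstream next hop 198.51.100.254 are constructed assumptions (the thread only gives 10.0.40.x and the 10.0.10.x addresses), and NAT and firewall connection state are deliberately ignored so that only the routing decision is visible.

```python
import ipaddress

# Constructed model of the thread's topology: a PC in VLAN 40, the 3550 routing
# switch, the ASA firewall, the DNS server on 10.0.10.0/24 and a stand-in for
# the Internet. Addresses not given in the thread are assumptions (see lead-in).
# Each device is (set_of_own_addresses, [(prefix, next_hop)]); next_hop None
# means the prefix is directly connected, so the destination is delivered locally.


def make_topology(dns_gateway):
    """Build the routing tables; dns_gateway is the DNS server's default gateway."""
    return {
        "PC": ({"10.0.40.50"},
               [("10.0.40.0/24", None), ("0.0.0.0/0", "10.0.40.1")]),
        # 3550: VLAN 40 SVI (assumed 10.0.40.1), routed port fa0/1 = 10.0.10.2,
        # S* 0.0.0.0/0 via 10.0.10.3 as shown in the original post.
        "3550": ({"10.0.40.1", "10.0.10.2"},
                 [("10.0.40.0/24", None), ("10.0.10.0/24", None),
                  ("0.0.0.0/0", "10.0.10.3")]),
        # ASA: inside 10.0.10.3, S 10.0.40.0/24 via 10.0.10.2 as in the post,
        # outside address and upstream next hop assumed.
        "ASA": ({"10.0.10.3", "198.51.100.1"},
                [("10.0.10.0/24", None), ("10.0.40.0/24", "10.0.10.2"),
                 ("0.0.0.0/0", "198.51.100.254")]),
        # Stand-in for the Internet, owning the Cisco address pinged in the post.
        "INTERNET": ({"198.51.100.254", "72.163.4.161"},
                     [("198.51.100.0/24", None), ("0.0.0.0/0", "198.51.100.1")]),
        "DNS": ({"10.0.10.5"},
                [("10.0.10.0/24", None), ("0.0.0.0/0", dns_gateway)]),
    }


def owner_of(topology, ip):
    """Return the device that owns the given IP address."""
    for name, (addresses, _) in topology.items():
        if ip in addresses:
            return name
    raise KeyError(f"no device owns {ip}")


def lookup(routes, dst):
    """Longest-prefix match; returns the next hop (None = directly connected)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def trace(topology, src_device, dst_ip, max_hops=8):
    """Return the list of devices a packet traverses from src_device to dst_ip."""
    path = [src_device]
    current = src_device
    for _ in range(max_hops):
        addresses, routes = topology[current]
        if dst_ip in addresses:
            return path
        nexthop = lookup(routes, dst_ip)
        # Directly connected: hand the packet to whoever owns the destination;
        # otherwise hand it to the next-hop router.
        current = owner_of(topology, dst_ip if nexthop is None else nexthop)
        path.append(current)
    raise RuntimeError("hop limit exceeded (routing loop?)")


def round_trip(topology, src_device, src_ip, dst_ip):
    """Forward path from src to dst and the reply path from dst back to src."""
    fwd = trace(topology, src_device, dst_ip)
    rev = trace(topology, fwd[-1], src_ip)
    return fwd, rev


def is_symmetric(fwd, rev):
    """True when the reply retraces the forward path (no one-sided firewall hop)."""
    return list(reversed(rev)) == fwd


if __name__ == "__main__":
    for gw in ("10.0.10.3", "10.0.10.2"):
        topo = make_topology(gw)
        fwd, rev = round_trip(topo, "PC", "10.0.40.50", "10.0.10.5")
        print(f"DNS gateway {gw}: {' -> '.join(fwd)} | reply {' -> '.join(rev)}"
              f" | symmetric={is_symmetric(fwd, rev)}")
```

With the DNS server's gateway set to the ASA (10.0.10.3), the request path is PC -> 3550 -> DNS but the reply is DNS -> ASA -> 3550 -> PC, so the ASA sees only the reply half and the paths are asymmetric; with the gateway set to the 3550 (10.0.10.2) the reply is DNS -> 3550 -> PC and the flow never touches the firewall. The Internet ping from the post (72.163.4.161) is symmetric in both configurations, which is consistent with it working while the DNS ping failed.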

Jon Marshall Wed, 08/11/2010 - 09:31

goransh_pc wrote:


Hello Jon,


The ASA goes to the L2 switch; from the L2 switch it goes to the DNS server and to the 3550.


Thank you.


So you have


ASA (vlan 10) -> L2 switch -> (fa0/1) 3550


where the fa0/1 interface has an IP from the VLAN 10 subnet and the DNS server is connected to the L2 switch?


Jon
