cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1190
Views
0
Helpful
7
Replies

I need to all icmp through the ACE to servers behind the ACE

shday
Level 1
Level 1

I have been trying to figure this out and I've made several attempts at a configuration that will work, but I just don't get it.  Here's what I have configured.  I'm trying to ping from a server outside of the ACE to a server on vlan 308.  I send my ICMP it should ingress through vlan 302 and hit the server on vlan 308.  Instead I get nothing and I see no traffic hits on my policy or from the show icmp statistics.  I am able to ping the IP addresses on vlan 302 but nothing on the inside.

access-list icmp line 10 extended permit icmp any any

class-map match-all icmp-allow-inspect

  2 match access-list icmp

policy-map multi-match icmp-allow-inspect-mmpl

  class icmp-allow-inspect

    inspect icmp error

interface vlan 302 --------- public facing VIPs- ingress

  ip address 71.113.93.37 255.255.255.224

  alias 71.113.93.36 255.255.255.224

  peer ip address 71.113.93.38 255.255.255.224

  service-policy input mgmt

  service-policy input icmp-allow-inspect-mmpl

  no shutdown

interface vlan 308 ---------- server - L2

  ip address 10.60.22.130 255.255.255.192

  alias 10.60.22.129 255.255.255.192

  peer ip address 10.60.22.131 255.255.255.192

  service-policy input icmp-allow-inspect-mmpl

  no shutdown

7 Replies 7

jsirstin
Level 1
Level 1

If this ICMP traffic is just being routed by the ACE could you try appling an access-list to each interface that allows ICMP

traffic?

Sample:

access-list anyone extended permit ip any any

Interface vlan 308

access-group input anyone

interface vlan 302

access-group input anyone

Regards

Jim

I tried that already, that was my original configuration

I have a few additional questions.

Do you have a layer 3 interface other than the ACE on vlan 302?

If you do not have any other layer 3 interface do you have a route pointing to the ACE on vlan 308 as the next hop to get to the server?

What gateway does the server you are trying to ping on vlan 302 use?

Jim

question 1 - not from the outside.  All other vlans are layer 2

question 2 - I do have a route on my upstream router to vlan 308 via the alias address on vlan 302.

question 3 - the gateway on all the servers on vlan 302 is the alias address.

I also tried to ping the ip address on int vlan 308 and I can't ping that either.

If you have the proper routing to get traffic to the client side of the ACE, and the servers use the server vlan as the default gateway all you should need is the following to allow a ping to route through the ACE.

An ACL allowing traffic into the interfaces, and a default route so the ACE knows how to forward the reply traffic back to the client.

If you have the ACL applied and a default gateway can you get a sniff to confirm that the pings are arriving at the ACE alias?

Thank you

Jim

I ran a capture and I see the traffic hit the ingress interface of the ACE, but it never gets passed to the backend server vlan.  The icmp is recieved and the connection is closed, but then I get 4 more packets marked PKT_XMT then the packet is dropped.  The capture was done on the ingress vlan.  If I do a capture on the server side vlan I get nothng at all in the capture.

0001: msg_type: PKT_RCV

ace_id: 6809            action_flag: 0x13

src_addr: 74.113.193.34            src_port: 53575

dst_addr: 10.62.222.136            dst_port: 2048

l3_protocol: 0          l4_protocol: 1

0002: msg_type: CON_CLOSE

con_id: 1345505684       out_con_id: 271763861

src_addr: 74.113.193.34            src_port: 53575

dst_addr: 10.62.222.136            dst_port: 2048

l3_protocol: 0          l4_protocol: 1

0003: msg_type: PKT_XMT

con_id: 1345505684              other_con_id: 0

0011: msg_type: PKT_XMT

con_id: 1345505684              other_con_id: 0

0019: msg_type: PKT_XMT

con_id: 1345505684              other_con_id: 0

0029: msg_type: PKT_XMT

con_id: 1345505684              other_con_id: 0

0037: msg_type: PKT_DROP

con_id: 1345505684           reason: 0

src_addr: 74.113.193.34            src_port: 53575

dst_addr: 10.62.222.136            dst_port: 2048

l3_protocol: 0          l4_protocol: 1

This is my access list and its applied globally with the access-group input ALL command.  I also have my default gateway pointing back to my upstream router and there are no other routes on the ACE.  I can ping the ingress interface from my upstream router and I can ping my gateway from the ACE.  I can ping my backend server from the ACE, but not from anything outside the ACE.  I can not ping anything behind my ACE module.

access-list ALL line 12 extended permit icmp any any

access-list ALL line 18 extended permit ip any any

Sharon,

I see you opened a TAC case on this issue. I am looking at the capture icmp.pcap. Can you confirm who owns the mac address 00.0b.fc.fe.1b.14 and 00.24.e8.5f.9a.20 and what were you spanning when you took the capture? If it is the ACE that owns the mac 00.0b.fc.fe.1b.14 then it looks like the packets are being passed through and I would suggest setting up a capture directly on the server interface to verify if it is receiving them.

Thank you

Jim

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: