12-08-2008 03:06 AM - edited 03-06-2019 02:51 AM
Hello everyone,
I have a small problem I am hoping someone can offer some assistance with.
I have set up a test network using a pix 515e, and a 3750g switch. I have 1 interface on the pix in the 10.10.1.1 network, which is my internal lan. I have another interface on the pix with IP address 10.10.2.1, which is my DMZ network.
Both interfaces patch into the 3750g, the internal pix interface into port 1/0/1, and the DMZ interface into 1/0/15. Vlan 1 on the switch has IP address 10.10.1.250.
I also have 2 servers in vlan99 (dmz vlan) on the switch, which 1/0/15 is also a member of. Vlan 99 has IP address 10.10.2.250. The 2 servers have a default gateway of 10.10.2.1 (dmz interface on the pix). These 2 servers cannot ping the default gateway, but I can ping the servers from the switch.
There is only 1 route on the switch which is the default route to 10.10.1.1.
Does anyone know why I cannot reach the DMZ interface on the pix from the switch? ICMP is allowed on the pix interface.
Any assistance would be greatly appreciated.
Thanks
n
12-08-2008 04:56 AM
All of the first 4 points are correct.
The mac addresses do not appear in the arp cache on either of the servers or the firewall.
I cannot ping anything on the inside interface of the pix.
I have verified nothing is reaching the pix by observing the input/output counters as I send data.
DMZ interface is up/up.
12-08-2008 05:02 AM
Christopher
Can you try pinging the server from the pix ?
Can you post output of
"ipconfig /all" from the server you are using to test.
Can you post a "sh ip int brief" from the 3750 ?
Sorry to ask for all this info but it is needed.
Jon
12-08-2008 05:14 AM
I can't ping the server from the pix.
I can ping one server from another in the dmz, which goes through the 3750, but I can't ping the 3750 from the servers, on either the vlan 1 ip address, or the vlan 99 ip address (I have given vlan 99 an ip address in the 10.10.2.x range again). I can't ping the servers from the switch either.
ipconfig /all on server 1 reads:
ip address: 10.10.2.100
subnet mask: 255.255.255.0
default gateway: 10.10.2.1
primary dns: 10.10.1.50
secondary dns: 10.10.1.51
I can ping server 2 on address 10.10.2.101
12-08-2008 05:39 AM
Can you post the FULL config for the 3750g switch.
Jon
12-08-2008 05:48 AM
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname switch2
!
enable secret 5 $1$rMLz$axMm2ss8kb3k3f1
!
no aaa new-model
switch 1 provision ws-c3750g-48ts
system mtu routing 1500
vtp mode transparent
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan internal allocation policy ascending
!
vlan 5
name vMotion
!
vlan 29
name Colo Network
!
vlan 77
name Management
!
vlan 99
name DMZ
!
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
switchport access vlan 77
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 77
!
interface GigabitEthernet1/0/19
switchport access vlan 77
!
interface GigabitEthernet1/0/20
switchport access vlan 77
!
interface GigabitEthernet1/0/21
switchport access vlan 77
!
interface GigabitEthernet1/0/22
switchport access vlan 77
!
interface GigabitEthernet1/0/23
switchport access vlan 77
!
interface GigabitEthernet1/0/24
switchport access vlan 77
!
interface GigabitEthernet1/0/25
switchport access vlan 77
!
interface GigabitEthernet1/0/26
switchport access vlan 77
!
interface GigabitEthernet1/0/27
switchport access vlan 77
!
interface GigabitEthernet1/0/28
switchport access vlan 5
!
interface GigabitEthernet1/0/29
switchport access vlan 5
!
interface GigabitEthernet1/0/30
switchport access vlan 5
!
interface GigabitEthernet1/0/31
switchport access vlan 5
!
interface GigabitEthernet1/0/32
switchport access vlan 5
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
switchport access vlan 29
!
interface GigabitEthernet1/0/40
switchport access vlan 29
!
interface GigabitEthernet1/0/41
switchport access vlan 29
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
switchport access vlan 99
!
interface GigabitEthernet1/0/44
switchport access vlan 99
!
interface GigabitEthernet1/0/45
switchport access vlan 99
!
interface GigabitEthernet1/0/46
switchport access vlan 99
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
ip address 10.10.1.250 255.255.255.0
!
interface Vlan5
no ip address
!
interface Vlan77
no ip address
!
interface Vlan99
ip address 10.10.2.250 255.255.255.0
!
ip default-gateway 10.10.1.1
ip classless
no ip http server
!
!
!
control-plane
!
!
line con 0
password 7 121E551510075F
login
line vty 0 4
password 7 045C5B040D2D1F
login
line vty 5 15
login
!
end
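As an added example (not code from the thread, and not a Cisco tool), here is a small Python parser that reads an IOS switch config and reports which physical ports sit in which VLAN, so a DMZ segmentation claim such as "port 1/0/15 is in the DMZ VLAN" can be checked against the config rather than against memory. The sample config embedded in the script is a trimmed excerpt of the config posted above; the port number for the PIX DMZ interface (1/0/15) and the DMZ VLAN (99) are taken from the original post. Note that in the posted config Gi1/0/15 carries no `switchport access vlan 99` line, so the parser records it in VLAN 1, the IOS default for an access port.

```python
"""Parse a Cisco IOS switch config and report per-VLAN port membership.

Added example for the thread above, not part of the original post.
SAMPLE_CONFIG is a constructed excerpt of the posted 3750 config; only the
interfaces relevant to the question are kept.
"""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/17
 switchport access vlan 77
 switchport mode access
!
interface GigabitEthernet1/0/43
 switchport access vlan 99
!
interface GigabitEthernet1/0/44
 switchport access vlan 99
!
interface Vlan1
 ip address 10.10.1.250 255.255.255.0
!
interface Vlan99
 ip address 10.10.2.250 255.255.255.0
!
"""

PHYS_RE = re.compile(r"^interface ((?:Gigabit|Fast)Ethernet\S+)$")
SVI_RE = re.compile(r"^interface Vlan(\d+)$")


def parse_interfaces(config):
    """Return {name: {"vlan": int|None, "mode": "access"|"trunk"|"svi", "ip": str|None}}.

    A physical port with no 'switchport access vlan' line is recorded in
    VLAN 1, which is the IOS default for an access port.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = PHYS_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"vlan": 1, "mode": "access", "ip": None}
            continue
        m = SVI_RE.match(line)
        if m:
            current = "Vlan" + m.group(1)
            interfaces[current] = {"vlan": int(m.group(1)), "mode": "svi", "ip": None}
            continue
        if line == "!" or line.startswith("interface "):
            current = None          # end of block, or an interface type we ignore
            continue
        if current is None:
            continue
        entry = interfaces[current]
        if line == "switchport mode trunk":
            entry["mode"] = "trunk"
            entry["vlan"] = None    # a trunk carries tagged VLANs, not a single one
        elif line.startswith("switchport access vlan "):
            entry["vlan"] = int(line.rsplit(" ", 1)[1])
        elif line.startswith("ip address "):
            entry["ip"] = line.split()[2]
    return interfaces


def ports_in_vlan(interfaces, vlan):
    """Physical access ports configured in `vlan` (trunks and SVIs excluded)."""
    return sorted(name for name, e in interfaces.items()
                  if e["mode"] == "access" and e["vlan"] == vlan)


def check_gateway_port(interfaces, port, expected_vlan):
    """Check that the port a firewall interface patches into is an access port
    in the VLAN its IP subnet belongs to. Returns (ok, reason)."""
    e = interfaces.get(port)
    if e is None:
        return False, f"{port} is not present in the config"
    if e["mode"] == "trunk":
        return True, (f"{port} is a dot1q trunk; the firewall must tag VLAN "
                      f"{expected_vlan} or its frames land in the native VLAN")
    if e["vlan"] != expected_vlan:
        return False, f"{port} is an access port in VLAN {e['vlan']}, not VLAN {expected_vlan}"
    return True, f"{port} is an access port in VLAN {expected_vlan}"


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    for vlan in (1, 77, 99):
        print(f"VLAN {vlan}: {ports_in_vlan(ifs, vlan)}")
    # Port and VLAN as described in the original post.
    print(check_gateway_port(ifs, "GigabitEthernet1/0/15", 99))
```

Running the script against the excerpt lists Gi1/0/43 and Gi1/0/44 in VLAN 99 and Gi1/0/15 in VLAN 1, and the gateway check for Gi1/0/15 reports a VLAN mismatch. The same parser can be pointed at a full `show running-config` dump to confirm, after any re-patching, that every DMZ host port and the firewall's DMZ port are in the same VLAN and that no inside port has drifted into it.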
12-08-2008 05:53 AM
Just to rule out a switch issue can you
1) remove "ip default-gateway 10.10.1.1"
2) add "ip route 0.0.0.0 0.0.0.0 10.10.1.1"
3) enable ip routing on the 3750 eg "ip routing" and then retest ping from server in vlan 99 to vlan 99 interface on switch.
Jon
12-08-2008 06:25 AM
I have done all of the above.
I can now ping the switch from the servers, and the servers from the switch, but I still cannot ping the dmz interface from either the switch or the servers, or vice versa.
I also still cannot ping hosts on the internal network from the dmz servers.
Thanks
12-08-2008 06:36 AM
If you want to try and ping inside servers from DMZ
1) add this to pix config "static (inside,dmz) 10.10.1.0 10.10.1.0 netmask 255.255.255.0"
2) Shutdown the vlan 99 interface on your switch.
Jon
12-08-2008 07:11 AM
I unfortunately cannot do that right now.
I have just noticed one other thing though..
When I add the port on the 3750 that the pix dmz interface patches into to the dmz vlan it drops the entry from the cam table, but it still has an entry for the mac address associated with another port that connects to a management switch.
To clarify, port 43 on the switch is added to vlan 99 and instantly it loses that association in the cam table. There is another entry in the cam table to the dmz int mac-address via int 17 on the switch which connects to a management network.
12-08-2008 07:24 AM
Okay, that's not right. Are you sure the cables are connected correctly? It may be time to go back to basics. What happens if you allocate int 17 to vlan 99 ?
Jon
12-08-2008 05:15 AM
switch2#sh ip int b
Interface IP-Address OK? Method Status Protocol
Vlan1 10.10.1.250 YES NVRAM up up
Vlan5 unassigned YES NVRAM up up
Vlan77 unassigned YES NVRAM up up
Vlan99 10.10.2.250 YES manual up up
GigabitEthernet1/0/1 unassigned YES unset up up
GigabitEthernet1/0/2 unassigned YES unset up up
GigabitEthernet1/0/3 unassigned YES unset up up
<
GigabitEthernet1/0/15 unassigned YES unset up up
GigabitEthernet1/0/16 unassigned YES unset up up
GigabitEthernet1/0/17 unassigned YES unset up up
GigabitEthernet1/0/18 unassigned YES unset up up
GigabitEthernet1/0/19 unassigned YES unset up up
GigabitEthernet1/0/20 unassigned YES unset up up
GigabitEthernet1/0/21 unassigned YES unset up up
GigabitEthernet1/0/22 unassigned YES unset up up
GigabitEthernet1/0/23 unassigned YES unset up up
GigabitEthernet1/0/24 unassigned YES unset up up
GigabitEthernet1/0/25 unassigned YES unset up up
GigabitEthernet1/0/26 unassigned YES unset up up
GigabitEthernet1/0/27 unassigned YES unset up up
GigabitEthernet1/0/28 unassigned YES unset up up
GigabitEthernet1/0/29 unassigned YES unset up up
GigabitEthernet1/0/30 unassigned YES unset up up
GigabitEthernet1/0/31 unassigned YES unset up up
GigabitEthernet1/0/32 unassigned YES unset up up
GigabitEthernet1/0/33 unassigned YES unset up up
GigabitEthernet1/0/34 unassigned YES unset up up
GigabitEthernet1/0/35 unassigned YES unset up up
GigabitEthernet1/0/36 unassigned YES unset down down
GigabitEthernet1/0/37 unassigned YES unset down down
GigabitEthernet1/0/38 unassigned YES unset down down
GigabitEthernet1/0/39 unassigned YES unset up up
GigabitEthernet1/0/40 unassigned YES unset up up
GigabitEthernet1/0/41 unassigned YES unset up up
GigabitEthernet1/0/42 unassigned YES unset down down
GigabitEthernet1/0/43 unassigned YES unset up up
GigabitEthernet1/0/44 unassigned YES unset up up
GigabitEthernet1/0/45 unassigned YES unset up up
GigabitEthernet1/0/46 unassigned YES unset up up
GigabitEthernet1/0/47 unassigned YES unset down down
GigabitEthernet1/0/48 unassigned YES unset down down
GigabitEthernet1/0/49 unassigned YES unset down down
GigabitEthernet1/0/50 unassigned YES unset down down
GigabitEthernet1/0/51 unassigned YES unset down down
GigabitEthernet1/0/52 unassigned YES unset down down
12-08-2008 05:52 AM
One other thing..
The pix knows that the 10.10.2.0 network is directly connected to it out of its dmz interface, but I can't ping 10.10.2.250 (dmz vlan ip address on the switch) from the pix.