Pls see attached diagram. This is the setup.
From the PC Vlan (vlan 200) able to ping other server on Vlan 300 except this server 172.19.100.101 & 172.19.100.102.
I don't know why can't ping this 2 server. I suspect because of this firewall but i don't about the configuration.
Please help me to verify
Below is the config of PIX
klccPix# sh run
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password fgDKmzUvSvGTzykR encrypted
passwd fgDKmzUvSvGTzykR encrypted
clock timezone MYT 8
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
name 172.19.100.23 Linux_File_Srv
name 172.19.0.0 IsetanKLCC_LAN
name 22.214.171.124 NECSAP_Admin
name 172.19.100.11 Database_Srv
name 172.29.0.0 isetanKLCC_LAN2
name 126.96.36.199 NECSAP_DB
name 188.8.131.52 NECSG
name 184.108.40.206 necare
name 220.127.116.11 OU_Mgmt
access-list inside_access_in permit tcp host Linux_File_Srv any
access-list inside_access_in permit tcp host Linux_File_Srv any eq domain
access-list inside_access_in permit udp host Linux_File_Srv any eq domain
access-list inside_access_in permit icmp host Linux_File_Srv any
access-list inside_access_in permit icmp host Database_Srv any echo-reply
access-list inside_access_in permit tcp host Database_Srv any object-group DB_ac
access-list inside_access_in permit tcp any any object-group Email_Services
access-list inside_access_in permit tcp any any eq domain
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in permit icmp any any
access-list inside_access_in permit tcp any any object-group Linux_Services
access-list inside_access_in permit tcp host 172.19.100.64 any
access-list outside_access_in permit tcp host NECSAP_Admin host 18.104.22.168 o
access-list outside_access_in permit tcp any host 22.214.171.124 eq https
access-list outside_access_in permit tcp any host 126.96.36.199 object-group ss
access-list outside_access_in permit icmp host NECSG host 188.8.131.52 log
access-list outside_access_in permit tcp host NECSG host 184.108.40.206 object-g
roup DB_access log
access-list outside_access_in permit icmp host 220.127.116.11 host 18.104.22.168
access-list outside_access_in permit tcp host 22.214.171.124 host 126.96.36.199
object-group DB_access log
access-list outside_access_in permit tcp object-group NEC_ASIA host 203.115.205.
28 object-group ssh_defined
access-list outside_access_in permit ip 172.19.100.96 255.255.255.240 interface
access-list outside_access_in permit tcp any host 188.8.131.52 object-group RD
access-list outside_access_in permit tcp any host 184.108.40.206 object-group RD
access-list outside_access_in permit tcp any host 172.19.100.20 eq https
access-list inside_outbound_nat0_acl permit ip any 172.19.100.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any host 220.127.116.11
access-list outside_cryptomap_dyn_20 permit ip any 172.19.100.96 255.255.255.240
logging trap warnings
logging facility 22
logging device-id string pixfirewall
logging host inside Linux_File_Srv
icmp permit host necare outside
icmp permit host 18.104.22.168 outside
icmp permit IsetanKLCC_LAN 255.255.0.0 inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 22.214.171.124 255.255.255.248
ip address inside 172.19.100.20 255.0.0.0
no ip address intf2
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool klccippool 172.19.100.96-172.19.100.99
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 126.96.36.199 Linux_File_Srv netmask 255.255.255.255 0
static (inside,outside) 188.8.131.52 Database_Srv netmask 255.255.255.255 0 0
static (inside,outside) 184.108.40.206 172.19.100.17 netmask 255.255.255.255 0 0
static (inside,outside) 220.127.116.11 172.19.100.64 netmask 255.255.255.255 0 0
static (inside,outside) 172.19.100.20 172.19.100.20 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1
route inside 172.19.100.64 255.255.255.255 172.19.100.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 172.19.100.64 255.255.255.255 inside
It seems there's no problem on your switch, As you are using Router-on-Stick for inter-vlan routing, problem might have occurred on 2811 router (as shinepothen said).
it helps if i can see your 2811 Isetan configuration.
Something else; You have not full connectivity with servers or just ping does not work?
I checked both of your switch and router. All of your ACLs, trunks and sub-interfaces look fine or at least i could not find faulty point.
Consider that running debug on ACLs and couple of show commands will be helpful.
Check firewall rules on your servers,
keep informing us.
That what i thought also..config of router and switch just fine.
The server firewall is fine also, as other server from 172.19.100.x able to ping and connect to the 172.19.100.101 & 102.
That why i suspect the firewall config might have to do with it....but im not really sure if it is correct or not
Really i couldn't figured out why i can't ping this specific IP address.
Is there any configuration at the router that prevent it?
check if you have some thing in the server which is blocking the things.
try to turn off your anti virus
turn off any proxy setting if you have any
turn off windows firewall
check all possibility from the server end to see if any thing is blocking.
hi, it would not be the (antivirus, proxy, windows firewall) because from VLAN 300 (PC, Server) able to ping to this specific host.
Only that from VLAN 200 it can't be ping though.
it just a staging server, normal..
Thanks providing the information.
now what I can suggest is
try to remove the current IP address from the server and try assigning a different IP from the same subnet.
put the servers IP address to some other machine or test machine and see if the communication is still working or not.
because we see the configuration is correct and them what is that stopping the communication from this host.
i can try that..but it is live environment server, i'll need to find time for downtime...
if it is not the router, not the switch, it could be the PIX that prevent the ping
From your diagram we can understand that the intervlan Routing is done by the router (Router on Stick).
Since you are trying to access the server's from with your network i do not think we need to check with the firewall configuration.
your switch provided in the diagram is L2 switch (access layer switch)
inorder to help you please post the configuration of your router
Configuration of Router
IOS and make and model number
Configuration of Switch
make,model number and IOS used.