05-20-2003 01:59 AM - edited 03-02-2019 07:28 AM
I have a problem. I have an L3 WS-C3550-SMI switch doing inter-VLAN routing between two segments, 192.168.253.0/24 and 192.168.2.0/24. Both segments are able to communicate with each other from their respective workstations.
My inside PIX IP is 192.168.253.10 and all my workstations are pointing to their respective VLAN IP addresses. The problem is that my workstations are unable to get to the internet since my gateway is not pointing to the PIX inside interface.
How should I configure this? Is there any routing I should do on the PIX, the L3 switch or the router?
05-20-2003 03:05 AM
Hi
On the L3 switch you need to configure a default route which points to the
firewall, like:
ip route 0.0.0.0 0.0.0.0 192.168.253.10
For the firewall you also need to route your internal networks. Because the
192.168.253.0 network is directly connected, you do not need to route this
network. But for the 192.168.2.0/24 network you have to install a route pointing
to the L3 switch.
Hope that helps
Roger
05-20-2003 08:01 AM
First of all, thanks for your response. How should I configure the route inside command in the PIX based on my network?
05-20-2003 11:58 AM
Hi
It should look like:
route inside 192.168.2.0 255.255.255.0 192.168.253.X
X means the IP address of the VLAN interface on the 3550 where you have
the inter-VLAN routing.
Hope that helps
Roger
05-20-2003 08:42 PM
Thanks again. The w/s in VLAN 1 don't have any problem, but those in VLAN 2 are unable to access the internet.
My gateway for w/s in VLAN 2 is pointing to 192.168.2.x (VLAN 2 IP).
Any more advice?
05-20-2003 10:34 PM
Hi
Is the following assumption correct?
VLAN 1 ==> 192.168.253.0/24 Gateway: 192.168.253.x on 3550
VLAN 2 ==> 192.168.2.0/24 Gateway: 192.168.2.x on 3550
VLAN 1 is also the one between the firewall and the router?
If it is like this, you only need a default route on the Cisco 3550 pointing to
the firewall and the two routes on the firewall pointing to the VLAN 1 GT address.
With this the routing is for sure in place.
Do you already have any restrictions on the firewall in place? Or is the NAT on the firewall not correct?
Regards
Roger
05-21-2003 12:41 AM
Thanks again. First of all, your assumption is correct.
I don't have any restriction on the firewall. My router is doing NAT since I'm using an ISDN DHCP connection. The connection from the router back to the firewall
is using 10.10.10.0/24, which is outside of the network, and I don't think it is much related since I was able to access the internet through my VLAN 1.
Any more advice, as I am already at a dead end.
05-21-2003 10:07 AM
Hi
Hard to tell from here, but if you have the routing in place as I posted before,
that should be o.k.
The only thing that I can now think of is that the NAT only translates the
addresses out of VLAN 1.
So check the NAT to see if you have an ACL in place there which translates only
addresses out of VLAN 1.
Roger
05-21-2003 05:30 PM
Well, anyway, thanks for your help and for so much advice.
BTW, my router is doing the NAT. This is my router config:
Current configuration : 1500 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco1721
!
enable password 7 14161008
!
memory-size iomem 25
ip subnet-zero
!
!
no ip domain lookup
!
!
isdn switch-type basic-net3
!
!
!
interface BRI0
description connected to Internet
no ip address
ip nat outside
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type basic-net3
no cdp enable
!
interface FastEthernet0
description connected to EthernetLAN
ip address 10.10.10.2 255.255.255.0
ip nat inside
speed auto
!
interface Dialer1
description connected to Internet
ip address negotiated
ip nat outside
encapsulation ppp
no ip split-horizon
dialer in-band
dialer string xxxxx
dialer hold-queue 10
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxx
ppp chap password 7 xxxxxx
ppp pap sent-username xxxx password xxxxx
!
router rip
version 2
passive-interface Dialer1
network 10.0.0.0
no auto-summary
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.253.0 255.255.255.0 10.10.10.1
no ip http server
!
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit any
dialer-list 1 protocol ip permit
no cdp run
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
exec-timeout 0 0
password 7 11081B06
login
line aux 0
line vty 0 4
password 7 12180714
login
!
end
05-21-2003 09:59 PM
Hi
Thanks for the config.
As I see, you have the 192.168.253.0/24 network routed towards 10.0.0.1, and
now just add also the 192.168.2.0/24 network.
I thought in the very early postings that you implemented the NAT on the firewall.
So I'm sure after you add the route it will work.
Regards
Roger
05-22-2003 11:22 PM
Hi buddy, millions of thanks, you're the man! I didn't notice the missing command as well.
05-22-2003 11:38 PM
Looks like it is working now, glad that I could help you.
Regards
Roger