03-10-2003 10:27 AM - edited 03-09-2019 02:26 AM
Hello - I have a 3640 that is segmenting 2 internal LANs. There are 2 fastethernet ports on the box. I can't ping one network from the other and vice versa. Even with all icmp access allowed in both directions. I can ping as far as the router on both sides though. The router can ping all clients on either side.
When I do a sh ip route, it shows both networks directly connected although it doesn't show 2 subnets subnetted. Also with various debug commands I see that packets are being dropped. Errors are no ip route, no source udp port, ip address is our interface, there is even an error saying wrong cable type.
Here is a copy of the config.
!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname 3640GW
!
enable
!
ip source-route
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
!
no ip inspect audit-trail
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect one-minute low 900
ip inspect one-minute high 1100
ip inspect max-incomplete low 900
ip inspect max-incomplete high 1100
ip inspect tcp max-incomplete host 50 block-time 0
!
interface fa 0/0
no shutdown
description connected to wireless
ip address 192.208.127.199 255.255.255.0
ip access-group 101 in
keepalive 10
!
interface fa 0/1
no shutdown
description connected to CORP
ip address 192.208.126.199 255.255.255.0
ip access-group 100 in
keepalive 10
!
! Access Control List 100
!
no access-list 100
access-list 100 deny ip 192.208.127.0 0.0.0.255 any
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit icmp any 192.208.127.0 0.0.0.255
!
! Access Control List 101
!
no access-list 101
access-list 101 deny ip 192.208.126.0 0.0.0.255 any
access-list 101 permit udp any eq rip any eq rip
access-list 101 permit icmp any 192.208.126.0 0.0.0.255
!
router rip
version 2
network 192.208.127.0
network 192.208.126.0
no auto-summary
!
!
ip classless
no ip http server
!
Any help is appreciated.
Gavin.
03-10-2003 04:36 PM
What exactly are you trying to allow here? In an ACL, "ip" includes "icmp", so the first lines in your ACLs 100 and 101 are denying the ICMP packets. The next two lines probably aren't doing anything since both UDP/RIP and ICMP are, as I mentioned, included in the "deny IP" on the first line.
In fact, your last line in each ACL is saying allow packets into the interface with a destination IP address of the other interface; this will never happen.
Actually, the more I look at this, it looks like you have the wrong ACL applied to each interface. If you apply ACL 100 to fa0/0 and 101 to fa0/1 then this'll probably do what you want it to do.
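First-match evaluation applied to ACL 100 as posted above, as an added example that is not part of the original thread: a small Python evaluator showing which entry decides a given packet, including the implicit deny that ends every IOS access list. The function names and sample packets are constructed for illustration, and the parser handles only the entry forms used in this config.

```python
import ipaddress

# ACL 100 exactly as posted in the thread above.
ACL_100 = """\
access-list 100 deny ip 192.208.127.0 0.0.0.255 any
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit icmp any 192.208.127.0 0.0.0.255
"""
RIP = 520  # the IOS keyword "rip" stands for UDP port 520

def take_addr(tok):
    """Consume 'any' or '<addr> <wildcard>'; None means any address."""
    if tok[0] == "any":
        return None, tok[1:]
    # ipaddress accepts a contiguous wildcard (host mask) after the slash.
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def take_port(tok):
    """Consume an optional 'eq <port>'; None means any port."""
    if tok[:1] == ["eq"]:
        return (RIP if tok[1] == "rip" else int(tok[1])), tok[2:]
    return None, tok

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        action, proto, *tok = line.split()[2:]  # skip "access-list <n>"
        src, tok = take_addr(tok)
        sport, tok = take_port(tok)
        dst, tok = take_addr(tok)
        dport, tok = take_port(tok)
        entries.append((line, action, proto, src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First matching entry decides; no match falls to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, action, p, snet, sp, dnet, dp in entries:
        if (p in ("ip", proto)
                and (snet is None or s in snet)
                and (dnet is None or d in dnet)
                and (sp is None or sp == sport)
                and (dp is None or dp == dport)):
            return action, line
    return "deny", "(implicit deny ip any any)"

if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    for pkt in [("icmp", "192.208.127.10", "192.208.126.10"),  # constructed packets
                ("icmp", "192.208.126.10", "192.208.127.10"),
                ("tcp", "192.208.126.10", "192.208.127.10")]:
        print(pkt, "->", evaluate(acl, *pkt))
```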
03-11-2003 08:26 AM
Hi - Just read this now. Had to install the router on site yesterday. You were right about the ACLs. I had just put them in to test basic routing and connectivity. There was also one other problem, a bad port on the switch that I had used in the test lab.
Thanks for your reply. I appreciate your response.
Thanks and regards,
Gavin.