I have a 3com multilayer 3226 switch that has 2 vlans, vlan 1 with network address 192.168.1.0 and a gateway address of 192.168.1.11 and vlan 2 with a network address of 192.168.4.0 and a gateway address of 192.168.4.1. I have a pix that is connected to vlan 1 with the internal interface address of 192.168.1.1. If I plug a workstation into vlan 1 it can connect to the internet fine, but I just cannot get a workstation from vlan 2 to connect to the internet. The workstations between vlan 1 and vlan 2 can ping each other. If I try to ping the inside interface of the pix from both vlans I can see the pix trying to reply to the workstations on both vlans because I have enabled the debug command on the pix. If I try to ping the outside interface of the pix I see the pix trying to reply to vlan 1 but not vlan 2. If I remove the route statement on the pix that is pointing to vlan 2 and try to ping the pix I keep getting a message "no route found". I am just wondering if I am missing something. I am also attaching the pix config. Any help will be greatly appreciated.
I think there's a missing default route in your 3226 pointing at 192.168.1.1; the configuration of your Pix looks OK. The reason why Vlan 1 can connect to the internet is that by default there's proxy arp on the interface, that's why vlan 1 is ok. It's on the same subnet and the pix responds that it knows the way out. But on vlan 2, a different subnet, it can't respond; it's the 3226 that should do the routing from vlan 2 to the gw (pix).
I did add a default gateway on the switch that points to the pix internal address of 192.168.1.1. Although I added it on vlan1, I don't think that should make a difference. It seems I just hit a wall. I don't know where to go from here. Any more help would be greatly appreciated.
the pix config seems very straight forward.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
with this command, the pix will pat all traffic regardless of the source address. i believe the issue is more likely with the 3com switch.
I did add this command nat (inside) 1 0.0.0.0 0.0.0.0 0 0 on the pix. I also created a route inside statement on the pix that points to the ip address of the port on the switch that is connected to the pix. On the switch I configured it to use the router inside interface as its gateway. I talked to 3com tech support and we did some testing on the switch and they told me that it is working fine.
Thanks for all the help guys.
when you try to ping the pix internal interface from vlan2, do you get any response?
to identify the issue, you can replace the pix with your laptop. then try to ping your laptop from vlan2. if it works, then the issue is with pix, otherwise the issue is with 3com switch.
When I ping the pix internal interface from vlan2 I always get a reply. That is why 3com thought that their switch is fine. I am wondering if I have to create an access list. When I try to ping the pix outside interface from vlan1 I don't get a reply, but I have debugging enabled on the pix and I can see the pix translating the global address to the workstation address on vlan1. When I do the same thing from a workstation on vlan2 I don't see a translation on the pix. I don't get a reply from either vlan when I try to ping the outside interface because I am not sure how to set up the pix outside interface to reply to pings.
If I connect a workstation to vlan1 I can ping from vlan2 and get a reply and vice versa.
Can you please tell me if this is what I need on the pix to make it work - a route inside statement on the pix inside interface that points to the interface of the switch that is directly connected to the pix, along with the nat command that you mentioned earlier? Thanks again Jackko.
"When i try to ping the pix outside interface from vlan1 i don't get a reply". it's normal as pix doesn't allow pinging from one segment to another segment interface.
with the pix config, you definitely need the route inside statement.
i suggest you do the following:
1. do "de ic t" on the pix
2. ping any internet ip from vlan2 pc
3. verify the debug result from the pix
4. ping the vlan2 switch ip from the pix
5. ping the vlan2 pc from the pix
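Putting the replies above together, here is the shape of the two pieces they call for: a return route on the pix for the vlan2 subnet via the 3226's vlan1 address, next to the nat statement quoted earlier, and a default route on the 3226 toward the pix inside address. This is an added example, not the poster's attached config; the global statement and the ISP next hop are assumptions, since the attached config is not shown here.

```cisco
! Added example (PIX 6.x syntax), not the poster's attached config.
! Addresses from the thread: pix inside 192.168.1.1, 3226 vlan1 address 192.168.1.11,
! vlan2 subnet 192.168.4.0/24.

! PAT every inside source address (the statement quoted in the thread).
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! Assumed: translate to the outside interface address.
global (outside) 1 interface

! Return route for vlan2: without this the pix reports "no route found"
! for 192.168.4.x replies, because that subnet is not directly connected.
route inside 192.168.4.0 255.255.255.0 192.168.1.11 1
! Assumed placeholder for the ISP next hop on the outside interface.
route outside 0.0.0.0 0.0.0.0 <ISP-GATEWAY> 1

! On the 3226 (syntax depends on its firmware, shown as intent only):
!   default route 0.0.0.0/0 -> 192.168.1.1 (the pix inside address)
! Proxy arp lets vlan1 hosts find the pix without this; vlan2 hosts
! depend on the 3226 forwarding their packets to 192.168.1.1.
```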
I added the "de ic t" command on the pix and I pinged the vlan2 switch ip and the vlan2 pc from the pix and it worked fine. I can get a reply.
I even pinged the pix inside interface again from the pc on vlan2 and I can get a reply, but when I try to ping www.bline.ca I can't see anything happening on the pix. I can ping this interface on our network which is on another pix. On the pc in vlan2 I get this message "ping request could not find host. Please check the name and try again."
It seems like the pix is not letting any traffic from the vlan2 pc get past its inside interface.
you mentioned "but when i try to ping www.bline.ca i can't see anything happening on the pix".
if you can't see anything from the pix, not even the request, that means the pix does not receive any packet from the vlan2 pc.
assuming the pix is blocking or dropping the icmp request from the vlan2 pc, you should still see the icmp request on the pix.
i would suggest that the layer3 switch isn't routing properly, as the pix hasn't received the packet from the vlan2 pc.