Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

Traffic on logical interface travels on physical interface

Hi,

I am experiencing a weird problem on my PIX525. I defined a logical interface on one of my physical interfaces (see below):

-------------------------------

interface ethernet5 auto

interface ethernet5 vlan201 physical

interface ethernet5 vlan301 logical

nameif ethernet5 xprod1 security89

nameif vlan301 xe2estg1 security49

ip address xprod1 10.172.16.254 255.255.254.0

ip address xe2estg1 10.172.24.254 255.255.254.0

-------------------------------

We have remote VPN users (10.10.100.0; using Cisco VPN client) that needs to access servers in the 10.172.16.0 segment.

Whenever we performed ICMP echo from the remote users, I noticed that traffic from 10.172.16.0 was actually returning on the 10.172.24.0 interface!

This forced me to add a NAT rule on the 10.172.24.0 interface to allow remote users to ping devices on the 10.172.16.0 segment (see below)

-------------------------------

access-list nonatxe2estg1 permit ip 10.172.16.0 255.255.254.0 10.10.100.0 255.255.255.0

access-list nonatxe2estg1 permit ip 10.172.24.0 255.255.254.0 10.10.100.0 255.255.255.0

nat (xe2estg1) 0 access-list nonatxe2estg1

-------------------------------

Does anyone know why this is happening?

Need help urgently, thank you!!!!!

Joe

2 REPLIES

Re: Traffic on logical interface travels on physical interface

have you added the command ?

Enables access to an internal management interface on the firewall.

[no] management-access mgmt_if

show management-access

Syntax Description

mgmt_if

The name of the firewall interface to be used as the internal management interface.

Defaults

None.

Command Modes

The management-access mgmt_if command is available in configuration mode.

The show management-access is available in privileged mode.

Usage Guidelines

The management-access mgmt_if command enables you to define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The firewall interface names are defined by the nameif command and displayed in quotes, " ", in the show interface output.)

In PIX Firewall software Version 6.3, this command is supported for the following through an IPSec VPN tunnel only, and only one management interface can be defined globally:

•SNMP polls to the mgmt_if

•HTTPS requests to the mgmt_if

•PDM access to the mgmt_if

•Telnet access to the mgmt_if

•SSH access to the mgmt_if

•Ping to the mgmt_if

The show management-access command displays the firewall management access configuration.

Examples

The following example shows how to configure a firewall interface named "inside" as the management access interface:

pixfirewall(config)# management-access inside

pixfirewall(config)# show management-access

management-access inside

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1137951

sincerely

Patrick

New Member

Re: Traffic on logical interface travels on physical interface

Umm...doesn't sound related to my question, but thanks for the info anyway :)

106
Views
0
Helpful
2
Replies
CreatePlease to create content