Hello Cisco Gurus,
I'm not much of an expert on this device, and I am seeking help with regard to my simple issue; hopefully someone will be able to help. Basically I have a LAN IP range of 192.168.2.0/23 on our network. Since I am the System Admin of the company, I have created Application Control rules to restrict the end users specifically connected to LAN port 2, and I have created my own port on LAN 4 of the device, configured as DMZ with an IP pool of 192.168.100.0/23. Now, my problem is that I cannot reach the devices on the 2.0/23 subnet, not even with a ping command. I badly need to access these for my monitoring and configuration purposes. I am not so sure whether this falls under NAT routing, ACLs, or something else. Please ask questions if you need more clarification on our network scenario. Hope to find answers on this forum.
Thanks in advance,
Where is this deployed? On a Cisco ASA?
We need more details on where this is deployed.
Though initially, kindly refer to the following queries:
1. Verify if you have configured your policies to allow .100.0/23 to the .2.0/23 network
2. Is this deployed on a Cisco ASA? Note that the ASA is very strict with ICMP.
3. Assuming query no. 2, are your services working, e.g., can you visit your web service on the .2.0/23 network from your PC?
- You can also try doing RDP (Remote Desktop) to one of your computers/servers on .2.0/23 from your PC.
Sorry for the late reply. This is deployed on a Small Business ISA500 Series device. Please see my answers below:
1. Verify if you have configured your policies to allow .100.0/23 to the .2.0/23 network --- Nope, not much idea on how to do it.
2. Is this deployed on a Cisco ASA? Note that the ASA is very strict with ICMP --- Cisco ISA500 device
3. Assuming query no. 2, are your services working, e.g., can you visit your web service on the .2.0/23 network from your PC? ---- I can only visit the main router/firewall 192.168.2.1, which is the ISA500, from my laptop on the 100.0 subnet. Other than that, devices like 2.3, 2.4, etc. cannot be reached.
I am actually confused about where all these things are configured below:
a. ACL RULES under Firewall
b. NAT ROUTING/port forwarding
c. STATIC ROUTING under ROUTING TABLE/POLICY BASED ROUTING
Appreciate your reply! Thanks
It would really be best if you had background knowledge of how ACLs work, since otherwise it will really be hard to troubleshoot.
Anyway, the Cisco ISA is GUI based; access the ISA management and look at Firewall -> then Policies.
Verify if you have a policy to allow .100.0/23 to .2.0/23 and, if desired, the other way around as well.
Firstly, thanks for the prompt response. Yes, this is where my confusion begins. I have attached a screenshot of the ACL, and I did try the option below, but unfortunately it did not work. Please correct me if I am wrong.
From Zone: since I was sitting on the DMZ subnet, I selected it. Or... should I select LAN because I'm under the LAN subnet of the DMZ? Sorry for this.
To Zone: First I selected LAN, thinking that from the DMZ subnet (100.0) I would like to access those who are sitting in the LAN subnet (2.0),
and the rest of the options remain at ANY.
MATCH ACTION: PERMIT
Thanks in advance!
So basically, you have an 'any' to 'any' policy in your firewall. PS: That is actually not recommended; basically you just converted it to unsecure.
Anyway, for troubleshooting purposes, can you set your action to allow?
Also, put that policy at the very top of your policies, since policies are read from top to bottom. You may have deny statements in the middle. So again, for troubleshooting purposes, put that 'any' to 'any' policy with action 'permit' at the top of your policies.
Yes, the policy I've created automatically went to the top of all the policies, and it was on the permit selection. But I still cannot ping/access the 2.0 subnet.
FYI, 1st config:
From Zone: DMZ
To Zone: LAN
----SAVED AND NO LUCK------
From Zone: LAN
To Zone: WAN
----SAVED AND NO LUCK STILL------ :(
There might be other factors affecting that connection. Factors like NAT and PBR are most likely conflicting with that.
I'm guessing you are not that technical; I really suggest contacting your vendor for support with that device.
The problem is the device is already out of warranty, so I can't get support from the vendor anymore. I was handed the company's IT. The previous guy suddenly resigned from work, so here I am scratching my head and getting into the basics (trial and error scenario). :( So I'm here now looking for luck at the Cisco support forums.
Do it like this:
1. To be sure ICMP really gets to your computers
- Disable the firewall (I'm assuming it's Windows) on one computer in the .2.0/23 subnet and on your computer, which is in the .100.0/23 network
2. Verify your TCP/IP settings on the computers
- Make sure their IP does not conflict with anyone else's, their subnet mask is correct, which is /23, and their gateway is set
- I'm assuming your ISA is handling 2.1 and 100.1, correct? That is the gateway of the computers
3. Do a traceroute:
- On the .2.0/23 computer do a "tracert -d <IP OF YOUR .100.0/23 COMPUTER>"
- On your .100.0/23 computer do a "tracert -d <IP OF .2.0/23 COMPUTER>"
4. Lastly, on both computers do an "ipconfig /all"
Please attach the traceroute and ipconfig results.
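The two things this thread keeps coming back to are (a) the firewall policy order (a 'permit' only helps if nothing above it already matched and denied, and an unmatched flow hits the implicit deny at the bottom) and (b) the endpoint TCP/IP checks from the steps above (correct /23 mask, a default gateway, and that gateway actually inside the host's own subnet). The following Python script is an added example that models both checks for the thread's subnets; it is not ISA500 configuration or code from Cisco or from either poster. The zone names and the 192.168.2.0/23 and 192.168.100.0/23 subnets come from the thread; the rule format, the assumed gateways 192.168.2.1 / 192.168.100.1 and the sample hosts (including a switch with no gateway set) are constructed for illustration.

```python
"""Model of the DMZ (192.168.100.0/23) -> LAN (192.168.2.0/23) reachability problem.

Two independent checks, assumed and constructed for this example:
  1. endpoint_problems(): the TCP/IP sanity checks (mask, gateway present, gateway in subnet).
  2. evaluate_policy(): top-down, first-match evaluation of zone-based rules, which is why a
     'permit' must sit above any 'deny' that also matches the flow.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zones and subnets as described in the thread.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.2.0/23"),
    "DMZ": ipaddress.ip_network("192.168.100.0/23"),
}
EXPECTED_PREFIXLEN = 23


@dataclass(frozen=True)
class Host:
    name: str
    address: str            # address with the mask the endpoint itself is configured with
    gateway: Optional[str]  # None models a device with no default gateway set (assumption)


@dataclass(frozen=True)
class Rule:
    from_zone: str          # "LAN", "DMZ", "WAN" or "any"
    to_zone: str
    action: str             # "permit" or "deny"
    src: str = "any"        # "any" or a CIDR such as "192.168.2.0/24"
    dst: str = "any"


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the two known subnets is treated as WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def endpoint_problems(host: Host) -> List[str]:
    """Return the TCP/IP misconfigurations that would stop replies from leaving the subnet."""
    problems = []
    iface = ipaddress.ip_interface(host.address)
    if iface.network.prefixlen != EXPECTED_PREFIXLEN:
        problems.append(f"subnet mask is /{iface.network.prefixlen}, expected /{EXPECTED_PREFIXLEN}")
    if host.gateway is None:
        problems.append("no default gateway configured; replies to other subnets cannot leave")
    elif ipaddress.ip_address(host.gateway) not in iface.network:
        # The 'IP not in range' situation: a gateway that is not on the host's own subnet.
        problems.append(f"gateway {host.gateway} is not inside {iface.network}")
    return problems


def _matches(selector: str, ip: str) -> bool:
    return selector == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(selector)


def evaluate_policy(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First matching rule wins (top to bottom); no match means the implicit deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for index, rule in enumerate(rules):
        if (rule.from_zone in ("any", src_zone) and rule.to_zone in ("any", dst_zone)
                and _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip)):
            return rule.action, index
    return "deny", None


def diagnose(src: Host, dst: Host, rules: List[Rule]) -> List[str]:
    """Combine both checks into the list of reasons src cannot reach dst (empty = looks fine)."""
    findings = []
    for host in (src, dst):
        findings += [f"{host.name}: {p}" for p in endpoint_problems(host)]
    src_ip = str(ipaddress.ip_interface(src.address).ip)
    dst_ip = str(ipaddress.ip_interface(dst.address).ip)
    action, index = evaluate_policy(rules, src_ip, dst_ip)
    if action != "permit":
        where = f"rule #{index + 1}" if index is not None else "the implicit deny (no rule matched)"
        findings.append(f"firewall: {src_ip} -> {dst_ip} is denied by {where}")
    return findings


if __name__ == "__main__":
    # Constructed scenario: laptop on the DMZ, a switch on the LAN with no gateway set,
    # and a policy list where a DMZ->LAN deny sits above the any/any permit.
    laptop = Host("laptop", "192.168.100.10/23", "192.168.100.1")
    switch = Host("lan-switch", "192.168.2.4/23", None)
    rules = [Rule("DMZ", "LAN", "deny"), Rule("any", "any", "permit")]
    for finding in diagnose(laptop, switch, rules):
        print(finding)
```

Running the script as-is reports both causes at once: the switch has no gateway, and the permit never fires because rule #1 already denied the flow. Swapping the two rules clears the firewall finding, which is exactly the "put the permit at the top" step; the missing gateway still has to be fixed on the switch itself, which is the point made later in the thread.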
Before attaching my screenshots, I would just like you to know that I was able to ping and tracert both computers without any issues from their terminals after turning off the firewall. However, I still can't access the switch devices on subnet 2.0 from 100.0 via web and ping, which is what I was trying to achieve. So weird... Does the issue below matter?
I've set my DMZ network as:
DHCP pool from 192.168.100.2-254
(while the router's IP and LAN have a default gateway of 192.168.2.1), because if I put that IP gateway as the DMZ gateway, it prompts me with an "IP not in range" error.
The issue is NOT on the firewall then, but on your endpoints.
Always take note that the OS firewall will affect ICMP packets.
For security purposes, enable the computers' firewall again and simply configure it to allow ICMP (ping).
Considering the .100.0 computer can already reach a device on .2.0, and based on the policy we configured, there really should not be any issue reaching that switch. Probably the switch has no gateway or has a management ACL configured.
Please check the switch configuration on your side and please do basic troubleshooting.
Ping and traceroute are the most helpful tools in this matter since they allow you to trace where your packets are going.
PS: I am guessing you are new to the IT industry
Rate or mark as answer helpful posts
Sorry LJ, but I really can't get to my devices. These are:
Ruckus ZD: 192.168.2.4
Not even ping nor web access. It's already frustrating because I have not set any rules or ACLs on the above devices (just set them to a static IP and they are already PnP).
Actually, I'm not new to the IT industry in terms of other specializations. But in networking, yes, I am probably a novice. :(
Check those devices' gateways. Most of your issues are on the endpoint device itself, e.g., just like when you were unable to ping, it seemed the OS firewall was not allowing ICMP.
Please check the configuration on your switches; make sure they are set to the correct gateway.
Of course, computers on the same subnet as the switches are able to ping each other because they do not need a gateway.
Do some basic troubleshooting; that is what you are missing.
Can you do a traceroute from your computer to the desired computer in the .2 network?
PS: Make sure as well that the computers allow ICMP through their Windows Firewall.