We are able to ping the firewall interface when the default gateway is set
to the ASP routers and users have access to the internet. The subnetting is
also correct as far as I have been able to determine. We just cannot get to
the firewall through the MSFC.

Any further thoughts would be helpful.

Thanks
Rob

-----Original Message-----
From: Nabil Fares [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 02, 2001 0853
To: Rob Cabeca; groupstudy
Subject: RE: Help!, because Cisco says they can't. Firewall & Vlan problem.


Rob,

By default PIX does not allow pings!  You can have connectivity through it,
but you can't ping it.  You have to create an access list allowing ICMP.
Of course, this is assuming it's not a subnetting issue.  Cisco recommends this
access-list be used for testing purposes only; remove it when done.

HTH,

Nabil
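As an added example (this is not configuration from Nabil's or Rob's messages), here is what the testing-only ICMP access-list Nabil describes looks like in PIX 6.x syntax, together with two items the thread does not mention that a practitioner would check in the same sitting and that are assumed here: the `icmp` command, which governs pings addressed to the PIX interfaces themselves (access-lists only govern traffic passing through the PIX), and an inside route for the new 10.25.192.0/19 range, without which the PIX has no return path for sources on the new VLANs. The interface names, the access-list name and the next-hop address are placeholders, not values taken from the thread.

```cisco
! Added example, not the original poster's configuration.
! PIX 6.x syntax assumed; interface names, ACL name and next hop are placeholders.

! 1. Traffic THROUGH the PIX: let ICMP replies back in on the outside
!    interface. Testing only; remove when done, as Cisco recommends.
access-list acl_outside permit icmp any any echo-reply
access-list acl_outside permit icmp any any time-exceeded
access-list acl_outside permit icmp any any unreachable
access-group acl_outside in interface outside

! 2. Traffic TO a PIX interface address is controlled by the icmp command,
!    not by access-lists. Permit echo on the inside interface from the
!    MSFC VLAN 1 secondary address and from the whole new /19 range.
!    (155.102.127.26 and 10.25.192.0/19 are the addresses Rob posted.)
icmp permit host 155.102.127.26 echo inside
icmp permit 10.25.192.0 255.255.224.0 echo inside

! 3. Return path (assumption): the PIX only knows 155.102.0.0/16 on the inside;
!    give it a route for the new VLANs via the MSFC VLAN 1 secondary address.
route inside 10.25.192.0 255.255.224.0 155.102.127.26 1

! Verify, then pull the testing-only ACL entries:
! show icmp
! show route
! no access-list acl_outside permit icmp any any echo-reply
! no access-list acl_outside permit icmp any any time-exceeded
! no access-list acl_outside permit icmp any any unreachable
```

The order of checks matters: if the PIX answers the MSFC only after step 3 is added, the symptom Rob describes (pings work only when the 2600s, which sit on 155.102.x.x after NAT, are the gateway) is a routing problem on the PIX rather than an ICMP policy problem, and the access-list in step 1 is not what fixed it.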

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Rob Cabeca
Sent: Thursday, March 01, 2001 9:37 PM
To: groupstudy
Subject: Help!, because Cisco says they can't. Firewall & Vlan problem.


You guys have always been on target for me. I am hoping you give some
insight to this. (the following addresses have been slightly altered for
obvious reasons but they are true to the real ones).

Overview.

I am upgrading a network which has a 155.102.0.0 255.255.0.0 network. It is
flat. I have implemented a new IP scheme to be used in several VLANs and
am trying to migrate to it. IP range is 10.25.192.0 - 10.25.223.254, broken
up into several /24's. There are 600 devices. Now to the nitty gritty.

Network Description

The 6506 has seven VLAN's configured as follows:
VLAN 1 - 10.25.223.2 /24 Primary & 155.102.127.26 /16 secondary.
VLAN 2 - 10.25.215.254 /24
VLAN 3 - 10.25.216.254 /24
to -
VLAN 7 - 10.25.220.254 /24

There are two 2600's which are routing to an ASP. Their addresses are router
A - 10.25.223.3 & B - .4, with .5 as HSRP.
There is a PIX 515 using address 155.102.18.191 NATing to the internet.
The 2600's have an extended access list on them which directs port 80
traffic from the 159.102.x.x network between the ASP WAN and the internet.
They are also doing NAT from the ASP to the 155.102.x.x network, one class C
NAT pool for each router: A - 10.25.213.0 /24, B - 10.25.214.0 /24.

Problem

I cannot ping the firewall interface from the MSFC or the 6506 or from any
workstation that is using ANY of the VLAN default gateways. I have full
connectivity to the ASP WAN. I have full connectivity to the other VLANs.
When devices use the 2600's HSRP address as default gateway, they have
access to the firewall, the ASP and the VLANs. I have no access to the
2600's as they do not belong to us.

I spoke with the Cisco TAC a few times. They gave up and wouldn't escalate
it because they could not find our service contract that we purchased. They
were anxious to close the case.

The trick to this migration is to maintain connectivity to all devices as
they are being migrated to the new IP scheme.

I will be very grateful to any serious replies to this situation.

Thanks for your expertise!
Rob


_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
