The subnet masks on the pix and secondary address of the msfc are
255.255.0.0. Since the ASP routers are using an access list to direct
traffic to and from the internet, it may be filtering the route from the
msfc. Then we would be sol. I like your idea of switching the primary and
secondary ip's on the msfc. Also, there is no gateway of last resort. My
default gateway is pointing to the asp routers, and we are using the same
eigrp ##.

Thanks for your insight. Any further thoughts will be appreciated.
Rob


-----Original Message-----
From: Moe Tavakoli [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 02, 2001 0043
To: Rob Cabeca; groupstudy
Subject: Re: Help!, because Cisco says they can't. Firewall & Vlan
problem.


Back to basics:

Check your subnet mask on the interfaces connecting
the MSFC and the PIX (on the 155.102/16 net). If you
can't ping the inside address of the PIX then you're SOL
(make sure nothing is filtering the ping). Once you
have this established (also check wiring and the such
and maybe even go to the extent of making your
secondary address the primary on the MSFC),
after that you should look into the routing table of
your MSFC.  Make sure the gateway of last resort (0 0
route) is pointing to the inside interface of the PIX,
and the selective route for the subnet pointing to the
ASP routers.
Be the packet: know your source and destination and
follow it at every hop and make sure it can find out
where to go and how to get back (i.e. an internal
route on the PIX for the internal range to the MSFC.)

Moe.

--- Rob Cabeca <[EMAIL PROTECTED]> wrote:
> You guys have always been on target for me. I am
> hoping you give some
> insight to this. (the following addresses have been
> slightly altered for
> obvious reasons but they are true to the real ones).
>
> Overview.
>
> I am upgrading a network which has a 155.102.0.0
> 255.255.0.0 network. It is
> flat. I have implemented a new IP Scheme to be used
> in several VLAN's and
> am trying to migrate to it. IP range is 10.25.192.0
> - 10.25.223.254 broken
> up into several /24's. There are 600 devices. Now to
> the nitty gritty.
>
> Network Description
>
> The 6506 has seven VLAN's configured as follows:
> VLAN 1 - 10.25.223.2 /24 Primary & 155.102.127.26
> /16 secondary.
> VLAN 2 - 10.25.215.254 /24
> VLAN 3 - 10.25.216.254 /24
> to -
> VLAN 7 - 10.25.220.254 /24
>
> There are 2 2600's which are routing to an ASP.
> Their addresses are  router
> A - 10.25.223.3 & B - .4 with .5 as HSRP.
> There is a Pix 515 using address 155.102.18.191
> NATing to the internet.
> The 2600's have an extended access list on them
> which directs Port 80
> traffic from the 159.102.x.x network between the ASP
> WAN and the internet.
> They are also doing NAT from the ASP to the
> 155.102.x.x network. 1 class C
> NAT pool for each router. A- 10.25.213.0 /24, B -
> 10.25.214.0 /24.
>
> Problem
>
> I cannot ping the firewall interface from the MSFC
> or the 6506 or from any
> workstation that is using ANY of the VLAN default
> gateways. I have full
> connectivity to the asp wan. I have full
> connectivity to the other VLAN's.
> When devices use the 2600's HSRP address as default
> gateway, they have
> access to the firewall, the asp and the VLAN's. I
> have no access to the
> 2600's as they do not belong to us.
>
> I spoke with the Cisco TAC a few times. They gave up
> and wouldn't escalate
> it because they could not find our service contract
> that we purchased. They
> were anxious to close the case.
>
> The trick to this migration is to maintain
> connectivity to all devices as
> they are being migrated to the new IP scheme.
>
> I will be very grateful to any serious replies to
> this situation.
>
> Thanks for your expertise!
> Rob
>
>
> _________________________________
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to
> [EMAIL PROTECTED]


=====
_____________________________________________
Moe Tavakoli
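
Added example, not part of either message: the "be the packet" check from Moe's reply, modelled as longest-prefix-match lookups in both directions for a VLAN 2 workstation pinging the PIX inside address. The workstation 10.25.215.10, the routing tables and the PIX default route toward "outside" are assumptions made for illustration, not configuration taken from the devices in the thread.

```python
import ipaddress

# Constructed model: which device owns which address.
# 10.25.215.10 is a made-up VLAN 2 workstation; the rest are from the thread.
OWNER = {"10.25.215.10": "host", "10.25.215.254": "msfc",
         "155.102.127.26": "msfc", "155.102.18.191": "pix"}

# Assumed routing tables: prefix -> next-hop device, or "connected".
TABLES = {
    "host": {"0.0.0.0/0": "msfc"},
    "msfc": {"10.25.215.0/24": "connected", "155.102.0.0/16": "connected"},
    "pix":  {"155.102.0.0/16": "connected", "0.0.0.0/0": "outside"},
}
# Same tables plus an internal route on the PIX for the new range to the MSFC.
FIXED = {**TABLES, "pix": {**TABLES["pix"], "10.25.192.0/19": "msfc"}}

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None if there is no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, src_dev, dst, max_hops=8):
    """Follow dst hop by hop from src_dev; returns (devices visited, delivered)."""
    path, dev = [src_dev], src_dev
    for _ in range(max_hops):
        if OWNER.get(dst) == dev:
            return path, True
        hop = lookup(tables.get(dev, {}), dst)
        if hop is None:
            return path, False          # no route on this device: packet dropped
        dev = OWNER.get(dst) if hop == "connected" else hop
        if dev is None:
            return path, False          # nobody on the connected net owns dst
        path.append(dev)
    return path, False                  # hop limit reached (routing loop)

def round_trip(tables, src, dst):
    """A ping works only if the request AND the reply both find a path."""
    return trace(tables, OWNER[src], dst), trace(tables, OWNER[dst], src)

if __name__ == "__main__":
    for name, tables in (("assumed", TABLES), ("with PIX inside route", FIXED)):
        fwd, back = round_trip(tables, "10.25.215.10", "155.102.18.191")
        print(name, "| request:", fwd, "| reply:", back)
```

In the assumed tables the request reaches the PIX but the reply follows the PIX default route and is lost; adding the route for 10.25.192.0/19 toward the MSFC completes the return path.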
