Thanks for responding. I may not be understanding something here. If the
firewall is on the same subnet and its inside interface is connected to the
6506, what type of routing statement would it need?

I am able to ping the inside interface of the firewall when the
workstation is assigned to vlan 1 and is using 155.102.127.26 as the default
gateway. Once I assign the workstation to another vlan, it can ping
everything in the 155 network EXCEPT for the firewall.

Obviously I am confused.

Thanks for your help. Any further thoughts would be appreciated.
rob

  -----Original Message-----
  From: Darren Crawford [mailto:[EMAIL PROTECTED]]
  Sent: Friday, March 02, 2001 1211
  To: Nabil Fares; Rob Cabeca; groupstudy
  Subject: RE: Help!, because Cisco says they can't. Firewall & Vlan problem.


  You should be able to Ping the inside interface of your PIX.  You can not
ping an outside interface.  There must be route statements in your PIX so
that it knows where to send the reply.


  At 08:52 AM 03/02/2001 -0500, Nabil Fares wrote:
  >Rob,
  >
  >By default PIX does not allow pings!  You can have connectivity through it
  >but, you can't ping it.  You have to create an access list allowing icmp.
  >Of course this is assuming it's not a subnetting issue.  Cisco recommends
  >this access-list be used for testing purposes only, remove when done.
  >
  >HTH,
  >
  >Nabil
  >
  >-----Original Message-----
  >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
  >Rob Cabeca
  >Sent: Thursday, March 01, 2001 9:37 PM
  >To: groupstudy
  >Subject: Help!, because Cisco says they can't. Firewall & Vlan problem.
  >
  >
  >You guys have always been on target for me. I am hoping you give some
  >insight to this. (the following addresses have been slightly altered for
  >obvious reasons but they are true to the real ones).
  >
  >Overview.
  >
  >I am upgrading a network which has a 155.102.0.0 255.255.0.0 network. It is
  >flat. I have implemented a new IP Scheme to be used in several VLAN's and
  >am trying to migrate to it. IP range is 10.25.192.0 - 10.25.223.254 broken
  >up into several /24's. There are 600 devices. Now to the nitty gritty.
  >
  >Network Description
  >
  >The 6506 has seven VLAN's configured as follows:
  >VLAN 1 - 10.25.223.2 /24 Primary & 155.102.127.26 /16 secondary.
  >VLAN 2 - 10.25.215.254 /24
  >VLAN 3 - 10.25.216.254 /24
  >to -
  >VLAN 7 - 10.25.220.254 /24
  >
  >There are 2 2600's which are routing to an ASP. Their addresses are router
  >A - 10.25.223.3 & B - .4 with .5 as HSRP.
  >There is a Pix 515 using address 155.102.18.191 NATing to the internet.
  >The 2600's have an extended access list on them which directs Port 80
  >traffic from the 159.102.x.x network between the ASP WAN and the internet.
  >They are also doing NAT from the ASP to the 155.102.x.x network. 1 class C
  >NAT pool for each router. A- 10.25.213.0 /24, B - 10.25.214.0 /24.
  >
  >Problem
  >
  >I cannot ping the firewall interface from the MSFC or the 6506 or from any
  >workstation that is using ANY of the VLAN default gateways. I have full
  >connectivity to the asp wan. I have full connectivity to the other VLAN's.
  >When devices use the 2600's HSRP address as default gateway, they have
  >access to the firewall, the asp and the VLAN's. I have no access to the
  >2600's as they do not belong to us.
  >
  >I spoke with the Cisco TAC a few times. They gave up and wouldn't escalate
  >it because they could not find our service contract that we purchased. They
  >were anxious to close the case.
  >
  >The trick to this migration is to maintain connectivity to all devices as
  >they are being migrated to the new IP scheme.
  >
  >I will be very grateful to any serious replies to this situation.
  >
  >Thanks for your expertise!
  >Rob
  >
  >
  >_________________________________
  >FAQ, list archives, and subscription info:
  >http://www.groupstudy.com/list/cisco.html
  >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

  Darren S. Crawford - CCNA
  Lucent Technologies Worldwide Services
  2377 Gold Meadow Way            Phone: (916) 859-5200 x310
  Suite 230                               Fax: (916) 859-5201
  Sacramento, CA 95670            Pager: (800) 467-1467
  Email: [EMAIL PROTECTED]     Epager: [EMAIL PROTECTED]
  http://www.lucent.com           Network Systems Consultant
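
The return-path question raised in this thread, worked through as an added example that is not part of the original messages. It assumes the PIX knows only its connected 155.102.0.0/16 inside network plus a default route to the outside (the gateway 192.0.2.1 and the workstation addresses are constructed), and that the 6506's VLAN 1 secondary address 155.102.127.26 would be the inside next hop.

```python
import ipaddress

def covering_prefix(first, last):
    """Smallest single prefix that contains both addresses."""
    net = ipaddress.ip_network(first + "/32")
    last_ip = ipaddress.ip_address(last)
    while last_ip not in net:
        net = net.supernet()
    return net

def egress(routes, dst):
    """Longest-prefix match: (interface, next_hop) used to reach dst."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_ip in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1], best[2]

# Assumed PIX routing table: connected inside network from the thread,
# default route via a constructed outside gateway (documentation range).
PIX_ROUTES = [
    (ipaddress.ip_network("155.102.0.0/16"), "inside", "connected"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside", "192.0.2.1"),
]

# New addressing plan from the thread: 10.25.192.0 - 10.25.223.254.
NEW_RANGE = covering_prefix("10.25.192.0", "10.25.223.254")

def with_static_route(routes, gateway="155.102.127.26"):
    """Same table plus one inside route for the new range (assumed next hop)."""
    return routes + [(NEW_RANGE, "inside", gateway)]

def pix_route_command(net, gateway, ifname="inside"):
    """Render the route as a PIX 'route' statement with metric 1."""
    return f"route {ifname} {net.network_address} {net.netmask} {gateway} 1"

if __name__ == "__main__":
    # Constructed workstations: one still on the flat /16, one moved to VLAN 2.
    for src in ("155.102.40.7", "10.25.215.10"):
        print(src, "reply before:", egress(PIX_ROUTES, src),
              "after:", egress(with_static_route(PIX_ROUTES), src))
    print(pix_route_command(NEW_RANGE, "155.102.127.26"))
```

Under these assumptions, replies to a 10.25.x.x source follow the default route toward the outside until the inside route exists, which matches the symptom of pings working only from hosts addressed in the 155 network.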

