First, you have to understand that the PIX, out of the box, will not route any
packets. So you have to add static route statements pointing at interfaces so
packets get to their destination. Example:
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
route outside 1.2.3.4 255.255.255.0 5.6.7.8 1
The PIX probably doesn't know how to get to the other VLAN. What are your
route statements in the PIX?
Darren
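To make the point about the PIX's reply path concrete, here is a small longest-prefix-match simulation of a PIX routing table (an added example, not code from this thread or from Cisco). It assumes the PIX inside interface sits on 155.102.0.0/16, that the 6506's VLAN 1 secondary address 155.102.127.26 is the right next hop for the 10.25.192.0/19 block holding the new VLANs, and uses a constructed 203.0.113.1 as the outside default gateway. It shows that without a static route for the 10.25.x.x VLANs, the reply to a ping from one of them either has no route at all or, if a default route exists, follows it out the wrong interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int = 1


class PixTable:
    """Minimal model of a PIX routing table: connected routes plus statics,
    resolved by longest prefix match (lowest metric breaks ties)."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_connected(self, iface: str, addr_with_prefix: str) -> None:
        # An interface address such as 155.102.18.191/16 yields a connected
        # route for its subnet; the "gateway" is the interface itself.
        intf = ipaddress.IPv4Interface(addr_with_prefix)
        self.routes.append(Route(iface, intf.network, intf.ip, 0))

    def add_static(self, line: str) -> None:
        # Parse the PIX syntax: route <iface> <net> <mask> <gateway> [metric]
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            raise ValueError(f"not a route statement: {line!r}")
        iface, net, mask, gw = parts[1:5]
        metric = int(parts[5]) if len(parts) > 5 else 1
        # strict=False tolerates host bits in the network field
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        self.routes.append(Route(iface, network, ipaddress.IPv4Address(gw), metric))

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def reply_interface(table: PixTable, ping_source: str) -> Optional[str]:
    """Interface the PIX would use for the echo reply, or None if unroutable."""
    route = table.lookup(ping_source)
    return route.iface if route else None


def demo() -> dict:
    # Constructed scenario based on the thread: inside on 155.102.0.0/16,
    # default route outside, new VLANs in 10.25.192.0/19 behind the 6506.
    pix = PixTable()
    pix.add_connected("inside", "155.102.18.191/16")
    pix.add_static("route outside 0.0.0.0 0.0.0.0 203.0.113.1 1")  # placeholder gateway

    results = {}
    # Host on the flat 155.102.0.0/16 network: reply goes straight back inside.
    results["flat_host"] = reply_interface(pix, "155.102.50.1")
    # Host on VLAN 3 (10.25.216.0/24): only the default route matches, so the
    # reply is sent out the outside interface and never reaches the VLAN.
    results["before"] = reply_interface(pix, "10.25.216.10")

    # The fix: tell the PIX the 10.25.192.0/19 block lives behind the 6506.
    pix.add_static("route inside 10.25.192.0 255.255.224.0 155.102.127.26 1")
    results["after"] = reply_interface(pix, "10.25.216.10")
    results["after_gateway"] = str(pix.lookup("10.25.216.10").gateway)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A supernet covering 10.25.192.0 through 10.25.223.254 is /19 (mask 255.255.224.0), so one static route covers all seven VLANs; with a host-specific VLAN gateway you would need one route per /24 instead.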
At 03:27 PM 03/02/2001 -0500, Rob Cabeca wrote:
>
> Thanks for responding. I may not be understanding something here. If the
> firewall is on the same subnet and its inside interface is connected to the
> 6506, what type of routing statement would it need?
>
> I am able to ping the inside interface of the firewall when the
> workstation is assigned to VLAN 1 and is using 155.102.127.26 as the default
> gateway. Once I assign the workstation to another VLAN, it can ping everything
> in the 155 network EXCEPT for the firewall.
>
> Obviously I am confused.
>
> Thanks for your help. Any further thoughts would be appreciated.
> rob
>
>>
>> -----Original Message-----
>> From: Darren Crawford [mailto:[EMAIL PROTECTED]]
>> Sent: Friday, March 02, 2001 1211
>> To: Nabil Fares; Rob Cabeca; groupstudy
>> Subject: RE: Help!, because Cisco says they can't. Firewall & Vlan problem.
>>
>> You should be able to ping the inside interface of your PIX. You cannot
>> ping an outside interface. There must be route statements in your PIX so
>> that it knows where to send the reply.
>>
>> At 08:52 AM 03/02/2001 -0500, Nabil Fares wrote:
>> >Rob,
>> >
>> >By default PIX does not allow pings! You can have connectivity through it
>> >but you can't ping it. You have to create an access list allowing ICMP.
>> >Of course, this is assuming it's not a subnetting issue. Cisco recommends this
>> >access-list be used for testing purposes only; remove it when done.
>> >
>> >HTH,
>> >
>> >Nabil
>> >
>> >-----Original Message-----
>> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>> >Rob Cabeca
>> >Sent: Thursday, March 01, 2001 9:37 PM
>> >To: groupstudy
>> >Subject: Help!, because Cisco says they can't. Firewall & Vlan problem.
>> >
>> >
>> >You guys have always been on target for me. I am hoping you give some
>> >insight to this. (the following addresses have been slightly altered for
>> >obvious reasons but they are true to the real ones).
>> >
>> >Overview.
>> >
>> >I am upgrading a network which has a 155.102.0.0 255.255.0.0 network. It is
>> >flat. I have implemented a new IP Scheme to be used in several VLAN's and
>> >am trying to migrate to it. IP range is 10.25.192.0 - 10.25.223.254 broken
>> >up into several /24's. There are 600 devices. Now to the nitty gritty.
>> >
>> >Network Description
>> >
>> >The 6506 has seven VLAN's configured as follows:
>> >VLAN 1 - 10.25.223.2 /24 Primary & 155.102.127.26 /16 secondary.
>> >VLAN 2 - 10.25.215.254 /24
>> >VLAN 3 - 10.25.216.254 /24
>> >to -
>> >VLAN 7 - 10.25.220.254 /24
>> >
>> >There are 2 2600's which are routing to an ASP. Their addresses are router
>> >A - 10.25.223.3 & B - .4 with .5 as HSRP.
>> >There is a PIX 515 using address 155.102.18.191 NATing to the internet.
>> >The 2600's have an extended access list on them which directs Port 80
>> >traffic from the 159.102.x.x network between the ASP WAN and the internet.
>> >They are also doing NAT from the ASP to the 155.102.x.x network. 1 class C
>> >NAT pool for each router. A- 10.25.213.0 /24, B - 10.25.214.0 /24.
>> >
>> >Problem
>> >
>> >I cannot ping the firewall interface from the MSFC or the 6506 or from any
>> >workstation that is using ANY of the VLAN default gateways. I have full
>> >connectivity to the asp wan. I have full connectivity to the other VLAN's.
>> >When devices use the 2600's HSRP address as default gateway, they have
>> >access to the firewall, the asp and the VLAN's. I have no access to the
>> >2600's as they do not belong to us.
>> >
>> >I spoke with the Cisco TAC a few times. They gave up and wouldn't escalate
>> >it because they could not find our service contract that we purchased. They
>> >were anxious to close the case.
>> >
>> >The trick to this migration is to maintain connectivity to all devices as
>> >they are being migrated to the new IP scheme.
>> >
>> >I will be very grateful to any serious replies to this situation.
>> >
>> >Thanks for your expertise!
>> >Rob
>> >
>> >
>> >_________________________________
>> >FAQ, list archives, and subscription info:
>> >http://www.groupstudy.com/list/cisco.html
>> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>> >
>>
>> Darren S. Crawford - CCNA
>> Lucent Technologies Worldwide Services
>> 2377 Gold Meadow Way Phone: (916) 859-5200 x310
>> Suite 230 Fax: (916) 859-5201
>> Sacramento, CA 95670 Pager: (800) 467-1467
>> Email: [EMAIL PROTECTED] Epager: [EMAIL PROTECTED]
>> http://www.lucent.com Network Systems
>> Consultant
>
>