Update:
I know that the Firewall does not know that the 10.25.192.0 /19 exists. I
tried to put in a route statement on the pix but it would not accept it.
This was the command: "route inside 10.25.192.0 255.255.224.0 10.25.223.2 1"

When I put in a route to the secondary Address of VLAN 1, it accepted it,
but I still could not ping anything in the 10 network from the firewall.
This was the command: "route inside 155.102.0.0 255.255.0.0 155.102.127.26 1"
I am completely stumped!

These were some of the previous comments I received and my original
statement is below. Thank you for any insight you may have on this!
Rob

comment:
"It sounds like your PIX doesn't know about 10.25.192.0/19 subnets.  It
knows about the directly-connected 155 subnet, but not any past the 6506.
It seems like you'll need some routes on the PIX (but I'm not really
familiar with those boxes).  Your PIX is probably defaulting to its outside
interface.  You need a route for 10.25.192.0/19 to 155.102.127.26 (if that
is the 6506) on the PIX."

comment:
"First, you have to understand that the PIX, out of the box, will not route
any packets.  So you have to add static route statements pointing at
interfaces so packets get to their destination.  Example:

route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
route outside 1.2.3.4 255.255.255.0 5.6.7.8 1

The PIX probably doesn't know how to get to the other VLAN.  What are your
route statements in the PIX?"

Original:
Overview.

I am upgrading a network which has a 155.102.0.0 255.255.0.0 network. It is
flat. I have implemented a new IP Scheme to be used in several VLAN's and
am trying to migrate to it. IP range is 10.25.192.0 - 10.25.223.254 broken
up into several /24's. There are 600 devices. Now to the nitty gritty.

Network Description

The 6506 has seven VLAN's configured as follows:
VLAN 1 - 10.25.223.2 /24 Primary & 155.102.127.26 /16 secondary.
VLAN 2 - 10.25.215.254 /24
VLAN 3 - 10.25.216.254 /24
to -
VLAN 7 - 10.25.220.254 /24

There are 2 2600's which are routing to an ASP. Their addresses are router
A - 10.25.223.3 & B - .4 with .5 as HSRP.
There is a PIX 515 using address 155.102.18.191 NATing to the internet.
The 2600's have an extended access list on them which directs Port 80
traffic from the 159.102.x.x network between the ASP WAN and the internet.
They are also doing NAT from the ASP to the 155.102.x.x network. 1 class C
NAT pool for each router. A- 10.25.213.0 /24, B - 10.25.214.0 /24.

Problem

I cannot ping the firewall interface from the MSFC or the 6506 or from any
workstation that is using ANY of the VLAN default gateways. I have full
connectivity to the asp wan. I have full connectivity to the other VLAN's.
When devices use the 2600's HSRP address as default gateway, they have
access to the firewall, the asp and the VLAN's. I have no access to the
2600's as they do not belong to us.

I spoke with the Cisco TAC a few times. They gave up and wouldn't escalate
it because they could not find our service contract that we purchased. They
were anxious to close the case.

The trick to this migration is to maintain connectivity to all devices as
they are being migrated to the new IP scheme.

I will be very grateful to any serious replies to this situation.

Thanks for your expertise!
Rob

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
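
Added example (not part of the original post, and not Cisco code): a small Python check of the route statements quoted in the thread, testing whether each gateway sits on the firewall's connected inside subnet and whether the route covers a host in the new 10.25.192.0/19 range. The inside interface address and mask (155.102.18.191/16) and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the PIX inside interface is 155.102.18.191 on the flat /16 from the post.
INSIDE_IF = ipaddress.ip_interface("155.102.18.191/16")

# The two commands the poster tried, then the route suggested in the first comment.
ROUTES = [
    "route inside 10.25.192.0 255.255.224.0 10.25.223.2 1",
    "route inside 155.102.0.0 255.255.0.0 155.102.127.26 1",
    "route inside 10.25.192.0 255.255.224.0 155.102.127.26 1",
]

def parse_route(line):
    """Parse 'route <if> <network> <mask> <gateway> <metric>' into typed fields."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "route":
        raise ValueError(f"not a static route statement: {line!r}")
    _, ifname, net, mask, gw, metric = parts
    # strict parsing rejects a network address that has host bits set
    network = ipaddress.ip_network(f"{net}/{mask}")
    return ifname, network, ipaddress.ip_address(gw), int(metric)

def check_route(line, target, interface=INSIDE_IF):
    """Return a list of problems with one route statement for reaching target."""
    _, network, gateway, _ = parse_route(line)
    target = ipaddress.ip_address(target)
    problems = []
    # A next hop has to be resolvable on the egress interface's own subnet.
    if gateway not in interface.network:
        problems.append("gateway-off-link")
    # A route to the connected network itself adds no new reachability.
    if network.subnet_of(interface.network):
        problems.append("destination-already-connected")
    if target not in network:
        problems.append("target-not-covered")
    return problems

if __name__ == "__main__":
    # 10.25.215.254 is the VLAN 2 address listed in the post.
    for route in ROUTES:
        print(route, "->", check_route(route, "10.25.215.254") or "ok")
```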
