03-19-2013 07:38 AM
I'm having an issue where I cannot ping across networks configured on the same interface. If you look at the ping request, I was able to ping device 10.201.235.50. When I use the ping command and try to ping the same address on a different VLAN, it fails. Am I missing a command to allow ICMP across networks?
Thanks for any assistance.
access-list ALL line 8 extended permit ip any any
access-list inbound line 8 extended permit ip any any
access-list inbound line 16 extended permit icmp any any
access-list outbound line 8 extended permit icmp any any
class-map type management match-any remote-mgmt
  201 match protocol snmp any
  202 match protocol ssh any
  203 match protocol icmp any
  204 match protocol http any
  205 match protocol https any
  206 match protocol xml-https any
interface vlan 1232
  description 10.201.232.x
  ip address 10.201.232.10 255.255.255.0
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input inbound
  nat-pool 1 10.201.232.245 10.201.232.250 netmask 255.255.255.0 pat
  service-policy input remote-mgmt
  no shutdown
interface vlan 1233
  description 10.201.233.x
  ip address 10.201.233.10 255.255.255.0
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input inbound
  nat-pool 1 10.201.233.245 10.201.233.250 netmask 255.255.255.0 pat
  service-policy input remote-mgmt
  no shutdown
interface vlan 1234
  description 10.201.234.x
  ip address 10.201.234.10 255.255.255.0
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input inbound
  nat-pool 1 10.201.234.245 10.201.234.250 netmask 255.255.255.0 pat
  service-policy input remote-mgmt
  no shutdown
interface vlan 1235
  description 10.201.235.x
  ip address 10.201.235.10 255.255.255.0
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input inbound
  nat-pool 1 10.201.235.245 10.201.235.250 netmask 255.255.255.0 pat
  service-policy input remote-mgmt
  no shutdown
--------------------------------------------------------------------------------------
cacamc/Apps# ping 10.201.235.50
Pinging 10.201.235.50 with timeout = 2, count = 5, size = 100 ....
Response from 10.201.235.50 : seq 1 time 1.042 ms
Response from 10.201.235.50 : seq 2 time 1.288 ms
Response from 10.201.235.50 : seq 3 time 0.290 ms
Response from 10.201.235.50 : seq 4 time 0.334 ms
Response from 10.201.235.50 : seq 5 time 0.279 ms
5 packet sent, 5 responses received, 0% packet loss
cacamc/Apps# ping
Target IP address: 10.201.235.50
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.201.235.10
Time To Live [128]:
Set DF bit in IP header [n]:
Pinging 10.201.235.50 with timeout = 2, count = 5, size = 100 ....
Response from 10.201.235.50 : seq 1 time 0.000 ms
Response from 10.201.235.50 : seq 2 time 0.000 ms
Response from 10.201.235.50 : seq 3 time 1.307 ms
Response from 10.201.235.50 : seq 4 time 0.000 ms
Response from 10.201.235.50 : seq 5 time 0.320 ms
5 packet sent, 5 responses received, 0% packet loss
cacamc/Apps# ping
Target IP address: 10.201.235.50
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Source address or interface: 10.201.232.10
Time To Live [128]:
Set DF bit in IP header [n]:
Pinging 10.201.235.50 with timeout = 2, count = 5, size = 100 ....
No response received from 10.201.235.50 within last 2 sec
No response received from 10.201.235.50 within last 2 sec
No response received from 10.201.235.50 within last 2 sec
No response received from 10.201.235.50 within last 2 sec
No response received from 10.201.235.50 within last 2 sec
5 packet sent, 0 responses received, 100% packet loss
cacamc/Apps#
03-19-2013 04:25 PM
03-20-2013 07:01 AM
I tried this and still no response.
access-list icmp_traffic line 10 extended permit icmp any any
!
class-map match-any ICMP_traffic
  description ip inspect ICMP
  2 match access-list icmp_traffic
!
policy-map multi-match client-vips
  class epichtoccp-443
    loadbalance vip inservice
    loadbalance policy epichtoccp-443-policy
    loadbalance vip icmp-reply active
  class ICMP_traffic
    inspect icmp error
03-20-2013 05:25 PM
Hi Don,
This sounds like expected behavior. From the documentation:
For security reasons, the ACE does not allow pings from an interface on a VLAN on one side of the ACE through the ACE to an interface on a different VLAN on the other side of the ACE. For example, a host can ping the ACE address that is on the IP subnet using the same VLAN as the host, but cannot ping IP addresses configured on other VLANs on the ACE.
---------------------
Cesar R
ANS Team
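The rule quoted above can be checked mechanically against the configuration posted earlier in the thread. The script below is an added example and is not from the original thread or from Cisco: it parses the `interface vlan` and `access-list` lines copied from the post, works out which ACE VLAN subnet a ping's source and target addresses fall in, and labels each ping as the same-VLAN case the documentation allows or the cross-VLAN case it blocks. The ACL lookup is only there to show that no access-list entry explains the failure; the helper names and the replayed ping pairs are constructed here, and the script reasons about configuration text only, without talking to an ACE.

```python
"""Label ACE ping attempts as same-VLAN or cross-VLAN from the config text."""
import ipaddress
import re

# Interface stanzas copied from the posted configuration (only the lines
# this check needs are kept; the rest of each stanza is unchanged on the ACE).
ACE_CONFIG = """\
interface vlan 1232
  ip address 10.201.232.10 255.255.255.0
  access-group input inbound
interface vlan 1233
  ip address 10.201.233.10 255.255.255.0
  access-group input inbound
interface vlan 1234
  ip address 10.201.234.10 255.255.255.0
  access-group input inbound
interface vlan 1235
  ip address 10.201.235.10 255.255.255.0
  access-group input inbound
"""

# Access-list entries copied from the post.
ACE_ACLS = """\
access-list ALL line 8 extended permit ip any any
access-list inbound line 8 extended permit ip any any
access-list inbound line 16 extended permit icmp any any
access-list outbound line 8 extended permit icmp any any
"""

INTERFACE_RE = re.compile(r"^interface vlan (\d+)$")
ADDRESS_RE = re.compile(r"^ip address (\S+) (\S+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group input (\S+)$")
ACL_RE = re.compile(
    r"^access-list (\S+) line \d+ extended (permit|deny) (\S+) (\S+) (\S+)$")


def parse_interfaces(config):
    """Return {vlan: {"address", "network", "acl"}} from interface stanzas."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            current = interfaces.setdefault(int(m.group(1)), {})
            continue
        if current is None:
            continue
        m = ADDRESS_RE.match(line)
        if m:  # ipaddress accepts a dotted netmask after the slash
            current["address"] = ipaddress.ip_address(m.group(1))
            current["network"] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            current["acl"] = m.group(1)
    return interfaces


def parse_acls(acl_text):
    """Return {acl_name: [(action, protocol, src, dst), ...]} in line order."""
    acls = {}
    for raw in acl_text.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            name, action, proto, src, dst = m.groups()
            acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def acl_permits_icmp(acls, name):
    """True if the first ICMP-relevant 'any any' entry in ACL `name` permits.

    Only 'any any' entries occur in the posted config, so addresses are not
    evaluated; a 'permit ip' entry covers ICMP. No match means implicit deny.
    """
    for action, proto, src, dst in acls.get(name, []):
        if proto in ("ip", "icmp") and src == "any" and dst == "any":
            return action == "permit"
    return False


def vlan_of(interfaces, ip):
    """VLAN whose subnet contains `ip`, or None if no ACE interface does."""
    addr = ipaddress.ip_address(ip)
    for vlan, info in interfaces.items():
        if "network" in info and addr in info["network"]:
            return vlan
    return None


def classify_ping(interfaces, source, target):
    """'same-vlan' (documented as allowed), 'cross-vlan' (documented as
    blocked), or 'unknown' when an address is in no configured VLAN subnet."""
    src_vlan, dst_vlan = vlan_of(interfaces, source), vlan_of(interfaces, target)
    if src_vlan is None or dst_vlan is None:
        return "unknown"
    return "same-vlan" if src_vlan == dst_vlan else "cross-vlan"


def explain_thread_pings():
    """Replay the two extended pings from the post and label each one."""
    interfaces, acls = parse_interfaces(ACE_CONFIG), parse_acls(ACE_ACLS)
    pings = [("10.201.235.10", "10.201.235.50"),   # 0% loss in the post
             ("10.201.232.10", "10.201.235.50")]   # 100% loss in the post
    report = []
    for source, target in pings:
        acl = interfaces.get(vlan_of(interfaces, target), {}).get("acl", "")
        report.append({"source": source, "target": target,
                       "verdict": classify_ping(interfaces, source, target),
                       "target_acl_permits_icmp": acl_permits_icmp(acls, acl)})
    return report


if __name__ == "__main__":
    for r in explain_thread_pings():
        print(f"{r['source']} -> {r['target']}: {r['verdict']} "
              f"(inbound ACL permits ICMP: {r['target_acl_permits_icmp']})")
```

Run it as a script and the second ping is reported as `cross-vlan` with the inbound ACL permitting ICMP, which is the combination the quoted documentation describes: nothing in the access-lists is dropping the echo, the ACE simply does not forward pings between its own VLAN interfaces.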
03-21-2013 07:48 AM
These networks are on the same interface.