10-03-2012 11:48 AM - edited 03-11-2019 05:03 PM
Hello, I tried to depict my problem in the diagram below.
I'm trying to allow communication between VLANs 333 and 444.
The VLAN 333 and VLAN 444 gateways are configured on the firewall using virtual interfaces.
I applied an access-list at the IP level from the source VLAN 333 host to the VLAN 444 host, with the access-group on the G0/2.333 interface.
I could not ping the VLAN 444 host.
I also configured same-security-traffic permit inter-interface, but no luck.
What am I missing here?
Thanks in advance!
10-03-2012 11:54 AM
"same-security-traffic permit inter-interface" is only needed if both interfaces have the same security-level. But have you enabled ICMP inspection?
policy-map global_policy
class inspection_default
inspect icmp
And your switch shouldn't have an IP in VLAN 444 if that traffic has to be processed by the firewall.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
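As an added example (not part of the thread and not Cisco's or the poster's code), the following Python audit checks a saved ASA configuration for the two points Karsten raises: whether "inspect icmp" is present under class inspection_default of global_policy, and whether "same-security-traffic permit inter-interface" is needed because the two VLAN interfaces share a security-level. The configuration text, interface names (vlan333/vlan444), addresses and security-levels are all constructed for this example; without ICMP inspection the echo reply from VLAN 444 is not matched to a stateful flow and has to be permitted by a separate ACL on the other interface, which is why the ping fails even though the outbound ACL allows it.

```python
"""Audit an ASA configuration snippet for the settings discussed in the thread.

Constructed example: the config below is a made-up sample, not the original
poster's firewall. It has two sub-interfaces used as VLAN gateways with the
same security-level, an ACL permitting the IP traffic, and no "inspect icmp".
"""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/2.333
 vlan 333
 nameif vlan333
 security-level 50
 ip address 10.33.3.1 255.255.255.0
!
interface GigabitEthernet0/2.444
 vlan 444
 nameif vlan444
 security-level 50
 ip address 10.44.4.1 255.255.255.0
!
access-list vlan333_in extended permit ip host 10.33.3.10 host 10.44.4.10
access-group vlan333_in in interface vlan333
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
service-policy global_policy global
"""


def parse_interfaces(config):
    """Return {nameif: security_level} for every interface block in the config."""
    levels = {}
    nameif = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None                      # new block, forget previous nameif
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            nameif = m.group(1)
        m = re.match(r"\s+security-level (\d+)", line)
        if m and nameif:
            levels[nameif] = int(m.group(1))
    return levels


def inspected_protocols(config, policy="global_policy", cls="inspection_default"):
    """Return the set of protocols inspected in the given class of the given policy-map."""
    protos = set()
    in_policy = in_class = False
    for line in config.splitlines():
        if not line.startswith(" "):           # top-level command ends any policy block
            in_policy = line.strip() == f"policy-map {policy}"
            in_class = False
            continue
        stripped = line.strip()
        if in_policy and line.startswith(" class "):
            in_class = stripped == f"class {cls}"
            continue
        if in_policy and in_class and stripped.startswith("inspect "):
            protos.add(stripped.split()[1])
    return protos


def audit(config, ifaces):
    """Return a list of findings explaining why ICMP between the two interfaces may fail."""
    levels = parse_interfaces(config)
    findings = []
    if "icmp" not in inspected_protocols(config):
        findings.append("inspect icmp missing: echo replies are not tracked statefully")
    a, b = ifaces
    if (levels.get(a) == levels.get(b)
            and "same-security-traffic permit inter-interface" not in config):
        findings.append(f"{a} and {b} share security-level {levels.get(a)} "
                        "but same-security-traffic permit inter-interface is not set")
    return findings


def apply_fix(config):
    """Constructed helper: add the two settings from the thread to the config text."""
    lines = ["same-security-traffic permit inter-interface"]
    for line in config.splitlines():
        lines.append(line)
        if line.strip() == "class inspection_default":
            lines.append("  inspect icmp")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ("vlan333", "vlan444")):
        print("FINDING:", finding)
    print("after fix:", audit(apply_fix(SAMPLE_CONFIG), ("vlan333", "vlan444")))
```

Run it against a "show running-config" capture saved to a file to get the same two checks on a real device; the second finding only applies when both interfaces really share a security-level, as Karsten notes.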
10-03-2012 12:15 PM
If the inspect icmp doesn't fix it, try to run a packet tracer and take captures:
packet in interface_name icmp source_IP 8 0 destination_IP
capture test interface interface_name match icmp host source_IP host destination_IP
show cap test
Let us know how it goes.
Felipe.
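The packet-tracer output Felipe suggests is long, and the useful part is which phase (route lookup, ACL, NAT, inspection, ...) returned DROP and the final Drop-reason. As an added example, not from the thread or from Cisco, the following Python parser summarises that output; the trace text is a constructed sample in the format the ASA prints, with made-up interface names and addresses, showing an echo request denied in the ACCESS-LIST phase.

```python
"""Summarise ASA packet-tracer output: which phase dropped the packet and why.

Constructed example: SAMPLE_TRACE is a made-up trace in the ASA's output
format, not the original poster's output.
"""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.44.4.0       255.255.255.0   vlan444

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group vlan333_in in interface vlan333
access-list vlan333_in extended deny ip any any
Additional Information:

Result:
input-interface: vlan333
input-status: up
input-line-status: up
output-interface: vlan444
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Return (phases, summary).

    phases: list of dicts with number, type, subtype, result and the config
    lines the ASA printed for that phase.
    summary: the key/value lines of the final "Result:" block.
    """
    phases, summary, current = [], {}, None
    in_config = False
    for line in text.splitlines():
        m = re.match(r"Phase: (\d+)", line)
        if m:
            current = {"number": int(m.group(1)), "config": []}
            phases.append(current)
            in_config = False
            continue
        if line == "Result:":                  # bare header: final summary block
            current = None
            continue
        if current is None:                    # before first phase or in summary
            m = re.match(r"([\w-]+): (.*)", line)
            if m:
                summary[m.group(1)] = m.group(2)
            continue
        if line.startswith("Config:"):
            in_config = True
            continue
        if line.startswith("Additional Information:"):
            in_config = False
            continue
        if in_config:
            current["config"].append(line)
            continue
        m = re.match(r"(Type|Subtype|Result): (.*)", line)
        if m:
            current[m.group(1).lower()] = m.group(2)
    return phases, summary


def drop_phase(text):
    """Return the first phase whose Result is DROP, or None if the packet was allowed."""
    phases, summary = parse_trace(text)
    if summary.get("Action") != "drop":
        return None
    return next((p for p in phases if p.get("result") == "DROP"), None)


def explain(text):
    """One-line diagnosis for the operator."""
    _, summary = parse_trace(text)
    p = drop_phase(text)
    if p is None:
        return f"allowed: {summary.get('input-interface')} -> {summary.get('output-interface')}"
    return (f"dropped in phase {p['number']} ({p['type']}/{p.get('subtype', '')}): "
            f"{summary.get('Drop-reason', 'no reason given')}")


if __name__ == "__main__":
    print(explain(SAMPLE_TRACE))
    for cfg_line in drop_phase(SAMPLE_TRACE)["config"]:
        print("  ", cfg_line)
```

Paste the real packet-tracer output into the script in place of the sample; the "config" lines of the dropping phase name the access-group and access-list entry to look at, which is what the original poster used to rebuild the ACL.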
10-03-2012 12:07 PM
Thanks Karsten,
The switch IP address is in use for SSH; this is not the correct way of doing it, but somehow it is already in place.
I will try enabling ICMP inspection. I have not tried it out.
10-06-2012 02:12 AM
Thanks Karsten,
Inspect ICMP worked.
10-06-2012 02:11 AM
Thanks, Icambron, for your reply.
Based on the packet tracer, I have re-created an ACL and it is now working.