Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
279
Views
0
Helpful
3
Replies

Failing communication b/w networks

S891
Level 2
Level 2

‎05-13-2015 06:27 AM - edited ‎03-11-2019 10:55 PM

I am facing an issue with connectivity between two networks. It seems simple but user is complaining that servers between the VLANs are not communicating (only ICMP is working but nothing else).

I cannot seem to find any issue with the below config. May be anyone can see anything missing. There is no NATTING configured. There are 6 networks that need to communicate with each other except for ICMP. I am showing just two here but it is the same for all. 

 

interface Vlan360
 nameif PUB-SERVERS
 security-level 40
 ip address 100.1.38.97 255.255.255.224 standby 100.1.38.98 
!
interface Vlan361
 nameif PUB-USERS
 security-level 30
 ip address 100.1.40.225 255.255.255.224 standby 100.1.40.226

object-group network NETWORKS
  network-object 100.1.40.224 255.255.255.224
 network-object 100.1.38.96 255.255.255.224

object-group network NETWORKS2
network-object 100.1.40.224 255.255.255.224
network-object 100.1.38.96 255.255.255.224

access-list PUB-SERVERS_IN extended permit ip object-group NETWORKS object-group NETWORKS2 
access-list PUB-SERVERS_IN extended permit icmp object-group NETWORKS object-group NETWORKS2 
access-list PUB-USERS_IN extended permit ip object-group NETWORKS object-group NETWORKS2 
access-list PUB-USERS_IN extended permit icmp object-group NETWORKS object-group NETWORKS2

access-group PUB-SERVERS_IN in interface PUB-SERVERS
access-group PUB-USERS_IN in interface PUB-USERS

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Labels:
0 Helpful
3 Replies 3

fatalXerror
Level 5
Level 5

‎05-13-2015 08:25 AM

hi fawad,

can you post the whole config for us to assess further?

thanks.

0 Helpful

S891
Level 2
Level 2
In response to fatalXerror

‎05-13-2015 12:07 PM

This is pretty much all I have for these two networks. Now does it matter that I have same subnets listed in the object groups for source and destination. Actually I have six subnets that all need to talk to each other. I created two object-group and put all six networks in them but named these object groups differently. I did not see any error message when applying ACL so i assume this was valid. 

There is nothing else I have on firewall  relevant to these networks. The firewall is working fine otherwise with no issues. 

0 Helpful

Henrik Grankvist
Level 4
Level 4

‎05-13-2015 12:43 PM

Hi

Why do you have both networks in both object-groups? I don't know if it would create a problem, but it doesn't make sence. What you should do instead:

object network PUB-SERVERS
subnet 100.1.38.96 255.255.255.224

object network PUB-USERS
subnet 100.1.40.224 255.255.255.224

access-list PUB-SERVERS_IN permit ip object PUB-SERVERS object PUB-USERS
access-list PUB-SERVERS_IN permit icmp object PUB-SERVERS object PUB-USERS

access-list PUB-USERS_IN permit ip object PUB-USERS object PUB-SERVERS
access-list PUB-USERS_IN permit icmp object PUB-USERS object PUB-SERVERS

access-group PUB-SERVERS_IN in interface PUB-SERVERS
access-group PUB-USERS_IN in interface PUB-USERS

When you have changed that, and it still doesn't work, try packet-tracer:

packet-tracer input PUB-USERS tcp 100.1.40.226 45644 100.1.38.96 45
packet-tracer input PUB-SERVERS tcp 100.1.38.96 45644 100.1.40.226 45

And then post the output here.

 

 

 

 


 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card