11-05-2012 01:09 PM - edited 03-11-2019 05:19 PM
I have a 3700 series router and a PIX 525 with unlimited licensing.
PIX:
int e0 DHCP to WAN, that works fine
int e1 (admin shutdown for testing)
int e2 up/up, 192.168.100.1/24, speed 100, duplex full, sec-level 100, nameif=INSIDE2
3745:
int fa1/0, up/up, 192.168.100.2/24, speed 100, duplex full, no shutdown
The devices are connected with a known good (tested) crossover cable.
The ip route on each side shows the network directly configured
I can NOT ping from the pix to the router, or from the router to the pix.
I CAN ping each interface from each device (router can ping its own IP, 192.168.100.2, pix can ping its own IP 192.168.100.1)
I've setup a capture on the pix, no packets captured at all even while pinging.
It's probably something very stupid that I overlooked, but it is driving me crazy. Ultimately I'd like to put a catalyst behind the router, but would like to get connectivity established here first.
Any thoughts/suggestions/ideas to point me in the right direction would be very much appreciated. Thanks in advance!
11-05-2012 03:08 PM
Hello Ronan,
Can you share the
show interface xx from both interfaces (PIX and switch side)
11-06-2012 10:24 AM
Thank you for your response, here is the show interfaces on both devices for the interfaces in question:
c3745:
FastEthernet1/0 is up, line protocol is up
Hardware is AmdFE, address is 0011.bba2.f1c1 (bia 0011.bba2.f1c1)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 21:10:08, output 00:00:04, output hang never
Last clearing of "show interface" counters 00:00:13
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
1 packets output, 60 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
1 unknown protocol drops
17 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
PIX 525:
Interface Ethernet2 "INSIDE2", is up, line protocol is up
Hardware is i82559, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Description: to fa0/1 on c3745
MAC address 0005.5d18.4364, MTU 1500
IP address 192.168.100.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
6 packets output, 384 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/1) software (0/1)
Traffic Statistics for "INSIDE2":
0 packets input, 0 bytes
6 packets output, 168 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
I hope this helps. Thanks again.
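Added example, not part of the thread: a small Python check that reads the two "show interface" outputs above (IOS on the c3745, PIX OS on the 525), pulls out duplex, speed and packet counters, and flags a duplex/speed mismatch or frames counted as sent on one end but never received on the other. The excerpts are constructed from the lines quoted in the thread.

```python
import re

# Constructed excerpts of the two outputs quoted above; only the fields the check needs.
IOS_OUT = """\
FastEthernet1/0 is up, line protocol is up
  Half-duplex, 100Mb/s, 100BaseTX/FX
     0 packets input, 0 bytes
     1 packets output, 60 bytes, 0 underruns
"""

PIX_OUT = """\
Interface Ethernet2 "INSIDE2", is up, line protocol is up
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        0 packets input, 0 bytes, 0 no buffer
        6 packets output, 384 bytes, 0 underruns
"""


def parse_iface(text):
    """Extract duplex, speed (Mb) and packet counters from IOS or PIX 'show interface' text."""
    dup = re.search(r"(Half|Full)-[Dd]uplex", text)
    spd = re.search(r"(\d+)\s*Mb(?:/s|ps)", text)  # "100Mb/s" (IOS) or "100 Mbps" (PIX)
    pin = re.search(r"(\d+) packets input", text)
    pout = re.search(r"(\d+) packets output", text)
    if not (dup and spd and pin and pout):
        raise ValueError("unrecognised show interface output")
    return {"duplex": dup.group(1).lower(), "speed": int(spd.group(1)),
            "in": int(pin.group(1)), "out": int(pout.group(1))}


def check_link(a_name, a, b_name, b):
    """Return findings about the point-to-point link between interfaces a and b."""
    findings = []
    if a["duplex"] != b["duplex"]:
        findings.append(f"duplex mismatch: {a_name}={a['duplex']} {b_name}={b['duplex']}")
    if a["speed"] != b["speed"]:
        findings.append(f"speed mismatch: {a_name}={a['speed']} {b_name}={b['speed']}")
    # Frames counted as transmitted on one end but never counted as received on the other
    for tx_name, tx, rx_name, rx in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if tx["out"] > 0 and rx["in"] == 0:
            findings.append(f"{tx_name} sent {tx['out']} frames, {rx_name} received 0")
    return findings


if __name__ == "__main__":
    for f in check_link("c3745 fa1/0", parse_iface(IOS_OUT), "PIX e2", parse_iface(PIX_OUT)):
        print(f)
```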
11-06-2012 10:53 AM
Hello Ronan
Do the following:
On the c3745:
FastEthernet1/0
duplex full
Then give it a try
Regards,
11-06-2012 11:32 AM
Thanks for the suggestions, I tried that, as well as auto/auto on both ends and still same result. When I do a s ip arp on the c3745, I get:
Protocol Address Age (min) Hardware Addr Type Interface
Internet 96.56.78.170 - 0011.bba2.f1b1 ARPA FastEthernet0/1
Internet 172.16.0.1 7 0011.bb5b.1e00 ARPA FastEthernet0/0
Internet 172.16.0.2 1 000c.291a.e587 ARPA FastEthernet0/0
Internet 172.16.0.4 15 000c.296f.8a52 ARPA FastEthernet0/0
Internet 172.16.0.254 - 0011.bba2.f1b0 ARPA FastEthernet0/0
which is fine, everything there works.
On the PIX side doing the same I get:
OUTSIDE 24.185.247.176 204e.7fc5.4f53 10024
OUTSIDE 24.185.245.248 0013.c45c.de51 10054
OUTSIDE 69.121.30.195 0005.00e2.5931 10054
inside 192.168.0.2 0011.bb5b.1e00 10235
Which is also correct.
Still cannot ping from one to the other or vice versa.
11-06-2012 12:15 PM
Also here are the ip route from each device:
c3745:
Gateway of last resort is not set
C 192.168.72.0/24 is directly connected, Loopback1
S 192.168.110.0/24 [1/0] via 172.16.0.1
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, FastEthernet0/0
C 192.168.100.0/24 is directly connected, FastEthernet1/0
PIX525
S 192.168.110.0 255.255.255.0 [1/0] via 192.168.0.2, inside
S 172.16.0.0 255.255.255.0 [1/0] via 192.168.0.2, inside
C 24.185.244.0 255.255.252.0 is directly connected, OUTSIDE
C 192.168.0.0 255.255.255.0 is directly connected, inside
C 192.168.100.0 255.255.255.0 is directly connected, INSIDE2
S* 0.0.0.0 0.0.0.0 [1/0] via 69.121.30.195, OUTSIDE
All the route statements in the PIX are:
route OUTSIDE 0.0.0.0 0.0.0.0 64.xxx.xxx.195 1
route inside 172.16.0.0 255.255.255.0 192.168.0.2 1
route inside 192.168.110.0 255.255.255.0 192.168.0.2 1
192.168.0.2 is VLAN INT ip address on a Catalyst 3550 Layer 3 switch. One switchport is assigned to it and the PIX is directly connected to the 3550 that way. The 3550 handles the other vlans as well. Also, one interface on the router will be connected to the switch in a VLAN. I'm trying to get the router behind the PIX to have it function as a CUBE for CallManager. I need to be able to send SIP traffic out my routable IP address and receive it into the router on udp/5060.
If more info is necessary, I'll be happy to supply it. Thanks again in advance.
11-07-2012 09:47 AM
Hello Ronan,
Share:
show run interface FastEthernet1/0 ( on switch)
11-07-2012 11:17 AM
Thanks again for the response, there is no fa1/0 on the switch, but hopefully this post clarifies some things
Currently internet traffic goes like such:
Internet -> PIX (e0, OUTSIDE) -> PIX (e1, INSIDE) -> CATALYST-3550 (vlan900/fa0/48) -> END HOST
I want to add the c3745 between the Catalyst 3550 and the switch so traffic goes like such:
Internet -> PIX (e0, OUTSIDE) -> PIX (e2, INSIDE2, 192.168.100.1) -> c3745 (int fa1/0, 192.168.100.2) -> c3745 (fa0/1, 192.168.101.1) -> CATALYST-3550 (vlan901 - 192.168.101.2, fa0/47) -> END HOST
I'm not 100% sure how to do this. I also need to have a third interface on the router (0/1) connected to a switchport that is part of vlan200 for CUCM so the router can function as a voice gw and CUBE. I think this will allow me to do what I need, which is to have the vlans on the 3550 have internet access, as well as use the c3745 as a voice gw, and send SIP traffic out to the internet from the c3745 but through the PIX so the routable IP used. My SIP provider uses an ACL in which to allow SIP traffic, thus my outbound SIP traffic needs to come from 24.xxx.xxx.122. I also need to be able to accept udp/5060 through the PIX to the c3745 and where it needs to go from there. That network by the way is 172.16.0.0/24, thus the reason for a 172.16.0.254 ip address on the c3745 fa0/0 which connects to a switchport on the 3550 in that vlan.
Anyway, here are my s run interfaces for the relevant interfaces:
interface FastEthernet0/48
description 192.168.0.2/24, to PIX-e1
switchport access vlan 900
switchport mode access
This interface is the only one assigned to vlan900, the ip address of the vlan interface is 192.168.0.2, the interface on the PIX, e1 is configured at 192.168.0.1.
-------------------------
CATALYST-3550, int fa0/47:
interface FastEthernet0/47
description 192.168.101.2/24, to c3745 0/1
switchport access vlan 901
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
---------------------------------
c3745, int fa0/1
interface FastEthernet0/1
description 192.168.100.2, to PIX-e2
ip address 192.168.101.1 255.255.255.0
no ip unreachables
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
----------------------------------
c3745, int fa1/0
interface FastEthernet1/0
ip address 192.168.100.2 255.255.255.0
speed 100
full-duplex
--------------------------------
PIX, int e1, inside
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
-------------------------------
PIX, int e2, INSIDE2
interface Ethernet2
description to fa0/1 on c3745
speed 100
duplex full
nameif INSIDE2
security-level 100
ip address 192.168.100.1 255.255.255.0
-----------------------------
Sorry about the long post, but I hope this helps
11-07-2012 11:09 AM
Hey Ronan,
Have you tried a debug arp?
What do you get?
Also what would happen if you use a different port of the PIX to try the same kind of connection?
I understand that you applied a capture, was it an Ether-type capture for ARP?
11-07-2012 11:19 AM
Thanks for the reply, I HAVE tried this exact config with different interfaces on the PIX (there are 9 total lol). Same results. I have not tried a debug arp yet, that is still new to me. Also, I am still new to captures, so I'm going to say that no, it was not an Ether-type capture for ARP. Could you explain how to do this please?
Thanks again.
11-07-2012 11:45 AM
Sure,
For the debug ARP I would recommend you to try it meanwhile trying to ping from one device to the other (PIX to RTR and vice versa).
To disable the debug just issue "und deb arp" or "und all"
Here is the capture you can try:
capture arp ethernet-type arp interface INSIDE2
Please let me know if you can see any packet hitting that interface during the ARP discovery process and if the PIX is actually getting a reply when it sends the "who is" packets.
If you could provide some of those captures output that would be great.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312
11-08-2012 04:53 PM
Upon running arp debug, I can see arp is trying to happen, just not successfully completing. Here is the output:
c3745:
006319: *Jun 28 15:08:44.074 EDT: IP ARP: rcvd req src 192.168.100.1 0005.5d18.4364, dst 192.168.100.2 FastEthernet1/0
006320: *Jun 28 15:08:44.074 EDT: IP ARP: sent rep src 192.168.100.2 0011.bba2.f1c1,
dst 192.168.100.1 0005.5d18.4364 FastEthernet1/0
PIX:
arp-send: arp request built from 192.168.100.1 0005.5d18.4364 for 192.168.100.2 at 260012470
?arp-req: generating request for 192.168.100.2 at interface INSIDE2
arp-req: request for 192.168.100.2 still pending
----------------------------
Not sure what is causing the problem though. Any additional insight would be excellent, thank you all.
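Added example, not part of the thread: a Python script that correlates the "debug arp" lines from both boxes above, per target IP, to show at which hop the exchange breaks (request never reached the router, or router replied but the PIX still reports the request pending). The sample lines are constructed from the output quoted in this post.

```python
import re
from collections import defaultdict

# Constructed from the debug lines quoted above (IOS on the c3745, PIX 525).
IOS_DEBUG = """\
006319: *Jun 28 15:08:44.074 EDT: IP ARP: rcvd req src 192.168.100.1 0005.5d18.4364, dst 192.168.100.2 FastEthernet1/0
006320: *Jun 28 15:08:44.074 EDT: IP ARP: sent rep src 192.168.100.2 0011.bba2.f1c1, dst 192.168.100.1 0005.5d18.4364 FastEthernet1/0
"""
PIX_DEBUG = """\
arp-send: arp request built from 192.168.100.1 0005.5d18.4364 for 192.168.100.2 at 260012470
arp-req: generating request for 192.168.100.2 at interface INSIDE2
arp-req: request for 192.168.100.2 still pending
"""

IOS_RE = re.compile(r"IP ARP: (rcvd|sent) (req|rep) src (\S+) (\S+), dst (\S+)")
PIX_SENT_RE = re.compile(r"arp request built from (\S+) (\S+) for (\S+)")
PIX_PENDING_RE = re.compile(r"request for (\S+) still pending")


def correlate(ios_text, pix_text):
    """Per target IP: did the PIX send a request, did the router see it and reply, is it still pending?"""
    state = defaultdict(lambda: {"pix_sent": False, "rtr_rcvd": False,
                                 "rtr_replied": False, "pix_pending": False, "rtr_mac": None})
    for line in pix_text.splitlines():
        if m := PIX_SENT_RE.search(line):
            state[m.group(3)]["pix_sent"] = True
        if m := PIX_PENDING_RE.search(line):
            state[m.group(1)]["pix_pending"] = True
    for line in ios_text.splitlines():
        m = IOS_RE.search(line)
        if not m:
            continue
        direction, kind, src_ip, src_mac, dst_ip = m.groups()
        if direction == "rcvd" and kind == "req":
            state[dst_ip]["rtr_rcvd"] = True          # the PIX's request arrived at the router
        elif direction == "sent" and kind == "rep":
            state[src_ip]["rtr_replied"] = True       # router answered with its own MAC
            state[src_ip]["rtr_mac"] = src_mac
    return dict(state)


def diagnose(state):
    """Turn the correlated state into one verdict per target IP."""
    out = []
    for ip, s in state.items():
        if s["pix_sent"] and not s["rtr_rcvd"]:
            out.append(f"{ip}: PIX request never reached the router (PIX tx path or cable)")
        elif s["rtr_replied"] and s["pix_pending"]:
            out.append(f"{ip}: router replied with {s['rtr_mac']} but PIX still pending (reply lost on the wire or dropped on PIX rx)")
        elif s["rtr_replied"]:
            out.append(f"{ip}: resolved")
    return out
```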
11-08-2012 08:17 PM
Really weird, it seems the Router is indeed sending its MAC address to the PIX.
For some reason this PIX is not receiving or processing this message.
Have you tried setting up a static ARP entry on the PIX?
Something like:
INSIDE2 192.168.100.2 0011.bba2.f1c1
Also, could you get the capture on the INSIDE2 interface of the PIX to confirm that the PIX is receiving the following packet?
006320: *Jun 28 15:08:44.074 EDT: IP ARP: sent rep src 192.168.100.2 0011.bba2.f1c1, dst 192.168.100.1 0005.5d18.4364 FastEthernet1/0
Also Which OS code are you running on this PIX?