VLAN inter communication - almost there!

I have been working on this for a few days. I'm almost there!

I want my Management VLAN to be able to ping computers in the DMZ VLAN. I'm not sure if it's a NAT issue or an ACL issue.

Specifically, I'm pinging from 192.168.0.5 (management comp) to 10.10.10.5 (DMZ comp).

Packet tracer shows no errors and says it should be working.

I pick up a weird error in the log that says: Routing failed to locate next hop for ICMP from Management:192.168.0.5/256 to inside:10.10.10.5/0

Why is it saying the 10.10.10.5 is on the inside, when it's on the DMZ?

name 10.10.10.0 DMZ description Public Computers
name 192.168.10.0 Inside description CPL Staff Network
name 192.168.0.0 Management description Cisco equipment Access only
name 192.168.1.0 default description Not in use
name 192.168.10.2 CPLServer description win3k server
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport trunk allowed vlan 11-13
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 11
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 switchport access vlan 13
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 shutdown
 nameif default
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan11
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan12
 description DMZ
 nameif DMZ
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan13
 description Management
 nameif Management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name CPL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj-10.0.1.0
object-group network obj-10.0.2.0
access-list DMZtoInside extended permit ip host DMZ host CPLServer
access-list InsidetoDMZ extended permit ip Inside 255.255.255.0 host DMZ
access-list ManagementtoDMZ extended permit ip Management 255.255.255.0 DMZ 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging buffered debugging
logging asdm debugging
mtu default 1500
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
icmp permit any Management
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (inside) 1 interface
global (DMZ) 1 interface
global (Management) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Management) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (inside,DMZ) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Management 255.255.255.240 Management
http Management 255.255.255.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Accepted Solution

Jouni Forss, VIP Alumni

Hi,

I think the problem most likely is the NAT configuration.

Is there a specific reason you are using Dynamic PAT from one interface to another ("nat" and "global" between local interfaces)? If this is not required I would suggest a different type of configuration for the whole NAT if you want to try it out. This would involve removing some of the existing configurations and will naturally affect the network operation while you do it.

Removing old ones

no global (inside) 1 interface
no global (DMZ) 1 interface
no global (Management) 1 interface
no static (inside,Management) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
no static (inside,DMZ) 0.0.0.0 0.0.0.0 netmask 0.0.0.0

Adding new configurations

Existing ones

!global (outside) 1 interface
!nat (inside) 1 0.0.0.0 0.0.0.0

access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list INSIDE-NAT0 permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0

access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list DMZ-NAT0 permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (DMZ) 0 access-list DMZ-NAT0

access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list MANAGEMENT-NAT0 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (Management) 0 access-list MANAGEMENT-NAT0

And naturally attach ACLs to interfaces to control traffic if needed.

Hope this helps

- Jouni

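Added here as an example, not code from the thread or from Cisco: a small Python check over the nat 0 exemption lines in the answer above. It parses the ACLs and their nat (iface) 0 bindings, then verifies that every source network is on the interface it is bound to and that each exemption has its mirror on the peer interface, since a one-way exemption leaves the return direction without a matching rule. The interface subnets are taken from the poster's VLAN interface addresses; the ACL text is constructed from the answer.

```python
import ipaddress, re

# Constructed input: the nat 0 exemption lines from the answer above; interface
# subnets come from the poster's "interface VlanN ... ip address" lines.
IFACE_SUBNETS = {
    "inside": ipaddress.ip_network("192.168.10.0/24"),
    "DMZ": ipaddress.ip_network("10.10.10.0/24"),
    "Management": ipaddress.ip_network("192.168.0.0/24"),
}
NAT0_CONFIG = """
access-list INSIDE-NAT0 permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
access-list DMZ-NAT0 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list DMZ-NAT0 permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (DMZ) 0 access-list DMZ-NAT0
access-list MANAGEMENT-NAT0 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list MANAGEMENT-NAT0 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (Management) 0 access-list MANAGEMENT-NAT0
"""
ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def parse_nat0(config):
    """Map each interface bound by 'nat (iface) 0 access-list' to its (src, dst) network pairs."""
    aces, bound = {}, {}
    for line in config.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:  # "network mask" pairs become ip_network objects; remark lines are skipped
            name, s, sm, d, dm = m.groups()
            aces.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        m = NAT0_RE.match(line.strip())
        if m:  # resolved after the loop, so ACL and nat lines may appear in any order
            bound[m.group(1)] = m.group(2)
    return {iface: set(aces.get(name, [])) for iface, name in bound.items()}

def check_exemptions(exempt, iface_subnets):
    """Flag ACEs whose source is not on the bound interface, or whose reverse is missing."""
    problems = []
    for iface, pairs in exempt.items():
        for src, dst in sorted(pairs):
            if not src.subnet_of(iface_subnets[iface]):
                problems.append(f"{iface}: source {src} is not on that interface")
            owner = next((i for i, n in iface_subnets.items() if dst.subnet_of(n)), None)
            if owner is None:
                problems.append(f"{iface}: destination {dst} is not a local network")
            elif (dst, src) not in exempt.get(owner, set()):  # return path has no exemption
                problems.append(f"{owner}: missing reverse exemption {dst} -> {src}")
    return problems
```

Running `check_exemptions(parse_nat0(NAT0_CONFIG), IFACE_SUBNETS)` returns an empty list for the answer's three ACLs; dropping any one ACE reports which interface lost its reverse exemption.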

Also,

I notice that your original NAT configuration has no "nat" statement for your DMZ and Management interfaces to be able to access the "outside" and networks behind it.

Whether this is the intention I don't know.

For those, the NAT configurations needed would naturally be:

nat (DMZ) 1 10.10.10.0 255.255.255.0
nat (Management) 1 192.168.0.0 255.255.255.0

- Jouni

Wow. Absolutely fixed what I was doing, and showed me another way to approach the problem! Thanks!
