Sure thing

we have a virtual cluster

and currently a single esx host connected to a

physical cisco switch then from the switch to the firewall.

the firewall has 3 interfaces for 3 different networks

10.0.20.0/24, 10.0.30.0/24 and 10.0.40.0/24

which are going to simulate INT, EXT, and DMZ

the switch has the routing disabled and configured

on trunk port from the vm environment and the 3 ports

with the different vlan for the 3 different networks.

either I can ping everything with ICMP being permitted

or I can't ping anything with it being blocked.

vlan's have an ip of .1 firewall interfaces have an ip of .2

and each test system has an ip of .3. I am trying to get a basic

firewall config to allow all outbound from INT to pass and DMZ to gout but not in

and nothing to come in from EXT. Also can anyone explain to me why a switch needs a default gateway when ip routing is disabled?

Eduardo,

ip default-gateway is used to manage switch, it's not there for routing of packets.

Can you attach "show run" from ASA and enable logging on informational level to buffer, do the test and extract "show logg" output?

----------

logg on

logg buffered info

logg buffer-size 1000000

----------

If the output of "show logg" is too big you can tailor it by doing "show logg | i IP_ADDR"

Marcin

ok

I'll work on getting you the config and the buffer/log info

And what do you mean its for managing switch.

because i am being told that it directing traffic

on the gateway

Hello,

Regular packets from a host going to the internet are not going to be routed using that default gateway. That default gateway will be used if you are doing telnet to the switch from a subnet that is not the same as the switch is located, the telnet replies to the default gateway address.

Will be waiting for the config and the logs.

Cheers

Mike