Diff segment

ney25
Level 2

Hi NetPro,

Currently, I am in VLAN 30 (10.30.30.x) and my server farm is segment 200 (10.200.200.x), and from segment 200 I am running a DHCP pool, which is 10.210.210.x.

I have no problem pinging and accessing from segment 30 to segment 200. I did the routing from segment 210 and it was able to access and ping segment 30, and I did the same thing in segment 30. But it wasn't allowing me to access and ping from segment 30 to segment 210, which is a one-way ticket from segment 210 to segment 30.

So, how do I make it two-way access and ping?

Thank you in advance,

Regards,

Jack

10 Replies

Kevin Dorrell
Level 10

Do I understand right: you can ping from 210 to 30, but not from 30 to 210?

It cannot be a routing problem, because a successful ping (210 to 30) requires correct routing in both directions.

Is there perhaps a firewall or access-lists between 210 and 30?

Kevin Dorrell

Luxembourg

Hi Kevin,

Yes, you are right. I am able to ping from 210 to 30, but can't from 30 to 210.

But I already checked the access-list. It looks like nothing is being blocked.

P/S: segment 210 is a pool from segment 200.

Here are the standard and extended access-lists, as below:

-------------------------------------------
Standard IP access list STD_ACL_200
10 permit 10.200.200.10
20 permit 10.200.200.11 (15806 matches)
30 permit 10.200.200.14 (358 matches)
40 permit 10.200.200.12
50 permit 10.200.200.13
Extended IP access list 146
10 permit ip any host 10.200.200.10
20 permit ip any host 10.200.200.11 (3260 matches)
30 permit ip any host 10.200.200.12
40 permit ip any host 10.200.200.13
50 permit ip any host 10.200.200.14
60 permit ip host 10.200.200.10 any
70 permit ip host 10.200.200.11 any (3058 matches)
80 permit ip host 10.200.200.12 any
90 permit ip host 10.200.200.13 any
100 permit ip host 10.200.200.14 any
110 deny ip any any
-----------------------------------------------------

So, any idea?

Regards,

Jack

I don't see the 210 addresses anywhere in your access lists?

Kevin Dorrell

Luxembourg

Hi Kevin,

Because 210 was pooled from the 200 segment. Actually, 210 is the client and 200 is the DHCP server (non-Cisco). Now, I am able to ping and access from 210 to 30, but can't get from 30 to 210.

Thank you in advance,

Regards,

Jack

The 210 address may be in the 200 segment, and may have come from a DHCP server on the 200 subnet, but you still need the 210 address in the access list if you want to ping the 210 address. The access list refers to addresses, not to which segment they reside on. As the address comes from a DHCP, you don't know the actual address, so you will have to add it as a subnet with wildcard bits.

Is there something I am not understanding correctly?

Kevin Dorrell

Luxembourg.
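To make Kevin's point concrete, here is an added example (not from the thread, and not Cisco code) that models how IOS evaluates the extended access list 146 posted above: entries are checked in order and the first match wins, "host" is an exact match, "any" and a wildcard mask cover a range, and a packet that matches nothing hits the deny. With 146 as posted, a packet from 10.30.30.16 to 10.210.210.1 matches only the final "deny ip any any"; the "fixed" list adds the 10.210.210.0/24 pool with wildcard bits, as Kevin suggests. The test addresses come from later in the thread; sequence numbers and match counters are omitted.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # "any" is 0.0.0.0 with an all-ones wildcard

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask semantics: a 1 bit means 'do not care' about that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse '[seq] permit|deny <proto> <src> <dst>'; address = any | host A | A W."""
    tok = line.split()
    if tok[0].isdigit():          # tolerate the sequence numbers of 'show access-lists'
        tok = tok[1:]
    action, proto, rest = tok[0], tok[1], tok[2:]
    def take_addr():
        if rest[0] == "any":
            rest.pop(0)
            return ANY
        if rest[0] == "host":
            rest.pop(0)
            return (rest.pop(0), "0.0.0.0")
        return (rest.pop(0), rest.pop(0))
    return action, proto, take_addr(), take_addr()

def evaluate(acl, src, dst, proto="icmp"):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        action, ace_proto, (sb, sw), (db, dw) = parse_ace(line)
        if ace_proto in ("ip", proto) and wildcard_match(src, sb, sw) \
                and wildcard_match(dst, db, dw):
            return action
    return "deny"

def reachable_both_ways(acl, a, b):
    """An ACL is stateless: the echo request and the reply are filtered separately."""
    return evaluate(acl, a, b) == "permit" and evaluate(acl, b, a) == "permit"

# Access list 146 as posted in the thread (sequence numbers and counters omitted).
SERVERS = ["10.200.200.%d" % n for n in (10, 11, 12, 13, 14)]
ACL_146 = (["permit ip any host " + s for s in SERVERS]
           + ["permit ip host " + s + " any" for s in SERVERS]
           + ["deny ip any any"])

# Kevin's advice applied: the DHCP pool added with wildcard bits, before the explicit deny.
ACL_146_FIXED = ACL_146[:-1] + [
    "permit ip 10.30.30.0 0.0.0.255 10.210.210.0 0.0.0.255",
    "permit ip 10.210.210.0 0.0.0.255 10.30.30.0 0.0.0.255",
] + ACL_146[-1:]
```

Note that a permit entry inserted after sequence 110 would never be reached, because the explicit "deny ip any any" already matches everything.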

Hi Kevin,

I really appreciate your info and advice. But I don't understand: how come I didn't add the 210 subnet into the access-list, and yet I can access the shared folder and ping from 210 to the 30 subnet?

Thank you in advance,

Regards,

Jack

Jack,

Which access list do you have on which segment, and are they input or output? (By default the ACL controls outgoing packets only.) I'm a bit puzzled because your access list 146 shows matches both to and from 10.200.200.11. That means access-list 146 must be installed in two places. That's fine, because the access-list itself controls traffic in both directions. But which interface is it on, the 200 or the 30, or both?

The share folder that you can access - is it on the 210 network then? If it is on one of the 200 servers, then the ACLs will allow it.

Kevin Dorrell

Luxembourg

Hi Kevin, thanks for the reply.

I want segments 10.200.200.x and 10.30.30.x to be able to interact. Currently I am only able to go from VLAN 210 (10.210.210.x) to VLAN 30 (10.30.30.x). Actually, I want both, which is 10.210.210.x to 10.30.30.x and from 10.30.30.x to 10.210.210.x.

P/S: 210 is pooled by VLAN 200, and VLAN 200 is one of the DHCP servers. It pools from 10.210.210.1 --> 10.210.210.254.

Now, from 10.210.210.1 I can ping and access the shared folder on 10.30.30.16, but I fail from 10.30.30.16 to 10.210.210.1.

Thank you in advance,

Regards,

Jack

OK Jack, but which segments are your access lists on, and are they configured as input filters or output?

Kevin

Hi Kevin, happy to hear from you.

On segment 200 it is "ip access-group FE_VLAN200 in".

ip access-list extended FE_VLAN200
permit esp any any
permit ip 10.200.200.0 0.0.0.255 any
permit ip 10.210.210.0 0.0.0.255 any
permit ip 10.30.30.0 0.0.0.255 any
deny ip any any log

But VLAN 30 is pooled by DHCP.

Regards,

Jack