09-24-2013 11:46 AM - last edited on 03-25-2019 03:40 PM by ciscomoderator
Hi guys,
I recently made changes to my network. I can get out to the internet, but when I try google.com I can't browse to it, and I noticed that I also cannot ping the sites I do browse to. I'm figuring it's a return-traffic problem; wondering if anyone can point me in the right direction.
Note we have multiple networks on our L3 switch; because of circumstances I created route maps on the SVIs of the switch so that it routes traffic properly.
The Layer 3 3750 config looks like this (VLAN 100, for example):
ip access-list extended ACL-100-WEB
 permit tcp 192.168.1.64 0.0.0.31 any eq www
 permit tcp 192.168.1.64 0.0.0.31 any eq ftp
ip access-list extended ACL-100-PEERS
 permit ip 192.168.1.64 0.0.0.31 192.168.0.0 0.0.255.255
!
route-map RM-VLAN-100 permit 10
 match ip address ACL-100-WEB
 set ip next-hop 192.168.1.3
! 192.168.1.3 is the inside interface of the ASA
route-map RM-VLAN-100 permit 20
 match ip address ACL-100-PEERS
 set ip next-hop 192.168.1.1
! 192.168.1.1 is the inside interface of the router that links to the remote sites on 192.168.0.0/16
!
! applied to the SVI as described above (interface name assumed)
interface Vlan100
 ip policy route-map RM-VLAN-100
=============================
Note the L3 switch has a default gateway that I'm attempting to bypass, as it's the DG for all the live traffic on this network; sadly I don't have another switch to completely separate everything.
The DG for the switch is 10.1.1.2, which serves the production network 10.1.1.0/24.
I need traffic on 192.168.1.0 to be able to move to 192.168.2.0, for example, among others in that range.
I also need this traffic to reach the internet (which it does, but the return traffic is odd).
============================
Is it return traffic on the ASA or on the switch that I should be looking at?
Any thoughts or suggestions appreciated.
09-24-2013 07:40 PM
I think I'd start with ACL-100-WEB. It clearly says only www and FTP are allowed.
Sent from Cisco Technical Support iPad App
09-26-2013 02:59 AM
You need to allow ICMP any on ACL-100-WEB. I assume it is permit ip for ACL-100-PEERS, so that is OK. Redo your route-map such that your sequence 20 becomes sequence 10, so that ping/tracert between 192.168.x.x will match first and be routed to 192.168.1.1, and the "any" (i.e. ping to the web) will route to your ASA 192.168.1.3. I don't think it is a return-traffic issue, since you can browse the internet. I assume you are using traceroute to check return traffic but see it as odd because ICMP is not in the route-map and is routed to your default gateway.
Hope this helps. Cheers!
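The reply above comes down to two first-match rules: an ACL stops at its first matching line, and a route-map stops at its first sequence whose ACL permits the packet, with everything else falling through to normal routing (here, the switch's 10.1.1.2 default gateway). The following is an added example, not code from the thread: a small Python model of that evaluation, run over constructed sample flows (192.168.1.70 and 192.168.2.10 are made-up hosts, 8.8.8.8 stands in for "the internet"). It shows why pings to the internet hit the default gateway with the posted config, why adding the ICMP line without reordering would send pings for the remote sites to the ASA, and why the reorder is what fixes it. It also surfaces a side effect of the posted order that the reply does not mention: HTTP to a remote 192.168.x.x site matches the web ACL first and goes to the ASA rather than the site router.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread, written with IOS wildcard masks (ipaddress accepts host masks).
VLAN100_HOSTS = "192.168.1.64/0.0.0.31"    # -> 192.168.1.64/27
REMOTE_SITES = "192.168.0.0/0.0.255.255"   # -> 192.168.0.0/16
ANY = "0.0.0.0/0"
ASA = "192.168.1.3"          # inside interface of the ASA
SITE_ROUTER = "192.168.1.1"  # router to the remote 192.168.0.0/16 sites
SWITCH_DG = "10.1.1.2"       # switch default gateway: where unmatched traffic ends up


def permit(proto, src, dst, dst_ports=()):
    """One 'permit' line of an extended ACL; proto 'ip' matches any protocol."""
    return {"proto": proto, "src": ip_network(src), "dst": ip_network(dst),
            "ports": frozenset(dst_ports)}


def acl_permits(acl, pkt):
    """First-match evaluation of an ACL; an implicit deny follows the last entry."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if ip_address(pkt["src"]) not in e["src"] or ip_address(pkt["dst"]) not in e["dst"]:
            continue
        if e["ports"] and pkt["dport"] not in e["ports"]:
            continue
        return True
    return False


def pbr_next_hop(route_map, pkt, default_gw=SWITCH_DG):
    """PBR semantics: the first sequence whose ACL permits the packet sets the next hop;
    a packet no sequence matches is routed normally (here, via the default gateway)."""
    for _seq, acl, next_hop in route_map:
        if acl_permits(acl, pkt):
            return next_hop
    return default_gw


def pkt(src, dst, proto, dport=None):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# The route-map as posted: web ACL first, peers ACL second, no ICMP anywhere.
ACL_WEB_AS_POSTED = [permit("tcp", VLAN100_HOSTS, ANY, (80, 21))]
ACL_PEERS = [permit("ip", VLAN100_HOSTS, REMOTE_SITES)]
RM_AS_POSTED = [(10, ACL_WEB_AS_POSTED, ASA), (20, ACL_PEERS, SITE_ROUTER)]

# ICMP line added but sequence order unchanged: a ping to a remote site now hits the web ACL first.
ACL_WEB_WITH_ICMP = ACL_WEB_AS_POSTED + [permit("icmp", VLAN100_HOSTS, ANY)]
RM_ICMP_ONLY = [(10, ACL_WEB_WITH_ICMP, ASA), (20, ACL_PEERS, SITE_ROUTER)]

# The reply's full fix: peers evaluated first, web/ICMP second.
RM_FIXED = [(10, ACL_PEERS, SITE_ROUTER), (20, ACL_WEB_WITH_ICMP, ASA)]

# Constructed sample flows (hosts and the 8.8.8.8 destination are assumptions, not from the thread).
SAMPLES = {
    "http to internet":     pkt("192.168.1.70", "8.8.8.8", "tcp", 80),
    "ping to internet":     pkt("192.168.1.70", "8.8.8.8", "icmp"),
    "ping to remote site":  pkt("192.168.1.70", "192.168.2.10", "icmp"),
    "http to remote site":  pkt("192.168.1.70", "192.168.2.10", "tcp", 80),
    "ssh to internet":      pkt("192.168.1.70", "8.8.8.8", "tcp", 22),
    "host outside the /27": pkt("192.168.1.100", "8.8.8.8", "tcp", 80),
}


def next_hops(route_map):
    """Map each sample flow to the next hop the given route-map would choose."""
    return {name: pbr_next_hop(route_map, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, rm in (("as posted", RM_AS_POSTED), ("icmp added only", RM_ICMP_ONLY),
                      ("reordered fix", RM_FIXED)):
        print(f"--- {label} ---")
        for name, hop in next_hops(rm).items():
            print(f"{name:22} -> {hop}")
```

Two caveats the model does not cover. Anything the /27 sends that matches no sequence (SSH to the internet, for instance) is still routed normally through 10.1.1.2, so the web ACL needs every protocol you expect to leave via the ASA, not just www, ftp and icmp. And the model only picks a next hop on the switch; as a general ASA behaviour unrelated to this thread, echo replies coming back through the ASA are dropped unless ICMP inspection (or an inbound ACL) allows them, which is the next place to look if pings still fail after the route-map fix.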