Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
346
Views
0
Helpful
2
Replies

Can browse internet but no ping replies

willy moronta
Level 1
Level 1

‎09-24-2013 11:46 AM - last edited on ‎03-25-2019 03:40 PM by Community Manager

Hi guys,

I recently made changes to my network and I can get out to the internet but when I try google.com I can't browse to it, and I noticed that I also can not ping the sites I do browse to, I'm figuring its a return traffic problem wondering if anyone can point me in the right direction.

Note we have multiple networks on our L3 switch, because of circumstances I created route maps on the SVI of the switch so that it routes traffic properly.

Layer 3 3750 config looks like this:

so vlan 100 for example has

ip acces-list extended ACL-100-WEB

permit 192.168.1.64 0.0.0.31 any eq www ftp

ip acces-list extended ACL-100-PEERS

permit 192.168.1.64 0.0.0.31 192.168.0.0 0.0.255.255

route-map RM-VLAN-100 sequence 10

match ip address ACL-100-WEB

set ip next-hop 192.168.1.3  (inside interface of the ASA)

route-map RM-VLAN-100 sequence 20

match ip addres ACL-100-PEERS

set ip next-hop 192.168.1.1 (inside interface of router that links to other remote sites that use network 192.168.0.0/16

=============================

Note the L3 has a default gateway that I'm attempting to bypass as its the DG for all the live traffic on this network- sadly I dont have another switch to completely separate everything.

the DG for the switch is 10.1.1.2  which services the production network 10.1.1.0/24

I need traffic on 192.168.1.0 to be able to move to 192.168.2.0 for example among others on that range

I also need this traffic to reach the internet (which it does but the return traffic is odd)

============================

Is it return traffic on the ASA or on the switch that I should be looking at?

Any thoughts or suggestions appreciated.

Labels:
0 Helpful
2 Replies 2

Jeff Van Houten
Level 5
Level 5

‎09-24-2013 07:40 PM

I think I'd start with acl-100-web. It clearly says only www and FTP art allowed.

Sent from Cisco Technical Support iPad App

0 Helpful

ramon.yu.jr
Level 1
Level 1

‎09-26-2013 02:59 AM

you need to allow icmp any on acl-100-web.  i assume it is permit ip for acl-100-peers so that is ok.  re-do your route-map such that your sequence 20 now will become sequence 10.  so that for ping/tracert between 192.168.x.x will match first and  routed to 192.168.1.1 and for the "any" (ie. ping to web) will route to your ASA 192.168.1.3.  i dont think it is return traffic issue since you can browse the internet.  i assume you are using traceroute to check return traffic but see it odd because icmp is not in route-map and routed to your default gateway.

hope this helps. cheers!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card