08-23-2011 09:49 AM - edited 03-04-2019 01:22 PM
Hi,
I have a pinging problem. I have this cfg.
Webservice PC --> 6506 switch ---> cisco1 3750 --> cisco2 3750 ---> PC1
Here are the cfgs for each device; I removed some of the extra stuff.
Cfg on cisco 6506 Sup720
Router#sho run
Building configuration...
Current configuration : 13415 bytes
!
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service counters max age 5
!
hostname Router
!
boot-start-marker
boot system disk0:s72033-adventerprisek9_wan-mz.122-33.SXH8.bin
boot-end-marker
!
no aaa new-model
firewall module 1 vlan-group 1,
firewall vlan-group 1 20,40,99-102,105,106,110,112,114-117,122,200,220,240
firewall vlan-group 1 260,280,900
call-home
alert-group configuration
alert-group diagnostic
alert-group environment
alert-group inventory
alert-group syslog
ip subnet-zero
!
!
!
ipv6 mfib hardware-switching replication-mode ingress
vtp domain casta
vtp mode transparent
no mls acl tcam share-global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls cef error action freeze
!
redundancy
keepalive-enable
mode sso
main-cpu
auto-sync running-config
spanning-tree mode pvst
spanning-tree extend system-id
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric timer 15
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
interface GigabitEthernet2/1
switchport
switchport access vlan 100
interface GigabitEthernet4/48
switchport
switchport access vlan 20
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address 10.94.8.3 255.255.255.0
!
ip classless
!
no ip http server
no ip http secure-server
!
control-plane
!
dial-peer cor custom
!
end
FWSM cfg on 6506
FWSM# sho run
: Saved
:
FWSM Version 4.1(3)
!
hostname FWSM
names
dns-guard
interface Vlan20
nameif outside_intf
security-level 1
ip address 192.10.10.2 255.255.255.0
interface Vlan100
nameif ssr_intf
security-level 85
ip address 10.94.8.2 255.255.255.0
!
ftp mode passive
access-list ssr_acc extended permit icmp any any
access-list outside_acc extended permit icmp any any
access-list outside_acc extended permit tcp 192.4.3.0 255.255.255.0 host 192.4.3.198 eq www
access-list acl_8_72_its extended permit ip host 10.94.8.72 10.17.18.0 255.255.255.0
mtu outside_agencies_intf 1500
no failover
icmp permit any outside_intf
icmp permit any ssr_intf
no asdm history enable
arp timeout 14400
nat-control
static (ssr_intf,outside_intf) 192.4.3.198 access-list acl_8_72_its
access-group outside_acc in interface outside_intf
access-group ssr_acc in interface ssr_intf
route outside_intf 10.17.18.0 255.255.255.0 192.10.10.1 1
route outside_intf 192.4.3.0 255.255.255.0 192.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout pptp-gre 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service reset no-connection
no service reset connection marked-for-deletion
telnet timeout 25
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a59e4642acbb0f6088718f17589debcf
: end
Cisco1 3750 cfg
Current configuration : 2674 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Switch3750
!
enable secret 5 $1$DRPb$BBo.k0ObFuw/g//mkiIvo0
enable password 7 1307121B1F1F557C
!
no aaa new-model
switch 1 provision ws-c3750g-12s
system mtu routing 1500
vtp mode transparent
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20
name outside
!
vlan 110
name its
!
interface GigabitEthernet1/0/5
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 110
!
interface Vlan20
ip address 192.10.10.1 255.255.255.0
!
interface Vlan110
ip address 192.4.3.2 255.255.255.0
!
ip classless
ip route 10.17.18.0 255.255.255.0 192.4.3.1
ip route 192.4.3.198 255.255.255.255 192.10.10.2
ip http server
!
!
control-plane
!
line con 0
!
end
Cisco2 3750 cfg
All I know is the port connected to Cisco1 3750 is 192.4.3.1. We do not manage this switch.
I cannot ping 192.4.3.1 on Cisco2 from the FWSM on the 6506. I can ping 192.4.3.2 on Cisco1. I can
ping 192.10.10.2 on the 6506 and 192.4.3.1 on the Cisco2 from Cisco1. I'm not sure why I can ping from
Cisco1 to Cisco2 but not from the 6506 to Cisco2.
Also I can ping 192.4.3.2 on Cisco1 from the 6506.
Can anyone see anything wrong with my configuration? Is the ping being blocked by the fwsm?
It's been a while since I've done this, plus I wasn't that great to begin with, so any help would be appreciated.
It's probably something easy I forgot to do or something, but I can't seem to figure it out.
And another side note. I can see the hitcnt for the
access-list outside_agencies_acc line 17 extended permit tcp 192.3.3.0 255.255.255.0 host 192.3.3.198 eq www
going up but they say that PC1 is not getting the data. I'm not sure if the data is not getting back to them.
I hooked up another switch to simulate PC1 and Cisco2 and I was able to access the webservice PC and get the data, but
I still wasn't able to ping 192.4.3.1. I hope this didn't add to the confusion. If I can figure out the ping problem this
might solve this other problem. One step at a time.
TIA
Mike
08-23-2011 10:43 AM
Hi Mike,
I am not familiar with FWSM config, but I do not see a default route on the 6506 or the FWSM.
On the 6506 need a default route:
ip route 0.0.0.0 0.0.0.0 10.94.8.2 (the FWSM interface)
on the FWSM you need a default route
route outside 0.0.0.0 0.0.0.0 192.10.10.1 (37501 interface)
and test again
HTH
08-23-2011 12:41 PM
Our FWSM already has a default ip route to some other network. It's hard to figure out exactly what's going on when you don't have the configuration of the other Cisco2 3750 switch. If you look below, I hooked up a 3550 Cisco switch to emulate the Cisco2 3750. But I can't seem to get that configured correctly either.
08-23-2011 11:13 AM
Mike
I may be missing them but could you provide IPs of the webserver and the PC ?
Jon
08-23-2011 12:09 PM
The Webserver PC is 10.94.8.72, which is nat'd to 192.4.3.198. The PC1 IP address is 10.17.18.103, but I ASSUME it is somehow routed to 192.4.3.1. I have set up my own test lab right now and I hooked up a Cisco 3550 where I configured the port.
vlan 110
name its
!
interface FastEthernet0/1
switchport access vlan 110
switchport mode access
no ip address
!
interface FastEthernet0/5
switchport access vlan 100
switchport mode access
no ip address
!
interface Vlan100
ip address 10.17.18.1 255.255.255.0
!
interface Vlan110
ip address 192.4.3.1 255.255.255.0
!
ip classless
ip route 10.17.18.103 255.255.255.255 192.4.3.2
I have no default route which might be the problem.
What I did find out is that with the config I did for the 3550, the PC can't ping the default gateway (10.17.18.1) when I connect the 3550 to the 3750 switch. If I unplug the 3750 from the 3550, I can ping the gateway from the PC. I figure that in routing the traffic from 10.17.18.103 to 192.4.3.2 the path gets lost somewhere.
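An added example, not part of the thread and not output from any of the devices: a small longest-prefix-match model built from the routing tables posted above (the FWSM routes, the Cisco1 3750 routes, and the 3550 standing in for Cisco2, which has no default route). It walks each ping from the thread forward and then walks the echo reply back, which is the check worth doing whenever a ping works from one hop but not the next. It assumes the ping is sourced from the egress interface address (the default on IOS and the FWSM), and it knows nothing about the real Cisco2, whose table is not posted; the `add_route` call at the end tries the default-route suggestion from the first reply.

```python
import ipaddress

# Routing tables transcribed from the configs posted in this thread.
# Entry: (prefix, next hop or None for a connected network, egress interface).
# Connected prefixes come from the "interface Vlan..." addresses, the rest from
# the "ip route" / "route" lines. "Cisco2" is the 3550 stand-in posted above,
# which has no default route; the real Cisco2's table is not known here.
TABLES = {
    "FWSM": [
        ("192.10.10.0/24", None, "outside_intf"),
        ("10.94.8.0/24", None, "ssr_intf"),
        ("10.17.18.0/24", "192.10.10.1", "outside_intf"),
        ("192.4.3.0/24", "192.10.10.1", "outside_intf"),
    ],
    "Cisco1": [
        ("192.10.10.0/24", None, "Vlan20"),
        ("192.4.3.0/24", None, "Vlan110"),
        ("10.17.18.0/24", "192.4.3.1", "Vlan110"),
        ("192.4.3.198/32", "192.10.10.2", "Vlan20"),
    ],
    "Cisco2": [
        ("10.17.18.0/24", None, "Vlan100"),
        ("192.4.3.0/24", None, "Vlan110"),
        ("10.17.18.103/32", "192.4.3.2", "Vlan110"),
    ],
}

# Which device owns each interface address (from the same configs).
OWNER = {
    "192.10.10.2": "FWSM", "10.94.8.2": "FWSM",
    "192.10.10.1": "Cisco1", "192.4.3.2": "Cisco1",
    "192.4.3.1": "Cisco2", "10.17.18.1": "Cisco2",
}

def add_route(device, prefix, next_hop, iface):
    """Add a static route to the model (used below to try a default route)."""
    TABLES[device].append((prefix, next_hop, iface))

def lookup(device, dst):
    """Longest-prefix match; returns (network, next_hop, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in TABLES[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best

def trace(start, dst):
    """Forward a packet hop by hop from device `start` toward dst.
    Returns (path, reason): the devices crossed, and 'delivered' or why it
    was dropped. A connected route delivers straight to the owner of dst."""
    dev, path = start, [start]
    for _ in range(8):
        if OWNER.get(dst) == dev:
            return path, "delivered"
        route = lookup(dev, dst)
        if route is None:
            return path, f"{dev} has no route to {dst}"
        _, next_hop, _ = route
        nxt = OWNER.get(dst if next_hop is None else next_hop)
        if nxt is None:
            return path, f"{dev} cannot resolve next hop for {dst}"
        dev = nxt
        path.append(dev)
    return path, "hop limit exceeded"

def ping(src_dev, src_ip, dst_ip):
    """Echo request from src_dev (sourced from src_ip, normally the egress
    interface address) to dst_ip, then the echo reply back to src_ip."""
    fwd, why = trace(src_dev, dst_ip)
    if why != "delivered":
        return False, "request: " + why
    _, why = trace(fwd[-1], src_ip)
    if why != "delivered":
        return False, "reply: " + why
    return True, "reply received"

if __name__ == "__main__":
    for dev, src, dst in [("FWSM", "192.10.10.2", "192.4.3.2"),
                          ("Cisco1", "192.4.3.2", "192.4.3.1"),
                          ("FWSM", "192.10.10.2", "192.4.3.1")]:
        print(f"{dev} -> {dst}: {ping(dev, src, dst)}")
    # What the first reply suggested: give the far switch a route back.
    add_route("Cisco2", "0.0.0.0/0", "192.4.3.2", "Vlan110")
    print("after default route on Cisco2:", ping("FWSM", "192.10.10.2", "192.4.3.1"))
```

With the tables as posted, the request from the FWSM reaches 192.4.3.1 via Cisco1, but the 3550 has no route for 192.10.10.0/24, so the reply is dropped; the same ping from Cisco1 succeeds because 192.4.3.2 is on a connected network. That is the asymmetry described in the thread, reproduced from the posted configs only.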
08-23-2011 01:35 PM
Mike
The web server is only natted to 192.4.3.198 when the destination subnet is 10.18.19.0
access-list acl_8_72_its extended permit ip host 10.94.8.72 10.18.19.0 255.255.255.0
but you said the PC is 10.17.18.103 ???
Jon
08-23-2011 02:14 PM
Sorry about that. I usually double check my IP addresses because they're important. All subnets are 192.10.10.xxx, 10.17.18.xxx, 192.4.3.xxx and 10.94.8.xxx.
Oh, and on the 3550 switch I removed the ip route 10.17.18.103 255.255.255.255 192.4.3.2 because I realized that I'm trying to access 192.4.3.198 and I don't need to route it. I got confused with routing the IP of the PC instead of the subnet traffic the PC is trying to access.
I also added
access-list outside_acc extended permit tcp 10.17.18.103 255.255.255.255 host 192.4.3.198 eq www
to the FWSM and my test network works.
I've done more testing and I really just need to know why I can't ping from the FWSM to any of the switches connected to the Cisco1 3750 switch. I can ping most devices connected to the Cisco1 3750 from the Cisco1 3750, but I can't ping any of them from the FWSM. My problem seems to be between the FWSM and how traffic gets to the next hop. I can ping 192.4.3.2 on Cisco1 but not 192.4.3.1 on Cisco2. But I can ping 192.4.3.1 on Cisco2 from Cisco1.
Any help would be appreciated. Maybe a thought or something to test.
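An added example, not from the thread and not FWSM code: a simplified model of the FWSM's outside-to-inside path for the web traffic discussed above, built only from the posted config (the outside_acc ACL, the policy static for 192.4.3.198, and nat-control). It checks the interface ACL against the mapped address first and then reverses the policy static, which is the order this model assumes; a flow that passes the ACL but matches no translation is dropped under nat-control. It shows both points raised in the thread: the original outside_acc only permits web traffic sourced from 192.4.3.0/24, so the 10.17.18.103 client needed the extra ACL line, and the static only translates for the 10.17.18.0/24 peer subnet, as Jon noted. The 192.4.3.50 client is a constructed address used only to show the nat-control case.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Access-control entries transcribed from the FWSM config posted in this thread.
# Entry: (protocol, source network, destination network, destination port).
# "ip" matches any protocol; None matches any port.
OUTSIDE_ACC = [
    ("icmp", "0.0.0.0/0", "0.0.0.0/0", None),
    ("tcp", "192.4.3.0/24", "192.4.3.198/32", 80),   # eq www
]
# The entry the poster added to make the test network work.
ADDED_ACE = ("tcp", "10.17.18.103/32", "192.4.3.198/32", 80)

# Policy static from the posted config:
#   static (ssr_intf,outside_intf) 192.4.3.198 access-list acl_8_72_its
#   access-list acl_8_72_its extended permit ip host 10.94.8.72 10.17.18.0 255.255.255.0
POLICY_STATIC = {
    "real": "10.94.8.72",      # address on ssr_intf
    "mapped": "192.4.3.198",   # address presented on outside_intf
    "peer": "10.17.18.0/24",   # translation applies only to/from this subnet
}

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def acl_permits(acl, flow):
    """First-match evaluation; an extended ACL ends in an implicit deny."""
    for proto, src, dst, dport in acl:
        if proto not in ("ip", flow.proto):
            continue
        if not (_in(flow.src, src) and _in(flow.dst, dst)):
            continue
        if dport is not None and dport != flow.dport:
            continue
        return True
    return False

def untranslate(flow):
    """Reverse the policy static for an outside->inside flow. Returns the flow
    with the real destination, or None when the static does not apply."""
    if flow.dst == POLICY_STATIC["mapped"] and _in(flow.src, POLICY_STATIC["peer"]):
        return flow._replace(dst=POLICY_STATIC["real"])
    return None

def inbound(flow, acl=OUTSIDE_ACC):
    """Outside->inside decision as modelled here: interface ACL on the mapped
    address, then reverse translation; nat-control drops untranslated flows."""
    if not acl_permits(acl, flow):
        return "drop", "denied by outside_acc (implicit deny)"
    real = untranslate(flow)
    if real is None:
        return "drop", f"no translation for {flow.dst} from {flow.src} (nat-control)"
    return "forward", real

if __name__ == "__main__":
    pc1 = Flow("10.17.18.103", "192.4.3.198", "tcp", 80)
    print("PC1, original ACL:", inbound(pc1))
    print("PC1, ACL with added line:", inbound(pc1, OUTSIDE_ACC + [ADDED_ACE]))
    # Constructed client on the 192.4.3.0/24 subnet: permitted by the ACL but
    # outside the static's peer subnet, so it has no translation.
    print("192.4.3.50 client:", inbound(Flow("192.4.3.50", "192.4.3.198", "tcp", 80)))
```

The ACL and the policy static each have their own matching scope, and a flow needs both to line up; keeping them in one place, as this model does, makes it easy to see which of the two is rejecting a client before touching the live firewall.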