interface connectivity issue on 887VAM

Jobin Varghese
Level 1

I have configured an 887VAM, but the devices on the FastEthernet port (10.100.100.2) cannot be reached from the router. The following is my configuration snapshot:

Building configuration...

Current configuration : 4033 bytes
!
! Last configuration change at 21:08:41 UTC Sat Jul 11 2015 by netadmin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname %%%%
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-243562899
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-243562899
 revocation-check none
 rsakeypair TP-self-signed-243562899
!
!
crypto pki certificate chain TP-self-signed-243562899
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32343335 36323839 39301E17 0D313330 37303830 35353932
  355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3234 33353632
  38393930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B9ADE65D 965105AC B6E02B88 971F3460 0E626788 E0F261F6 1D73ED35 64D61630
  120B0C30 CDFEC197 AF281398 0EFDCB5B 37EDBA39 2A6D4CAB 6380C12C C9C0CD58
  DFF94AE4 36F9F88E D32353BF DE481510 E2847FBC 615AEC4A 829A5E13 ED209A25
  B4A5EC06 0A50B6FA BF86D8AD 6C42B104 84ED90E7 FA47DACB 8DBD423C D1F5EBF1
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 168014D7 885E8D60 BFEAC958 2DCAE5F9 7A3D1941 6F345830 1D060355
  1D0E0416 0414D788 5E8D60BF EAC9582D CAE5F97A 3D19416F 3458300D 06092A86
  4886F70D 01010505 00038181 0088B3CE 05502861 E3C796A2 DD0D8C7E 579AA34A
  4D01B554 586376B0 DFF254DB AD4F29AC 6E4F7C69 B868D995 58FE0959 0D085D25
  64D9A275 E76CE364 FE09BE3D 53538F97 6D14D231 148F0DED 3C240FAE 3265AE32
  076F8091 974D0939 893C9CC0 1C86F513 1A924BDF D259EE04 66DCFDBA 7829E09A
  3DB592ED 9FCAE29E 9988726D 0B
        quit
ip cef
!
!
!
!
!
!
ip name-server %%%
ip name-server %%%
ip name-server %%%
ip name-server %%%
no ipv6 cef
!
!
license udi pid C887VA-W-E-K9 sn FCZ1728909C
!
!
username %%% privilege 15 secret 4 %%%
username %%% privilege 15 secret 4 %%%
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0
 no ip address
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 no ip address
!
interface Vlan1
 description LAN
 ip address 10.100.100.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname %%%
 ppp chap password 0 %%%
 ppp pap sent-username %%% password 0 %%%
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 110 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 110 permit ip 10.100.100.0 0.0.0.7 any
no cdp run
!
!
!
line con 0
 logging synchronous
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

10 Replies

Peter Paluch
Cisco Employee

Hi Jobin,

I understand that you cannot ping 10.100.100.2 from 10.100.100.1. How about the other way around: Is it possible to ping 10.100.100.1 from 10.100.100.2? If yes then you should check the firewall configuration on 10.100.100.2 - most operating systems nowadays like to tighten down the network communication.

If neither 10.100.100.1 nor 10.100.100.2 can ping each other (with the ping initiated from both sides) then I suggest verifying the physical layer first. Are the FastEthernet ports reported as "Status up, Protocol up" in show ip interface brief? Are the port LEDs lit? Do the computers report any connectivity on their NICs? If you enable CDP on your router and start Wireshark on your attached computers, can you see CDP packets coming in every 60 seconds?

Best regards,
Peter

Hi Peter,

10.100.100.2 is a UTM device. There is no ping result either from there or from the router. All LEDs are lit up.

*Jul 12 10:33:42.253: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Jul 12 10:33:45.265: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up

#sh ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  up                    up  
Dialer1                    cc.ccc.cc.ccc   YES IPCP   up                    up  
Ethernet0                  unassigned      YES NVRAM  down                  down
FastEthernet0              unassigned      YES unset  up                    up  
FastEthernet1              unassigned      YES unset  up                    up  
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  up                    down
NVI0                       unassigned      YES unset  administratively down down
Virtual-Access1            unassigned      YES unset  up                    up  
Vlan1                      10.100.100.1    YES NVRAM  up                    up  
Wlan-GigabitEthernet0      unassigned      YES unset  up                    up  
wlan-ap0                   unassigned      YES NVRAM  up                    up  

Hi Jobin,

Okay, and how about show mac address-table (or the older show mac-address-table) command? Can you see any MAC addresses learned on the FastEthernet ports? In addition, after pinging 10.100.100.2 from the router, what does the show ip arp say about 10.100.100.2?

Finally, if you have physical access to the device, if you connected another device to a free FastEthernet port and assigned it some unused IP in 10.100.100.0/29, would that device be able to ping things?

Best regards,
Peter

I especially like the suggestions to check the arp table and the mac address table. These will show whether there is communication with the device. If these tables have no entry for the device then we should be looking for layer 1 or layer 2 problems. If there are entries in these tables then we should be looking for layer 3 or higher problems.

HTH

Rick

These are certain outputs I received. I had my laptop on Fa3; the UTM devices are in High Availability, connected to Fa0 and Fa1.

show mac-address-table
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0021.9bdc.8731          Dynamic       1     FastEthernet3
0090.fb48.74b8          Dynamic       1     FastEthernet1
00e0.2011.08fd          Dynamic       1     FastEthernet0
6c41.6a5a.a3f0          Self          1     Vlan1
6c41.6a5a.a3fe          Dynamic       1     Wlan-GigabitEthernet0

sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.100.100.1            -   6c41.6a5a.a3f0  ARPA   Vlan1
Internet  10.100.100.2            0   00e0.2011.08fd  ARPA   Vlan1
Internet  10.100.100.4            0   0021.9bdc.8731  ARPA   Vlan1

console> ping 10.100.100.1
PING 10.100.100.1 (10.100.100.1): 56 data bytes
64 bytes from 10.100.100.1: seq=0 ttl=255 time=0.810 ms
64 bytes from 10.100.100.1: seq=1 ttl=255 time=1.038 ms
64 bytes from 10.100.100.1: seq=2 ttl=255 time=0.796 ms
64 bytes from 10.100.100.1: seq=3 ttl=255 time=0.893 ms
64 bytes from 10.100.100.1: seq=4 ttl=255 time=1.062 ms
64 bytes from 10.100.100.1: seq=5 ttl=255 time=0.816 ms
64 bytes from 10.100.100.1: seq=6 ttl=255 time=0.771 ms

I am getting a ping from the UTM now, but the router does not ping any device.

ping 10.100.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ping 10.100.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

I did change the access-list 

ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 10.100.100.0 0.0.0.7
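The post above swaps the extended NAT ACL 110 (`permit ip 10.100.100.0 0.0.0.7 any`) for the standard ACL 1 (`permit 10.100.100.0 0.0.0.7`). The following is an added example, not code from the thread or from Cisco, that implements IOS wildcard-mask matching in Python and checks that both ACL forms select exactly the same source hosts for translation. The destination address `198.51.100.10` is a constructed placeholder (TEST-NET-2); the ACL contents are the two forms quoted in the thread.

```python
import ipaddress


def _i(ip):
    """IPv4 dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so only the 0 bits of the wildcard are compared against the base."""
    care = ~_i(wildcard) & 0xFFFFFFFF
    return (_i(addr) & care) == (_i(base) & care)


# The two NAT ACL variants from the thread. In an extended ACL, "any" is
# shorthand for the pair 0.0.0.0 255.255.255.255 (all bits are don't-care).
ANY = ("0.0.0.0", "255.255.255.255")
ACL_110 = [("permit", ("10.100.100.0", "0.0.0.7"), ANY)]   # extended: source and destination
ACL_1 = [("permit", ("10.100.100.0", "0.0.0.7"))]          # standard: source only


def standard_acl_permits(acl, src):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, (base, wc) in acl:
        if wildcard_match(src, base, wc):
            return action == "permit"
    return False


def extended_acl_permits(acl, src, dst):
    """Same first-match rule, but both source and destination must match."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def translated_hosts(network, dst):
    """Return (standard, extended): the addresses in `network` that each ACL
    would hand to NAT for packets toward `dst`. Equal lists mean the ACL
    swap changed nothing about which inside hosts get translated."""
    hosts = [str(h) for h in ipaddress.IPv4Network(network)]
    std = sorted((h for h in hosts if standard_acl_permits(ACL_1, h)), key=_i)
    ext = sorted((h for h in hosts if extended_acl_permits(ACL_110, h, dst)), key=_i)
    return std, ext


if __name__ == "__main__":
    # Scan a slightly larger block than the /29 so the boundary at .7/.8 is visible.
    std, ext = translated_hosts("10.100.100.0/28", "198.51.100.10")
    print("standard ACL 1 matches :", std)
    print("extended ACL 110 matches:", ext)
    print("identical selection      :", std == ext)
```

Both lists contain 10.100.100.0 through 10.100.100.7 and nothing beyond, so the two ACLs are equivalent for NAT. Independently of that, `ip nat inside source` only translates packets leaving through the `ip nat outside` interface; a ping sourced by the router on Vlan1 toward another Vlan1 host is never offered to NAT, so neither ACL can influence it.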

Hi Jobin,

Okay, let's see - I've got a series of comments and questions so I'll just post them all here without any particular order. Please be so kind to answer or comment each one of them.

  1. What exactly does the 'UTM' acronym stand for?
  2. What do you mean by saying that the UTM devices are connected for high availability to Fa0 and Fa1? What kind of high availability is that? Does it require some specific configuration on the side of the router? This may be important.
  3. Notice that the MAC address table is being populated and the ARP table shows entries that are very fresh - their age is "0 minutes", meaning less than 60 seconds. That proves that the ARP works just fine and so the basic Layer2 connectivity to the devices is working.
  4. The fact that the router is unable to ping the UTM devices does not necessarily indicate that there is a problem in communication but rather that the devices are not willing to respond to ping requests. Many devices, especially security devices, behave in the same way, and it is kind of expected, even though unsettling at first.
  5. The fact that you were not able to ping your laptop (it was the 10.100.100.4, right?) is because all recent Windows versions (assuming you're running Windows) block incoming pings unless the network is configured as a home network or a trusted workplace network. You'd need to disable your Windows firewall temporarily to be absolutely certain that it's not causing troubles. Can you try it and do the ping again?
  6. So far, we have focused on the inability to ping the UTM devices from the router. However, I suppose that the UTM devices, or the networks behind them, want to communicate with internet. Is this communication successful, i.e., can the UTMs or networks behind them (if there are any) access internet successfully? If yes then there is nothing wrong with your config at all.
  7. Replacing the extended ACL with a standard ACL did not, in my opinion, have any impact - but it did not hurt, either.

Looking forward to hearing from you.

Best regards,
Peter
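
Rick's earlier rule (no ARP or MAC entry: look at layers 1 and 2; entries present but no reply: look at layer 3 and above) and Peter's points 3 and 4 above describe a decision procedure. The following is an added example, not code from the thread, that parses the `show mac-address-table`, `show ip arp` and IOS `ping` outputs quoted in this thread and applies that rule automatically. The sample text is copied from the posted outputs; the function and variable names are the example's own.

```python
import re

# Outputs quoted from the thread: the poster's MAC table, ARP table and one
# of the failed router-originated pings.
MAC_TABLE = """\
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0021.9bdc.8731          Dynamic       1     FastEthernet3
0090.fb48.74b8          Dynamic       1     FastEthernet1
00e0.2011.08fd          Dynamic       1     FastEthernet0
6c41.6a5a.a3f0          Self          1     Vlan1
6c41.6a5a.a3fe          Dynamic       1     Wlan-GigabitEthernet0
"""

ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.100.100.1            -   6c41.6a5a.a3f0  ARPA   Vlan1
Internet  10.100.100.2            0   00e0.2011.08fd  ARPA   Vlan1
Internet  10.100.100.4            0   0021.9bdc.8731  ARPA   Vlan1
"""

PING_10_2 = """\
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
MAC_RE = re.compile(rf"^({MAC})\s+(\w+)\s+(\d+)\s+(\S+)$", re.I)
ARP_RE = re.compile(rf"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(-|\d+)\s+({MAC})\s+\w+\s+(\S+)$", re.I)
PING_RE = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")


def parse_mac_table(text):
    """Return {mac: (type, vlan, port)} from 'show mac-address-table'."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line.strip())
        if m:
            mac, kind, vlan, port = m.groups()
            table[mac.lower()] = (kind, int(vlan), port)
    return table


def parse_arp_table(text):
    """Return {ip: (age_min or None for the router's own entry, mac, interface)}."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            ip, age, mac, iface = m.groups()
            table[ip] = (None if age == "-" else int(age), mac.lower(), iface)
    return table


def parse_ios_ping(text):
    """Return (replies, sent) from the 'Success rate' line of an IOS ping."""
    m = PING_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def diagnose(ip, arp, mac_table, replies, sent):
    """Apply the thread's rule and return (verdict, detail)."""
    entry = arp.get(ip)
    if entry is None:
        return ("L1/L2", f"no ARP entry for {ip}: check cabling, port status and VLAN membership")
    age, hw, iface = entry
    learned = mac_table.get(hw)
    if learned is None:
        return ("L2", f"{ip} resolved to {hw} on {iface}, but that MAC is not in the forwarding table")
    port = learned[2]
    if sent and replies == sent:
        return ("OK", f"{ip} ({hw}) answers on {port}")
    return ("L3+", f"{ip} ({hw}) learned on {port}, ARP age {age} min, yet {replies}/{sent} echoes answered: "
                   "look at the host's firewall or ICMP policy, not the wire")


if __name__ == "__main__":
    arp, mac = parse_arp_table(ARP_TABLE), parse_mac_table(MAC_TABLE)
    print(diagnose("10.100.100.2", arp, mac, *parse_ios_ping(PING_10_2)))
    print(diagnose("10.100.100.5", arp, mac, 0, 5))
```

For 10.100.100.2 the verdict is `L3+`: the ARP entry is fresh and its MAC was learned on FastEthernet0, so the lack of echo replies is a host decision rather than a path problem, which is exactly what the two replies above conclude. An address with no ARP entry at all comes back as `L1/L2`.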

I agree with Peter that the outputs are encouraging. They show that layers 1 and 2 are working just fine. The router knows the MAC addresses and the ARP relationship of the UTM device. So we need to be looking at upper layers of the protocol stack for explanation of this issue.

You showed attempts to ping from the router to 10.100.100.4 which failed. And I believe that there is merit in Peter's explanation for this. What I would like to know is whether 10.100.100.4 can ping the router address?

I also wonder if some communication from your laptop other than ping to the UTM might be successful. Would the UTM respond to an attempt to connect using HTTP or HTTPS or SSH?

HTH

Rick

As of now HTTP and HTTPS all work fine from the laptop and the UTM. The curious thing is that I can't ping from the router to the device.

1. UTM (Unified Threat Management) - A firewall. We are using a device called Cyberoam.

2. There are 2 UTMs of the same spec, connected to each other by a crossover cable. Once a device fails, the other becomes Master or Primary. Both are connected to the similar ports on each UTM. A Cisco 887-K9 on ver 15.0 running another DSL communicates fine. This is a Cisco C887VA-W-E-K9 running ver 15.2.

6. Yes, the devices can access Internet.

7. I don't know about this, because before that I had no ping at all. Now there is a one-way ping.

If HTTP and/or HTTPS are working with the UTM device then I believe that things are working and there is not any real problem. Knowing that this is a firewall device makes me comfortable that the issue with ping is a security setting or policy on the firewall. Firewalls are well known for being very restrictive about the kind of traffic to which they will respond.

HTH

Rick