Problems with Routing and a 3560 Switch configured as a router

allenferdinand
Level 1

I have a Cisco 3560 switch set up as my edge router.  It is working as my external demarc switch and edge router.  It is sitting between the ISP's switch and my ASA firewall.  It's a very basic configuration with port 1 set up with a fixed IP and switchport turned off which is connected to the ISP switch.  VLAN2 is configured with an IP address and 3 ports, two of which go to different firewalls.

I found that I cannot ping a specific address from the inside interface (VLAN2), but I can from the outside interface Gig0/1.  I have a few deny commands in an access list, but they don't apply to the network I'm trying to access, and I haven't had any other inaccessible networks otherwise.

Here's my config minus passwords and full IP ranges.  There are two ranges, one with xxx and one with xx.  The xxx is set as secondary, but is the one we really use.

Current configuration : 4808 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname my-rtr-ext
!
boot-start-marker
boot-end-marker
!
enable secret 5
!

!
!
no aaa new-model
system mtu routing 1500
ip routing
!        
!
!
!
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
enrollment selfsigned
serial-number
revocation-check none
rsakeypair HTTPS_SS_CERT_KEYPAIR
!
!
crypto pki certificate chain HTTPS_SS_CERT_KEYPAIR
certificate self-signed 01
 
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
!
interface GigabitEthernet0/1
no switchport
ip address 12.xxx.xx.94 255.255.255.252
speed 100
duplex full
!
interface GigabitEthernet0/2
switchport access vlan 2
!
interface GigabitEthernet0/3
switchport access vlan 2
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet0/4
switchport access vlan 2
switchport mode access
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 12.xxx.xxx.1 255.255.255.0 secondary
ip address 12.xx.xx.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 12.xxx.xx.93
!
ip http server
ip http secure-server
!
ip access-list standard snmp-access
permit 12.xxx.xxx.9 log
!        
ip access-list extended inet-inbound
deny   ip 12.xx.xx.0 0.0.0.255 any log
deny   ip 192.168.0.0 0.0.255.255 any log
deny   ip 172.16.0.0 0.15.255.255 any log
deny   ip any host 12.xxx.xxx.0 log
deny   ip any host 12.xxx.xxx.255 log
deny   ip any host 12.xx.xx.0 log
deny   ip any host 12.xx.xx.255 log
permit icmp any any echo-reply log
permit icmp any host 12.xx.xx.10
permit icmp any host 12.xxx.xxx.1
permit icmp any host 12.xx.xx.1
deny   icmp any any log
permit ip any 12.xxx.xxx.0 0.0.0.255
permit ip any 12.xx.xx.0 0.0.0.255
deny   ip 12.xxx.xxx.0 0.0.0.255 any log
deny   ip 10.0.0.0 0.255.255.255 any log
ip access-list extended site-inbound
permit ip 12.xx.xx.0 0.0.0.255 any
permit ip 12.xx.xx.0 0.0.0.255 any
deny   ip any any log
!
ip sla enable reaction-alerts
no cdp advertise-v2
!
!
!
line con 0
login local
line vty 0 4
password 7 xxx
no login
line vty 5 15
password 7 xxx
no login
!
end

4 Replies

Richard Burts
Hall of Fame

Allen

You have hidden so much of the detail that it is difficult to figure out what is going on in your question. The IP address that you give for int Gig0/1 ip address 12.xxx.xx.94 255.255.255.252 would appear to overlap with the address of VLAN 2 ip address 12.xxx.xxx.1 255.255.255.0 secondary. I doubt that it really overlaps but you give us no way to be sure.

Also you show several access lists configured but do not show us that any of the access lists are applied to anything. An access list that is not applied does not affect any behavior. So I am very uncertain whether the access list is really doing something that you have hidden or whether it is doing nothing at all.

You tell us that you can ping a specific address from the outside interface but not from the inside interface. But you give us no clue about the address involved so we have no way to determine what might be involved.

If you give us better information to work with we might be able to give you better suggestions about the problem. As it is I have no helpful suggestions to make.

HTH

Rick

I inherited this and some other problems that need fixing.  This thing is open to telnet and not locked down very well.  I noticed that the ACLs aren't applied to any interface and will fix that issue tomorrow as well as adding exclusions on the firewall.

The primary and secondary are 12.107.xxx.xxx and 12.41.xxx.xxx.  The Gig0/1 interface is 12.248.xx.xx.  I'm trying to get to 12.139.66.22.

Nothing overlaps and the only things left out now are password related.  This is such a simple config that I'm obviously missing something.

Sitting on the router, I start a ping to the 12.139 address with the source being the inside interface and I get no return, but if I use the outside interface as the source it works.  Even adding a static route doesn't help.  I haven't done routers in a couple of years, and this is my first time that I've used a switch instead of a router.

thanks for the help.

Allen
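The two fixes Allen says he will make, attaching the ACLs the running config defines but never applies and closing the no-login telnet VTYs, as an added example written for this page (it is not part of the thread and not Allen's or Rick's configuration). The interface-to-ACL mapping is an assumption drawn from the ACL names and contents: inet-inbound's first entries deny the site's own /24s as sources, which only makes sense inbound on the ISP-facing Gig0/1, and site-inbound reads as the Vlan2 inbound filter. The username, domain name and management host are placeholders; the management host reuses the address already permitted in the posted snmp-access list. Sequence-numbered edits to a named ACL are assumed to be supported on this 12.2 image; if not, rebuild the list in order.

```ios
! Added example, not from the thread. Verify the ACLs are unattached, fix
! their order, attach them, and replace the open telnet VTYs with SSH.
! Assumptions: inet-inbound goes inbound on ISP-facing Gig0/1, site-inbound
! inbound on Vlan2; netadmin, example.net and 12.xxx.xxx.9 are placeholders.
!
my-rtr-ext# show ip interface GigabitEthernet0/1 | include access list
!   "Inbound  access list is not set"  <- the list exists but does nothing
my-rtr-ext# show ip access-lists inet-inbound
!   no "(N matches)" counters on any entry, for the same reason
!
my-rtr-ext# configure terminal
! As posted, "permit ip any 12.xxx.xxx.0 0.0.0.255" matches before
! "deny ip 12.xxx.xxx.0 0.0.0.255 any" and "deny ip 10.0.0.0 0.255.255.255 any",
! so packets spoofed from those sources to the inside /24s are permitted.
! Re-insert the two denies ahead of the default 10,20,... sequence numbers.
ip access-list extended inet-inbound
 no deny ip 12.xxx.xxx.0 0.0.0.255 any log
 no deny ip 10.0.0.0 0.255.255.255 any log
 1 deny ip 12.xxx.xxx.0 0.0.0.255 any log
 2 deny ip 10.0.0.0 0.255.255.255 any log
 exit
!
! Attach. Never put inet-inbound on Vlan2: its entry
! "deny ip 12.xx.xx.0 0.0.0.255 any" would drop every inside packet.
! Before attaching site-inbound, confirm it permits BOTH inside /24s; after
! redaction its two permit lines read identically on the page.
interface GigabitEthernet0/1
 ip access-group inet-inbound in
 exit
interface Vlan2
 ip access-group site-inbound in
 exit
!
! Management plane. The image already runs PKI (the HTTPS trustpoint), so
! SSH is available. Type-7 passwords with "no login" become SSH, local
! accounts and a source filter.
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
username netadmin privilege 15 secret <strong-password>
ip access-list standard mgmt-access
 permit 12.xxx.xxx.9
 deny   any log
 exit
line vty 0 15
 no password
 login local
 transport input ssh
 access-class mgmt-access in
 exec-timeout 10 0
 exit
! Plain HTTP is also listening; keep only the HTTPS server.
no ip http server
end
my-rtr-ext# write memory
```

Attach inet-inbound during a maintenance window with console access: the broad "permit ip any <inside /24>" entries mean the list still relies on the ASA for anything beyond anti-spoofing and ICMP control, so expect no change for normal traffic, but a mistake in direction or interface isolates the site.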

Allen

This additional information is helpful. Based on this I believe that the switch believes that it has 2 subnets connected inside 12.107 and 12.41. If you attempt to access destination address 12.139.66.22 then the switch will use its default route and send the traffic to the ISP next hop address 12.248.x.93.

If you start a ping to that destination and the source is the outside interface you get a response - which verifies that the ISP has routing to the outside subnet. If you start a ping to that destination and the source is one of the inside addresses then you get no response. This suggests that the ISP does not route these subnets with your switch address as the next hop. This might be a question to ask the ISP.

HTH

Rick
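The test Rick describes, as an added example typed at the switch CLI (not part of the original replies). It separates "the switch forwards the packet" from "the ISP returns it" by sourcing the same ping from each local address. The addresses follow the thread's partly redacted ones; 12.41.x.1 and 12.107.x.1 stand for the VLAN 2 primary and secondary addresses and 12.248.x.93 for the ISP next hop, and 8.8.8.8 is used only as a known-reachable control destination (Allen says Google works).

```ios
! Added example, not from the thread. Placeholders: 12.41.x.1 / 12.107.x.1
! are the Vlan2 primary/secondary addresses, 12.248.x.93 the ISP next hop.
!
! 1. Where does the switch send 12.139.66.22? Only the default route fits,
!    so the forwarding lookup should resolve to 12.248.x.93 via Gig0/1.
my-rtr-ext# show ip cef 12.139.66.22
my-rtr-ext# show ip route static
!    S*   0.0.0.0/0 [1/0] via 12.248.x.93
!
! 2. Outside-sourced: replies prove the path out and the return path
!    to the /30 link address.
my-rtr-ext# ping 12.139.66.22 source GigabitEthernet0/1
!
! 3. Inside-sourced, once per inside prefix. The request leaves the same
!    way as in step 2; only the return path differs. Failure here with
!    step 2 working points at the ISP's route for the /24, not this switch.
my-rtr-ext# ping 12.139.66.22 source 12.107.x.1
my-rtr-ext# ping 12.139.66.22 source 12.41.x.1
!
! 4. Control: the same inside-sourced ping to a destination that works.
!    Success here rules out a missing return route for the whole /24 and
!    narrows the problem to the path between the ISP and the 12.139 prefix.
my-rtr-ext# ping 8.8.8.8 source 12.107.x.1
!
! 5. Path comparison from both sources; the hop where the inside-sourced
!    trace stops answering is what to hand the ISP.
my-rtr-ext# traceroute 12.139.66.22 source GigabitEthernet0/1
my-rtr-ext# traceroute 12.139.66.22 source 12.107.x.1
```

A static route on this switch cannot repair a missing return route, which is why adding one changed nothing; every outbound packet already leaves via the default route. Run steps 3 and 4 from the primary address as well as the secondary before contacting the ISP, so the ticket states exactly which prefixes fail.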

Rick, thanks for your time and patience. 

It has 12.41.xxx.1/24 as the primary address and 12.107.xxx.1 as the secondary address on VLAN2.  I've done all the testing from 12.107.xxx.1 and hadn't tried 12.41.  It seems to work for everything but the address that I'm trying to get to.  Google?  No problem.  Same with everything else.  I'll try ping from the primary IP tomorrow and if that doesn't work, I'll start bugging AT&T.

thanks again

Allen
