Hmmm.  Would that stop me from being able to ping?

Regenerating ssh keys did not work.  

If I am understanding correctly the issue is that you do have access from a device that is in the same subnet as the internal switch but do not have access from other subnets. That suggests an issue with default gateway on the internal switch. Depending on whether ip routing is enabled or not it could be ip default-gateway or it could be a default route. It is tempting to say show us the switch config, but perhaps the next step should be to post the output of show ip route, and perhaps of show ip protocol from the internal switch.

What's crazy is that if i plug the old switch back, i can access it with no issues.  Same config, nothing changes on the internal.  (one note, I obviously need to clear the arp).  

Default-gateway is the FW in the DMZ.  The routed port has an IP on the internal vlan.

Hello

so you have ip routing disabled on the switch correct?

Also you state you have a routed port - Is that on the switch?- If so what’s the reason as the switch is basically a host switch if an SVI is applied then all its interfaces would be assigned to the same SVI of the fw subnet

Can you post the config of the new switch?

Hello @MarioMescino99182 ,

>> Default-gateway is the FW in the DMZ. The routed port has an IP on the internal vlan.

Having a routed port would mean to be able to do routing so your switch should have :

a)   ip routing

b)   ip route 0.0.0.0.0 0.0.0.0 <DMZ-FW-IPaddress>

c)  a routed port in an internal VLAN / IP subnet

At this point communications from hosts in the internal VLAN/IP subnet and the switch will not go via the FW and they work.

Then you say that with the old switch you could reach the internal IP address from devices in different internal subnets like the solarwinds server.

In order to have this working you would need in addition to points a) - c) listed above an additional command on the switch:

d)  ip route 10.100.0.0 255.255.0.0    <Def-GW-Internal-VLAN>

here 10.100/16 represents all the internal IP subnets

otherwise how could the return path to the internal IP address be successful ?

The switch would answer back via the <FW DMZ address> being the only way to reach not directly attached subnets.

The only difference between new and old switch are the MAC addresses used. These should not be a problem if the ARP tables are cleared as you have noted.

However, the FW should be configured to :

1) accept on DMZ interface a packet sourced from an internal VLAN (the routed port)  with a destination that is another internal IP address belonging to a different  internal IP subnet.

From a security point of view the DMZ switch should not have an internal IP address and you should enable internal management systems to reach it via the FW on the DMZ address.

However, if you want to have an internal leg on the DMZ switch you would need condiitons a)  to d) as described above.

Hope to help

Giuseppe

We have had a number of suggestions. What we need at this point is clarification from the original poster about what the switch is doing, please post the current running config.

Hello

So can you confirm you have ip routing disabled on the switch- The reason being even if you have specified a default- gateway and ip routing is still enabled then the switch won’t use the gateway so if you want to use a default-gateway then disable ip routing or give the switch a default route.