08-17-2017 01:05 AM - edited 03-08-2019 11:46 AM
See attached for a diagram of the layout of the network. My problem is I require remote access to all of the equipment, which I have managed to achieve apart from the L2-SW1 device. Below is what I have found out from troubleshooting:
The gateways of both L2 switches are the same.
You can ping the firewall, L3 and L2-SW2 from L2-SW1.
You can ping the L2-SW1 from the L3 switches.
You can't ping the L2-SW1 from the firewall.
The config on both L2 switches is the same apart from the below, which is in the config for the switch I can't connect to via its public IP address:
Extended IP access list 122
    10 permit ip 192.168.122.0 0.0.0.255 any
class-map match-all class122
 match access-group 122
!
!
policy-map RATE-LIMIT
 class class122
  police 20000000 800000 exceed-action drop
I have an access rule to allow my public IP address to connect, and I can connect to the other L2 switch and the L3 switch via SSH and ping both public addresses, just not this last one.
Labels: Other Switching
Accepted Solutions
08-17-2017 09:29 AM
lol.. that's strange. I just tested in a lab and it worked with all addresses.
Can you do a traceroute to the firewall address 192.168.10.1 from the switch, sourced from 1.1.50.1?
traceroute (hit Enter) and then just fill in the blanks.
08-17-2017 01:55 AM
Hi
Are you able to ping between L2 switches?
>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<
08-17-2017 01:58 AM
Yes, I can ping between the 2 L2 switches and telnet to one another. As mentioned, from the L2-SW1 I can ping/telnet the L2-SW2/L3-SW/FW, and from the L3 switch I can ping everything. From the FW I can ping everything apart from the L2-SW1.
08-17-2017 02:56 AM
That's kind of odd that you can ping from A to B, but not vice versa. I would suggest creating an access list with the firewall interface pointing towards the L2-SW1 as the source and the IP address of L2-SW1 as the destination, and then debugging it on L2-SW1. This will tell you if the ICMP packet makes it to the switch and then what the switch is doing with it.
Below configuration is for L2-SW1:
! numbered extended ACL; the "log" keyword makes matching packets show up in the debug output
access-list 101 permit ip host "firewall address" host "L2-SW1" log
access-list 101 permit ip host "L2-SW1" host "firewall address" log
! only packets matching ACL 101 are debugged, so the output stays small
debug ip packet 101
08-17-2017 03:03 AM
This is what I got from the logs:
Aug 17 10:01:00.705: IP: s=192.168.10.1 (Vlan50), d=1.1.50.1, len 100, rcvd 1
Aug 17 10:01:02.710: IP: s=192.168.10.1 (Vlan50), d=1.1.50.1, len 100, input feature, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALS
08-17-2017 04:21 AM
We can see in the logs that ICMP packets are reaching the switch, but there is nothing in the logs that shows the switch replying back to the firewall.
Did you add this ACL:
access-list 101 permit ip host "L2-SW1" host "firewall address" log
08-17-2017 04:25 AM
These are the logs for L2-SW1 - FW:
Aug 17 11:23:57.300: IP: s=1.1.50.1 (local), d=192.168.10.1, len 100, local feature, RCLI(7), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Aug 17 11:23:57.300: IP: s=1.1.50.1 (local), d=192.168.10.1, len 100, local feature, Local Clustering(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Aug 17 11:23:57.300: IP: tableid=0, s=1.1.50.1 (local), d=192.168.10.1 (Vlan105), routed via RIB
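The reasoning in the two captures above (a request is seen arriving, but no reply is seen leaving) can be automated. The following is an added example, not code from the thread: it parses "debug ip packet" lines of the format shown, counts received, locally generated and routed packets per source/destination pair, and reports pairs that reached the switch but got no reverse-direction packet. The sample lines are constructed in the same format, using the thread's addresses.

```python
import re
from collections import defaultdict

# Address fields of an IOS "debug ip packet" line, e.g.
#   IP: s=192.168.10.1 (Vlan50), d=1.1.50.1, len 100, rcvd 1
PKT_RE = re.compile(r"s=(?P<src>[\d.]+) \((?P<sif>[^)]+)\), d=(?P<dst>[\d.]+)")

def parse_line(line):
    """Return (src, dst, event) or None. event: 'rcvd' = arrived on an interface,
    'local' = generated by the switch itself, 'sent' = forwarded by the RIB."""
    m = PKT_RE.search(line)
    if not m:
        return None
    if "routed via" in line:
        event = "sent"
    elif m.group("sif") == "local":
        event = "local"
    else:
        event = "rcvd"
    return m.group("src"), m.group("dst"), event

def flows(lines):
    """Count events per (src, dst) pair across a debug capture."""
    table = defaultdict(lambda: {"rcvd": 0, "local": 0, "sent": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            src, dst, event = parsed
            table[(src, dst)][event] += 1
    return dict(table)

def unanswered(lines):
    """(src, dst) pairs that reached the switch with no reverse-direction packet
    leaving it: exactly the gap seen in the thread's first capture."""
    table = flows(lines)
    hits = []
    for (src, dst), c in table.items():
        back = table.get((dst, src), {"local": 0, "sent": 0})
        if c["rcvd"] and not (back["local"] or back["sent"]):
            hits.append((src, dst))
    return hits

# Constructed sample in the thread's format: the firewall's echo request to
# 1.1.50.1 is received but never answered, while the one to 192.168.105.1 is.
SAMPLE = """\
Aug 17 10:01:00.705: IP: s=192.168.10.1 (Vlan50), d=1.1.50.1, len 100, rcvd 1
Aug 17 10:01:02.710: IP: s=192.168.10.1 (Vlan105), d=192.168.105.1, len 100, rcvd 1
Aug 17 10:01:02.711: IP: s=192.168.105.1 (local), d=192.168.10.1, len 100, local feature, RCLI(7), rtype 0
Aug 17 10:01:02.711: IP: tableid=0, s=192.168.105.1 (local), d=192.168.10.1 (Vlan105), routed via RIB
""".splitlines()
```

Run `unanswered(SAMPLE)` to get the list of pairs that were received and never answered; feed it the real debug output (one line per element) to check a capture of your own.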
08-17-2017 04:40 AM
Please try pinging from sw 1:
ping 192.168.10.1 source 1.1.50.1
08-17-2017 04:45 AM
That was unsuccessful with 'U'.
08-17-2017 04:48 AM
However, if I do from sw 2
ping 192.168.10.1 source 1.1.50.2
it works.
08-17-2017 04:59 AM
In your original post you mentioned that you are able to ping the firewall from sw1, but not vice versa. That means when you are pinging from sw1 without specifying the source address, it's sourcing from some other address on sw1.
On the ASA, can you run this command:
icmp permit host 1.1.50.1 inside (change inside to nameif tied with 192.168.10.1)
08-17-2017 05:09 AM
I have just tried to ping the FW using every source address on sw1 and found the one that works, which is VLAN 105 - 192.168.105.1.
08-17-2017 05:40 AM
Does that resolve the issue for you? Or do you need to ping it from 1.1.50.1? If that's the case, then you will either need to allow it through an ACL on the firewall or use the solution that I suggested in my previous post.
08-17-2017 06:29 AM
Well, my original issue was that I couldn't get a NAT mapping to work so that I can access the L2-SW1 remotely. I tried icmp permit host 1.1.50.1 inside (change inside to nameif tied with 192.168.10.1) and I couldn't ping the firewall from L2-SW1.
08-17-2017 08:55 AM
You mentioned you added the command below and you still weren't able to ping:
icmp permit host 1.1.50.1 inside
After adding this on the firewall ping from the switch like this:
ping 192.168.10.1 source 1.1.50.1
