Solved: the reply is U - Page 2

craig.huggins · ‎08-17-2017

See attached for a diagram of the layout of the network. My problem is i require remote access to all of the equipment which i have managed to achieve apart from the L2-SW1 device. Below is what i have found out from troubleshooting;

The gateways of both L2 switches is the same

You can ping the firewall, L3 and L2-SW2 from L2-SW1

You can ping the L2-SW1 from the L3 switches

You can’t ping the L2-SW1 from the firewall;

The config on both L2 switches is the same apart from the below which is in the config for the switch i cant connect to via its public ip address;

'Extended IP access list 122 10 permit ip 192.168.122.0 0.0.0.255 any'

'class-map match-all class122 match access-group 122 ! ! policy-map RATE-LIMIT class class122 police 20000000 800000 exceed-action drop'

I have an access rule to allow my public ip address to connect and i can connect to the other L2 switch and the L3 switch via SSH and ping both public address, just not this last one.

craig.huggins · ‎08-17-2017

the reply is U

cofee · ‎08-17-2017

lol.. that's strange. I just tested in a lab and it worked with all addresses.

Can you do a traceroute to the firewall address 192.168.10.1 from switch and source from 1.1.50.1?

traceroute (hit enter) and then just fill in the blanks

craig.huggins · ‎08-22-2017

Thanks for all of your help @cofee Turns out i could ping the L2-SW1 from ther firewall with one of the vlan subnets which was strangly the first hop from a traceroute from the switch to the firewall.

cofee · ‎08-22-2017

Happy to assist. I am glad that you figured it out.

craig.huggins · ‎08-17-2017

the strange thing is L2-SW2 can get to 192.168.10.1 via any of its interfaces, so why cant L2-SW1

cofee · ‎08-17-2017

Is there any access that might be blocking 1.1.50.1 to ping fw address?

Please run packet tracer on the firewall to check if 1.1.50.1 is allowed to ping fw and share the output:

packet-tracer input inside icmp 1.1.50.1 8 0 192.168.10.1

craig.huggins · ‎08-17-2017

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.1 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 43890858, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

craig.huggins · ‎08-17-2017

this is the other way around;

Moorgath-FW01# packet-tracer input inside icmp 192.168.10.1 8 0 1.1.50.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.1.50.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

cofee · ‎08-17-2017

That's correct. I thought switch was behind the inside interface. You will need to allow that allow through the firewall because it's being dropped.

craig.huggins · ‎08-17-2017

so need to allow ip 192.168.10.1 1.1.50.1 on outside interface

cofee · ‎08-17-2017

- Please provide nameif for interfaces that are attached to 192.168.10.0 and 1.1.50.0

- Does interface connected to 1.1.50.0 have lower security level than interface connected to 192.168.10.0?

craig.huggins · ‎08-17-2017

Ok so their is just one inside interface (inside) which is attached to 192.168.10.1. The 1.1.50.0 network is on the L2 switches and has an interface on the L3 switch. The security level for the inside interface is 100.

cofee · ‎08-17-2017

You are saying that both networks are behind inside interface?

Please run command below on the firewall and share the output;

sh route 1.1.50.0

craig.huggins · ‎08-17-2017

S 1.1.50.0 255.255.255.0 [1/0] via 192.168.10.3, inside

craig.huggins · ‎08-17-2017

192.168.10.3 is an interface on L3 switch and the DG of both L2 switches

cant ping L2 switch internally