02-16-2013 10:43 AM - edited 03-07-2019 11:44 AM
Greetings,
We have two Cisco 5505 firewalls connecting to two ISPs. The two internal LANs on the firewalls are 192.168.184.0/24 and 192.168.186.0/24. We also have a Cisco C3560x Layer 3 switch with VLAN interfaces .184.3 and .186.3. We have two D-Link DGS-3100 Layer 2 switches connecting our users to the Layer 3 switch. IP routing is enabled for inter-VLAN communication, and I can reach the switch interfaces and the firewall gateways from machines on both VLANs.
We have PBR enabled on the 3560, and only users on the .186 network can get to the internet. The switch is running the IP Services license and the SDM template is "desktop routing".
Here is the problem: users on the .184 network cannot access the internet, but we can ping the Layer 3 interface and the firewall gateway. Please help!!
Here is the switch configuration:
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xyz
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip routing
!
!
!
!
!
crypto pki trustpoint TP-self-signed-325924480
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-325924480
revocation-check none
rsakeypair TP-self-signed-325924480
!
!
license boot level ipservices
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet0/1
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/18
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/19
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/20
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/21
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/22
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/23
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
no ip address
!
interface Vlan184
description "184 Vlan"
ip address 192.168.184.3 255.255.255.0
!
interface Vlan186
description "186 Vlan"
ip address 192.168.186.3 255.255.255.0
!
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.184.1
ip route 0.0.0.0 0.0.0.0 192.168.186.1
!
access-list 160 permit ip 192.168.184.0 0.0.0.255 any
access-list 170 permit ip 192.168.186.0 0.0.0.255 any
!
route-map Tata permit 160
match ip address 160
set ip default next-hop 192.168.184.1
!
route-map Aircell permit 170
match ip address 170
set ip default next-hop 192.168.186.1
!
!
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end
02-19-2013 12:20 AM
Post your recent config with the access list that I told you about:
show running
02-19-2013 12:36 AM
!
boot-start-marker
boot-end-marker
!
!
enable password
!
no aaa new-model
system mtu routing 1500
ip routing
!
!
!
!
!
crypto pki trustpoint TP-self-signed-325924480
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-325924480
revocation-check none
rsakeypair TP-self-signed-325924480
!
!
crypto pki certificate chain TP-self-signed-325924480
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323539 32343438 30301E17 0D313130 33333030 31323932
345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3332 35393234
34383030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
D4C48D5E 2C3D980F DF4F3DB7 EB83CCC3 7A51121C 83822967 77D52E53 8F64EDF1
25FEB722 095A4A98 FC9C0692 0A98E98A 627E1289 8AC85AAC 9F107752 0F62755A
887ED39E 301532AD 49744F23 8219CDF1 1049A6DB D530C742 348417D7 319642C7
89D4BBAB CB1771DB FAAD371B 84D61E20 D0D9BAF8 9E03B37F 8F453ECF D5AAE34B
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014E8 A9D3F70D 73505887 E9E4FAC3 2B0E8126 5A1D3830 1D060355
1D0E0416 0414E8A9 D3F70D73 505887E9 E4FAC32B 0E81265A 1D38300D 06092A86
4886F70D 01010505 00038181 00B750DA 2026034E 6D9C8D84 A9ADB562 7F6BE8C2
A797AD04 7DA18B3F ECDCC82A D9AB48B3 15BDBFD9 884D5FDF 0099D987 0EF9C960
BF632509 B21B2D96 6D6A5673 2157C65F E430BEB8 9659CF19 AE6DD04E E63C833D
0338E381 B2A1EA6D 4E46E962 5B7A8549 13656597 F221BFA2 21939FB6 9B276FDE
9EE1CBCC 57E08DAC 70BB0AE8 8A
quit
license boot level ipservices
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet0/1
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/18
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/19
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/20
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/21
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/22
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/23
switchport access vlan 187
switchport mode access
!
interface GigabitEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
no ip address
!
interface Vlan184
ip address 192.168.184.3 255.255.255.0
no ip route-cache
ip policy route-map Tata
!
interface Vlan186
ip address 192.168.186.3 255.255.255.0
no ip route-cache
ip policy route-map Aircell
!
interface Vlan187
ip address 192.168.187.3 255.255.255.0
!
!
ip http server
ip http secure-server
!
!
access-list 190 deny ip 192.168.184.0 0.0.0.255 192.168.186.0 0.0.0.255
access-list 190 deny ip 192.168.184.0 0.0.0.255 host 192.168.184.3
access-list 190 permit ip 192.168.184.0 0.0.0.255 any
access-list 180 deny ip 192.168.186.0 0.0.0.255 192.168.184.0 0.0.0.255
access-list 180 deny ip 192.168.186.0 0.0.0.255 host 192.168.186.3
access-list 180 permit ip 192.168.186.0 0.0.0.255 any
!
route-map Tata permit 190
set ip next-hop 192.168.184.1
!
route-map Aircell permit 180
set ip next-hop 192.168.186.1
!
!
!
!
line con 0
line vty 0 4
password
login
line vty 5 15
login
!
end
02-19-2013 01:05 AM
Hi,
I never configured PBR on this platform.
Just guessing:
Why is there
interface Vlan184
no ip route-cache
configured?
I'd enable it and even try
ip route-cache policy
possibly?
It's also recommended:
"Do not enter an ACL with a deny ACE or an ACL that permits a packet destined for a local address."
See the documentation for details.
What does the show ip policy
command display on your switch?
HTH,
Milan
02-19-2013 01:05 AM
access-list 190 deny ip 192.168.184.0 0.0.0.255 192.168.186.0 0.0.0.255
access-list 190 deny ip 192.168.184.0 0.0.0.255 host 192.168.184.3
access-list 190 permit ip 192.168.184.0 0.0.0.255 any
access-list 180 deny ip 192.168.186.0 0.0.0.255 192.168.184.0 0.0.0.255
access-list 180 deny ip 192.168.186.0 0.0.0.255 host 192.168.186.3
access-list 180 permit ip 192.168.186.0 0.0.0.255 any
!
route-map Tata permit 190
match ip address 190
set ip next-hop 192.168.184.1
!
route-map Aircell permit 180
match ip address 180
set ip next-hop 192.168.186.1
02-19-2013 01:19 AM
You haven't called the access list in your route map.
Check with the above configuration.
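The two points raised above (Milan's note about deny ACEs and local addresses, and Jawad's fix of adding match ip address to each route-map clause) come down to how IOS evaluates a PBR route-map. The following Python model is an added example for this thread, not Cisco code and not the switch's actual forwarding logic: it parses the extended ACLs posted in the answer, applies general IOS PBR semantics (a clause with no match statement matches every packet; an ACL deny does not drop anything, it only skips that clause so the packet falls back to normal destination routing), and runs a few constructed flows from a VLAN 184 host through the route-map as posted in the second config and as corrected. The host addresses and the internet destination are constructed sample values; the model does not cover the 3560 hardware restrictions that the quoted recommendation refers to.

```python
"""Model of how an IOS PBR route-map picks a next hop (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# ACLs as posted in the accepted answer (copied here so the example runs offline).
ACL_LINES = """
access-list 190 deny ip 192.168.184.0 0.0.0.255 192.168.186.0 0.0.0.255
access-list 190 deny ip 192.168.184.0 0.0.0.255 host 192.168.184.3
access-list 190 permit ip 192.168.184.0 0.0.0.255 any
access-list 180 deny ip 192.168.186.0 0.0.0.255 192.168.184.0 0.0.0.255
access-list 180 deny ip 192.168.186.0 0.0.0.255 host 192.168.186.3
access-list 180 permit ip 192.168.186.0 0.0.0.255 any
""".strip().splitlines()


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class Clause:
    seq: int
    match_acl: Optional[str]       # None models a clause with no "match ip address" line
    next_hop: str


def _wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn 'addr wildcard' (IOS inverse mask) into a network object."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))))


def _addr_spec(tok: List[str]):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    return _wildcard_net(tok[0], tok[1]), tok[2:]


def parse_acls(lines: List[str]) -> Dict[str, List[Ace]]:
    """Parse numbered extended 'access-list N {permit|deny} ip SRC DST' lines."""
    acls: Dict[str, List[Ace]] = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, rest = _addr_spec(tok[4:])
        dst, _ = _addr_spec(rest)
        acls.setdefault(tok[1], []).append(Ace(tok[2], src, dst))
    return acls


def acl_lookup(aces: List[Ace], src, dst) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"


def policy_route(route_map: List[Clause], acls, src: str, dst: str) -> str:
    """Next hop chosen by PBR, or 'routing-table' when no clause matches.

    A clause without a match statement matches every packet. An ACL deny does
    not drop the packet; it only means this clause is skipped, so the packet
    is forwarded by normal destination-based routing instead.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for clause in route_map:
        if clause.match_acl is None or acl_lookup(acls[clause.match_acl], s, d) == "permit":
            return clause.next_hop
    return "routing-table"


ACLS = parse_acls(ACL_LINES)
# Route-map as posted in the second config: a "set" with no "match" line.
TATA_BROKEN = [Clause(190, None, "192.168.184.1")]
# Route-map as corrected in the answer: "match ip address 190" added.
TATA_FIXED = [Clause(190, "190", "192.168.184.1")]

# Constructed sample flows from a host on VLAN 184.
FLOWS = [
    ("192.168.184.10", "8.8.8.8"),          # internet-bound
    ("192.168.184.10", "192.168.186.20"),   # inter-VLAN
    ("192.168.184.10", "192.168.184.3"),    # the Vlan184 SVI itself
]


def compare(route_maps: Dict[str, List[Clause]], flows=FLOWS):
    """Map each flow to the next hop every route-map would choose for it."""
    return {f: {name: policy_route(rm, ACLS, *f) for name, rm in route_maps.items()}
            for f in flows}


if __name__ == "__main__":
    for flow, result in compare({"broken": TATA_BROKEN, "fixed": TATA_FIXED}).items():
        print(f"{flow[0]} -> {flow[1]}: {result}")
```

With the clause as originally posted, every packet entering Vlan184, including inter-VLAN traffic and packets addressed to the SVI, is handed to 192.168.184.1; with the match statement in place the deny ACEs exclude those flows from policy routing and only internet-bound traffic is steered to the Tata firewall.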
02-20-2013 12:30 AM
Mr.Jawad, that was amazing. We have it working now. Thanks again.