10-22-2017 02:52 PM - edited 03-08-2019 12:27 PM
Hi there,
Wondering if any of you folks can help me. I was recently working in the virtual space with Vyatta routers and wanted to move to a hardware solution using a 3550/3650 switch. I have an issue where I cannot connect to any of the networks set up on my switch. Pings to certain networks return:
From 192.168.101.254 icmp_seq=36 Packet filtered
From 192.168.101.254 icmp_seq=38 Packet filtered
From 192.168.101.254 icmp_seq=43 Packet filtered
From 192.168.101.254 icmp_seq=48 Packet filtered
From 192.168.101.254 icmp_seq=53 Packet filtered
Pings to the 20.20.20.x network return network unreachable and the same for the 30.30.30.x
I cannot access any of the services on 20.20.20.x or 30.30.30.x
Any help is appreciated
The following is my current config
hostname switch
!
!
ip subnet-zero
ip routing
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 switchport access vlan 101
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/2
 switchport access vlan 102
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/3
 switchport access vlan 103
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/4
 switchport access vlan 104
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/5
 switchport access vlan 105
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/6
 switchport access vlan 106
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/7
 switchport access vlan 107
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/8
 switchport access vlan 108
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/9
 switchport access vlan 109
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/10
 switchport access vlan 110
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/11
 switchport access vlan 111
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/12
 switchport access vlan 112
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/13
 switchport access vlan 113
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/14
 switchport access vlan 114
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/15
 switchport access vlan 115
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/16
 switchport access vlan 116
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/17
 switchport access vlan 117
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/18
 switchport access vlan 118
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/19
 no ip address
!
interface FastEthernet0/20
 no ip address
!
interface FastEthernet0/21
 switchport access vlan 200
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/22
 switchport access vlan 200
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/23
 switchport access vlan 200
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/24
 switchport access vlan 200
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/25
 no ip address
!
interface FastEthernet0/26
 no ip address
 exit
!
interface FastEthernet0/27
 switchport access vlan 300
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/28
 switchport access vlan 300
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/29
 switchport access vlan 300
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/30
 switchport access vlan 300
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/31
 no ip address
!
interface FastEthernet0/32
 no ip address
!
interface FastEthernet0/33
 switchport access vlan 400
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/34
 switchport access vlan 400
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/35
 switchport access vlan 400
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/36
 switchport access vlan 400
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/37
 no ip address
!
interface FastEthernet0/38
 no ip address
!
interface FastEthernet0/39
 switchport access vlan 500
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/40
 switchport access vlan 500
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/41
 switchport access vlan 500
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/42
 switchport access vlan 500
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/43
 switchport access vlan 500
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/44
 switchport access vlan 500
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/45
 no ip address
!
interface FastEthernet0/46
 no ip address
!
interface FastEthernet0/47
 no ip address
!
interface FastEthernet0/48
 no ip address
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface range FastEthernet0/1 - 20
 no shut
 exit
!
interface range FastEthernet0/21 - 24
 no shut
 exit
!
interface range FastEthernet0/25 - 48
 no shut
 exit
!
interface Vlan101
 ip address 192.168.101.254 255.255.255.0
 ip access-group p1 in
 exit
!
interface Vlan102
 ip address 192.168.102.254 255.255.255.0
 ip access-group p2 in
!
interface Vlan103
 ip address 192.168.103.254 255.255.255.0
 ip access-group p3 in
 exit
!
interface Vlan104
 ip address 192.168.104.254 255.255.255.0
 ip access-group p4 in
!
interface Vlan105
 ip address 192.168.105.254 255.255.255.0
 ip access-group p5 in
 exit
!
interface Vlan106
 ip address 192.168.106.254 255.255.255.0
 ip access-group p6 in
!
interface Vlan107
 ip address 192.168.107.254 255.255.255.0
 ip access-group p7 in
 exit
!
interface Vlan108
 ip address 192.168.108.254 255.255.255.0
 ip access-group p8 in
!
interface Vlan109
 ip address 192.168.109.254 255.255.255.0
 ip access-group p9 in
 exit
!
interface Vlan110
 ip address 192.168.110.254 255.255.255.0
 ip access-group p10 in
 exit
!
interface Vlan111
 ip address 192.168.111.254 255.255.255.0
 ip access-group p11 in
 exit
!
interface Vlan112
 ip address 192.168.112.254 255.255.255.0
 ip access-group p12 in
 exit
!
interface Vlan113
 ip address 192.168.113.254 255.255.255.0
 ip access-group p13 in
 exit
!
interface Vlan114
 ip address 192.168.114.254 255.255.255.0
 ip access-group p14 in
 exit
!
interface Vlan115
 ip address 192.168.115.254 255.255.255.0
 ip access-group p15 in
 exit
!
interface Vlan116
 ip address 192.168.116.254 255.255.255.0
 ip access-group p16 in
 exit
!
interface Vlan117
 ip address 192.168.117.254 255.255.255.0
 ip access-group p17 in
 exit
!
interface Vlan118
 ip address 192.168.118.254 255.255.255.0
 ip access-group p8 in
 exit
!
interface Vlan200
 ip address 20.20.20.254 255.255.255.0
 exit
!
interface Vlan300
 ip address 30.30.30.254 255.255.255.0
 exit
!
interface Vlan400
 ip address 40.40.40.254 255.255.255.0
 exit
!
interface Vlan500
 ip address 11.11.11.254 255.255.255.0
 exit
!
ip classless
ip http server
!
ip access-list extended p1
 permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq 443
 permit tcp 192.168.101.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p2
 permit tcp 20.20.20.0 0.0.0.255 192.168.102.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.102.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.102.0 0.0.0.255 eq 443
 permit tcp 192.168.102.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.102.0 0.0.0.255
 permit ip 192.168.102.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p3
 permit tcp 20.20.20.0 0.0.0.255 192.168.103.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.103.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.103.0 0.0.0.255 eq 443
 permit tcp 192.168.103.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.103.0 0.0.0.255
 permit ip 192.168.103.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p4
 permit tcp 20.20.20.0 0.0.0.255 192.168.104.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.104.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.104.0 0.0.0.255 eq 443
 permit tcp 192.168.104.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.104.0 0.0.0.255
 permit ip 192.168.104.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p5
 permit tcp 20.20.20.0 0.0.0.255 192.168.105.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.105.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.105.0 0.0.0.255 eq 443
 permit tcp 192.168.105.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.105.0 0.0.0.255
 permit ip 192.168.105.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p6
 permit tcp 20.20.20.0 0.0.0.255 192.168.106.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.106.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.106.0 0.0.0.255 eq 443
 permit tcp 192.168.106.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.106.0 0.0.0.255
 permit ip 192.168.106.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p7
 permit tcp 20.20.20.0 0.0.0.255 192.168.107.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.107.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.107.0 0.0.0.255 eq 443
 permit tcp 192.168.107.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.107.0 0.0.0.255
 permit ip 192.168.107.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p8
 permit tcp 20.20.20.0 0.0.0.255 192.168.108.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.108.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.108.0 0.0.0.255 eq 443
 permit tcp 192.168.108.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.108.0 0.0.0.255
 permit ip 192.168.108.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p9
 permit tcp 20.20.20.0 0.0.0.255 192.168.109.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.109.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.109.0 0.0.0.255 eq 443
 permit tcp 192.168.109.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.109.0 0.0.0.255
 permit ip 192.168.109.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p10
 permit tcp 20.20.20.0 0.0.0.255 192.168.110.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.110.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.110.0 0.0.0.255 eq 443
 permit tcp 192.168.110.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.110.0 0.0.0.255
 permit ip 192.168.110.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p11
 permit tcp 20.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255 eq 443
 permit tcp 192.168.111.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.111.0 0.0.0.255
 permit ip 192.168.111.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p12
 permit tcp 20.20.20.0 0.0.0.255 192.168.112.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.112.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.112.0 0.0.0.255 eq 443
 permit tcp 192.168.112.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.112.0 0.0.0.255
 permit ip 192.168.112.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p13
 permit tcp 20.20.20.0 0.0.0.255 192.168.113.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.113.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.113.0 0.0.0.255 eq 443
 permit tcp 192.168.113.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.113.0 0.0.0.255
 permit ip 192.168.113.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p14
 permit tcp 20.20.20.0 0.0.0.255 192.168.114.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.114.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.114.0 0.0.0.255 eq 443
 permit tcp 192.168.114.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.114.0 0.0.0.255
 permit ip 192.168.114.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p15
 permit tcp 20.20.20.0 0.0.0.255 192.168.115.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.115.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.115.0 0.0.0.255 eq 443
 permit tcp 192.168.115.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.115.0 0.0.0.255
 permit ip 192.168.115.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p16
 permit tcp 20.20.20.0 0.0.0.255 192.168.116.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.116.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.116.0 0.0.0.255 eq 443
 permit tcp 192.168.116.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.116.0 0.0.0.255
 permit ip 192.168.116.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p17
 permit tcp 20.20.20.0 0.0.0.255 192.168.117.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.117.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.117.0 0.0.0.255 eq 443
 permit tcp 192.168.117.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.117.0 0.0.0.255
 permit ip 192.168.117.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
ip access-list extended p18
 permit tcp 20.20.20.0 0.0.0.255 192.168.118.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.118.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.118.0 0.0.0.255 eq 443
 permit tcp 192.168.118.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.118.0 0.0.0.255
 permit ip 192.168.118.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny ip any any
 exit
!
!
access-list 120 permit tcp 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255 eq 8181 established
access-list 130 permit tcp 30.30.30.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8181
access-list 140 permit tcp any any eq 8080
access-list 140 permit tcp any any eq www
no cdp advertise-v2
!
!
line con 0
line vty 5 15
!
!
monitor session 1 source vlan 1 - 500 rx
monitor session 1 destination interface Fa0/47
monitor session 2 source vlan 1 - 500 rx
monitor session 2 destination interface Fa0/48
end
10-22-2017 03:54 PM - edited 10-22-2017 09:17 PM
Hi,
Your Ping to 192.168.100.254 failed because it is filtered by ACL. Either you need to ping from addresses allowed in the ACL (address space 30.30.30.0/24), or modify the ACL as follows:
ip access-list extended p1
permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq www
permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq 8080 established
permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq 443
permit tcp 192.168.101.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
permit ip 30.30.30.0 0.0.0.255 192.168.101.0 0.0.0.255
permit ip 192.168.101.0 0.0.0.255 30.30.30.0 0.0.0.255
permit icmp any any
deny ip any any
exit
You need to modify the other ACLs as well if you want to run PING.
For 20.20.20.x and 30.30.30.x, could you check if you have routes in the routing table?
HTH,
Meheretab
10-31-2017 02:13 AM
10-23-2017 08:03 AM - edited 10-23-2017 08:05 AM
Hi Spockles,
Your ACL configuration is incorrect.
Can you please tell me the exact source and destination to which you want to allow traffic?
After that we can modify the ACL, then you can test.
Please also make sure the gateway configured on the servers is correct.
10-31-2017 02:18 AM
10-31-2017 02:42 AM - edited 10-31-2017 02:43 AM
Hello
I haven't checked each individual ACL, but it seems at first glance of this config that your ACLs are assigned in the wrong direction.
SVI RACLs have a logic of:
IN = from within the VLAN to outside
OUT = from outside into the VLAN
Lastly, ACLs 120/130/140 are not assigned to anything; if this is the case, I'd remove them for clarity.
res
Paul
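The direction rule described in the reply above can be checked offline. The following Python example is added here and is not code from the thread or from Cisco: it replays ACL p1 from the posted config with first-match semantics against packets entering interface Vlan101, and lists the entries whose source can never be a host inside that VLAN. The `established` keyword is simplified to "ACK set", and only the keywords this ACL uses are parsed.

```python
import ipaddress

# ACL p1 as posted in the thread; it is applied "in" on interface Vlan101.
ACL_P1 = """\
permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq www
permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq 8080 established
permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq 443
permit tcp 192.168.101.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
permit ip 30.30.30.0 0.0.0.255 192.168.101.0 0.0.0.255
permit ip 192.168.101.0 0.0.0.255 30.30.30.0 0.0.0.255
deny ip any any
"""
PORTS = {"www": 80}  # the only named port this ACL uses

def ip(s):
    return int(ipaddress.ip_address(s))

def addr(tok):
    """Consume 'any' or 'base wildcard'; return (base, care_mask)."""
    if tok[0] == "any":
        tok.pop(0)
        return 0, 0
    base, care = ip(tok.pop(0)), ~ip(tok.pop(0)) & 0xFFFFFFFF
    return base & care, care

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = addr(tok), addr(tok)
        port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port, "established" in tok, line))
    return rules

def evaluate(rules, proto, src, dst, dport=None, ack=False):
    """First match wins, as in IOS; 'established' is simplified to ACK set."""
    for action, rproto, (sb, sm), (db, dm), port, est, line in rules:
        if (rproto in ("ip", proto) and (ip(src) & sm) == sb and (ip(dst) & dm) == db
                and port in (None, dport) and (ack or not est)):
            return action, line
    return "deny", "(implicit deny)"

def never_match_inbound(rules, subnet):
    """Rules whose source cannot be an address inside the SVI's own subnet."""
    net = ipaddress.ip_network(subnet)
    nb, nm = int(net.network_address), int(net.netmask)
    return [r[-1] for r in rules if (r[2][0] ^ nb) & r[2][1] & nm]

RULES = parse(ACL_P1)
```

With constructed host addresses, `evaluate(RULES, "icmp", "192.168.101.10", "192.168.102.10")` falls through to `deny ip any any`, and `never_match_inbound(RULES, "192.168.101.0/24")` returns the four entries whose source is 20.20.20.0 or 30.30.30.0.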