
Unable to connect to DMZ and WAN via LAN

HadiBeheshti

Hi, I have a 3750 switch, three 2960 switches and a Kerio firewall.
IP ranges of the 2960 switches: 10.10.31.0/24, 10.10.32.0/24, 10.10.41.0/24
DMZ IP range: 10.10.10.0/24
LAN IP range: 10.10.12.0/24
WAN IP range: 180.140.32.0/24
Kerio IP: 10.10.10.2
Computers on the LAN can see each other, but they do not have access to the server, and they cannot see the DMZ or the WAN.
I defined a VLAN for the DMZ and a separate VLAN for the LAN, and a VLAN for each of the 2960 switches, which assign IP addresses to devices through DHCP.
Thanks for pointing me to how I can modify the code.
I attached the code I used below.

3750 :

enable
configure terminal
hostname SW-Core
ip default-gateway 10.10.10.2
ip domain-name ********
vtp mode server
vtp domain ********
vtp version 2
vtp pruning
enable secret ********
line vty 0 15
password ********
login
exit
line console 0
password ********
login
exit
VLan 10
name DMZ
exit
VLan 12
name CORE
exit
VLan 31
name F3N
exit
VLan 32
name F3S
exit
VLan 41
name F4N
exit
interface vlan 10
ip address 10.10.10.11 255.255.255.0
no shutdown
exit
interface vlan 12
ip address 10.10.12.1 255.255.255.0
no shutdown
exit
interface vlan 31
ip address 10.10.31.1 255.255.255.0
no shutdown
exit
interface vlan 32
ip address 10.10.32.1 255.255.255.0
no shutdown
exit
interface vlan 41
ip address 10.10.41.1 255.255.255.0
no shutdown
interface range gigabitEthernet 1/0/1-6
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1-99
no shutdown
exit
interface range gigabitEthernet 1/0/7-9
switchport mode access
switchport access vlan 10
no shutdown
exit
interface range gigabitEthernet 1/0/10-12
switchport mode access
switchport access vlan 12
no shutdown
exit
interface range gigabitEthernet 1/0/13-28
shutdown
exit
ip dhcp pool DMZ
network 10.10.10.0 255.255.255.0
default-router 10.10.10.11
dns-server 10.10.10.2
lease 8
exit
ip dhcp pool CORE
network 10.10.12.0 255.255.255.0
default-router 10.10.12.1
dns-server 10.10.10.10
lease 8
exit
ip dhcp pool F3N
network 10.10.31.0 255.255.255.0
default-router 10.10.31.1
dns-server 10.10.10.10
lease 8
exit
ip dhcp pool F3S
network 10.10.32.0 255.255.255.0
default-router 10.10.32.1
dns-server 10.10.10.10
lease 8
exit
ip dhcp pool F4N
network 10.10.41.0 255.255.255.0
default-router 10.10.41.1
dns-server 10.10.10.10
lease 8
exit
ip routing
ip dhcp excluded-address 10.10.10.1 10.10.10.12
ip dhcp excluded-address 10.10.12.1 10.10.12.10
ip dhcp excluded-address 10.10.31.1 10.10.31.10
ip dhcp excluded-address 10.10.32.1 10.10.32.10
ip dhcp excluded-address 10.10.41.1 10.10.41.10
exit
write

2960 :

enable
configure terminal
hostname SW-F3N
vtp mode client
vtp domain ********
ip default-gateway 10.10.31.1
enable secret ********
line vty 0 15
password ********
login
exit
line console 0
password ********
login
exit
interface gigabitEthernet 0/24
switchport mode trunk
no shutdown
exit
interface range gigabitEthernet 0/21-23
shutdown
exit
interface range gigabitEthernet 0/1-20
switchport mode access
switchport access vlan 31
no shutdown
exit
interface vlan 1
no ip address
shutdown
exit
interface vlan 31
ip address 10.10.31.2 255.255.255.0
no shutdown
exit
exit
write

Hello,

the configs look good. The only thing that needs to be removed is:

hostname SW-Core
--> no ip default-gateway 10.10.10.2

Are the Vlan interfaces up/up? Post the output of:

sh ip int brief

from the core switch.
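As an added example (it is not part of the thread or of the poster's configuration), here is a small Python linter that parses a flat IOS config in the style posted above and flags the `ip default-gateway` / `ip routing` conflict pointed out in this reply, together with the items a security reviewer would check on a Layer-3 switch that carries both a DMZ and a LAN VLAN: no default route once `ip routing` is on, routed SVIs with no ACL (so DMZ-to-LAN traffic is forwarded by the switch and never reaches the firewall), trunks left on the default native VLAN 1, and vty lines that do not restrict transport to SSH. The embedded sample is a condensed copy of the SW-Core config from the first post; the finding codes and the parser are mine.

```python
"""Lint a flat Cisco IOS config (the style posted in this thread) for routing
and segmentation issues.  Added example, not code from the thread.
SW_CORE_CONFIG is a condensed copy of the posted 3750 config."""
import re

SW_CORE_CONFIG = """\
hostname SW-Core
ip default-gateway 10.10.10.2
enable secret ********
line vty 0 15
password ********
login
exit
interface vlan 10
ip address 10.10.10.11 255.255.255.0
no shutdown
exit
interface vlan 12
ip address 10.10.12.1 255.255.255.0
no shutdown
exit
interface vlan 31
ip address 10.10.31.1 255.255.255.0
no shutdown
exit
interface range gigabitEthernet 1/0/1-6
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1-99
no shutdown
exit
ip routing
"""

BLOCK_OPENER = re.compile(r"^(interface|line|vlan|ip dhcp pool)\b", re.I)
GLOBAL_CMD = re.compile(
    r"^(ip routing|ip default-gateway|ip route|ip dhcp excluded|hostname|vtp|enable|ip domain)",
    re.I)
SECTION_END = {"exit", "end", "configure terminal", "write"}


def parse_ios(text):
    """Split the config into global commands and {block header: sub-commands}.
    A block is opened by interface/line/vlan/dhcp-pool and closed by 'exit',
    by another opener, or by a known global command (IOS accepts all three)."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.strip().lower().split())
        if not line or line in SECTION_END:
            current = None
        elif BLOCK_OPENER.match(line):
            current = line
            blocks.setdefault(current, [])
        elif GLOBAL_CMD.match(line):
            current = None
            globals_.append(line)
        elif current is not None:
            blocks[current].append(line)
        else:
            globals_.append(line)
    return globals_, blocks


def has(prefix, cmds):
    return any(c.startswith(prefix) for c in cmds)


def lint(globals_, blocks):
    """Return a list of finding codes for the parsed config."""
    findings = []
    routing = "ip routing" in globals_

    if routing and has("ip default-gateway", globals_):
        # ip default-gateway is only consulted when ip routing is off.
        findings.append("DEFAULT_GATEWAY_IGNORED")
    if routing and not has("ip route 0.0.0.0 0.0.0.0", globals_):
        findings.append("NO_DEFAULT_ROUTE")

    svis = {h: c for h, c in blocks.items()
            if h.startswith("interface vlan") and has("ip address", c)}
    if routing and len(svis) > 1 and not all(has("ip access-group", c) for c in svis.values()):
        # Routed SVIs without ACLs: traffic between VLANs (here DMZ and LAN)
        # is forwarded by the switch and never passes the firewall.
        findings.append("UNFILTERED_INTER_VLAN_ROUTING")

    for header, cmds in blocks.items():
        if header.startswith("interface") and "switchport mode trunk" in cmds \
                and not has("switchport trunk native vlan", cmds):
            findings.append("TRUNK_NATIVE_VLAN_1")   # default native VLAN is 1
            break
    if any(h.startswith("line vty") and not has("transport input ssh", c)
           for h, c in blocks.items()):
        findings.append("VTY_TELNET_ALLOWED")
    return findings


if __name__ == "__main__":
    for code in lint(*parse_ios(SW_CORE_CONFIG)):
        print(code)
```

Run against the posted config it reports all five codes; a config with `ip routing`, an explicit `ip route 0.0.0.0 0.0.0.0 10.10.10.2` and `transport input ssh` on the vty lines reports none. The parser only understands the unindented, `exit`-terminated style used in the post, not `show running-config` output with indentation.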

Thanks for your answer. I executed the command you suggested, and now I can ping the LAN computers from Kerio, but I can't ping the DMZ servers, or even Kerio, from the LAN computers. Do I have to write a specific route? I entered
ip route 0.0.0.0 0.0.0.0 VLan 10 10.10.10.2
on the 3750, but it didn't work.
I have added the result of the tracert command for the two ranges (DMZ and WAN) and the output of the command you mentioned:

SW-Core#sh ip int brief

Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES unset  up                    up
Vlan10                 10.10.10.11     YES manual up                    up
Vlan12                 10.10.12.1      YES manual up                    up
Vlan31                 10.10.31.1      YES manual up                    up
Vlan32                 10.10.32.1      YES manual up                    up
Vlan41                 10.10.41.1      YES manual up                    up
Vlan42                 10.10.42.1      YES manual up                    up
Vlan51                 10.10.51.1      YES manual up                    up
Vlan52                 10.10.52.1      YES manual up                    up
GigabitEthernet1/0/1   unassigned      YES unset  up                    up
GigabitEthernet1/0/2   unassigned      YES unset  down                  down
GigabitEthernet1/0/3   unassigned      YES unset  down                  down
GigabitEthernet1/0/4   unassigned      YES unset  down                  down
GigabitEthernet1/0/5   unassigned      YES unset  down                  down
GigabitEthernet1/0/6   unassigned      YES unset  down                  down
GigabitEthernet1/0/7   unassigned      YES unset  down                  down
GigabitEthernet1/0/8   unassigned      YES unset  down                  down
GigabitEthernet1/0/9   unassigned      YES unset  up                    up
GigabitEthernet1/0/10  unassigned      YES unset  down                  down
GigabitEthernet1/0/11  unassigned      YES unset  down                  down
GigabitEthernet1/0/12  unassigned      YES unset  up                    up
GigabitEthernet1/0/13  unassigned      YES unset  administratively down down
GigabitEthernet1/0/14  unassigned      YES unset  administratively down down
GigabitEthernet1/0/15  unassigned      YES unset  administratively down down
GigabitEthernet1/0/16  unassigned      YES unset  administratively down down
GigabitEthernet1/0/17  unassigned      YES unset  administratively down down
GigabitEthernet1/0/18  unassigned      YES unset  administratively down down
GigabitEthernet1/0/19  unassigned      YES unset  administratively down down
GigabitEthernet1/0/20  unassigned      YES unset  administratively down down
GigabitEthernet1/0/21  unassigned      YES unset  administratively down down
GigabitEthernet1/0/22  unassigned      YES unset  administratively down down
GigabitEthernet1/0/23  unassigned      YES unset  administratively down down
GigabitEthernet1/0/24  unassigned      YES unset  administratively down down
GigabitEthernet1/0/25  unassigned      YES unset  administratively down down
GigabitEthernet1/0/26  unassigned      YES unset  administratively down down
GigabitEthernet1/0/27  unassigned      YES unset  administratively down down
GigabitEthernet1/0/28  unassigned      YES unset  administratively down down

tracert 10.10.10.2 (Firewall)

Tracing route to 10.10.10.2 over a maximum of 5 hops

  1    <1 ms    <1 ms    <1 ms  10.10.31.1 
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
Trace complete.

tracert 172.80.10.1 (WAN)

Tracing route to 172.20.1.1 over a maximum of 5 hops

  1    <1 ms    <1 ms    <1 ms  10.10.31.1 
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

Trace complete.

Hello,

at this point it gets confusing what works and what does not work. Post a drawing of your topology including all devices and IP addresses, and how they are connected.

HadiBeheshti

I posted it. Sorry for the bad drawing.

Drawing1.png

Kerio routing table:

F86159C9-3E0B-479F-81D1-A9922D055B7F.jpeg

Hello,

the drawing is very good actually!

Make sure all VLANs actually exist on the core switch. When you issue the command 'sh vlan', all VLANs should be listed. If they are not there, you might have to manually create them, e.g.:

SW-Core#conf t
SW-Core(config)#vlan 10

Also, make sure that both the PC and the Kerio use the IP address of the respective SVI of the core switch as the default gateway:

Kerio default gateway
--> 10.10.10.11

PC default gateway
--> 10.10.31.1

This is exactly the problem. Kerio uses the WAN address as its gateway. The other servers use the Kerio DMZ IP (10.10.10.2) as their gateway. But VLAN 10 has its own gateway (10.10.10.11) and VLAN 12 has its own gateway (10.10.12.1).
Now computers connected to a 2960 switch, which is in turn connected to the core switch via a trunk, cannot see the DMZ.

On the core switch, the ports are as follows:

Ports 1-6: trunks connecting the 2960 switches, each with its own DHCP pool and gateway (10.10.31.1, 10.10.32.1, 10.10.41.1)

Ports 7-9: intended for the DMZ, with gateway 10.10.10.11

Ports 10-12: intended for the LAN.

On the server:

Nic0: LAN

Nic1, Nic2: DMZ

Nic3: WAN

In ESXi:

The servers installed on ESXi use addresses from the VLAN 10 range assigned manually, but with Kerio as their gateway (10.10.10.2).
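As an added example (not from the thread), the following Python model walks a packet hop by hop through the topology described in this post, using longest-prefix lookups on each device's routing table. It shows why the forward path from a LAN PC to a DMZ server succeeds (the core SVI routes it directly) while the reply never comes back: the server's default gateway is Kerio (10.10.10.2), and if Kerio has no route for the 10.10.x.0/24 networks, the reply is sent to Kerio's WAN default gateway. It also runs the two remedies under discussion: pointing the servers at the core SVI 10.10.10.11, as the previous reply suggests, which makes the path symmetric but means LAN-to-DMZ traffic never crosses the firewall; and adding a static route on Kerio for 10.10.0.0/16 via 10.10.10.11, which gets the reply back but over an asymmetric path that a stateful firewall will typically drop. The host addresses (PC 10.10.31.50, server 10.10.10.20, Kerio WAN 180.140.32.10 with upstream 180.140.32.1) and Kerio's routing table are constructed assumptions; the thread's Kerio routing table is only available as an attached image.

```python
"""Hop-by-hop path model for the LAN / DMZ / Kerio topology in the thread.
Added example, not from the original post.  Host addresses, Kerio's WAN
address and Kerio's routing table are constructed assumptions."""
import ipaddress


class Node:
    """A host or router: the addresses it owns plus a static routing table.
    routes is a list of (prefix, next_hop); next_hop None means the prefix is
    directly connected, so the destination itself is the next hop."""

    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        self.routes = [(ipaddress.ip_network(p),
                        ipaddress.ip_address(nh) if nh else None)
                       for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; None when no route covers dst."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build_topology(server_gateway="10.10.10.2", kerio_routes_to_lan=False):
    """Topology from the thread with constructed host IPs.
    server_gateway      : default gateway on the DMZ server; 10.10.10.2 is
                          Kerio (as posted), 10.10.10.11 is the core SVI.
    kerio_routes_to_lan : whether Kerio has a static route for the internal
                          10.10.0.0/16 space via the core SVI (assumption)."""
    kerio_routes = [("10.10.10.0/24", None), ("180.140.32.0/24", None),
                    ("0.0.0.0/0", "180.140.32.1")]      # upstream: assumed
    if kerio_routes_to_lan:
        kerio_routes.append(("10.10.0.0/16", "10.10.10.11"))
    return {
        "PC": Node("PC", ["10.10.31.50"],
                   [("10.10.31.0/24", None), ("0.0.0.0/0", "10.10.31.1")]),
        "SW-Core": Node("SW-Core", ["10.10.10.11", "10.10.12.1", "10.10.31.1"],
                        [("10.10.10.0/24", None), ("10.10.12.0/24", None),
                         ("10.10.31.0/24", None), ("0.0.0.0/0", "10.10.10.2")]),
        "Kerio": Node("Kerio", ["10.10.10.2", "180.140.32.10"], kerio_routes),
        "DMZ-Server": Node("DMZ-Server", ["10.10.10.20"],
                           [("10.10.10.0/24", None),
                            ("0.0.0.0/0", server_gateway)]),
    }


def trace(nodes, src, dst_ip, max_hops=8):
    """Forward a packet from node `src` toward dst_ip.  Returns (path, status)."""
    dst = ipaddress.ip_address(dst_ip)
    owner = {a: n.name for n in nodes.values() for a in n.addresses}
    current, path = nodes[src], [src]
    for _ in range(max_hops):
        if dst in current.addresses:
            return path, "delivered"
        route = current.lookup(dst)
        if route is None:
            return path, "no route"
        target = dst if route[1] is None else route[1]
        if target not in owner:
            # Next hop is outside the model (e.g. the ISP router): a private
            # destination handed upstream is effectively black-holed.
            return path, f"forwarded out of the model toward {target}"
        current = nodes[owner[target]]
        path.append(current.name)
    return path, "hop limit exceeded"


def round_trip(nodes, src, dst_ip):
    """Trace src -> dst and the reply dst -> src; report whether both
    directions use the same hops, which a stateful firewall relies on."""
    fwd = trace(nodes, src, dst_ip)
    owner = {a: n.name for n in nodes.values() for a in n.addresses}
    dst_node = owner[ipaddress.ip_address(dst_ip)]
    rev = trace(nodes, dst_node, str(next(iter(nodes[src].addresses))))
    symmetric = fwd[1] == rev[1] == "delivered" and fwd[0] == rev[0][::-1]
    return fwd, rev, symmetric


if __name__ == "__main__":
    scenarios = [("as posted", {}),
                 ("servers use core SVI", {"server_gateway": "10.10.10.11"}),
                 ("static route on Kerio", {"kerio_routes_to_lan": True})]
    for label, kwargs in scenarios:
        fwd, rev, sym = round_trip(build_topology(**kwargs), "PC", "10.10.10.20")
        firewalled = "Kerio" in fwd[0] or "Kerio" in rev[0]
        print(f"{label}: fwd={fwd} rev={rev} symmetric={sym} firewall_in_path={firewalled}")
```

The model only does destination-based forwarding; it does not emulate Kerio's stateful inspection, NAT or ICMP redirects. The point it makes is structural: once the 3750 has `ip routing` enabled, the core switch, not Kerio, is the router between LAN and DMZ, so either the servers' gateway has to be the core SVI (and the DMZ is then separated from the LAN only by whatever ACLs are on the switch), or every device's routing table has to agree on one path in both directions.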

HadiBeheshti

Could someone help me?
