
unable to reach server from core

suthomas1
Level 6

Hi,

We have the below network in one of our factories.

Attached is the Visio for it.

Servers 192.168.2.11, 2.15 & 2.21 from the third business unit need to access our factory network servers in VLAN 101 (192.168.101.1/24).

The factory network has an ASA and a Nexus 5k.

Our Cisco ASA is used to terminate the link between our factory & the other business unit. It is actually not that far away, hence fiber is used across both for interconnect using LACP.

The ip addressing is shown in the diagram.

Current State:-

From the ASA, we can ping 192.168.62.1 & any of the servers like 192.168.2.11.

From their side, they can reach 192.168.62.2 and any of our servers like 192.168.101.45.

However, when we tried to ping the servers 192.168.2.X from our Nexus 5k core, they are not pingable.

These are the configurations on the ASA. We have a dual link running between the ASA and the N5k as a port-channel.

ASA :->

interface GigabitEthernet0/6
 speed 1000
 duplex full
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 speed 1000
 duplex full
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.200
 vlan 200
 nameif LOCAL
 security-level 100
 ip address 10.10.1.1 255.255.255.248
!
interface Port-channel18
 description Uplink to Business unit
 nameif BU
 security-level 0
 ip address 192.168.62.1 255.255.255.0
!
access-list BU_access_in extended permit ip 192.168.2.0 255.255.255.0 192.168.101.0 255.255.255.0
access-group BU_access_in in interface BU
!
route BU 0.0.0.0 0.0.0.0 192.168.62.1
route LOCAL 192.168.101.0 255.255.255.0 10.10.1.2

On the N5K core :->

ip route 0.0.0.0 0.0.0.0 10.10.1.1

interface port-channel1
  switchport mode trunk
  speed 1000
  duplex full

interface Ethernet1/21
  switchport mode trunk
  speed 1000
  duplex full
  channel-group 1

interface Ethernet1/22
  switchport mode trunk
  speed 1000
  duplex full
  channel-group 1

Please help with what could be wrong here. Appreciate all advice on this.


Jan Rolny
Level 3

Hi,

It depends on whether your ASA has NAT configured.

Regarding the configuration you provided, it seems that the third-party BU doesn't know anything about the 10.10.1.0/30 network, because when you try to ping the remote network from the Nexus it will probably have 10.10.1.2 as the source IP address if no NAT is applied on your ASA.

Best Regards,

Jan

ASA has no nat configured.

Third party BU has the below route on their device:

ip route 192.168.101.0 255.255.255.0 192.168.62.2

ASA has route pointing towards 10.10.1.2 for traffic towards 192.168.101.0 /24 servers.

Thanks again!

Hi,

Is there any other route on the remote side?

I think they are missing this route:

ip route 10.10.1.0 255.255.255.248 192.168.62.2

So the remote router will know the source address of your 5k switch, which is 10.10.1.2. Then it should work if there is nothing else, like an ACL on the remote side, which could deny traffic from the 10.10.1.0 network.

Best regards,

Jan
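The return-path reasoning in this exchange, as an added example that is not part of the original posts: a small longest-prefix-match model of the three devices that traces an echo request and its reply separately. The device names, the `local` marker, and the BU router's connected networks are assumptions made for the model; only the static routes come from the thread.

```python
import ipaddress as ip

# Routing tables rebuilt from the thread; next hops are device names, not IPs.
# Assumptions: BU has only its connected networks plus the one static route
# quoted in the thread, and the ASA default route leads to the BU router.
ROUTES = {
    "N5K": [("192.168.101.0/24", "local"), ("10.10.1.0/29", "local"),
            ("0.0.0.0/0", "ASA")],
    "ASA": [("10.10.1.0/29", "local"), ("192.168.62.0/24", "local"),
            ("192.168.101.0/24", "N5K"), ("0.0.0.0/0", "BU")],
    "BU":  [("192.168.2.0/24", "local"), ("192.168.62.0/24", "local"),
            ("192.168.101.0/24", "ASA")],
}

def lookup(device, dst, routes):
    """Longest-prefix match: returns a next-hop device, 'local', or None."""
    addr, best = ip.ip_address(dst), None
    for prefix, hop in routes[device]:
        net = ip.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None

def trace(start, dst, routes):
    """Follow next hops from start toward dst; returns (path, verdict)."""
    path, device = [start], start
    for _ in range(8):  # hop limit guards against routing loops
        hop = lookup(device, dst, routes)
        if hop is None:
            return path, f"no route on {device}"
        if hop == "local":
            return path, "delivered"
        device = hop
        path.append(device)
    return path, "loop"

def ping(src_dev, src_ip, dst_dev, dst_ip, routes=ROUTES):
    """An echo succeeds only if request and reply both find a path."""
    return {"request": trace(src_dev, dst_ip, routes)[1],
            "reply": trace(dst_dev, src_ip, routes)[1]}

def with_return_route(routes):
    """Copy of the tables with the BU static route proposed in the thread."""
    fixed = {dev: list(entries) for dev, entries in routes.items()}
    fixed["BU"].append(("10.10.1.0/29", "ASA"))
    return fixed

if __name__ == "__main__":
    print(ping("N5K", "10.10.1.2", "BU", "192.168.2.11"))
    print(ping("N5K", "10.10.1.2", "BU", "192.168.2.11", with_return_route(ROUTES)))
    print(ping("N5K", "192.168.101.45", "BU", "192.168.2.11"))
```

In this model the Nexus-sourced ping loses its reply on the BU router until the 10.10.1.0/29 route is added, while a ping sourced from 192.168.101.45 has a route in both directions, so routing alone does not account for the server-to-server failure.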

Thanks again.

Is that route needed, as that 10.10.1.0 network is only a routing link between Core & ASA?

If we try to reach BU server 192.168.2.x from within one of our servers 192.168.101.x, it is not reachable.

The Core switch has a route pointing the traffic towards ASA for this.

Are there any problems related to the link between ASA & Core, EtherChannel or so, or the way the trunk operates?

Hi,

It depends on what your goal is or what you want to have reachable. Of course this route is not needed because it is pointing to your core switch. I wouldn't want to make my core switch visible from the remote side. So if you don't want to reach your core switch from the remote side for some reason, then this route is not needed on the remote router.

Regarding the issue of server reachability:

Because the remote side (router) is able to reach your servers, I don't think there is an EtherChannel or link problem.

Is there an ACL applied on the remote side? I think there will be something.

Is it possible to post the remote running-config of the router and switch where the servers are connected?

Jan
