VLAN question

sonitadmin
Level 1

Have a Cisco 3560 switch with multiple VLANs. Have a vendor that connects to the Pix 505 with PPTP and gets an IP from a server on VLAN1. They then need to connect to a PC for an RDP session on VLAN2. I am unable to get that connection working. Can ping all PCs on that VLAN but can't RDP. Is there an ACL I can add to grant this access?

44 Replies

Switch config

My final suggestion would be to remove your ACL from both SVIs and see if you can get across. If you can't, it has something to do with your PIX. You can post the PIX config if you want, but in reality it should be seeing the traffic between switchports and only involve the PIX if traffic isn't local (although that depends on your topology).

John

HTH, John *** Please rate all useful posts ***

Nothing in the switch config jumps out at you as being incorrect?

Not blatantly, no. The PIX SVI is 10.1.0.254, and the default route is .253. What's .253?

HTH, John *** Please rate all useful posts ***

Pix config shows 10.1.0.253 as the inside interface.

Please post the following from the PIX:

route statements

access-group statements

access-lists

Take out any public addresses.

HTH, John *** Please rate all useful posts ***

I've attached the route statements. I don't see any access-group statements and I only see one access-list statement that I'm not even sure belongs in there.

access-list 108 permit ip 10.10.0.0 255.255.0.0 172.16.1.0 255.255.255.0

I see a lot of conduit permit statements.

If you do a "show access-group", you should see something. Did you remove your ACL from the SVI and test it?

HTH, John *** Please rate all useful posts ***

Sonit:

Forget about RDP, can you even PING the device in VLAN 8 from the device in VLAN 10? Is it even reachable?

I am not in front of the switch or pix right now and have no access to it. I have another tech that is working with it.

We have not removed the ACL yet. I'll get the show access-group results shortly.

Thanks for all the help!

Sonit:

Forget about RDP, can you even PING the device in VLAN 8 from the device in VLAN 10? Is it even reachable?

Yes, with my Vista laptop (IP address 10.10.0.240) I can ping the client PC at 10.70.0.61 that I want to RDP to. Same result from the server at 10.10.0.3.

With my laptop connected to 10.70.0.0 network I am able to RDP into 10.70.0.61 machine. Just not from 10.10.0.0 network.

John,

The show access-group command brings back nothing. Show access-list brings back the ACL that I showed you earlier.

The access-list isn't applied then. You may not be using access-lists if you're using conduits. The only other test that you can do is to remove the ACL from both SVIs (have the other tech do it) and then see if you can get to it.

HTH, John *** Please rate all useful posts ***
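Before pulling the ACLs off both SVIs (the test John proposes in his first reply and again just above), it is cheaper to evaluate the two flows in question, ICMP echo and TCP/3389, against the ACL text itself. The Python below is an added example, not code from the thread or from Cisco: it implements IOS extended-ACL matching (wildcard masks, first match wins, implicit deny at the end) and runs the thread's addresses, 10.10.0.240 to 10.70.0.61, through a constructed sample ACL. The ACL contents are assumed for illustration only; the thread never shows what is actually applied to the SVIs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # only set for "eq <port>" on tcp/udp


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.0.255.255 means /16."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _read_address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse extended ACE lines in IOS wildcard syntax (numeric ports only)."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("!", "remark", "ip"):
            continue  # skip comments, remarks and an 'ip access-list ...' header
        action, proto = tokens[0], tokens[1]
        src, i = _read_address(tokens, 2)
        dst, i = _read_address(tokens, i)
        port = None
        if i < len(tokens) and tokens[i] == "eq":
            port = int(tokens[i + 1])
        entries.append(AclEntry(action, proto, src, dst, port))
    return entries


def evaluate(entries: List[AclEntry], src_ip: str, dst_ip: str,
             proto: str, dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, ACE number) of the first matching entry; implicit deny if none."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for number, e in enumerate(entries, start=1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, number
    return "deny", None  # every IOS ACL ends with an implicit deny


# Constructed sample (not from the thread): an SVI ACL that would produce exactly
# the symptom reported, ping works but RDP does not.
CONSTRUCTED_ACL = """
! constructed example ACL, applied inbound on the VLAN 10 SVI
permit icmp 10.10.0.0 0.0.255.255 10.70.0.0 0.0.255.255
permit tcp 10.10.0.0 0.0.255.255 10.70.0.0 0.0.255.255 eq 443
deny ip any any
"""

# Same ACL with a narrow permit for RDP to the one client, placed before the deny.
CONSTRUCTED_ACL_FIXED = """
permit icmp 10.10.0.0 0.0.255.255 10.70.0.0 0.0.255.255
permit tcp 10.10.0.0 0.0.255.255 10.70.0.0 0.0.255.255 eq 443
permit tcp 10.10.0.0 0.0.255.255 host 10.70.0.61 eq 3389
deny ip any any
"""


def check_rdp_path(acl_text: str, src_ip: str = "10.10.0.240",
                   dst_ip: str = "10.70.0.61") -> dict:
    """Evaluate the two flows from the thread (ICMP echo and TCP/3389) against an ACL."""
    entries = parse_acl(acl_text)
    return {
        "ping": evaluate(entries, src_ip, dst_ip, "icmp"),
        "rdp": evaluate(entries, src_ip, dst_ip, "tcp", 3389),
    }


if __name__ == "__main__":
    for label, acl in (("as constructed", CONSTRUCTED_ACL), ("with RDP permitted", CONSTRUCTED_ACL_FIXED)):
        print(label, check_rdp_path(acl))
```

Direction matters: an ACL applied inbound on the VLAN 10 SVI sees the request (source 10.10.0.240, destination port 3389), while one applied inbound on the VLAN 70 SVI sees the reply (source 10.70.0.61, source port 3389), so the check has to be run once per SVI and direction with the roles swapped. The matcher also ignores `established`, port ranges and named ports, which is enough for a first pass but not a substitute for `show ip access-lists` hit counts on the switch.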

My guess is that when I remove both of those ACLs it's going to cause some issues, so I might not be able to test it during hours.