UC520 and ESW520 connectivity

arphilyaw · ‎01-29-2010

We have this setup currently - internet into Cisco PIX firewall. From the PIX to an HP switch, the UC520 is also connected to the HP switch (the UC also has our Cisco IP phones and PC's attached in its switch ports). We now have an ESW520 switch that I want to use to replace the HP switch. Initially I connected the LAN interface of the PIX into the switch (tried the uplink port and a regular switch port), connected the expansion port of the UC to the uplink port of the ESW and connected a PC to the ESW. No internet access. I can ping both the PIX and the switch from the PC but no internet. I've also tried PIX out to the WAN port of the UC, then to the ESW, also no internet.

I'm really at a loss here...I'm just not sure how to get this configuration to work and am getting very frustrated! I'd appreciate any help that can be offered and will gladly provide whatever details are needed. Thanks.

Steven Smith · ‎01-29-2010

Did you change any of the smart port roles? I agree, inserting the switch should not cause all of this hassle.

Maulik Shah · ‎01-29-2010

There maybe a DHCP server conflict here - if you connect as below:

Internet -- PIX inside -- uplink1--ESW--uplink2----expansion UC500

+---PC

Things you need to check:

- Is the inside interface of the PIX in VLAN1?

- Is the UC500 data VLAN DHCP pool in the same IP subnet as the PIX inside interface?

- Is the PIX acting as DHCP server for the data VLAN (vlan 1). If so you should delete the DHCP pool for the data VLAN on UC500 (using CCA)

- If the UC500 is the DHCP server, make sure the default gateway in the DHCP pool for data VLAN on UC500 points to PIX inside interface

- You may also need to add a static route on the UC500 directing all traffic to the PIX inside interface

Info on doing the above via CCA is at admin guide below

https://www.cisco.com/en/US/docs/net_mgmt/cisco_configuration_assistant/version2_2_1/administration_guide/cca_221_sbcs_admin_guide.pdf

arphilyaw · ‎01-29-2010

Maulik,

Thanks for the reply...going to address your issues as best I can...or with more questions!

When you ask if the inside interface of the PIX is on VLAN1...where do I look for this? I'm pretty sure the answer to your question is yes, it is...but I do want to be sure. The VLAN1 IP address 10.1.6.1 with a mask of 255.255.248.0. PIX internal IP is 10.1.1.1, so hopefully that info will help answer that question.

I'm thinking the above info will address your second item...but let me know if I need to send anything further.

The PIX is not acting as a DHCP server. PC's on the data VLAN get DHCP from a Windows server on the LAN.

The UC520 isn't doing DHCP either, however there is a DHCP pool setup on the UC520 for both the data and voice VLANs. For the data VLAN everything is in a 192.168.x.x range which we don't use internally on our network. Could this be causing problems?

Can you give me an example of what that static route would look like on the UC520 to direct traffic to the PIX interface? I worked with the TAC on some routing issues with the PIX and the UC so I believe that statement already exists but I'd like to confirm this.

Thanks in advance for your help.

Maulik Shah · ‎01-29-2010

Clears this up a bit - hope we can nail this by the below:

From what you mentioned:

PIX inside is 10.1.1.1 255.255.248.0

DHCP server is on the 10.1.x.x subnet with the mask of 255.255.248.0 (/21)

UC520 VLAN1 IP address is 10.1.6.1 255.255.248.0

- Not a PIX guru, but was asking if you had any VLANs setup on the PIX at all - something like the below:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1113437

If so would need to match the VLANs on the ESW. If not then VLAN1 is what is used and no changes required

- Is the PC getting an IP address in the 10.1.x.x network - what is the default gateway for the PC? You can view this by doing Start > Run > cmd and then type ipconfig on a Windows PC. If the default gateway is 10.1.1.1, then you should be ok and the PIX should route the traffic out as long as the PIX is not using any VLANs on the inside interface.

- Please disable the DHCP server for VLAN1 on the UC520 but I do not think it will have an impact if your VLAN1 address on the UC500 is 10.1.6.1

- To create a static route on the UC520 - go to CCA and connect to UC520. Go to Configure > Routing > Static Routing, Add static route and enter the below:

Destination/ Network IP field 0.0.0.0
Network Mask 0.0.0.0
Gateway IP or Outgoing Interface 10.1.1.1

arphilyaw · ‎02-03-2010

Maulik,

Thanks for the response. In response to your questions -

There are no VLAN's setup on the PIX. VLAN 1 is the VLAN being used.

Yes, all PC's are getting addresses on the 10.1.x.x network. PC's are using 10.1.10.x, servers are using 10.1.2.x. The default gateway is set to 10.1.6.1, this was suggested by the TAC after they made some routing changes on the UC520 using CLI.

I have deleted the DHCP pool for VLAN1 on the UC520, so it should now be disabled. If there is something else I need to do to disable it, please advise.

The static route you described has been added.

I'll be testing this later today and will let you know the results. Thank you.

Maulik Shah · ‎02-03-2010

Not sure why the PC's default gateway should be 10.1.6.1 (UC520) - rather than the PIX (10.1.1.1). Can you change that on the DHCP server to point to the PIX so the PCs directly go to the PIX

arphilyaw · ‎02-03-2010

Yes, I can change it...but that was a suggestion from the TAC that they be changed.

I also had an issue with the original configuration of the UC520 by another employee here that made it difficult to interface with the UC520 so the TAC assisted in getting that taken care of. In the course of that work, it was suggested to change the gateway to use the UC520 instead of the PIX. I'll make the change since it's not a big deal to change back if necessary. Thanks.

arphilyaw · ‎02-05-2010

Maulik,

Here's where I stand as of this morning. I tested after making the config changes suggested and still no luck getting out to the internet. Just to refresh...internet from outside comes into the PIX --->PIX to uplink port on ESW 520 switch--->expansion port on UC520 to uplink port on ESW520 switch--->PC to switch port on the ESW 520.

With that configuration, I get no internet access. I can ping the ESW switch and the PIX from the PC. Tried to ping an external IP address, no luck. Tried to ping our domain controller on the LAN...no luck.

Here's where it gets interesting (and if you ask me, downright weird). The ESW 520 was brought in to replace an HP switch we've been using here forever. We want to have everything Cisco so we can use the CCA to manage everything (UC520, ESW520) from one management tool and just to streamline our network setup. If I connect the ESW to the HP switch, my internet access comes back, I'm able to ping internal LAN addresses, everyone's happy. It just doesn't make sense to me at all. Is there some sort of route in the PIX that references that HP switch (it's a managed switch and does have an IP address...no VLAN's setup on it that I'm aware of), I'm just really at wit's end here and need to get this working.

Thanks again for all the help...looking forward to hearing back from you.

Maulik Shah · ‎02-07-2010

So to recap - your setup is (UC500 does not matter in this case):

PC -- VLAN1 -- ESW -- uplink port -- inside -- PIX -- outside -- internet

- The PC is in the same IP subnet as the inside interface of the PIX and the PIX has no VLANs configured on it other than default.

- PC gets an IP address from a Windows DHCP server on the same VLAN and default gateway is set to PIX inside interface

Lets take this one by one:

- From PC can you ping the inside of the PIX? I think this is a yes

- From PC can you ping the outside of the PIX?

- From PC can you ping your ISP gateway (PIX should be pointing to this)

- From PC can you ping 4.2.2.2 (its a NTP server on the internet)

If you put the HP in this works - but the HP is a Layer 3 switch it appears as opposed to L2 switch like ESW. Is there a route on the PIX that points 10.x.x.x network to the old HP switch IP address? Am no PIX expert but can look at the config to see what is setup there. One other thing to check is if the PIX does the NAT for the internal subnet.

Also, when you do a Start > Run > ipconfig on the PC when its connected to the ESW - may help to check what the PC is setup for via DHCP

May help going the TAC case route as well as looking at this in real time will probably solve this faster.