Solved

Cisco 3550 VLAN Problem

Posted on 2006-06-17
Last Modified: 2008-01-09
OK, I think I missed something on my 3550.

From the 3550 I can ping to the net and beyond, no problem....

When I put a device into a VLAN port, I ensure it is assigned to the correct VLAN and that the default gateway on the device is the IP address of the VLAN port. I cannot get out to the net from the device...

I backed up one step and tested my router, and it worked fine. So that means I missed something on my L3 switch.... I can ping all day long from the switch, but when I go to a PC, nothing....

Checked the Layer 3 interface; I can ping from the L3 device to the world. But when I put a device on the switch it goes nowhere.

HELP!!!
Question by:dtcollins

Author Comment

by:dtcollins
ID: 16927543
I think I might have answered my own question here:

If you use a Layer 3 device as an endpoint for PCs and set up the ports for individual VLANs, do you need to set the default gateway on the switch as you would on another Layer 2 switch?
LVL 10

Expert Comment

by:naveedb
ID: 16927562
You would need to assign an IP address on each VLAN interface, and make this IP address the default gateway on the connected device.

For example, let's say you have 3 VLANs and your Internet gateway is 11.1.1.1.

For VLAN 1 you are using subnet 10.1.1.0; you will assign the VLAN1 interface the IP address 10.1.1.1, and all devices connected to it (e.g. 10.1.1.17) will have the default gateway 10.1.1.1.

On the VLAN 2 interface, you can make it 10.1.2.1 serving the 10.1.2.0/24 subnet.

For the VLAN 3 interface, you can make it 10.1.3.1 serving the 10.1.3.0/24 subnet.

On the L3 switch itself, you should have a statement (which I think you have, as you are able to ping outside) pointing to the Internet gateway.

If you still need help, please post your running config.

Author Comment

by:dtcollins
ID: 16928092
Here's my running config...

I've done exactly what you said in the above statement earlier today... Why would the device not be able to access the Internet?

Would my statement about needing the default gateway on the Layer 3 be true?


sh run
Building configuration...

Current configuration : 2741 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname alcore1_3550
!
enable secret 5 $1$GLG9$KUuzGGPUVyo1EggvUbeJb/
!
ip subnet-zero
ip routing
ip name-server 192.168.1.1
!
!
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree extend system-id
spanning-tree vlan 15 priority 24576
spanning-tree vlan 99 priority 24576
spanning-tree vlan 254 priority 24576
spanning-tree vlan 666 priority 24576
!
!
interface FastEthernet0/1
 switchport access vlan 254
 switchport mode access
 no ip address
!
interface FastEthernet0/2
 switchport access vlan 15
 no ip address
!
interface FastEthernet0/3
 switchport access vlan 15
 no ip address
!
interface FastEthernet0/4
 no ip address
!
interface FastEthernet0/5
 no ip address
!
interface FastEthernet0/6
 no ip address
!
interface FastEthernet0/7
 no ip address
!
interface FastEthernet0/8
 no ip address
!
interface FastEthernet0/9
 no ip address
!
interface FastEthernet0/10
 no ip address
!
interface FastEthernet0/11
 no ip address
!
interface FastEthernet0/12
 no ip address
!
interface FastEthernet0/13
 no ip address
!
interface FastEthernet0/14
 no ip address
!
interface FastEthernet0/15
 no ip address
!
interface FastEthernet0/16
 no ip address
!
interface FastEthernet0/17
 no ip address
!
interface FastEthernet0/18
 no ip address
!
interface FastEthernet0/19
 no ip address
!
interface FastEthernet0/20
 no ip address
!
interface FastEthernet0/21
 no ip address
!
interface FastEthernet0/22
 no switchport
 no ip address
 shutdown
!
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface FastEthernet0/24
 no switchport
 ip address 192.168.1.152 255.255.255.0
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 15,99,254
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 15,99,254
 switchport mode trunk
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan15
 description vpn
 ip address 10.54.15.2 255.255.255.0
!
interface Vlan99
 description management
 ip address 10.54.99.2 255.255.255.0
!
interface Vlan254
 description users
 ip address 192.168.254.2 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
!
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any eq domain any
!
line con 0
 password alliance
 login
line vty 0 4
 login
line vty 5 15
 login
!
ntp peer 192.168.254.100
end

alcore1_3550#
alcore1_3550#
LVL 1

Expert Comment

by:atifawan
ID: 16928316
The term default gateway is normally not associated with a device configured to perform routing. In the case of routing devices you use the term default route, and after looking at your configuration it is clear that you have a default route already configured pointing to 192.168.1.1 (I am assuming this is your router). Everything seems to be in order on your switch.

I have a feeling as to why this is not working, but only you can confirm whether it is true or not. When you ping from the switch everything works fine, as the packet is sourced from the 192.168.1.152 IP address of the switch, which is a directly connected subnet on your Internet router. When you ping from a VLAN the packet is sourced from the host IP (192.168.254.x ... probably) and this will only work if your Internet router has a route configured for this subnet pointing to your L3 switch. On the router you should have:

ip route 192.168.254.0 255.255.255.0 192.168.1.152

At this point this is the most probable reason as to why things are not working. Let us know if this is not the case so we can assist you in troubleshooting further.

Author Comment

by:dtcollins
ID: 16928399
OK, here's what I have.
I have the route stated earlier on my Linksys RV016 and devices still can't get out to the net. BUT the L3 switch can go out to the world...

T1 -> Tasman -> Linksys RV016 -> 3550 L3

T1 Router
   route 192.168.254.0 255.255.255.0 65.9x.51.1x3 3
   route 192.168.1.0 255.255.255.0 65.9x.51.1x3 3
   route 10.54.99.0 255.255.255.0 65.9x.51.1x3 3
   route 10.54.15.0 255.255.255.0 65.9x.51.1x3 3

Linksys
   route 192.168.254.0 255.255.255.0 192.168.1.152
   route 192.168.1.0 255.255.255.0 192.168.1.152
   route 10.54.99.0 255.255.255.0 192.168.1.152
   route 10.54.15.0 255.255.255.0 192.168.1.152

3550
   0.0.0.0 0.0.0.0 -> 192.168.1.1
LVL 1

Assisted Solution

by:atifawan
atifawan earned 50 total points
ID: 16928454
Is 65.9x.51.1x3 the outside interface of your linksys? From a host on a VLAN till what point can you ping? Can you ping the T1 router? Can you explain your infrastructure in a bit more detail please.
LVL 10

Expert Comment

by:naveedb
ID: 16928534
Why do you have a Linksys RV016 router connected between your L3 switch and the T1 router?

Have you configured the Linksys RV016 for NAT? Does it support NAT for multiple subnets? You are trying to NAT 4 subnets, which need to be configured on the Linksys for NAT. Just having routes will not allow you to get to the Internet from inside.

The routes on the Linksys router are used if you have another router on the same subnet and want to use it to send traffic for internal networks. This allows you to make the Linksys router the default gateway.
LVL 8

Assisted Solution

by:photograffiti
photograffiti earned 150 total points
ID: 16928642
From the host off your Cat 3550, can you ping 192.168.1.152? If you can, then that confirms your default gateway on your PC is set up properly at least. Now, can you ping 192.168.1.1? If you can, then that confirms that the Linksys router has a route back to the 192.168.254.0 subnet. Now, can you ping the T1 router? This is where you would likely fail. If you fail then (like naveedb mentions) it is likely you don't have NAT set up properly for that subnet. Check that in your Linksys router.
Also, as someone else mentioned, why do you have a Linksys between your switch and Tasman router?

Author Comment

by:dtcollins
ID: 16929783
From the routers & devices I can ping all the way to 65.91.51.1x1, which is the LAN interface of my T1.

I can also ping 65.91.51.1y2, which is the WAN side of my T1.

From the switches that are in specific VLANs I can get all the way to .1y2, which is the WAN side of my T1.

I use the RV016 as a load-sharing/firewall router, which is what it is designed for. It will allow 2 ISPs to be connected in and utilized. Currently it is not being used as that; right now just the T1 link is installed.
I can ping from all switches and PCs to my farthest inside subnet of .182.

From the 3550 I can ping outside to 4.2.2.2, for example.

When I get to another switch or PC though, I cannot ping outside to the Internet.
LVL 10

Expert Comment

by:naveedb
ID: 16930031
Have you verified NAT on the Linksys RV016? Pinging from your router will work if it is configured only for one inside network, which is most likely all it can do.

Your other option would be to do NAT on the switch itself.

Author Comment

by:dtcollins
ID: 16930168
I'm thinking of putting my 506e back in place with 4 NAT translations directed to an IP in my stack of 16 static IPs that I have.

This would be after the RV016 but before the switch to provide all NAT. According to Cisco the 3550 will not do NAT.

Why would the 3550 be able to ping all outside networks? It's got a private address range in it. Is it because it's directly connected to the Linksys router?
LVL 10

Accepted Solution

by:
naveedb earned 150 total points
ID: 16930358
"
Im thinking of putting my  back in place my 506e in place with 4 NAT translations directed to  an ip in my stack of 16 static IPs that I have.

This would be after the rv016 but before the switch to provide all NAT.  According to Cisco the 3550 will not do NAT.
"

That should work, remove the NAT from RV016 and let the PIX do the translaions.

"
Why would the 3550 be able to ping all outside networks? its got a private address range it in.  Is it because its directly connected to the linksys router?
"

 Most likely the NAT is working for 192.168.1.0/24 subnet only. You should be able to verify this if you do an extended ping.

On the switch, type ping and hit enter.
Select the destiantion address of 4.2.2.2
Select 'y' for extended commands, and in source try your interfaces IPs from switch. First with 192.168.1.152 which should work. And then try extended ping again with source address of 10.54.15.2. This should not work and will confirm that the issue is with NAT.



Author Comment

by:dtcollins
ID: 16930847
OK, I did the extended ping test and it did not work with the 10.x.x.x network or the 192.168.254.x network.
Sounds like so far you're right on the money..
I've got the PIX and am doing the NAT config on it right now

ip address outside 192.168.2.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 65.9x.51.1x4
nat (inside) 2 10.54.15.0 255.255.255.0 0 0
nat (inside) 3 10.54.99.0 255.255.255.0 0 0
nat (inside) 1 192.168.254.0 255.255.255.0 0 0

Do I do a global (outside) for each inside?
Should I keep using the .164 range or use separate octets for my different networks?


LVL 10

Expert Comment

by:naveedb
ID: 16931445
You can, but you don't have to, unless you want to use a different source address for each subnet/VLAN when NAT occurs.

You can simply do this

global (outside) 1 65.9x.51.1x4
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

This will do NAT for all internal subnets.

Author Comment

by:dtcollins
ID: 16931757
OK, I know this may be irrelevant, but from the PIX how can I ping all my devices?
I cannot ping outside the PIX right now.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password tizCgsJ0pVBrZQ.P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname a
domain-name a
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name 192.168.2.1 outside_pix_ip
name 192.168.1.1 inside_pix_ip
access-list inside permit icmp any any
access-list outside permit icmp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list inside_access_in permit icmp any any
pager lines 24
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside outside_pix_ip 255.255.255.0
ip address inside inside_pix_ip 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 6x.9x.51.1x4
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
rip outside passive version 2
rip inside passive version 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside_pix_ip 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e26d2eb15533ff00f912eac2c2ac7642
: end

Author Comment

by:dtcollins
ID: 16931848
       inside 0.0.0.0 0.0.0.0 255.255.255.0 192 OTHER static
       inside 10.54.15.0 255.255.255.0 192.168.2.50 1 OTHER static
       inside 10.54.99.0 255.255.255.0 192.168.2.50 1 OTHER static
       inside 192.168.0.0 255.255.0.0 192.168.2.50 1 OTHER static
       inside 192.168.1.0 255.255.255.0 inside_pix_ip 1 CONNECT static
       outside 192.168.2.0 255.255.255.0 outside_pix_ip 1 CONNECT static
       inside 192.168.254.0 255.255.255.0 192.168.2.50 1 OTHER static

These are the routes I have in the PIX, although I don't think I need them if I'm running RIP.
But I'm confused on the inside and outside routes and where to send what.
LVL 10

Expert Comment

by:naveedb
ID: 16931879
I am a little confused.

Your PIX is between the T1 router and the Linksys router?

If so, the outside interface should have the IP address 6x.9x.51.1x4.

You will also need to have a route statement

route outside 0 0 nexthopipaddress

and also route inside statements for your internal networks.

Have a look at the following document

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094767.shtml



Author Comment

by:dtcollins
ID: 16931905


No, the PIX is after the Linksys because the Linksys provides load balancing
-- basically it acts as gateway/load balancer for both the DSL and T1 line..... It was doing firewalling but I turned that off.

So then would follow the PIX..... then comes the 3550 L3 device..

The T1 LAN side has a .161 address and the WAN1 side of the Linksys has a .163 address.
The 3550 is in a private range and has .152 on the L3 interface.

LVL 10

Expert Comment

by:naveedb
ID: 16933326
OK, that should work. Replace the following route

 inside 0.0.0.0 0.0.0.0 255.255.255.0 192 OTHER static

It should be to the outside, and pointing to the LAN IP address of the Linksys router.

Author Comment

by:dtcollins
ID: 16938910
Invalid next hop address
WARNING: unable to add route to OSPF RIB

What does that error mean?

 route outside 0.0.0.0 0.0.0.0 255.255.255.0 192.168.2.50 OTHER static
LVL 10

Expert Comment

by:naveedb
ID: 16938978
Syntax error; it should be something like

route outside 0.0.0.0 0.0.0.0 192.168.2.50 1
LVL 10

Expert Comment

by:naveedb
ID: 16938987
For 0.0.0.0 the IP address should be the LAN side of the Linksys router;
for inside routes, the IP address should be the address of the L3 switch.

Author Comment

by:dtcollins
ID: 16939084
Here's my current PIX config..... What am I doing wrong? I can't pass ICMP traffic.

access-list ACL_inside permit tcp any any eq www
access-list ACL_inside permit icmp any any echo
access-list ACL_inside permit icmp any any echo-reply
access-list ACL_inside permit tcp any any eq https
access-list ACL_inside permit tcp any any
access-list ACL_inside permit gre any any
access-list ACL_outside permit tcp any any eq www
access-list ACL_outside permit icmp any any echo
access-list ACL_outside permit icmp any any echo-reply
access-list ACL_outside permit tcp any any eq https
access-list ACL_outside permit tcp any any
access-list ACL_outside permit gre any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 65.91.51.164
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group ACL_outside in interface outside
access-group ACL_inside in interface inside
route inside 0.0.0.0 0.0.0.0 192.168.1.152 1
route outside 0.0.0.0 0.0.0.0 255.255.255.0 192
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.186.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:efe4429ec53f65ac49008505ec6084be
: end
LVL 10

Expert Comment

by:naveedb
ID: 16939207
What is the ip address of linksys router on LAN side?

Author Comment

by:dtcollins
ID: 16939286
192.168.2.50 Linksys LAN
192.168.2.1 PIX outside
LVL 8

Expert Comment

by:photograffiti
ID: 16939322
Your PIX routing is still all messed up.
Go to config mode and type

 no route inside 0.0.0.0 0.0.0.0 192.168.1.152 1
 no route outside 0.0.0.0 0.0.0.0 255.255.255.0 192
 route outside 0.0.0.0 0.0.0.0 192.168.2.50

It seems as if you're trying to put in a subnet mask in the route command and it's messing things up. Try that and let us know.

Author Comment

by:dtcollins
ID: 16939333
       outside 0.0.0.0 0.0.0.0 192.168.2.50 1 OTHER static
       inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
       outside 192.168.2.0 255.255.255.0 192.168.2.1 1 CONNECT static

Those are the routes currently inside the PIX.
2 of them are static directly connected routes, and one is the other route to 2.50.
Cannot ping to any interfaces outside the PIX...

LVL 8

Expert Comment

by:photograffiti
ID: 16939516
So from the PIX you can't even ping 192.168.2.50? Nothing will work if that doesn't. Also, I noticed that your global NAT statement uses an IP address that belongs to the subnet between your Linksys and T1 router. I'm not quite sure how the Linksys router does routing, but I'm pretty sure that's not going to work. Unless I don't quite understand how your network is connected.
Also, you might want to contact an admin so you can get that IP address removed or hidden.

Author Comment

by:dtcollins
ID: 16939529
I am the admin.........

The global NAT statement uses one of my public IPs.... that are routable.

I cannot get ICMP to work, mainly because I'm not sure what ACL is going to make it work.
I cannot ping from either side of the PIX, outside or inside, and by default the PIX blocks all traffic.
LVL 8

Expert Comment

by:photograffiti
ID: 16939592
I know that the global IP is routable, but it's an IP address that belongs on the segment between the Tasman and the Linksys. For example, if I were to send a packet to that IP address it would get to the Tasman router. Since that is a subnet sitting off of its LAN interface, it will just drop that packet there for whoever owns that IP address to pick it up. Since the PIX isn't on that segment, it will not be able to hear that. Unless the Linksys is doing proxy ARP for that IP address, it won't work.
As to pinging, can you ping from the PIX itself? If you can't even ping from the PIX itself then nothing will work. If you can ping from the PIX then the problem is likely your NAT statement and the IP address you are using. Do this instead.

no global (outside) 1 65.91.51.164
global (outside) 1 interface

That should do it if my theory is right.

Author Comment

by:dtcollins
ID: 16939608
I cannot ping from the PIX itself... to test if my NAT is working.

The reason I'm using the PIX is I have multiple private VLANs and the Linksys router can only NAT one private IP range. I did a test from naveedb and we confirmed that it was a NAT problem and needed to add the PIX to solve the problem and NAT multiple subnets.


LVL 8

Expert Comment

by:photograffiti
ID: 16939619
Well, I'm not quite sure what tests you guys did, but I'm not sure why the PIX would be needed to support multiple subnets. The Catalyst 3550 is routing all those subnets to the Linksys, and as long as the Linksys is able to support NAT for multiple subnets then I don't see the issue. Unless the Linksys is unable to do so and that's where the PIX comes into play.
Also, you say you cannot ping from the PIX itself... but then you add "to test the NAT". I just want to know if you can ping from the PIX at all. This is to test connectivity... not NAT.
LVL 10

Expert Comment

by:naveedb
ID: 16941587
Do this

no route inside 0.0.0.0 0.0.0.0 192.168.1.152 1
no route outside 0.0.0.0 0.0.0.0 255.255.255.0 192

and then add the route

route outside 0.0.0.0 0.0.0.0 192.168.2.50

post the output from

show route




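The "Invalid next hop address" error earlier in the thread came from a route statement with the mask in the gateway position, so the PIX tried to use 255.255.255.0 as the next hop. What follows is an added example written for this thread, not code from the thread or from Cisco: it parses PIX 6.x route statements, applies the same next-hop check the PIX does (the gateway must sit on the named interface's connected subnet), flags a default route that does not leave through outside, and lists inside subnets that still have no route back through the L3 switch. The interface addresses, switch address and VLAN subnets are constructed from the configs posted above; nothing here is read from a live device.

```python
"""Sanity-check PIX 6.x static route statements before typing them in.

Added example, not code from the thread or from Cisco. It parses
'route <if> <net> <mask> <gw> [metric]', reproduces the PIX's next-hop check
(the gateway must be on the named interface's connected subnet), flags a
default route that does not leave via outside, and lists inside subnets that
still lack a route back through the L3 switch. Addresses are constructed
from the thread's configs.
"""
import ipaddress

PIX_INTERFACES = {
    "outside": ipaddress.IPv4Interface("192.168.2.1/24"),
    "inside": ipaddress.IPv4Interface("192.168.1.1/24"),
}
L3_SWITCH = ipaddress.IPv4Address("192.168.1.152")  # Fa0/24 on the 3550
INSIDE_NETWORKS = [  # VLAN subnets that live behind the 3550
    ipaddress.IPv4Network("10.54.15.0/24"),
    ipaddress.IPv4Network("10.54.99.0/24"),
    ipaddress.IPv4Network("192.168.254.0/24"),
]


def _addr(token):
    """PIX accepts a bare 0 for 0.0.0.0 in route statements."""
    return "0.0.0.0" if token == "0" else token


def parse_route(line):
    """Return (interface, network, gateway, metric); raise ValueError on bad syntax."""
    words = line.split()
    if len(words) not in (5, 6) or words[0] != "route":
        raise ValueError(f"syntax is 'route <if> <net> <mask> <gw> [metric]': {line!r}")
    iface, net, mask, gw = words[1:5]
    metric = int(words[5]) if len(words) == 6 else 1
    network = ipaddress.IPv4Network(f"{_addr(net)}/{_addr(mask)}")
    return iface, network, ipaddress.IPv4Address(_addr(gw)), metric


def check_route(line, interfaces=PIX_INTERFACES):
    """Return the problems with one route statement; an empty list means it is sane."""
    try:
        iface, network, gateway, metric = parse_route(line)
    except ValueError as err:
        return [str(err)]
    if iface not in interfaces:
        return [f"unknown interface {iface!r}"]
    problems = []
    connected = interfaces[iface].network
    if gateway not in connected:
        # The condition behind the PIX's "Invalid next hop address" message.
        problems.append(f"Invalid next hop address: {gateway} is not on {iface} ({connected})")
    if network.prefixlen == 0 and iface != "outside":
        problems.append("default route should leave through the outside interface")
    if not 1 <= metric <= 255:
        problems.append(f"metric {metric} is outside 1-255")
    return problems


def missing_inside_routes(route_lines, networks=INSIDE_NETWORKS, next_hop=L3_SWITCH):
    """Inside subnets that have no valid 'route inside ... <L3 switch>' yet."""
    covered = set()
    for line in route_lines:
        if check_route(line):
            continue  # a broken statement never installs, so it covers nothing
        iface, network, gateway, _ = parse_route(line)
        if iface == "inside" and gateway == next_hop:
            covered.add(network)
    return [n for n in networks if n not in covered]


if __name__ == "__main__":
    for stmt in ("route outside 0.0.0.0 0.0.0.0 255.255.255.0 192",
                 "route inside 0.0.0.0 0.0.0.0 192.168.1.152 1",
                 "route outside 0 0 192.168.2.50"):
        print(stmt, "->", check_route(stmt) or ["ok"])
    print("no route back yet:", missing_inside_routes(["route outside 0 0 192.168.2.50"]))
```

Run it as a script and the first statement (the one typed in the thread) reports the next-hop problem, the second is rejected because the only default route on a PIX belongs on outside, and the third passes. The last line shows why PCs on the VLANs kept failing after the default route was fixed: with only `route outside` installed, the PIX has no path back to 10.54.15.0/24, 10.54.99.0/24 or 192.168.254.0/24.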

Author Comment

by:dtcollins
ID: 16947230
OK, here's the latest..
Changed the cables, reloaded the PIX from 0.


Did the route:
route outside 0.0.0.0 0.0.0.0 192.168.2.50

Changed the NAT:
no global (outside) 1 65.91.51.164
global (outside) 1 interface


Now I can ping to the world from the PIX and the directly attached 3550.

BUT my other VLANs cannot ping outside to the Internet. Now from what I learned on Sat this seems to be another NAT problem...


Author Comment

by:dtcollins
ID: 16947317
I'm thinking now I need to put all my static routes on the PIX to point to my internal VLANs.
That's where I'm headed with this.

Author Comment

by:dtcollins
ID: 16947340
OK... I got the ping to go across inside
Now for the outside problem

no global (outside) 1 65.91.51.164
global (outside) 1 interface

What exactly does that do vs this???

global (outside) 1 65.9x.51.1x4
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Author Comment

by:dtcollins
ID: 16947414
OK, here's the latest....

PCs can ping inside all VLANs but cannot get to the WORLD.

Switches on individual VLANs can get to the world!!! Pinging 4.2.2.2 gets a successful response.

LVL 8

Expert Comment

by:photograffiti
ID: 16947633
Explanation of commands:

! REM What this does is tell the PIX to NAT all instances of the '1' group to that specific IP address
global (outside) 1 65.9x.51.1x4
! REM What this does is specify which traffic is part of NAT group '1' (in this case, all traffic)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The problem with the above statement is that the PIX should not be NATing traffic to 65.9x.51.1x4. It does not own that address. That address belongs on the subnet between the Tasman and Linksys routers. That's why you had to change the statement to
! REM This statement tells the PIX to NAT the traffic to the same IP address as its outside interface
global (outside) 1 interface
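The NAT test naveedb describes (an extended ping sourced from each VLAN interface) and photograffiti's explanation of global/nat above can be checked from the configs instead of by hand. What follows is an added example written for this thread, not code from the thread or from Cisco: it pulls the L3 interfaces out of an IOS running-config, the ip address / global / nat lines out of a PIX 6.x config, and reports any switch subnet that no nat statement covers, any nat id with no matching global, and any global address that is not on the PIX's own outside subnet (the case photograffiti describes, where the next hop never ARPs for it on the PIX's segment). The config text is constructed from the snippets posted above, and the masked public address is replaced by the documentation address 203.0.113.4, which is an assumption for illustration only.

```python
"""Check that every L3-switch subnet is translated by a PIX 6.x NAT rule and that
the global (outside) address is one the PIX actually sits on. Added example, not
code from the thread or Cisco; configs are constructed from the thread, with the
masked public address replaced by the documentation address 203.0.113.4."""
import ipaddress

# Constructed excerpt of the 3550 running-config, L3 interfaces only.
SWITCH_CONFIG = """\
interface FastEthernet0/24
 no switchport
 ip address 192.168.1.152 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan15
 ip address 10.54.15.2 255.255.255.0
!
interface Vlan99
 ip address 10.54.99.2 255.255.255.0
!
interface Vlan254
 ip address 192.168.254.2 255.255.255.0
"""

# Constructed PIX excerpts: the first attempt (one nat id per VLAN, a global
# address that lives on the Tasman/Linksys segment) and the version that worked.
PIX_BEFORE = """\
ip address outside 192.168.2.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 203.0.113.4
nat (inside) 2 10.54.15.0 255.255.255.0 0 0
nat (inside) 3 10.54.99.0 255.255.255.0 0 0
nat (inside) 1 192.168.254.0 255.255.255.0 0 0
"""
PIX_AFTER = """\
ip address outside 192.168.2.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


def switch_l3_interfaces(config):
    """Map interface name -> IPv4Interface for each IOS interface with an address."""
    result, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            current = words[1]
        elif words[:2] == ["ip", "address"] and current:
            result[current] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}")
    return result


def pix_nat_config(config):
    """Return (interfaces, globals, nats) from PIX 'ip address', 'global' and 'nat' lines."""
    interfaces, globals_, nats = {}, {}, []
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["ip", "address"]:
            interfaces[words[2]] = ipaddress.IPv4Interface(f"{words[3]}/{words[4]}")
        elif words[:1] == ["global"]:  # global (<if>) <id> <address>|interface
            globals_[int(words[2])] = (words[1].strip("()"), words[3])
        elif words[:1] == ["nat"]:  # nat (<if>) <id> <network> <mask> ...
            nats.append((int(words[2]), ipaddress.IPv4Network(f"{words[3]}/{words[4]}")))
    return interfaces, globals_, nats


def check_nat_coverage(switch_config, pix_config):
    """Return findings; an empty list means every switch subnet gets translated."""
    findings = []
    interfaces, globals_, nats = pix_nat_config(pix_config)
    for name, intf in switch_l3_interfaces(switch_config).items():
        net = intf.network
        # The first nat statement whose network contains this subnet is the one used.
        nat_id = next((nid for nid, n in nats if net.subnet_of(n)), None)
        if nat_id is None:
            findings.append(f"{name} {net}: no nat (inside) statement covers it")
        elif nat_id not in globals_:
            findings.append(f"{name} {net}: nat id {nat_id} has no global (outside) {nat_id}")
    for nat_id, (outside_if, address) in globals_.items():
        if address == "interface":
            continue  # PAT to the outside interface's own address always has an owner
        on_segment = (outside_if in interfaces
                      and ipaddress.IPv4Address(address) in interfaces[outside_if].network)
        if not on_segment:
            findings.append(f"global (outside) {nat_id} {address}: not on the {outside_if} "
                            f"subnet, so the next hop never ARPs it to this PIX")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", PIX_BEFORE), ("after", PIX_AFTER)):
        print(label, check_nat_coverage(SWITCH_CONFIG, cfg) or ["ok"])
```

Against the "before" config the checker reports four things: the 192.168.1.0/24 segment on Fa0/24 has no nat statement at all, nat ids 2 and 3 (VLAN 15 and 99) have no global to translate into, and global 1 points at an address that is not on the PIX's outside subnet. The "after" config (`global (outside) 1 interface` plus `nat (inside) 1 0.0.0.0 0.0.0.0`) comes back clean, which is the same result the extended ping from 10.54.15.2 gave once it started returning `!!!!!`.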
LVL 8

Expert Comment

by:photograffiti
ID: 16947636
Can you clarify how many internal switches you are testing from and how your PCs are connected? You're mentioning a lot of devices so I'm not sure how you have them all interconnected.
LVL 10

Expert Comment

by:naveedb
ID: 16947691
Did you test with extended ping to test from switch?

Post your running config from the PIX and switch so we can work further. Looks like we are making progress.

Author Comment

by:dtcollins
ID: 16948080
I did an extended ping test only with IPs; I cannot use DNS, but machines and switches resolve to 4.2.2.2.

I set up an ip name-server but it doesn't resolve.. Could this be another hidden problem with NAT?

Does the PIX need DNS opened up? I opened UDP port 53 and pointed the 3550 out to an external name server.
LVL 8

Expert Comment

by:photograffiti
ID: 16948097
I think you're getting ahead of yourself. Make sure you have basic connectivity before you worry about applications.
So you can successfully do an extended ping from any interface on your Catalyst 3550. That means you should be able to ping from a PC connected on that switch. And when I say ping, I mean ping to just 4.2.2.2, not some DNS name. We'll worry about that later.
Confirm if you can do this ping and then we'll worry about DNS resolution.

Author Comment

by:dtcollins
ID: 16948110
When I do an extended ping through the 3550, why do I get the message "invalid source" when I try to enter the source IP to ping from?
LVL 8

Expert Comment

by:photograffiti
ID: 16948147
Is that IP configured on the switch anywhere? You have to use an IP address that is on one of your VLAN interfaces.

Author Comment

by:dtcollins
ID: 16948172
Target IP address: 4.2.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.54.15.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/20 ms
LVL 8

Expert Comment

by:photograffiti
ID: 16948189
So plug a PC into a port. Designate that port to be in VLAN 15. Give that PC an IP address in the range of 10.54.15.x. Give it a default gateway of 10.54.15.2. Then see if that PC can ping 4.2.2.2.

Author Comment

by:dtcollins
ID: 16948380
WORKED LIKE A CHARM!!!


NOW ONTO DNS!!
LVL 8

Expert Comment

by:photograffiti
ID: 16948419
Well, set the DNS of that PC to 4.2.2.2 and if it works then there is nothing blocking DNS on your network. If you then point the PC's DNS to an internal DNS server and it stops working then get on the DNS server. Can you ping 4.2.2.2 from the DNS server? If not then that's where the problem is.

Author Comment

by:dtcollins
ID: 16948465
i set DNS on the 3550 to 4.2.2.2


3550#ping yahoo.com
Translating "yahoo.com"...domain server (4.2.2.2)
% Unrecognized host or address, or protocol not running


3550#ping routergod.com
Translating "routergod.com"...domain server (4.2.2.2)
% Unrecognized host or address, or protocol not running
LVL 8

Expert Comment

by:photograffiti
ID: 16948480
Why are you setting DNS on the switch?

Author Comment

by:dtcollins
ID: 16951501
Just to test lookups..

We have 2 DNS servers but on another network..... This is a build for our new core.

I put ip name-server into the switch and used 4.2.2.2 to test resolution.

LVL 8

Expert Comment

by:photograffiti
ID: 16952275
Try putting that DNS on the PC like I suggested and see how that works.

Author Comment

by:dtcollins
ID: 16956441
Tried putting DNS 4.2.2.2 on the PC; it doesn't reply with lookups.
Cannot resolve host names; it only works with numerical addresses.
LVL 8

Expert Comment

by:photograffiti
ID: 16956702
Make sure you remove any ACLs on the Inside interface. It's weird it would ping but not resolve. Also make sure you don't have any ACLs on the Linksys or Tasman router.

Author Comment

by:dtcollins
ID: 16956746
I have lots of ACLs on the inside interface of the PIX


access-list ACL_inside permit tcp any any eq www
access-list ACL_inside permit icmp any any echo
access-list ACL_inside permit icmp any any echo-reply
access-list ACL_inside permit tcp any any eq https
access-list ACL_inside permit tcp any any
access-list ACL_inside permit gre any any
access-list ACL_inside permit icmp any any
access-list ACL_outside permit tcp any any eq www
access-list ACL_outside permit icmp any any echo
access-list ACL_outside permit icmp any any echo-reply
access-list ACL_outside permit tcp any any eq https
access-list ACL_outside permit tcp any any
access-list ACL_outside permit gre any any
access-list ACL_outside permit icmp any any
access-list ACL_outside permit udp any any eq isakmp
access-list ACL_outside permit udp any any eq 10000
access-list ACL_outside permit icmp any any unreachable
access-list ACL_outside permit tcp any any eq pptp
access-list ACL_outside permit udp any any eq domain
access-list ACL_outside permit udp any any
pager lines 24
access-group ACL_outside in interface outside
access-group ACL_inside in interface inside
LVL 8

Expert Comment

by:photograffiti
ID: 16956776
So you either need to take it off or allow DNS to go through. You're blocking the DNS requests right now. There's no point in having an ACL if you're allowing pretty much everything.

Author Comment

by:dtcollins
ID: 16956848
Right now the ACLs are open just for testing since this is a new core... I plan on locking them down once I get all my load balancing and networks to talk successfully to one another.

If I wanted to get granular with this,

access-list ACL_inside permit udp any any eq 53

would that work?
LVL 8

Expert Comment

by:photograffiti
ID: 16956875
Yes, that should work. If it doesn't though, remove the ACL and test it then.

Author Comment

by:dtcollins
ID: 16977374
Here's the latest problem.

Got everything to work with ICMP and web access... Here lies the problem: I cannot get mail through the PIX to the end user station, but can get mail outbound no problem.

MX records and NAT translation are done on the DSL router, then forwarded to the mail server. 68.x.x.x block of public IPs.

NOW from the DSL router it goes into the Linksys load balancer, then the PIX, then the end client..

Also keep in mind I have the T1 going into the load balancer too....

What's the best solution to this one?

Also from the DSL line I cannot ping any inside devices, and I did put static routes on the router.

BUT web browsing and outbound mail work perfectly......
I don't get it!

Author Comment

by:dtcollins
ID: 16977387
Also, another point: the PIX AND PCs and 3550 and DSL router and Linksys can ping out.

PCs can ping all devices.
The DSL router and Linksys cannot ping to the PCs.

Author Comment

by:dtcollins
ID: 16977390
Here's something interesting I found.

Why, when I ping 192.168.2.50, do I get this response from 3.1????


Pinging 192.168.2.50 from local address 192.168.3.254 (timer gran. 100 ms)...
      Ping size: 100  Ping Count: 5
ICMP echo reply from 192.168.3.1, 0 ms
ICMP echo reply from 192.168.3.1, 0 ms
ICMP echo reply from 192.168.3.1, 0 ms
ICMP echo reply from 192.168.3.1, 0 ms
ICMP echo reply from 192.168.3.1, 0 ms

--- 192.168.2.50 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss