PIX Routing blocks http

Justin Ellenbecker (asker):
We are having a strange problem that is only affecting the company owner's home network. I will try to be as descriptive as possible. Our office has a single T1 coming in from our ISP; from there it goes into our PIX 515e. After the PIX is a Cisco 3750 switch. The owner has a single fractional T1 running to his house; this is a point-to-point from the office only. On the house end there is a Cisco 1750 router and on the office end we are using a Cisco 2821. Now the owner just got a new DirecTV system and needs to use the supplied wireless bridge to connect to his network; this is working with no issues. The problem comes in when internet is involved. We use a Barracuda web filter set up in proxy mode. The owner's PC at home cannot browse the web without the proxy being entered into the settings. Any other PC, like mine in the office, can bypass the proxy using the PIX as the default gateway. I have looked at all of the rules I can think of that may be blocking HTTP traffic from his house to the office and so far have had no luck. For security reasons we have ICMP disabled, making it hard to troubleshoot since I am never able to ping google.com for testing no matter how I am connected to the network. I am not sure whether to take this up with Cisco or with Barracuda to have the resolution. I think it is something in our Cisco stack that is causing the troubles but am unable to find the root cause. I have checked all of the IP routes and everything looks fine. As I mentioned, I can use the web on my computer at my desk without having any of the proxy settings in place.
Deoji:
If you set your computer to use the proxy rather than bypass it, do you have internet access?
If you log into the Barracuda Filter and go to "Block/Accept" then Browse Test, access an allowed page... Can your Barracuda access the internet?
Justin Ellenbecker (asker):
The Barracuda is working for me in the office; I can also browse the web if I bypass the Barracuda. The owner is only able to browse if he uses the Barracuda. His subnet is 192.168.2.0, mine is 192.168.3.0. I cannot find anything in the PIX that is allowing or disallowing these IP ranges.

You may need to set up a static route in the Barracuda for 192.168.2.0/24, so it knows which gateway to use for that address.

That is under the "Basic" tab then "IP Configuration"
Towards the bottom of the page.

Try that and see if it helps.
Already did that; 192.168.0.0 255.255.0.0 routes to the core switch. I even tried it with each individual subnet we use. I don't think this is the Barracuda causing the problems though. The reason I don't believe it is the Barracuda is that it is not required to use the internet. I can bring in a brand new computer that has not been joined to the domain, put it on the network and have full internet access. Once the machine is joined to the domain it gets the proxy/web filter settings. I tried the packet tracer in the PIX but it is pretty much worthless if you ask me. It may be the switch or the router, because all traces stop with the switch as the last known hop; this may be because we are completely blocking ICMP though, since my workstation, which has internet access, stops at the same place.

Is your core switch performing any routing?
If so, assuming it is a Cisco and you do a show ip route, does it know where to route 192.168.2.0/24?

If that address isn't listed as a route and that network isn't on the other side of the core switch's default gateway, then the switch needs a static route for that address.

EIGRP and other routing is working because, as mentioned, the owner can use the proxy from home, which means the packets still have to get back; he can log into the domain and he can use Outlook. There is no ip route statement; I assume, because he can authenticate to the domain, browse folders on the file servers and use Outlook, that it is not needed.
He can use the proxy from home?
I thought you said he doesn't get internet access?

Are you then meaning that you wish to have him be able to get Internet access without using the proxy from home?
Here are two traces, one from my machine and one from the owner's. The IPs I am tracing to are OpenDNS servers. You can see I am getting one hop further and getting a response from the .17 address; this is the ISP router, and I don't believe I have access to make changes to it. What I find strange is that our PIX is not one of the hops in the trace.

First is from my workstation
C:\Documents and Settings\admin>tracert 208.68.222.222

Tracing route to 208.68.222.222 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  192.168.3.254
  2     1 ms    <1 ms    <1 ms  XXX.XXX.XXX.17 <- External IP
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

Now from the 192.168.2.1 router at the owner's home
DAN-1750-WAN#trace 208.67.222.222

Type escape sequence to abort.
Tracing the route to 208.67.222.222

  1 10.0.1.1 16 msec 12 msec 12 msec
  2 192.168.21.254 12 msec 16 msec 12 msec
  3  *  *  *
  4  *  *  *

What the heck, and one from the core switch
MFLD-3750-1#trace 208.67.222.222

Type escape sequence to abort.
Tracing the route to resolver1.opendns.com (208.67.222.222)

  1 66.84.184.17 0 msec 9 msec 0 msec
  2  *  *  *
  3  *  *  *

So there are the three traces; you can see my workstation and the core switch route the same but the router at the owner's home does not. I believe the problem lies somewhere in the PIX, the switch, or possibly the ISP router, which is also a PIX. I am leaning more toward the switch and think I am just missing something small, like the ip route. The router at the owner's house routes all traffic to the interface on the other side of the T1, naturally. Then that router has only 2 ip route lines, one for a client application and then route 0 to the core switch.

He has a new DirecTV receiver with a Linksys WGA600N network bridge; the DirecTV receiver doesn't have options for proxy addresses. The problem is that he is unable to access the internet unless he uses the proxy, so I need him to be able to access the internet similar to how I do from work. I can change my setting to use or not use the proxy whenever I want; I need this freedom for him as well, since both his Wii and DirecTV receiver do not allow for setting a proxy.

I turned on ICMP on the PIX to find the next hop is the .17 address, which is a router in our building; we have a block of IPs from .17-.32. Is it possible that there is a rule in the .17 router, which is also a PIX, that controls what IPs have access to the outside?
What is device 192.168.21.254?
The VLAN address for the switch, same as 192.168.3.254.

Yes, check your NAT access list in that .17 router.
I am thinking his network doesn't have access to the NAT address pool.

OK, I will try that. It is going to be tough since the documentation here is completely outdated and I have no idea how to get into that box or what its internal IP address is. I will get back to you once I figure that all out.

Here is the running config from the .17 device. I am not seeing anything here that would be blocking the address, but I am not 100% sure what I am looking at.

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MFLD-PIX-NLGHT
domain-name XXXXXXXXXXX
clock timezone CST -6
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
fixup protocol h323 h225 500-65535
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list Inbound permit ip any host 192.168.4.2
access-list Inbound permit ip any host 192.168.4.3
access-list Inbound permit ip any host 192.168.4.4
access-list Inbound permit icmp any any
access-list Inbound permit ip any any
access-list capin permit ip any any
access-list ToNetwork permit ip any 172.31.254.0 255.255.255.0
access-list FromNorlight permit ip any any
access-list capout permit ip any any
pager lines 24
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.4.1 255.255.255.0
ip address inside 192.168.100.201 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.4.3 192.168.100.9 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.4.4 192.168.100.10 netmask 255.255.255.255 0 0
access-group Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.4.254 1
route inside 172.31.254.0 255.255.255.0 192.168.100.254 1
route inside 192.1.2.0 255.255.255.0 192.168.100.254 1
route inside 192.168.0.0 255.255.0.0 192.168.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.0.0 inside
http 172.31.0.0 255.255.0.0 inside
http 192.1.2.0 255.255.255.0 inside
snmp-server host inside 192.1.2.6 poll
snmp-server host inside 192.168.20.12 poll
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXXXXXX
no snmp-server enable traps
floodguard enable
telnet 192.1.2.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet 172.31.254.0 255.255.255.0 inside
What device does the NAT translation right before a packet goes to the internet?
That isn't this router, is it?

Do you have some sort of DMZ setup?
This router looks like it is performing NAT only for a couple of servers in a DMZ....
If that is the case, it looks to me like everything else would pass through to some router that is perhaps in the .100 network that might actually be doing the NAT for internet access.

If so, what is the config of that router?
That would be the other PIX, .18, on our network. Yes, there is a DMZ; all of this was done before I took this job and, as mentioned, there is no documentation as to what routes where really.
Can you show the config of the PIX .18?
The .100 is only used internally for our Cisco VoIP; that is a separate router with three bonded T1s in an IMA loop for long distance back to our carrier.

Yeah, let me pull the .18 and clean it up and I will post it. Is there anything specific you are looking for in it? It's about 4 pages otherwise because of our VPN tunnels and crypto maps.
Take out the VPN stuff...
That should make it shorter.
OK, I took out some of the crypto and things like that to slim it down. Let me know if I accidentally cut something out that you might have needed, but this I would think should be enough. As a note, I did add this route before I posted this:

route inside 192.168.2.0 255.255.255.0 192.168.50.3 1

Maybe it was getting traffic out but it was never coming back from the PIX; the switches were doing everything through EIGRP.

: Saved
:
PIX Version 7.2(2)
!
hostname mfld-firewall
names
name 192.1.2.100 XXXXXXX
name 192.1.2.2 XXXXXXX
name 66.84.184.20 XXXXXXXXXXX
name 66.84.184.21 XXXXXXXXXXXX
name 66.84.184.22 XXXXXXXXXXXXX
name 66.84.184.23 XXXXXXXXXXXXXXX
name 66.84.184.24 XXXXXXXXXXXXXXXX
name 192.168.20.10 utility
name 192.168.254.13 support-cbo-DMZ
name 192.168.254.11 support-aca-DMZ
name 192.168.254.12 support-hbs-DMZ
name 192.168.254.14 facsweb-client-DMZ
name 192.168.254.15 facsweb-debtor-DMZ
name 66.84.184.19 XXXXXXXXXXXX
!
interface Ethernet0
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0.256
 vlan 256
 nameif outside
 security-level 0
 ip address 66.84.184.18 255.255.255.240 standby 66.84.184.30
 ospf cost 10
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0 standby 192.168.50.10
 ospf cost 10
!
interface Ethernet2
 speed 100
 duplex full
 nameif DMZ
 security-level 10
 ip address 192.168.254.1 255.255.255.0 standby 192.168.254.254
 ospf cost 10
!
boot system flash:/image.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server alliancedc
 domain-name alliance.local
object-group network JRRemote
 network-object 192.168.113.0 255.255.255.192
 network-object 192.168.113.64 255.255.255.192
object-group network RemoteFull
 network-object 192.1.2.0 255.255.255.0
 network-object 192.168.0.0 255.255.0.0
 network-object 192.168.20.0 255.255.255.0
access-list FromInternet remark -----------------------------------------------
access-list FromInternet remark support.alliance-collections.com
access-list FromInternet extended permit tcp any host support-aca-outside eq https
access-list FromInternet extended permit tcp any host support-aca-outside eq www
access-list FromInternet remark -----------------------------------------------
access-list FromInternet remark support.healthcarebusinessservices.com
access-list FromInternet extended permit tcp any host support-hbs-outside eq https
access-list FromInternet extended permit tcp any host support-hbs-outside eq www
access-list FromInternet remark -----------------------------------------------
access-list FromInternet remark support.centralbizoffice.com
access-list FromInternet extended permit tcp any host support-cbo-outside eq www
access-list FromInternet extended permit tcp any host support-cbo-outside eq https
access-list FromInternet remark -----------------------------------------------
access-list FromInternet remark FACSWeb Client
access-list FromInternet extended permit tcp any host facsweb-client-outside eq www
access-list FromInternet extended permit tcp any host facsweb-client-outside eq https
access-list FromInternet remark -----------------------------------------------
access-list FromInternet remark FACSWeb Debtor
access-list FromInternet extended permit tcp any host facsweb-debtor-outside eq www
access-list FromInternet extended permit tcp any host facsweb-debtor-outside eq https
access-list FromInternet remark -----------------------------------------------
access-list FromInternet remark Unfiltered SMTP Access for domains other
access-list FromInternet remark than alliance-collections.com AND
access-list FromInternet remark centralbizoffice.com
access-list FromInternet extended permit tcp any host 66.84.184.26 eq smtp
access-list FromInternet extended permit tcp any host exchange eq https
access-list FromInternet extended permit tcp any host exchange eq smtp
access-list FromInternet extended permit icmp any any
access-list SplitPermit remark -----------------------------------------------
access-list SplitPermit remark NAT0 Access List (NoNat) For VPN Tunnels
access-list SplitPermit remark -----------------------------------------------
access-list SplitPermit remark Aspirus VPN Traffic
access-list SplitPermitDMZ extended permit ip 192.168.254.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list SplitPermitDMZ extended permit ip 192.168.254.0 255.255.255.0 172.31.254.0 255.255.255.0
access-list SplitPermitDMZ extended permit ip host 192.168.254.203 172.31.252.0 255.255.255.0
access-list SplitPermitDMZ extended permit ip 192.168.254.0 255.255.255.0 172.31.252.0 255.255.255.0
access-list SplitPermitDMZ extended permit ip host 192.168.254.201 172.31.252.0 255.255.255.0
access-list SplitPermitDMZ extended permit ip host 192.168.254.202 172.31.252.0 255.255.255.0
access-list SplitPermitDMZ extended permit ip host 192.168.254.204 172.31.252.0 255.255.255.0
access-list FromDMZ extended permit ip 192.168.254.0 255.255.255.0 172.31.254.0 255.255.255.0
access-list FromDMZ extended permit ip 192.168.254.0 255.255.255.0 any
access-list FromDMZ extended permit icmp any any
access-list FromDMZ extended permit ip host 192.168.254.202 172.31.252.0 255.255.255.0
access-list FromDMZ extended permit tcp 192.168.254.0 255.255.255.0 host 192.168.254.198 eq pop3
access-list FromDMZ extended permit tcp 192.168.254.0 255.255.255.0 host 192.168.254.198 eq smtp
access-list FromDMZ extended permit tcp 192.168.254.0 255.255.255.0 host 192.168.254.198 eq ldap
access-list FromDMZ extended permit tcp 192.168.254.0 255.255.255.0 host 192.168.254.198 eq domain
access-list FromDMZ extended permit tcp 192.168.254.0 255.255.255.0 host 192.168.254.199 eq 1972
access-list FromDMZ extended permit tcp 192.168.254.0 255.255.255.0 host 192.168.254.199 eq 1973
access-list SplitVPNClient standard permit 192.1.2.0 255.255.255.0
access-list SplitVPNClient standard permit 172.28.239.0 255.255.255.0
access-list SplitVPNClient standard permit 10.194.254.0 255.255.255.0
access-list SplitVPNClient standard permit 172.28.36.0 255.255.255.0
access-list SplitVPNClient standard permit 172.21.0.0 255.255.0.0
access-list SplitVPNClient standard permit 192.168.0.0 255.255.0.0
access-list SplitVPNClient standard permit 66.84.236.0 255.255.255.0
access-list SplitVPNClient standard permit 66.84.237.0 255.255.255.0
access-list SplitVPNClient standard permit 192.168.20.0 255.255.255.0
access-list SplitVPNClient standard permit 192.1.5.0 255.255.255.0
access-list SplitDMVPN extended permit ip host 192.168.254.203 172.31.252.0 255.255.255.0
access-list SplitDMVPN extended permit ip host 192.168.254.201 172.31.252.0 255.255.255.0
access-list SplitDMVPN extended permit ip host 192.168.254.202 172.31.252.0 255.255.255.0
access-list SplitDMVPN extended permit ip host 192.168.254.204 172.31.252.0 255.255.255.0
access-list FromInternal extended deny ip any 192.168.254.0 255.255.255.0
access-list FromInternal extended permit ip any any
access-list FromVoIP extended permit ip 66.84.236.0 255.255.255.0 host 192.168.4.2
access-list FromVoIP extended permit ip 66.84.237.0 255.255.255.0 host 192.168.4.3
access-list FromVoIP extended permit icmp any any
access-list FromVoIP extended permit ip any any
access-list capin extended permit ip any 192.168.100.0 255.255.255.0
access-list capin extended permit ip any 192.168.101.0 255.255.255.0
access-list capin extended permit ip 192.168.100.0 255.255.255.0 any
access-list capin extended permit ip 192.168.101.0 255.255.255.0 any
access-list capout extended permit ip any host 192.168.4.2
access-list capout extended permit ip any host 192.168.4.3
access-list capout extended permit ip host 192.168.4.3 any
access-list capout extended permit ip host 192.168.4.2 any
access-list ToInternal remark From Norlight VoIP LD
access-list ToInternal extended permit ip 66.84.236.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list ToInternal extended permit ip 66.84.236.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list ToInternal extended permit ip 66.84.236.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list ToInternal extended permit ip 66.84.237.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list ToInternal extended permit ip 66.84.237.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list ToInternal extended permit ip 66.84.237.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list ToInternal remark -----------------------------------------------
access-list capinside extended permit ip host 192.168.101.10 any
access-list capinside extended permit ip any host 192.168.101.10
access-list capinside extended permit ip host 192.168.111.100 66.84.236.0 255.255.255.0
access-list capinside extended permit ip host 192.168.111.100 66.84.237.0 255.255.255.0
access-list capinside extended permit ip 66.84.236.0 255.255.255.0 host 192.168.111.100
access-list capinside extended permit ip 66.84.237.0 255.255.255.0 host 192.168.111.100
access-list capoutside extended permit ip any any
access-list capoutside extended permit ip host 192.168.4.2 any
access-list capoutside extended permit ip any host 192.168.4.2
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap informational
logging asdm warnings
logging host inside 192.168.20.49
logging host inside 192.168.111.129
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool MFLD 172.31.254.1-172.31.254.254
ip local pool RemoteUser 172.31.253.1-172.31.253.254
ip local pool DMVPN 172.31.252.1-172.31.252.254
failover
no monitor-interface outside
monitor-interface inside
monitor-interface DMZ
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list SplitPermit
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list SplitPermitDMZ
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-group FromInternet in interface outside
access-group FromInternal in interface inside
access-group ToInternal out interface inside
access-group FromDMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 66.84.184.17 1
route inside 192.1.2.0 255.255.255.0 192.168.50.3 75
route inside 172.28.0.0 255.255.0.0 192.168.50.3 75
route inside 172.21.0.0 255.255.0.0 192.168.50.3 75
route inside 10.194.0.0 255.255.0.0 192.168.50.3 75
route inside 192.168.111.0 255.255.255.0 192.168.50.3 1
route inside 192.168.112.0 255.255.255.0 192.168.50.3 1
route inside 192.168.20.0 255.255.255.0 192.168.50.3 1
route inside 192.168.101.0 255.255.255.0 192.168.50.3 1
route inside 192.168.100.0 255.255.255.0 192.168.50.3 1
route inside 66.84.237.0 255.255.255.0 192.168.50.3 1
route inside 66.84.236.0 255.255.255.0 192.168.50.3 1
route inside 192.168.4.0 255.255.255.0 192.168.50.3 1
route inside 192.168.2.0 255.255.255.0 192.168.50.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http 206.40.119.206 255.255.255.255 outside
http 192.1.2.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
snmp-server host inside 192.1.2.6 poll community NiTtFaGmTcTtAoTc
snmp-server host inside 192.168.111.129 community NiTtFaGmTcTtAoTc
snmp-server host inside aca-utility poll community NiTtFaGmTcTtAoTc
snmp-server host inside 192.168.20.12 poll community NiTtFaGmTcTtAoTc
snmp-server host inside 192.168.20.32 poll community NiTtFaGmTcTtAoTc
no snmp-server location
no snmp-server contact
telnet 192.1.2.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 60
ssh 206.40.119.206 255.255.255.255 outside
ssh 201.194.184.2 255.255.255.255 outside
ssh 69.8.140.0 255.255.255.0 outside
ssh 192.1.2.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 20
ssh version 2
console timeout 0
management-access inside
!
class-map class_h323_h225
 match port tcp range 500 65535
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_2
  inspect ftp
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect sip
!
service-policy global_policy global
ntp server 128.105.39.11 source outside prefer
ntp server 128.105.37.11 source outside
smtp-server 192.1.2.100
prompt hostname context
Cryptochecksum:aabee82595111ff53cbe23f54df06513
: end
asdm image flash:/asdm-522.bin
asdm location 192.1.2.0 255.255.255.0 inside
asdm location 192.168.0.0 255.255.255.0 inside
asdm location 192.168.50.0 255.255.255.0 inside
no asdm history enable

Tracing the route to 4.2.2.2

  1 10.0.1.1 12 msec 12 msec 12 msec
  2 192.168.21.254 12 msec 12 msec 12 msec
  3  *  *  *
  4  *  *  *

Still getting this with the new route in place for the 192.168.2.0 traffic on the PIX to send it internal, so I don't think that was it.

You might try this in the .18 router...
access-list SplitPermitDMZ extended permit ip 192.168.2.0 255.255.255.0 172.31.252.0 255.255.255.0

If it doesn't make a difference then remove it with the no command.

I am still looking at your config... That's quite the setup you got there.  :-)
Yeah, and the remarks are not very well done so it is a real pain to figure out. I have no idea why there are 172s in there and a few of the other things. Some of this was brought over when the company moved down the road, so there very well could be residual stuff in there too.

No luck, it still doesn't get to the .17 PIX.
I don't suppose you have some kind of basic visual map of the routers and how they connect together and such?

Even something quickly hand drawn and scanned would help me to better visualize the setup.
What is 192.168.100.254?
What is 192.168.50.3?

If you could get me the dump of the config for your switch that is doing the VLAN routing, I could better come up with a diagram of your network that would help in the troubleshooting of this problem.

I have already built a diagram of routers .18 and .17 but I don't yet know how they interconnect....
Also, why is .17 called .17??? I can't find anything in its config relating to an address ending in .17.

I masked out external IPs; .17 and .18 are the last octet. 50.3 is the VLAN address in the 3750, as is the 100.254. Here is the VLAN section of the switch.

interface Vlan1
 ip address 192.1.2.112 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 standby 1 ip 192.1.2.80
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN1
!
interface Vlan5
 description Path to iSCSI SAN
 ip address 192.1.5.254 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN10
!
interface Vlan18
 ip address 172.18.1.1 255.255.255.0
 shutdown
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip pim sparse-dense-mode
 standby 1 ip 192.168.20.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN20
!
interface Vlan21
 ip address 192.168.21.254 255.255.255.0
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN21
!
interface Vlan30
 ip address 192.168.30.254 255.255.255.0
 standby 1 ip 192.168.30.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN30
!
interface Vlan50
 ip address 192.168.50.254 255.255.255.0
 standby 1 ip 192.168.50.3
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN50
!
interface Vlan70
 ip address 192.168.70.1 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
!
interface Vlan99
 ip address 192.168.99.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 standby 1 ip 192.168.99.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN99
!
interface Vlan100
 ip address 192.168.100.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 standby 1 ip 192.168.100.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN100
!
interface Vlan101
 ip address 192.168.101.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 standby 1 ip 192.168.101.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN101
!
interface Vlan111
 ip address 192.168.111.254 255.255.255.0
 ip helper-address 192.1.2.100
 standby 1 ip 192.168.111.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN111
!
interface Vlan112
 ip address 192.168.112.254 255.255.255.0
 ip helper-address 192.1.2.116
 ip helper-address 192.1.2.100
 standby 1 ip 192.168.112.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN112
!
interface Vlan113
 ip address 192.168.113.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 shutdown
 standby 1 ip 192.168.113.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN113
!
interface Vlan114
 ip address 192.168.114.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 standby 1 ip 192.168.114.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN114
!
interface Vlan115
 ip address 192.168.115.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
 standby 1 ip 192.168.115.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN115
!
interface Vlan150
 ip address 192.168.150.254 255.255.255.0
 ip helper-address 192.1.2.100
 ip helper-address 192.1.2.116
!
interface Vlan201
 ip address 192.168.201.254 255.255.255.0
 standby 1 ip 192.168.201.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VLAN201
!
interface Vlan253
 ip address 192.168.253.1 255.255.255.0
 shutdown
!
We call the .18 mfld-firewall; the .17 is from our provider Norlight and named mfld-pix-norlight. Hope this helps.

I am working on some Visio diagrams as we speak to get the PIX ports all mapped as to where they go on the stack. Once I have something more, hopefully I can get it posted.

Can you put the routing information from that switch up too?


ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 192.168.50.1
ip route 10.0.3.0 255.255.255.252 192.168.21.4
ip route 10.1.8.0 255.255.248.0 192.168.20.2
ip route 10.10.0.0 255.255.0.0 192.168.21.6
ip route 10.30.0.0 255.255.0.0 192.168.21.6
ip route 10.100.0.0 255.255.0.0 192.168.20.2
ip route 10.104.60.0 255.255.255.0 192.168.20.2
ip route 10.108.10.0 255.255.255.0 192.168.50.1
ip route 10.130.10.0 255.255.255.0 192.168.50.1
ip route 10.130.100.0 255.255.255.0 192.168.50.1
ip route 10.131.100.0 255.255.255.0 192.168.50.1
ip route 10.138.10.0 255.255.255.0 192.168.50.1
ip route 10.138.100.0 255.255.255.0 192.168.50.1
ip route 10.139.10.0 255.255.255.0 192.168.50.1
ip route 10.139.100.0 255.255.255.0 192.168.50.1
ip route 10.165.10.4 255.255.255.255 192.168.50.1
ip route 10.165.10.5 255.255.255.255 192.168.50.1
ip route 10.165.10.6 255.255.255.255 192.168.50.1
ip route 10.165.10.10 255.255.255.255 192.168.50.1
ip route 10.165.10.11 255.255.255.255 192.168.50.1
ip route 10.165.10.12 255.255.255.255 192.168.50.1
ip route 63.240.14.132 255.255.255.255 192.168.50.1
ip route 66.84.236.0 255.255.255.0 192.168.100.201
ip route 66.84.237.0 255.255.255.0 192.168.100.201
ip route 167.68.25.83 255.255.255.255 192.168.50.1
ip route 172.16.0.0 255.255.0.0 192.168.50.1
ip route 172.18.0.0 255.255.0.0 192.168.50.1
ip route 172.28.239.0 255.255.255.0 192.168.21.5
ip route 172.30.0.0 255.255.0.0 192.168.50.1
ip route 172.31.0.0 255.255.255.0 192.168.50.1
ip route 172.31.248.0 255.255.255.0 192.168.21.7
ip route 172.31.252.0 255.255.255.0 192.168.50.1
ip route 172.31.253.0 255.255.255.0 192.168.50.1
ip route 172.31.254.0 255.255.255.0 192.168.50.1 75
ip route 172.31.254.0 255.255.255.0 192.1.2.248 90
ip route 192.112.251.132 255.255.255.255 192.168.50.1
ip route 192.168.4.0 255.255.255.0 192.168.100.201
ip route 192.168.113.0 255.255.255.0 192.168.50.1
ip route 192.168.170.0 255.255.255.0 192.168.50.1
ip route 192.168.252.0 255.255.255.0 192.168.50.1
ip route 192.168.253.0 255.255.255.0 192.168.20.2
ip route 192.236.18.0 255.255.255.0 192.168.21.7
Your core switch doesn't know the route to get to 192.168.2.0/24.
Where does the .2 network attach into your network???
On the .18 router or .17???
If so, what should the IP path be from the core switch to the .2 network?

Ok... I see it, your default route should know how to get there.
What device is 192.168.50.3?
What is its config?

Ok... From the diagram that I have created so far it appears that 192.168.2.0/24 goes through 192.168.50.3 to 192.168.50.1, then out to the internet directly from there.
What is 192.168.50.3??? Is it a router? If so, what is its config?

According to the information I have gathered so far, it appears that the traffic coming from 192.168.2.0/24 bound for the internet never goes through the core switch and never goes through the .17 router.

Is your internet attached on the .18 router then?
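The two questions argued over in this thread, whether the .17/.18 firewalls' dynamic NAT actually covers the owner's subnet and which next hop each device's static table picks for 192.168.2.x before and after the added route, can be checked mechanically. The following is an added example written for this page, not the poster's or Cisco's code; the config excerpts are constructed from the routes posted above, it models static routes only (EIGRP-learned routes are not represented), and it says nothing about how the PIX connection table would treat the reply.

```python
"""Static-route and dynamic-NAT checker for PIX/IOS config excerpts.

Parses 'route' lines of a PIX 7.x config (and 'ip route' lines of an IOS switch)
plus PIX 'nat (iface) id net mask' lines, then answers: which next hop the static
table picks for an address (longest prefix, lower metric on ties), whether a
dynamic NAT rule covers a source, and whether the reply to a source would leave
on the interface the packet arrived on.
"""
import ipaddress
import re

# PIX: "route <iface> <net> <mask> <gw> [metric]"; IOS: "ip route <net> <mask> <gw> [metric]"
ROUTE_RE = re.compile(
    r"^(?:ip\s+)?route\s+(?:([A-Za-z]\S*)\s+)?(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\S+)(?:\s+(\d+))?"
)
# PIX dynamic NAT: "nat (<iface>) <id> <net> <mask>" ('nat ... 0 access-list' lines are skipped)
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")


def parse_routes(config):
    """Return (network, iface_or_None, next_hop, metric) tuples from route lines."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, gw, metric = m.groups()
            routes.append((ipaddress.ip_network(f"{net}/{mask}", strict=False),
                           iface, gw, int(metric or 1)))
    return routes


def parse_nat(config):
    """Return (iface, nat_id, network) tuples from dynamic nat lines."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            iface, nat_id, net, mask = m.groups()
            rules.append((iface, int(nat_id), ipaddress.ip_network(f"{net}/{mask}", strict=False)))
    return rules


def lookup(routes, address):
    """Longest-prefix match; equal prefixes are broken by the lower metric.

    Returns (iface, next_hop), or None when nothing (not even a default) matches.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for network, iface, gw, metric in routes:
        if addr in network:
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface, gw)
    return None if best is None else (best[1], best[2])


def nat_covers(rules, iface, src):
    """True when a dynamic NAT rule on iface includes src, so a global pool applies."""
    addr = ipaddress.ip_address(src)
    return any(r_iface == iface and addr in net for r_iface, _, net in rules)


def check_flow(config, ingress_iface, src, dst):
    """Describe how a firewall's static table treats a flow arriving on ingress_iface."""
    routes, nat = parse_routes(config), parse_nat(config)
    back = lookup(routes, src)
    return {
        "egress": lookup(routes, dst),
        "return_path": back,
        "symmetric": back is not None and back[0] == ingress_iface,
        "nat_applies": nat_covers(nat, ingress_iface, src),
    }


# Constructed excerpt modelled on the .18 firewall posted above: default route,
# a few inside routes and the catch-all dynamic NAT on the inside interface.
FIREWALL_BEFORE = """\
route outside 0.0.0.0 0.0.0.0 66.84.184.17 1
route inside 192.168.20.0 255.255.255.0 192.168.50.3 1
route inside 192.168.100.0 255.255.255.0 192.168.50.3 1
route inside 172.31.254.0 255.255.255.0 192.168.50.3 75
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The same excerpt with the route the asker added for the owner's home subnet.
FIREWALL_AFTER = FIREWALL_BEFORE + "route inside 192.168.2.0 255.255.255.0 192.168.50.3 1\n"

# Constructed excerpt modelled on the 3750's static 'ip route' table: no entry for
# 192.168.2.0/24, so in this table it falls through to the default toward 192.168.50.1.
SWITCH = """\
ip route 0.0.0.0 0.0.0.0 192.168.50.1
ip route 192.168.4.0 255.255.255.0 192.168.100.201
ip route 172.31.254.0 255.255.255.0 192.168.50.1 75
ip route 172.31.254.0 255.255.255.0 192.1.2.248 90
"""

if __name__ == "__main__":
    for label, cfg in (("before", FIREWALL_BEFORE), ("after", FIREWALL_AFTER)):
        print(label, check_flow(cfg, "inside", "192.168.2.7", "208.67.222.222"))
    print("switch:", lookup(parse_routes(SWITCH), "192.168.2.7"))
```

Run against the constructed "before" table, the reply to 192.168.2.7 resolves to the outside default route (asymmetric), while the "after" table returns it via 192.168.50.3 on inside; the NAT check shows the catch-all nat (inside) 1 already covered the subnet either way.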
50.3 is the switch. Here is a weird one: we moved the device to a static IP, 192.168.2.100, and it works fine. The .2 is on the other side of a router and comes in through a 2821. He also has a home security system we are working to get up so he can monitor that from the office or anywhere; we are going to try that on 192.168.2.101 and see what happens. I am still curious as to why, when it was 192.168.2.7, it wouldn't go? Unless it has something to do with the DHCP pool on the 192.168.2.1 router.
ASKER CERTIFIED SOLUTION
Deoji
This solution is only available to members of Experts Exchange.
It doesn't respond to pings after changing it. Also the route is not included because, with EIGRP, it knows how to get traffic there. I would add a route for it into the router on this side, but so far all other traffic to the subnet works, so I wasn't thinking it was a route.

When I do a trace to the IP 192.168.2.1 it knows to send it to the router and then over the multilink connection and I get the response back. That I would like to leave alone if possible; since it is working I don't want to affect other traffic.

Thanks for all of the help. Somewhere in the changes it started working, so I am going to leave it alone.
Sorry... I got pulled away by a problem here at my Job.
Glad to see that you got it all working now.