Solved

Internet access denied on L2 switch

Posted on 2009-04-28
Last Modified: 2012-05-06
Hi Expert
Please help!

Unable to ping a public IP or the ASA inside IP from a Catalyst 2950 switch at the access layer

My network topology is very simple.
Internet == Cisco 877 == Cisco ASA 5505 == Cat3750 == Cat2950

On the L3 switch (Cat3750), using the console, I can ping the ASA 5505 inside IP. On the L2 switch (Cat2950), using the console, I CANNOT ping it.

The ASA is running 192.168.10.2 with only the default configuration and default access-list, no 1-to-1 NAT, and no password set. ICMP is already enabled on the outside interface.
The Cat3750 routed port is 192.168.10.1.
The Cat3750 trunks with the Cat2950.

Has anyone encountered this? What is wrong?

Question by:chekfu

Expert Comment

by:from_exp
Do you have a gateway set on the 2950?
Does the ASA have an IP route to the 2950? (If the 2950 is connected via a routed port, then the ASA should have a static route to the 192.168.10.0/24 subnet.)
 

Author Comment

by:chekfu
The Cat3750 is running IP 192.168.20.1 in vlan20 as a management VLAN.
The Cat2950 is running IP 192.168.20.2 in vlan20; its default-gateway is 192.168.20.1.

I tried one WinXP machine connected to the Cat2950's port 5 in vlan100. The VLAN100 interface IP is 192.168.100.1.
WinXP IP parameters I configured manually: IP 192.168.100.100, SM 255.255.255.0, GW 192.168.100.1, DNS my own ISP's DNS. Using telnet on this machine, I can ping the gateway, which is 192.168.100.1. Pinging the management VLAN IPs 192.168.20.1 or 192.168.20.2 is OK. Pinging the routed port 192.168.10.1 is OK. But pinging 192.168.10.2 (the ASA inside IP) fails.

What do you mean by a static route? What must I configure on my ASA? My ASA has only one static route, which is 0.0.0.0 0.0.0.0 on the outside interface.
 

Accepted Solution

by:from_exp
I suppose your ASA should have a static route to the Cisco 3750.

I don't understand your IP addressing very clearly, but if it is like this:

<ASA[10.1.1.1/24]>----<[10.1.1.2/24]c3750[10.1.2.1/24]>----<2950>---<PC with an IP of 10.1.2.10/24 and GW to 10.1.2.1>

then the static route on the ASA would look like this (ASA syntax is route <interface> <network> <mask> <gateway>, not the IOS ip route form):
route inside 10.1.2.0 255.255.255.0 10.1.1.2

So we effectively tell the ASA that there is one more subnet within our network, which is located behind the c3750.

In fact you can have several subnets behind the c3750, and if you want all of them to be reachable from the ASA, then you should add static routes for all of those networks.
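The failure described in the question and the fix proposed in the accepted solution come down to one thing: the echo request from 192.168.100.100 reaches the ASA over the inside interface, but the ASA looks up the reply destination, finds only its connected 192.168.10.0/24 and the 0.0.0.0/0 default, and sends the reply out the outside interface. The following is an added example, not code from the poster or from from_exp, that models that longest-prefix route lookup in Python and checks which inside hosts lack a return route, using the poster's real subnets (192.168.20.0/24 and 192.168.100.0/24 behind 192.168.10.1) and a constructed outside address (203.0.113.x, documentation range), for the default route table and for the table after the suggested static routes are added.

```python
import ipaddress

# Constructed ASA route lines in "route <interface> <network> <mask> <gateway>"
# syntax. The outside addressing (203.0.113.x) is an assumption; the poster only
# stated that a single 0.0.0.0 0.0.0.0 default route exists on the outside interface.
DEFAULT_CONFIG = """
route outside 0.0.0.0 0.0.0.0 203.0.113.1
"""

# Subnets the ASA reaches without a static route, derived from its interface
# addresses. Inside address 192.168.10.2/24 is from the question; outside is assumed.
CONNECTED = {
    "outside": "203.0.113.2/24",
    "inside": "192.168.10.2/24",
}

# Same table after adding the return routes the accepted solution describes,
# one per subnet behind the Cat3750, all via its routed port 192.168.10.1.
FIXED_CONFIG = DEFAULT_CONFIG + """
route inside 192.168.20.0 255.255.255.0 192.168.10.1
route inside 192.168.100.0 255.255.255.0 192.168.10.1
"""


def parse_routes(config, connected):
    """Return a list of (network, interface, gateway) from connected subnets plus route lines."""
    routes = []
    for iface, addr in connected.items():
        net = ipaddress.ip_interface(addr).network
        routes.append((net, iface, None))  # directly connected: no next hop
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "route":
            continue  # skip blank lines and anything that is not a route statement
        _, iface, network, mask, gateway = parts
        # ipaddress accepts a dotted netmask after the slash, e.g. 10.0.0.0/255.0.0.0
        net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
        routes.append((net, iface, ipaddress.ip_address(gateway)))
    return routes


def lookup(routes, dest):
    """Longest-prefix match: the (interface, gateway) the ASA would use to reach dest."""
    dest = ipaddress.ip_address(dest)
    best = None
    for net, iface, gw in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])


def reply_interface(config, connected, src_host):
    """Interface the ASA's echo reply to src_host would leave on, or None if no route."""
    match = lookup(parse_routes(config, connected), src_host)
    return None if match is None else match[0]


def hosts_without_return_route(config, connected, inside_hosts, inside_if="inside"):
    """Inside hosts whose replies would not go back out the inside interface.

    A host in this list can send packets to the ASA but will never see the answer,
    which is exactly the 'ping the inside IP fails' symptom from the question.
    """
    routes = parse_routes(config, connected)
    return [h for h in inside_hosts
            if (m := lookup(routes, h)) is None or m[0] != inside_if]


if __name__ == "__main__":
    # Hosts from the thread: the 3750 routed port, the 2950 management IP, the WinXP PC.
    hosts = ["192.168.10.1", "192.168.20.2", "192.168.100.100"]
    for label, cfg in (("default", DEFAULT_CONFIG), ("with static routes", FIXED_CONFIG)):
        print(f"{label}: unreachable from ASA -> {hosts_without_return_route(cfg, CONNECTED, hosts)}")
        for h in hosts:
            print(f"  reply to {h} leaves via {lookup(parse_routes(cfg, CONNECTED), h)}")
```

Only 192.168.10.1 is reachable with the default table, which matches the poster's observation that pings from the 3750 itself work while pings from the 2950 or the PC do not. The model covers routing only: a real ASA also applies NAT and inspection, and the forward path needs the 3750 to have ip routing enabled and a default route toward 192.168.10.2, which the poster's successful pings from the 3750 console suggest is already the case.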
