Internet access denied on L2 switch

Posted on 2009-04-28
Medium Priority
Last Modified: 2012-05-06
Hi Expert
Please help!

Unable to ping public IP or ASA inside IP on Catalyst 2950 switch as an access level

My network topology is very simple.
Internet == Cisco 877 == Cisco ASA 5505 == Cat3750 == Cat2950

On the L3 switch (Cat3750), using the console, I can ping the ASA 5505 inside IP. On the L2 switch (Cat2950), using the console, I CANNOT ping it.

ASA running with only default configuration and default access-list, no 1-to-1 NAT, no password is set. Already ICMP enabled in outside interface.
Cat3750 routed port is
Cat3750 trunk with Cat2950

Has anyone encountered this? What is wrong?

Question by:chekfu

Expert Comment

ID: 24251087
Do you have a gateway set on the 2950?
Does the ASA have an IP route to the 2950? (If the 2950 is connected via a routed port, then the ASA should have a static route to the subnet.)

Author Comment

ID: 24251251
Cat3750 running IP in vlan20 as a management vlan
Cat2950 running IP in vlan20, default-gateway is

I tried one WinXP machine connected to Cat2950's port 5 as vlan100. VLAN100 interface IP
WinXP IP parameter I manually configured: IP-, SM-, GW-, DNS-own ISP DNS. Using telnet in this machine, I can ping gateway which is Ping management vlan IPs or OK. Ping routed port OK. But ping (ASA inside IP) failed.

What do you mean by static route? What must I configure in my ASA? My ASA has only one static route which is  in outside interface.

Accepted Solution

from_exp earned 2000 total points
ID: 24257452
I suppose your ASA should have a static route to the Cisco 3750.

I don't understand your IP addressing very clearly, but if it is like this:

<ASA[]>----<[]c3750[]>----<2950>---<PC with an IP of and GW to>

then static route for ASA would look like:
ip route

so we effectively tell ASA, that there is one more subnet within our network, which is located behind c3750.

In fact you can have several subnets behind c3750 and if you want all of them to be visible from ASA, then you should add static routes to all those networks.
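
The return-route check described in the accepted answer, as an added example that is not part of the original thread: it does a longest-prefix match over the ASA's connected networks and static routes and prints the `route` commands needed for each subnet behind the L3 switch. All addresses, the interface names, and the `route <interface> <network> <mask> <gateway>` form (the ASA's static-route syntax) are assumptions, since the thread's own addresses are not shown.

```python
import ipaddress

# Constructed sample data (RFC 1918 / documentation ranges), not from the thread.
ASA_ROUTES = "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1"
CONNECTED = {  # ASA interface name -> directly connected network
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/30"),
}
BEHIND_L3 = ["192.168.20.0/24", "192.168.100.0/24"]  # VLAN 20 and VLAN 100
L3_ROUTED_PORT = "192.168.1.2"  # hypothetical 3750 routed-port address


def parse_routes(config):
    """Parse ASA 'route <if> <net> <mask> <gateway> [metric]' lines."""
    routes = []
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 5 and p[0] == "route":
            routes.append((ipaddress.ip_network(f"{p[2]}/{p[3]}"), p[1]))
    return routes


def egress_interface(subnet, connected, routes):
    """Longest-prefix match: interface the ASA uses to reach `subnet`."""
    table = [(net, ifname) for ifname, net in connected.items()] + routes
    hits = [(net.prefixlen, ifname) for net, ifname in table if subnet.subnet_of(net)]
    return max(hits)[1] if hits else None


def missing_return_routes(subnets, connected, config, next_hop, inside="inside"):
    """Return the 'route' commands needed so replies leave via `inside`."""
    routes = parse_routes(config)
    fixes = []
    for s in map(ipaddress.ip_network, subnets):
        # With only a default route, replies to these subnets exit 'outside'.
        if egress_interface(s, connected, routes) != inside:
            fixes.append(f"route {inside} {s.network_address} {s.netmask} {next_hop}")
    return fixes


if __name__ == "__main__":
    for cmd in missing_return_routes(BEHIND_L3, CONNECTED, ASA_ROUTES, L3_ROUTED_PORT):
        print(cmd)
```

With only the default route present, both VLAN subnets resolve to the outside interface, which is why hosts behind the 3750 get no replies from the ASA inside address.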
