Solved

Trunk between Juniper NetScreen FW and Cisco Switch

Posted on 2012-03-30
13
695 Views
Last Modified: 2012-06-21
Hi,

Client ( 10.25.20.0/24)
   |
Core RouterX
   |
Access RouterA --->AGG Sw1---->JFW----DMZ
                                   |
                                   |
                              ToR Sw1
                          |                 |
                      |                         |
                  Srv1                       Srv2
   (172.20.36.0/24)

172.20.36.36 is NATd with 3.3.3.3 in the FW, client is using the NAT IP to reach Srv1.

Looks like traffic is not hitting the FW at all. I can see trace from client reach up to RouterX and 3.3.3.x network is hostedon RoutrA.

Any help would be great.!!!!

genseek
0
Comment
Question by:genseek
  • 8
  • 5
13 Comments
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37787231
Can you post your configs?
0
 

Author Comment

by:genseek
ID: 37787294
what configs are you seeking?
0
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37787400
Hold on...

If client and the server in the same network, that is behind the firewall and not on two sides of the firewall then i am pretty sure you can not access the server using the nated ip. (with in the same network)

If i am not wrong, your router will drop the packet as it wouldnt be knowing where to find 3.3.3.3 unless you specifically tell the router to forward the packet to fw.
0
 

Author Comment

by:genseek
ID: 37787438
chesperito,

client and server are NOT in same network, plz see the topology diagram above.

Client is outside the FW and server is in DMZ network.
0
 

Author Comment

by:genseek
ID: 37787523
172.20.36.36  belongs to vlan 106,

There are 2 port channels between FW and AGG switch, Po10 and Po16

From the AGG side, i see Po10 has vlan 100 allowed and Po16 does not have vlan 106 allowed.


i want to check if vlan106 is allowed in the trunk between FW and AGG switch.

How can i see from the juniper FW side? what is the cmd?
0
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37787634
I am still trying to understand your network topology.

1 . When you say client is outside your network, is it located beyond your outside interface(like internet) or with in the network (inside)?

2. Can you access the server using its original ip (172.20.36.36)?
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:genseek
ID: 37787671
The client is outside the fW outside interface but is a remore internal network.


We are able to ping the server from Access Router A. Also, the server vlan is in VRF.
0
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37787767
Do you have a site to site ipsec tunnel between two locations?
If yes the tunnel is between two routers or Core Router X and JFW?

Through which you are able to ping the server(from access router a)
from client machine can you ping the server using the original ip (172.20.36.36)
0
 

Author Comment

by:genseek
ID: 37787917
There is NO Ipsec tunnel involved here.
0
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37787933
Through which ip you are able to ping the server(from access router a)
from client machine can you ping the server using the original ip (172.20.36.36)
0
 

Author Comment

by:genseek
ID: 37787980
172.20.36.36  belongs to vlan 106 which has VRF.

I'm able to ping from this VRF which belongs to the same vlan the destination server is in.

I'm not able to ping the server using original IP.
0
 

Accepted Solution

by:
genseek earned 0 total points
ID: 37789880
Am closing this question as i got the resolution.
0
 

Author Closing Comment

by:genseek
ID: 37805223
Am closing this question as i got the resolution.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now