Trunk between Juniper NetScreen FW and Cisco Switch

Posted on 2012-03-30
Last Modified: 2012-06-21
Hi,

Client (10.25.20.0/24)
   |
Core RouterX
   |
Access RouterA --->AGG Sw1---->JFW----DMZ
                                   |
                                   |
                               ToR Sw1
                              /       \
                           Srv1       Srv2
                          (172.20.36.0/24)

172.20.36.36 is NATed to 3.3.3.3 on the FW; the client is using the NAT IP to reach Srv1.

It looks like the traffic is not hitting the FW at all. I can see the trace from the client reach RouterX, and the 3.3.3.x network is hosted on RouterA.

Any help would be great!

genseek
Question by:genseek
13 Comments

Expert Comment

by:Ramakrishna Prabhu
ID: 37787231
Can you post your configs?

Author Comment

by:genseek
ID: 37787294
What configs are you seeking?

Expert Comment

by:Ramakrishna Prabhu
ID: 37787400
Hold on...

If the client and the server are in the same network, that is, both behind the firewall and not on two sides of it, then I am pretty sure you cannot access the server using the NATed IP (within the same network).

If I am not wrong, your router will drop the packet, as it would not know where to find 3.3.3.3 unless you specifically tell the router to forward the packet to the FW.

Author Comment

by:genseek
ID: 37787438
chesperito,

The client and server are NOT in the same network; please see the topology diagram above.

The client is outside the FW and the server is in the DMZ network.

Author Comment

by:genseek
ID: 37787523
172.20.36.36 belongs to VLAN 106.

There are 2 port channels between the FW and the AGG switch, Po10 and Po16.

From the AGG side, I see Po10 has VLAN 100 allowed and Po16 does not have VLAN 106 allowed.

I want to check whether VLAN 106 is allowed on the trunk between the FW and the AGG switch.

How can I see this from the Juniper FW side? What is the command?
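The check the poster is after at this point (is VLAN 106 actually carried on the port channel towards the firewall?) is read off the Cisco side with `show interfaces trunk`, and the useful detail is that the command prints three VLAN lists per port, not one: "allowed on trunk", "allowed and active", and "in spanning tree forwarding state and not pruned". A VLAN can be in the first list and still not pass traffic because it is missing from the VLAN database or is being pruned. The script below is an added example and is not part of the thread; it parses a constructed `show interfaces trunk` capture that mirrors the poster's description (Po10 has VLAN 100, Po16 is missing VLAN 106) and reports, per port and VLAN, which of the three lists the VLAN appears in. The sample output, the port names and the VLAN numbers are constructed for the example. On the NetScreen side the trunk is not a separate object: each tagged VLAN is a ScreenOS subinterface (for example `ethernet1/1.1` with `tag 106`), and, as far as I recall, `get interface` lists the subinterfaces with their VLAN tags, so confirm that against the ScreenOS reference for your release; if no subinterface carries tag 106 the firewall will never see that VLAN no matter what the switch allows.

```python
"""Check whether a VLAN is allowed, active and forwarding on a Cisco IOS
trunk port by parsing 'show interfaces trunk' output.

Added example for this thread, not code from the original post.  The
capture below is constructed to match the poster's description; in real
use, paste the output from the AGG switch instead."""

# Constructed 'show interfaces trunk' output from the AGG switch (sample data).
SAMPLE_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Po10        on               802.1q         trunking      1
Po16        on               802.1q         trunking      1

Port        Vlans allowed on trunk
Po10        100,106
Po16        100,110-120

Port        Vlans allowed and active in management domain
Po10        100
Po16        100,110-120

Port        Vlans in spanning tree forwarding state and not pruned
Po10        100
Po16        100,110-120
"""

# The three per-port VLAN sections IOS prints, keyed by a short name.
SECTIONS = {
    "allowed": "Vlans allowed on trunk",
    "active": "Vlans allowed and active in management domain",
    "forwarding": "Vlans in spanning tree forwarding state and not pruned",
}


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '100,110-120' into a set of ints.

    'none' yields an empty set and 'ALL' yields every VLAN 1-4094."""
    vlans = set()
    spec = spec.strip()
    if not spec or spec.lower() == "none":
        return vlans
    if spec.upper() == "ALL":
        return set(range(1, 4095))
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(text):
    """Return {section: {port: set(vlans)}} for the three VLAN sections."""
    result = {key: {} for key in SECTIONS}
    current = None    # section we are inside, or None for Mode/Status block
    last_port = None  # previous row's port, for VLAN lists IOS wrapped
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        if line.startswith("Port "):
            heading = line[len("Port"):].strip()
            current = next((k for k, h in SECTIONS.items() if h == heading), None)
            last_port = None
            continue
        if current is None:
            continue
        if line[0].isspace():
            # Long VLAN lists wrap onto indented continuation lines.
            if last_port is not None:
                result[current][last_port] |= expand_vlan_list(line)
            continue
        port, _, vlan_spec = line.strip().partition(" ")
        result[current][port] = expand_vlan_list(vlan_spec)
        last_port = port
    return result


def vlan_status(text, port, vlan):
    """Return {'allowed': bool, 'active': bool, 'forwarding': bool}."""
    parsed = parse_show_trunk(text)
    return {key: vlan in parsed[key].get(port, set()) for key in SECTIONS}


def explain(text, port, vlan):
    """Turn the three flags into the next thing to check on the switch."""
    status = vlan_status(text, port, vlan)
    if not status["allowed"]:
        return (f"VLAN {vlan} is not in the allowed list on {port}: "
                f"use 'switchport trunk allowed vlan add {vlan}' "
                f"(without 'add' the existing list is replaced)")
    if not status["active"]:
        return (f"VLAN {vlan} is allowed on {port} but not active: "
                f"it is missing from the VLAN database (check 'show vlan brief')")
    if not status["forwarding"]:
        return (f"VLAN {vlan} is allowed and active on {port} but not forwarding: "
                f"spanning tree is blocking it or VTP pruning removed it")
    return f"VLAN {vlan} is allowed, active and forwarding on {port}"


if __name__ == "__main__":
    for port in ("Po10", "Po16"):
        print(explain(SAMPLE_SHOW_TRUNK, port, 106))
```

Run against the constructed capture, the script reports that VLAN 106 is not allowed on Po16 at all and is allowed but not active on Po10, which is the case where the trunk configuration looks right at a glance yet the VLAN still carries nothing.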

Expert Comment

by:Ramakrishna Prabhu
ID: 37787634
I am still trying to understand your network topology.

1. When you say the client is outside your network, is it located beyond your outside interface (like the internet) or within the network (inside)?

2. Can you access the server using its original IP (172.20.36.36)?

Author Comment

by:genseek
ID: 37787671
The client is outside the FW outside interface but is a remote internal network.

We are able to ping the server from Access RouterA. Also, the server VLAN is in a VRF.

Expert Comment

by:Ramakrishna Prabhu
ID: 37787767
Do you have a site-to-site IPsec tunnel between the two locations?
If yes, is the tunnel between the two routers or between Core RouterX and JFW?

Through which IP are you able to ping the server (from Access RouterA)?
From the client machine, can you ping the server using the original IP (172.20.36.36)?

Author Comment

by:genseek
ID: 37787917
There is NO IPsec tunnel involved here.

Expert Comment

by:Ramakrishna Prabhu
ID: 37787933
Through which IP are you able to ping the server (from Access RouterA)?
From the client machine, can you ping the server using the original IP (172.20.36.36)?

Author Comment

by:genseek
ID: 37787980
172.20.36.36 belongs to VLAN 106, which is in a VRF.

I'm able to ping from this VRF, which belongs to the same VLAN the destination server is in.

I'm not able to ping the server using the original IP.

Accepted Solution

by:genseek (earned 0 total points)
ID: 37789880
I'm closing this question, as I got the resolution.

Author Closing Comment

by:genseek
ID: 37805223
I'm closing this question, as I got the resolution.