Solved

Trunk between Juniper NetScreen FW and Cisco Switch

Posted on 2012-03-30
13
709 Views
Last Modified: 2012-06-21
Hi,

Client ( 10.25.20.0/24)
   |
Core RouterX
   |
Access RouterA --->AGG Sw1---->JFW----DMZ
                                   |
                                   |
                              ToR Sw1
                          |                 |
                      |                         |
                  Srv1                       Srv2
   (172.20.36.0/24)

172.20.36.36 is NATd with 3.3.3.3 in the FW, client is using the NAT IP to reach Srv1.

Looks like traffic is not hitting the FW at all. I can see trace from client reach up to RouterX and 3.3.3.x network is hostedon RoutrA.

Any help would be great.!!!!

genseek
0
Comment
Question by:genseek
  • 8
  • 5
13 Comments
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37787231
Can you post your configs?
0
 

Author Comment

by:genseek
ID: 37787294
what configs are you seeking?
0
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37787400
Hold on...

If client and the server in the same network, that is behind the firewall and not on two sides of the firewall then i am pretty sure you can not access the server using the nated ip. (with in the same network)

If i am not wrong, your router will drop the packet as it wouldnt be knowing where to find 3.3.3.3 unless you specifically tell the router to forward the packet to fw.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:genseek
ID: 37787438
chesperito,

client and server are NOT in same network, plz see the topology diagram above.

Client is outside the FW and server is in DMZ network.
0
 

Author Comment

by:genseek
ID: 37787523
172.20.36.36  belongs to vlan 106,

There are 2 port channels between FW and AGG switch, Po10 and Po16

From the AGG side, i see Po10 has vlan 100 allowed and Po16 does not have vlan 106 allowed.


i want to check if vlan106 is allowed in the trunk between FW and AGG switch.

How can i see from the juniper FW side? what is the cmd?
0
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37787634
I am still trying to understand your network topology.

1 . When you say client is outside your network, is it located beyond your outside interface(like internet) or with in the network (inside)?

2. Can you access the server using its original ip (172.20.36.36)?
0
 

Author Comment

by:genseek
ID: 37787671
The client is outside the fW outside interface but is a remore internal network.


We are able to ping the server from Access Router A. Also, the server vlan is in VRF.
0
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37787767
Do you have a site to site ipsec tunnel between two locations?
If yes the tunnel is between two routers or Core Router X and JFW?

Through which you are able to ping the server(from access router a)
from client machine can you ping the server using the original ip (172.20.36.36)
0
 

Author Comment

by:genseek
ID: 37787917
There is NO Ipsec tunnel involved here.
0
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37787933
Through which ip you are able to ping the server(from access router a)
from client machine can you ping the server using the original ip (172.20.36.36)
0
 

Author Comment

by:genseek
ID: 37787980
172.20.36.36  belongs to vlan 106 which has VRF.

I'm able to ping from this VRF which belongs to the same vlan the destination server is in.

I'm not able to ping the server using original IP.
0
 

Accepted Solution

by:
genseek earned 0 total points
ID: 37789880
Am closing this question as i got the resolution.
0
 

Author Closing Comment

by:genseek
ID: 37805223
Am closing this question as i got the resolution.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question