Solved

Not able to ping DMZ port on Firewall from the switch.

Posted on 2016-07-15
Last Modified: 2016-07-17
On the firewall, the DMZ2 port connects to the ColoC3750X switch on Gi2/0/21, while the LAN port connects to the Winston-3750sw switch on Gi1/0/1, as shown in the attached diagram and the config files. There is a trunking connection between the two switches.

The big issue is that from the ColoC3750X switch we are NOT able to ping the DMZ2 port IP 10.10.2.1. (But from Winston-3750sw, we are able to ping both 10.10.2.1 and 10.10.2.2.)

Can you please figure out what I missed?
Thanks.

Attachments: Cannot-ping-FW.jpg, coloc3750x-confg, winston-3750sw-confg
Question by: Castlewood

11 Comments

Expert Comment by mrworta (LVL 3)
What does "show interface vlan 102" show?
Maybe you didn't create the VLAN in the VLAN database and the interface is down?

Author Comment by Castlewood
Vlan102 should be up. See the result:

ColoC3750X#sh interface vlan 102
Vlan102 is up, line protocol is up
  Hardware is EtherSVI, address is 4403.a749.b345 (bia 4403.a749.b345)
  Internet address is 10.10.2.2/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:57, output 00:12:56, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     16993 packets input, 2604456 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     675 packets output, 45418 bytes, 0 underruns
     0 output errors, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out

Assisted Solution by mrworta (LVL 3), earned 125 total points
Does the firewall show up in the ARP table of the colo switch? (sh ip arp)
Maybe the firewall is set not to answer pings on the DMZ interface...?

Author Comment by Castlewood
As mentioned earlier, the other switch (Winston-3750sw) is able to ping the DMZ interface without a problem.
Here is the result of sh ip arp (10.10.2.1 is the DMZ interface IP). Is everything OK?

ColoC3750X#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.2.2               -   4403.a749.b345  ARPA   Vlan102
Internet  10.2.6.14               -   4403.a749.b343  ARPA   Vlan60
Internet  10.2.4.14               -   4403.a749.b341  ARPA   Vlan40
Internet  10.10.2.1              36   001e.c9b2.788b  ARPA   Vlan102
Internet  10.2.5.14               -   4403.a749.b342  ARPA   Vlan50
Internet  10.2.0.1               73   0022.91b8.5bc8  ARPA   Vlan100
Internet  10.2.5.20             184   0cc4.7a53.9ec9  ARPA   Vlan50
Internet  10.2.5.18               1   0cc4.7a1f.30ec  ARPA   Vlan50
Internet  10.0.6.57               2   0022.91b8.5bc8  ARPA   Vlan100
Internet  10.10.2.141           138   0015.5d02.f609  ARPA   Vlan102
Internet  10.2.0.199              -   4403.a749.b344  ARPA   Vlan100

Expert Comment by Cheever000 (LVL 9)
I do not see an ARP entry for 10.10.2.1. When you do the ping, did you try sourcing it from VLAN102? You shouldn't have to, but it's worth a try.

As for why the other switch can ping the IP address: by the diagram it is going through the firewall to do so, not via the other switch, since VLAN 102 is not carried on the trunk and it doesn't have an interface in that VLAN.

On the ColoC3750X, can you also do a show vlan
and sho arp dyn int g2/0/21?

Thanks

Author Comment by Castlewood
"I do not see an ARP entry for 10.10.2.1"? Didn't you see it listed? It is the fourth from the top. Isn't that the entry for 10.10.2.1?

How do I ping sourcing from VLAN102?

Here is the result of sh vlan:
ColoC3750X#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active    Gi1/0/20, Gi1/0/21, Gi1/0/22, Gi2/0/20, Gi2/0/22
40   VLAN0040                         active    Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi2/0/15, Gi2/0/16, Gi2/0/17, Gi2/0/18, Gi2/0/19
50   VLAN0050                         active    Gi1/0/1, Gi1/0/2, Gi2/0/1, Gi2/0/2
60   VLAN0060                         active    Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi2/0/5, Gi2/0/6, Gi2/0/7, Gi2/0/8, Gi2/0/9, Gi2/0/10, Gi2/0/11
                                                Gi2/0/12, Gi2/0/13, Gi2/0/14
100  VLAN0100                         active
101  VLAN0101                         active
102  Vlan102                          active    Gi1/0/3, Gi1/0/4, Gi2/0/3, Gi2/0/4, Gi2/0/21
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
40   enet  100040     1500  -      -      -        -    -        0      0
50   enet  100050     1500  -      -      -        -    -        0      0
60   enet  100060     1500  -      -      -        -    -        0      0
100  enet  100100     1500  -      -      -        -    -        0      0
101  enet  100101     1500  -      -      -        -    -        0      0
102  enet  100102     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

"sho arp dyn int g2/0/21" is not a valid command.

Expert Comment by Cheever000 (LVL 9)
#1 You are correct, I am blind.
#2 ping x.x.x.x source vlan 102
#3 Sorry again, thinking too fast; it is sho mac add dyna int g2/0/21

Assisted Solution by SIM50 (LVL 13), earned 125 total points
Check your firewall logs to see if it is dropping your pings from the colo switch.

Accepted Solution by Predrag Jovic (LVL 26), earned 250 total points
Internet  10.10.2.1              36   001e.c9b2.788b  ARPA   Vlan102
If you are not able to ping it from the ColoC3750X, that simply means that the firewall is set not to respond to pings, as SIM50 already wrote. You have basic connectivity (what is the security level set on that firewall interface?).
If you are trying to ping the DMZ from devices that are placed in other VLANs and you are using ColoC3750X as the default gateway, you do not have routing enabled. Since it is a directly connected interface from switch ColoC3750X, you should be able to ping IP address 10.10.2.1, especially since you have the MAC address in the CAM table.
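The diagnostic reasoning in the accepted solution (a dynamic ARP entry for 10.10.2.1 on Vlan102 proves layer-2 reachability from the switch, so a failed ping points at the firewall's policy rather than at the switch) as an added Python example; it is not part of the original thread. The ARP table is a constructed abridgement of the one posted above, and the function names are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an abridged copy of the "show ip arp" output from the thread.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.2.2               -   4403.a749.b345  ARPA   Vlan102
Internet  10.10.2.1              36   001e.c9b2.788b  ARPA   Vlan102
Internet  10.2.0.1               73   0022.91b8.5bc8  ARPA   Vlan100
Internet  10.10.2.141           138   0015.5d02.f609  ARPA   Vlan102
"""

# One IOS ARP row: protocol, IP, age ("-" for the switch's own SVI), MAC, type, SVI.
ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)", re.M)

@dataclass
class ArpEntry:
    ip: str
    mac: str
    interface: str
    age_min: Optional[int]  # None means the address is the switch's own SVI ("-")

def parse_show_ip_arp(text: str) -> dict[str, ArpEntry]:
    """Parse IOS 'show ip arp' output into a dict keyed by IP address."""
    entries: dict[str, ArpEntry] = {}
    for m in ARP_RE.finditer(text):
        age = None if m["age"] == "-" else int(m["age"])
        entries[m["ip"]] = ArpEntry(m["ip"], m["mac"], m["intf"], age)
    return entries

def diagnose(arp_text: str, target_ip: str, expected_vlan: str, ping_ok: bool) -> str:
    """Apply the thread's reasoning to a failed ping toward a directly connected host."""
    entry = parse_show_ip_arp(arp_text).get(target_ip)
    if entry is None:
        return "no ARP entry: check port VLAN assignment, trunking and SVI state first"
    if entry.age_min is None:
        return "address belongs to this switch itself, not to the target"
    if entry.interface != expected_vlan:
        return f"ARP learned on {entry.interface}, not {expected_vlan}: check port VLAN"
    if ping_ok:
        return "reachable"
    # Layer 2 works (the target answered ARP on the right SVI), so the ping is being
    # dropped by the target's own policy: check the firewall rules and logs for the DMZ.
    return f"layer 2 OK (MAC {entry.mac} learned on {entry.interface}); ping dropped by target policy"
```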

Expert Comment by Predrag Jovic (LVL 26)
Also, any particular reason for this?
hostname ColoC3750X

!
interface Vlan40
 ip address 10.2.4.14 255.255.255.0
!
interface Vlan50
 ip address 10.2.5.14 255.255.255.0
!
interface Vlan60
 ip address 10.2.6.14 255.255.255.0
!
interface Vlan100
 ip address 10.2.0.199 255.255.255.0

hostname Winston-3750sw

!
interface Vlan40
 ip address 10.2.4.1 255.255.255.0
!
interface Vlan50
 ip address 10.2.5.1 255.255.255.0
!
interface Vlan60
 ip address 10.2.6.1 255.255.255.0
!
interface Vlan100
 ip address 10.2.0.1 255.255.255.0
I mean, except wasting a few IP addresses?
If hosts are not configured to use both SVIs as default gateway (to distribute traffic load between switches, or whatever), it just creates confusion.

Author Closing Comment by Castlewood
The DMZ2 interface on the firewall was newly created, so it had no rules at all. As a result, no incoming traffic was allowed. That is why.
Thank you guys.