VLAN issue i think...

I swear this is like my second home...

Anyway so i got a weird problem going on.

A Layer 3 switch (we'll call it Switch1) that has a static route to our DMZ via our Firewall as the next hop.

Thers an server in the DMZ that i can ping on Switch 1.

The WAN Router and Switch router are connected directly together.
I created a static route for the DMZ network and put Switch 1 (VLAN 1's address) as the next hop.

When i try to ping the DMZ network on the WAN router it doesnt ping.
Doing a trace yields Switch 1 as the next hop but it doesnt go any further.

Why is that??

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

networker050184

Did you allow icmp from the outside ip address to the DMZ?

mattsthe2

well switch 1 and the WAN router are inside.
Switch 1 can ping so anything else on that segment should be able to i would think.

Heres a diagram that might help...

(MPLS Cloud)

WAN Router

Switch 1

Firewall

(DMZ)

dtlokee

1. Ensure IP routing is enabled on the switch.
2. Many firewalls do no allow you to ping the interfaces unless you enable it, this may include traceroute and other types of traffic. What model firewall is it? Did you just add the DMZ network? If it's a pix or ASA do you have the necessary NAT rules to allow the traffic through?

Like Jonny5 said "need input"

mattsthe2

dtlokee wrote:

1. Ensure IP routing is enabled on the switch.
2. Many firewalls do no allow you to ping the interfaces unless you enable it, this may include traceroute and other types of traffic. What model firewall is it? Did you just add the DMZ network? If it's a pix or ASA do you have the necessary NAT rules to allow the traffic through?

Like Jonny5 said "need input"

+ IP routing is already enabled.
+ I can ping the inside ip address on Switch 1. However if i ping using "source vlan 1" it fails...

+ I cannot ping the inside ip address of the firewall on WAN Router.
+ The DMZ has been around for a long time
+ The firewall also long time, its a not a Cisco Firewall but an off brand, dont know the details

Basically its a site that we went to add VoIP, so the switches and WAN router are new.

* Note: VLAN 1 is the management VLAN

dtlokee

If the ping fails when you source it from a different interface it sounds like the firewall does not have a route back to that subnet or the firewall is not allowing ping from that subnet to it's interfaces.

mattsthe2

i got a post reply from another site on this issue and i think this guy hit the problem on the head...

Likely the sever doesn't have a route back to the WAN router IP address. When you're pinging it from SW1, by default, you'll be pinging from the SW1-FW link IP address. So it seems reasonable to assume the server is aware of that IP space. But perhaps it doesn't know of the WAN-SW1 IP space?

I would imagine the ping from the WAN router would be coming sourced as the management VLAN, in this case VLAN1 - right?

And VLAN was brand new - something that the Firewall does not know of.

Basically there is a webserver behind the DMZ that we are trying to get a webpage from.

mattsthe2

dtlokee wrote:

If the ping fails when you source it from a different interface it sounds like the firewall does not have a route back to that subnet or the firewall is not allowing ping from that subnet to it's interfaces.

DT- Your timing couldnt have been any better....

Both of you get a cookie here.

- I'll let the firewall dude know tomorrow.