VLAN issue I think...
I swear this is like my second home...
Anyway, so I got a weird problem going on.
A Layer 3 switch (we'll call it Switch1) that has a static route to our DMZ via our firewall as the next hop.
There's a server in the DMZ that I can ping on Switch 1.
The WAN router and switch router are connected directly together.
I created a static route for the DMZ network and put Switch 1 (VLAN 1's address) as the next hop.
When I try to ping the DMZ network on the WAN router, it doesn't ping.
Doing a trace yields Switch 1 as the next hop, but it doesn't go any further.
Why is that??
Comments
-
networker050184 Mod Posts: 11,962
Did you allow ICMP from the outside IP address to the DMZ?
An expert is a man who has made all the mistakes which can be made.
-
mattsthe2 Member Posts: 304
Well, Switch 1 and the WAN router are inside.
Switch 1 can ping, so anything else on that segment should be able to, I would think.
Here's a diagram that might help...
(MPLS Cloud)
WAN Router
Switch 1
Firewall
(DMZ)
-
dtlokee Member Posts: 2,378
1. Ensure IP routing is enabled on the switch.
2. Many firewalls do not allow you to ping the interfaces unless you enable it; this may include traceroute and other types of traffic. What model firewall is it? Did you just add the DMZ network? If it's a PIX or ASA, do you have the necessary NAT rules to allow the traffic through?
Like Johnny 5 said, "need input"
The only easy day was yesterday!
-
mattsthe2 Member Posts: 304
dtlokee wrote:
    1. Ensure IP routing is enabled on the switch.
    2. Many firewalls do not allow you to ping the interfaces unless you enable it; this may include traceroute and other types of traffic. What model firewall is it? Did you just add the DMZ network? If it's a PIX or ASA, do you have the necessary NAT rules to allow the traffic through?
    Like Johnny 5 said, "need input"
+ IP routing is already enabled.
+ I can ping the inside IP address on Switch 1. However, if I ping using "source vlan 1" it fails...
+ I cannot ping the inside IP address of the firewall on the WAN router.
+ The DMZ has been around for a long time.
+ The firewall also a long time; it's not a Cisco firewall but an off brand, don't know the details.
Basically it's a site that we went to add VoIP, so the switches and WAN router are new.
* Note: VLAN 1 is the management VLAN
-
dtlokee Member Posts: 2,378
If the ping fails when you source it from a different interface, it sounds like the firewall does not have a route back to that subnet, or the firewall is not allowing ping from that subnet to its interfaces.
The only easy day was yesterday!
-
mattsthe2 Member Posts: 304
I got a post reply from another site on this issue and I think this guy hit the problem on the head...
    Likely the server doesn't have a route back to the WAN router IP address. When you're pinging it from SW1, by default, you'll be pinging from the SW1-FW link IP address. So it seems reasonable to assume the server is aware of that IP space. But perhaps it doesn't know of the WAN-SW1 IP space?
    I would imagine the ping from the WAN router would be coming sourced as the management VLAN, in this case VLAN 1 - right?
And the VLAN was brand new - something that the firewall does not know of.
Basically there is a web server behind the DMZ that we are trying to get a webpage from.
-
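The diagnosis dtlokee gives above (firewall has no route back to the sourcing subnet) and the quoted reply from the other site describe the same asymmetric-routing failure. The following is an added example, not code from this thread or from any of the posters: a small Python model of the topology in the diagram that does longest-prefix-match forwarding hop by hop, then checks both directions of a ping the way "ping x.x.x.x source vlan 1" exercises them. All addresses (10.0.1.0/24 for WAN-SW1 / VLAN 1, 10.0.2.0/24 for SW1-FW, 192.168.50.0/24 for the DMZ) and the function names lpm, trace, ping and with_return_route are constructed for the example; the thread gives no addressing.

```python
import copy
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed lab addressing (assumed; the thread gives no addresses):
#   WAN router <-> Switch 1 (VLAN 1)      10.0.1.0/24      WAN .1, SW1 .2
#   Switch 1   <-> firewall inside leg    10.0.2.0/24      SW1 .1, FW  .2
#   firewall   <-> DMZ                    192.168.50.0/24  FW  .1, server .10
# A route is (prefix, next_hop); next_hop None means directly connected.
Route = Tuple[str, Optional[str]]

LAB = {
    "WAN":    {"addrs": {"10.0.1.1"},
               "routes": [("10.0.1.0/24", None), ("192.168.50.0/24", "10.0.1.2")]},
    "SW1":    {"addrs": {"10.0.1.2", "10.0.2.1"},
               "routes": [("10.0.1.0/24", None), ("10.0.2.0/24", None),
                          ("192.168.50.0/24", "10.0.2.2")]},
    # The firewall knows the SW1-FW link and the DMZ, but nothing about the new
    # VLAN 1 subnet behind Switch 1: that is the misconfiguration being diagnosed.
    "FW":     {"addrs": {"10.0.2.2", "192.168.50.1"},
               "routes": [("10.0.2.0/24", None), ("192.168.50.0/24", None)]},
    "SERVER": {"addrs": {"192.168.50.10"},
               "routes": [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.1")]},
}


def lpm(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the route a forwarding table would pick for dst."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, nh), net.prefixlen
    return best


def owner_of(devices: dict, ip: str) -> Optional[str]:
    """Name of the device that holds interface address ip, or None."""
    for name, dev in devices.items():
        if ip in dev["addrs"]:
            return name
    return None


def trace(devices: dict, start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Walk the forwarding path hop by hop from device start toward dst.
    Returns the devices visited; the last entry is "NO ROUTE" when a hop has
    no usable entry for dst, or "LOOP" if the packet never lands."""
    path, cur = [start], start
    for _ in range(max_hops):
        dev = devices[cur]
        if dst in dev["addrs"]:
            return path                              # delivered locally
        route = lpm(dev["routes"], dst)
        if route is None:
            return path + ["NO ROUTE"]
        _, nh = route
        nxt = owner_of(devices, nh if nh is not None else dst)
        if nxt is None:
            return path + ["NO ROUTE"]               # next hop not on any link
        path.append(nxt)
        cur = nxt
    return path + ["LOOP"]


def ping(devices: dict, start: str, src: str, dst: str) -> Tuple[bool, List[str], List[str]]:
    """Emulate 'ping dst source src' issued on device start. Success needs both
    the echo request to reach dst AND the reply to find a route back to src."""
    fwd = trace(devices, start, dst)
    if fwd[-1] in ("NO ROUTE", "LOOP"):
        return False, fwd, []
    rev = trace(devices, fwd[-1], src)
    return rev[-1] == start, fwd, rev


def with_return_route(devices: dict) -> dict:
    """The fix dtlokee points at: give the firewall a route back to VLAN 1 via Switch 1."""
    fixed = copy.deepcopy(devices)
    fixed["FW"]["routes"].append(("10.0.1.0/24", "10.0.2.1"))
    return fixed


if __name__ == "__main__":
    cases = [("SW1", "10.0.2.1"),    # ping from Switch 1, default source: FW-facing link
             ("SW1", "10.0.1.2"),    # ping from Switch 1 with "source vlan 1"
             ("WAN", "10.0.1.1")]    # ping from the WAN router
    for devices, label in ((LAB, "as built"), (with_return_route(LAB), "with return route")):
        for start, src in cases:
            ok, fwd, rev = ping(devices, start, src, "192.168.50.10")
            print(f"{label:18} {start} src {src:10} -> {'OK ' if ok else 'FAIL'} "
                  f"fwd={'>'.join(fwd)} rev={'>'.join(rev)}")
```

Run as built, the model reproduces the thread's symptoms: the ping from Switch 1 succeeds only when sourced from the firewall-facing link, the "source vlan 1" ping and the WAN router's ping both reach the server but die on the reply at the firewall, which is why the WAN router's traceroute shows Switch 1 and then nothing. Adding the one return route on the firewall makes all three succeed; on a real box the equivalent check is the firewall's routing table for the VLAN 1 subnet plus any ICMP policy on its inside interface.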
mattsthe2 Member Posts: 304
dtlokee wrote:
    If the ping fails when you source it from a different interface, it sounds like the firewall does not have a route back to that subnet, or the firewall is not allowing ping from that subnet to its interfaces.
DT - your timing couldn't have been any better....
Both of you get a cookie here.
I'll let the firewall dude know tomorrow.