VLAN issue i think...

mattsthe2 · March 2008

I swear this is like my second home...

Anyway so i got a weird problem going on.

A Layer 3 switch (we'll call it Switch1) that has a static route to our DMZ via our Firewall as the next hop.

Thers an server in the DMZ that i can ping on Switch 1.

The WAN Router and Switch router are connected directly together.
I created a static route for the DMZ network and put Switch 1 (VLAN 1's address) as the next hop.

When i try to ping the DMZ network on the WAN router it doesnt ping.
Doing a trace yields Switch 1 as the next hop but it doesnt go any further.

Why is that??

networker050184 · March 2008

Did you allow icmp from the outside ip address to the DMZ?

mattsthe2 · March 2008

well switch 1 and the WAN router are inside.
Switch 1 can ping so anything else on that segment should be able to i would think.

Heres a diagram that might help...

(MPLS Cloud)

WAN Router

Switch 1

Firewall

(DMZ)

dtlokee · March 2008

1. Ensure IP routing is enabled on the switch.
2. Many firewalls do no allow you to ping the interfaces unless you enable it, this may include traceroute and other types of traffic. What model firewall is it? Did you just add the DMZ network? If it's a pix or ASA do you have the necessary NAT rules to allow the traffic through?

Like Jonny5 said "need input"

mattsthe2 · March 2008

dtlokee wrote:

1. Ensure IP routing is enabled on the switch.
2. Many firewalls do no allow you to ping the interfaces unless you enable it, this may include traceroute and other types of traffic. What model firewall is it? Did you just add the DMZ network? If it's a pix or ASA do you have the necessary NAT rules to allow the traffic through?

Like Jonny5 said "need input"

+ IP routing is already enabled.
+ I can ping the inside ip address on Switch 1. However if i ping using "source vlan 1" it fails...

+ I cannot ping the inside ip address of the firewall on WAN Router.
+ The DMZ has been around for a long time
+ The firewall also long time, its a not a Cisco Firewall but an off brand, dont know the details

Basically its a site that we went to add VoIP, so the switches and WAN router are new.

* Note: VLAN 1 is the management VLAN

dtlokee · March 2008

If the ping fails when you source it from a different interface it sounds like the firewall does not have a route back to that subnet or the firewall is not allowing ping from that subnet to it's interfaces.

mattsthe2 · March 2008

i got a post reply from another site on this issue and i think this guy hit the problem on the head...

Likely the sever doesn't have a route back to the WAN router IP address. When you're pinging it from SW1, by default, you'll be pinging from the SW1-FW link IP address. So it seems reasonable to assume the server is aware of that IP space. But perhaps it doesn't know of the WAN-SW1 IP space?

I would imagine the ping from the WAN router would be coming sourced as the management VLAN, in this case VLAN1 - right?

And VLAN was brand new - something that the Firewall does not know of.

Basically there is a webserver behind the DMZ that we are trying to get a webpage from.

mattsthe2 · March 2008

dtlokee wrote:

If the ping fails when you source it from a different interface it sounds like the firewall does not have a route back to that subnet or the firewall is not allowing ping from that subnet to it's interfaces.

DT- Your timing couldnt have been any better....

Both of you get a cookie here.

- I'll let the firewall dude know tomorrow.

VLAN issue i think...

Comments