Routing issue between Cisco device and Virtual machine

Hi Guys,
We have two local subnets in a virtualized environment, subnet 1 has a VM operating as a firewall, we would like all traffic for subnet 2 to go via VM on subnet 1, this will police traffic on subnet 2 and then reroute.  
The infrastructure involved comprises,
Internet Edge Switch -> ASA -> Core Switch -> IBM Flex chassis
The Internet edge switch is directly connected between the ISP routers and the Cisco ASA firewall pair (A/S). The ASA is then connected to the Core switch. Connected from the core switch is an IBM Flex chassis, via a port channel (all vlans allowed)
The local subnets in question are as follows:
Vlan 101 (
Vlan 102 (
The VM in question has two NIC cards having IP address of both subnets.
NIC 1:
NIC 2:
We would like packets destined for to land on IP address. At the moment traffic for each vlan routes from the outside to their respective local subnets successfully, what we are having difficulty with is directing traffic for subnet 2 via subnet 1 VM firewall.
At the moment we have tried adding a static route on the core switch but it didn’t work
ip route
I would appreciate it if you could share your knowledge and guide me on how to achieve this goal.
Thanks in advance :-)

I think for this to work you need a transit vlan between the VMs and the core switch. So, if you have 2 vlans on the VM (101 and 102) you use the VM switch to route between the vlans and in order to go outside the local vlans you would use the core switch. In this scenario you would not have an SVI (layer-3) interface on the core. The only thing that core will have is the layer-2 vlans (101 and 102). You would then need a static route on the core switch to point to the transit vlan on the VM side.
So, for example, if the transit vlan is vlan 110 and the ip is
On the core you have static routes:
ip route (VM side)
ip route (VM side)
You also need an SVI for vlan 110 with ip address on the core.
On the VM you need a default route to point to the core (
Is this what you are trying to do?

Similar Messages

  • Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis

    We have configured Cisco Nexus 7K9 as core and Cisco 4510 R+E as access switches for Server connectivity.
    We are experiencing problem in terms of ARP learning and Ping issues between Cisco Nexus and end hosts.

    So you have N7k acting as L3 with servers connected to 4510?
    Do you see the MAC associated with failing ARP in 4510? Is it happening with all or few servers? Just to verify if it is a connectivity issue between N7k and 4510, you can configure an SVI on 4510 and assign an address from the same range (server/core range) and perform a ping.
    This will help narrow down if issue is between server to 4510 or 4510 to N7k.

  • Connectivity issues between Cisco 2901 and Cisco SG300-52

    I am having some serious connectivity issues between the hosts in my LAN.
    My LAN is based on a Cisco 2901 router and a Cisco SG300-52 port switch.
    The issue that has been happening is that connections between hosts on the LAN (remote desktop, extended ping, etc.) are very unstable; at some point I can see 35% lost packets on an extended ping. This happens at any time of the day and from any host.
    All hosts are on the same Vlan (default Vlan) and on the same subnet. Some hosts have fixed IP addresses (servers and network equipment) and others obtain their IP address through a DHCP reservation established on the router (reserved with the MAC address of every host).
    I can provide further details if needed, because this issue is very serious and I would really appreciate any insight or support.
    Many thanks in advance.
    Sair Amer
    EDIT:  After doing every test we could think of, we finally found the reason behind this problem.
    It turns out that the switch has problems handling communications between clients at different speeds, because most of the hosts connected were working at 100 Mbps but the servers were working at 1000 Mbps (and the communication between host and servers wasn't stable).
    After manually setting the speed on all ports to 100 Mbps the problems have stopped.
    Many thanks for your help on this issue.

    Building configuration...
    Current configuration : 4123 bytes
    ! Last configuration change at 12:06:16 PCTime Sat Jul 19 2014 by ccp
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Foninsa
    no logging buffered
    enable secret 5 $1$BDbJ$HN3VP8nmywrGB55RCxPd30
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local 
    aaa session-id common
    clock timezone PCTime -4 0
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 12 2003 12:00
    no ip cef
    ip dhcp excluded-address
    ip dhcp excluded-address
    ip dhcp pool FONINSA
    ip dhcp pool Laptop-Sporta-Wifi
    ip name-server
    ip name-server
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-213585710
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-213585710
     revocation-check none
     rsakeypair TP-self-signed-213585710
    crypto pki certificate chain TP-self-signed-213585710
     certificate self-signed 01
      30820229 30820192
    license udi pid CISCO2901/K9 sn
    license boot module c2900 technology-package securityk9
    username ccp privilege 15 password
    interface Embedded-Service-Engine0/0
     no ip address
    interface GigabitEthernet0/0
     ip address
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    no ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 21 21 extendable
    ip nat inside source static tcp 80 80 extendable
    ip nat inside source static udp 1194 1194 extendable
    ip nat inside source static tcp 3389 3389 extendable
    ip nat inside source static tcp 3389 10000 extendable
    ip nat inside source static tcp 3389 20000 extendable
    ip route
    access-list 1 permit
    line con 0
     password $
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 5
     access-class 23 in
     privilege level 15
     password #
     transport input telnet ssh
    no scheduler allocate

  • 3945 Router Issue between WAAS Module and IOS Firewall

    I have a new 3945 router with a SM-SRE-900 module for WAAS. The 3945 also has IP inspection configured. When IP inspection and WCCP redirection were running at the same time, user connections to the data center were all lost. With just IP inspection or WCCP redirection, but not both, user connections were good.
    I'm feeling the problem is IP inspection not WAAS aware. I tried "ip inpsect waas enable", but the command was not available. The 3945 router, SM-SRE module, and the IOS code, are all newest versions. So I was wondering if anyone has seen the similar issues and had experience of enabling WAAS through IP inspection on those new products.
    Here is the configuration info:
    3945 G2 ISR: IOS 15.1(1)T1;
    SM-SRE-900: WAAS 4.2.3 build7;
    3945 LAN interface: ip inspection in and ip wccp 61 redirect in
    3945 WAN interface: ip wccp 62 redirect in
    3945 SM 1/0 interface: internal connection to SM-SRE module
    Between 3945 and SM-SRE module: WCCP GRE redirection and IP Forwarding return.
    If you are aware of any 15.1(1)T1 bugs that may be related, please let me know too.
    Thanks for any help.

    This is in general for IOS / ISR. On CCO we have a very good document for ZBFW and WAAS integration, see below
    If you still need to run CBAC, then recommended solution in my first post should work for you.
    If the router is in the middle of the TCP optimization path, then depending upon the optimization product you need to configure the firewall feature like any other firewall. For Cisco WAAS we have "ip inspect WAAS enable".
    Hope this has answered your question. Thanks.
    Ahsan Khan

  • Account Lockout issue between Apple devices and Exchange 2003

    I have been having an ongoing issue for a couple of months with a few different users' Apple devices locking out their accounts in AD when they try to authenticate to ActiveSync. This doesn't happen every time they authenticate, it seems to be random, while the rest of the time they have access to their email. It might occasionally happen with an Android, but not on a repetitive basis like this.
    Primarily this has been four different iPads, running different versions of iOS, and an iPhone running the latest release of iOS 7.  Other iPhones and iPads function without having the problem, including iPhones on iOS 7.  
    The user accounts in question are set to never have their passwords expire, but again, they aren't the only users that are set like this, and those other users, even with Apple devices are not having the same problem.
    I used NetWrix to trace out the source machine, which is my Exchange 2003 server and times, and I've checked the W3SVC1 log file, and come up with the following as an example with identification details masked:
    <internal IP>, <Domain\Username>, 4/30/2014, 8:10:04, W3SVC1, <ServerName>, <internal IP>, 15, 329, 3367926, 200, 0, GET, /exchange-oma/<[email protected]>/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplV50462*****/eb53cd5d5b9fcf40****************-20ef44,
    As I was typing this, the owner of the iPad from the log file above came by my desk, so I asked a couple more questions. He's never had another iPad, it's a gen 1, and he's never updated the iOS on it. I know one of the other iPads in question has the most up to date iOS, and the other one is brand new, replacing one that was broken, but the owner of that one had the same issue on a 3 year old iOS.
    There is nothing special about the user accounts, no special privileges or restrictions.
    Has anyone encountered this before?  Exchange 2003, Server 2003 in a 2008 domain.  Promotion to the 2008 domain was 2 years ago.

    Hi Brian,
    I am so sorry for the delay.
    Do you have any progress by now?
    Since there are lots of devices which use user accounts to log on, failed logon attempts on these devices could be the cause for account lockout.
    If this issue persists, I suggest you refer to these troubleshooting articles below:
    Troubleshooting account lockout the PSS way
    Troubleshooting Account Lockout
    In addition, you can also get efficient support at Active Sync forum below:
    Best Regards,

  • The difference of the IEEE802.1x Auth between Cisco Routers and Catalyst switches

    I am investigating the difference of the IEEE802.1x Auth between Routers and Switches.
    Basically dot1x auth is available on Catalyst Switches. However, if I want to check to
    PortBased Multi-Auth, MAC address Auth and any certification Auth with this feature,
    is it possible to integrate into Cisco Router such as Cisco 891F?
    In my opinion Cisco891F is also available to use basic IEEE802.1x but if it compares with Catalyst switches such as Cat3560X
    I think there might be any unsupported feature on Cisco 891F.
    I appreciate any information. thank you very much in advance.
    Best Regards,
    Masanobu Hiyoshi

    Many times in interviews I was asked for a comparison between Cisco routers and switches, and I was answerless because I don't have much knowledge about that. Can anyone provide me a comparison sheet of how the Cisco devices differ from each other, how much bandwidth each router supports, etc.?
    Ummmm ... The most common question I get is "what is the difference between a router and a switch".
    However, if you get a question like this, then my impressions of this line of questioning are:
    1.  The candidate they are looking for has in-depth knowledge of routers and switches.  And I mean IN-DEPTH!;
    2.  They are not looking for a candidate.  They just want to stroke their ego.  There are not a lot of people who can give you the "names and numbers" of routers and switches at a snap of a finger.  And if you do happen to know the answer, then and there, then expect a tougher follow-up question.

  • GRE IPSec between Cisco 2811 and FortiGate 110C

    Does anybody know if it is possible to configure GRE IPSec tunnel between Cisco 2811 router and FortiGate 110C firewall? I know that FortiGate supports IPSec and GRE tunnels, but maybe somebody succeeded in establishing an IPSec GRE between those routers? Could you also give a link to the appropriate documentation if it is possible?

    You can configure the GRE tunnel on the 2811.
    I'm aware that you can configure sort of a GRE tunnel on the Fortinet as well, but I have not seen a GRE tunnel between a Cisco and other vendor.
    I've only seen GRE tunnels between Cisco devices (however I have not tried it to assure you that it will not work :-()

  • "USB device not recognized." "The connection between your device and the desktop could not be established. Please check your setup and try again." Tungsten E2, Outlook 2007

    I am running XP SP 2, on a Dell Vostro 1000, Palm OS Garnet v5.4.7 on a Tungsten E2. I have worked though issues relating to synchronization, Outlook 2007, Docs to Go, etc., in the past.  Thank you board members! 
    Once I worked thru all the initial problems, my Tungsten E2 was syncing beautifully to my laptop until a few days ago.  There have been no changes (I know of) to the configuration, but now I receive "The connection between your device and the desktop could not be established.  Please check your setup and try again."  On the laptop I sometimes get "USB device not recognized."  I am unclear why I get the PC message sometimes and not others.
    I have tried the following: (not necc exactly in this order)
    Double checked Hot Sync Mgr settings: Local USB (ver. 6.0.1)
    Reset the Palm (multiple times)
    Rebooted the laptop  (multiple times before and after the Palm resets)
    Went to Support Libraries including,/?St=57,E=0000000001060189973,K=9550,Sxi=3,Case=Obj(3695...)
    Followed the steps in "Start Here" found at 
    Moved Backup directory as per a post on this forum
    Looked for and deleted a file called "Graffiti_ShortCuts_____________" per a post on this forum
    Followed the steps in HotSync troubleshooter guide you can run through located on
    Went into Device Manager - found it shows no yellow ! 's
    Followed Device Mgr Troubleshooter - went all the way thru with no solution 
    Tried all four USB ports - the PC's bell-like tone does not sound when I disconnect or reconnect the Palm's cradle like it does when I conn/disconnect other USB devices - I think that is a clue.    ...?
    Cleaned the Palm's contacts (and cradle's contacts with a old, dry toothbrush)
    Read all the posts under "USB device not recognized." 
    OK, I'm at a loss, can anyone help me?  Many thanks in advance! 
    Post relates to: Tungsten E2

    Using a cradle with the Tungsten E2?  Tried bypassing the cradle and just use the hotsync cable?  Tried a different computer yet?  Somehow, the PC is having problems getting a signal from the device.  I assume you have the laptop charger plugged into the laptop during this?  Not going through a docking station or port-replicator.
    One crazy thing you can try is unplug the charger from your laptop, remove the battery from the laptop and leave it out for like 10mins and put it back in and reboot the laptop.  This should not cause side effects but still contact your OEM to make sure that nothing else is needed after leaving the battery out for extended period of time.  Keep me posted.
    Post relates to: Treo 650 (Unlocked GSM)

  • 2008r2 RDS Copy / Paste issue between remote app and client

    I am running a 2008r2 Remote App server with Win7/XP(sp3) clients.  All devices are up to date on current service packs and patches.  I can open RDWeb applications and paste between other RDWeb applications, but cannot paste from RDWeb to local applications.  I can also paste between various locally running applications, but not from a local application to an RDWeb application.  Each machine is maintaining its own paste buffer, but not exchanging between the server and local machine.
    I have tried using different applications on both local and remote app, with the same results (Word, excel, notepad).
    I have verified the client and server settings are set to allow printer and clipboard resources, and have verified that there are no GPO's applied to either the server or client.
    I have tried to include as much relative information as I can, please feel free to ask any questions and I will do my best to get back to you as quickly as possible.
    Any help resolving this is most appreciated!

    Hi Sean,
    I wish most of the posters would be as detailed as you are. Good troubleshooting! :)
    Two things to try:
    1) when you connect DIRECTLY to the server via MSTSC and set a checkbox in the OPTIONS/Local Resources - to share Clipboard - do you then get the Copy paste working?
    IF SO
    2) Then please make sure that the Published applications - RemoteApp - have an additional line (Custom RDP settings) in properties (you might need to recreate the RemoteApp's
     then it should work.

  • Oracle VM 3.1.1: Using iSCSI LUN's as Device-Backed Virtual Machine Disks?

    Will Oracle VM Manager 3.1.1 support the use of iSCSI LUN's as device-backed virtual machine disks? i.e., Can iSCSI LUN's be treated like directly-attached storage (DAS) and used as virtual machine disks?
    Eric Pretorious
    Truckee, CA

    user12273962 wrote:
    I don't personally use ISCSI. BUT, I don't see why you can't create physical pass through attachments to virtual guests using ISCSI LUNS. It is no different than FC or direct attach storage. Worst case scenario... you can create a repo on the ISCSI LUN and then create virtual disks.
    Oracle VM Getting Started Guide for Release 3.1.1, Chapter 7. Create a Storage Repository
    A storage repository is where Oracle VM resources may reside... Resources include virtual machines, templates for virtual machine creation, virtual machine assemblies, ISO files (DVD image files), shared virtual disks, and so on. This would have the effect of using file-backed virtual machine disks but at least they'd be centrally-located on shared storage (and, therefore, the virtual machine could run as an HA guest)
    budachst wrote:
    I have kicked this idea around as well, but I decided do it slightly different, by providing the storage repo via multipathed iSCSI and use iSCSI within my guests if needed for better speed or lower disk latency.
    If you want to use iSCSI as the virtual devices for your guests in a clustered server pool, you'd have to grant access to all of your iSCSI targets to any VM server and I was not feeling comfortable with that. I rather grant only the guest directly access to "its" iSCSI target. So I will keep all of my guests system images on the clustered server pool - and additionally also the virtual disks that don't need a high performance and have the really heavy-duty vdisks as separate iSCSI targets.
    That seems logical, Budy:
    1. Use a multipathed iSCSI repository for hosting the virtual machine's disk image, and then;
    2. Utilize iSCSI LUN's for "more performant" parts of the guest's file system (e.g., /var).
    I'm still puzzled about that image, though, i.e., the fourth image from the bottom of Chapter 7.7, "Creating a Virtual Machine" ("To add a physical disk:...") where it's clear that the existing "physical" disks are actually iSCSI LUN's that are attached to the OVM server.
    I suppose that I'll have to configure some iSCSI LUN's and try it out to be certain. Just another tool that I don't have but will need to add to my toolbox.

  • I am having one application which i am going to install on my ipad and i am having one external device having USB interface. I want to have communication in between  my device and ipad over USB/BT. is it possible

    My external device is having male USB connector. The cables available in market can be plugged to the device having female connector. I will need converter in between as my device is having male connector. Can I get such cable? If yes, can I establish communication in between my app and device over these cables? I am not passing any audio/video data or photos. I am sending data frames. My device is having firmware and it sends data frames in firmware understandable format. Let me know can I have two way communication in between over USB/BT?
    Right now i am connecting my device with host PC and i want to replace my host PC with ipad.

    Will it be possible to establish communication in between my device and app? Because camera connection kit only transfers photos and videos and my device doesn't have any audio/video data.
    If yes, should I add photo header to my frames and send as corrupted photo file, or what needs to be implemented so that I can have sound communication in between?

  • My 1st Generation time capsule won't connect to the internet thru a new motorola sb6121 - get continuously flashing yellow light. Using a router in between the modem and capsule yields good but slower connection to internet. Any thoughts?

    My 1st Generation time capsule won't connect to the internet thru a new motorola sb6121 - get continuously flashing yellow light. Using a router in between the modem and capsule yields good but slower connection to internet. Any thoughts?

    Thanks for your response
    Let me give the history - I started with an Apple Express being fed thru a D-Link  EBTR 2310 cable Router from an RCA DCM315 Modem (Pure). Comcast service all the way.
    Got the 1st generation TC in 2008 and merely replaced the Airport Express with the TC. Worked ok
    A year or two ago I did try removing the modem and feeding the TC directly from the modem. Resulted in the same condition I have now - Continuous flashing amber on the TC. So I put the router back in the chain.
    Some time later, at the recommendation of a Comcast rep, I replaced the router with (a Belkin F5D 5231) to see if speed and dropout problems would be improved. I thought it helped some at the time but now I am not so sure.
    Last week I decided to see if a new modem would help with download speeds. So I got another pure cable modem (Motorola SB 6121- high on the Comcast recommended list).
    Got up and running easily with Comcast help and with the modem connected directly to a computer.
    Next I put the TC in the link and again could not get past the TC continuing to flash amber. Although I did get connected to the internet with this configuration I lost connection to both of my printers - one connected by USB and the other wirelessly to the TC. Again everything works fine when I put the Belkin router back in the system.
    However with the router in there, the modem shows the downstream connection to be 10/100 ethernet speed. (Modem light changes color for indicating speeds.)
    I have gone thru all of the combinations of powering down/ up, but all stays the same.
    I can live with what I have but something still doesn’t seem right.
    Thanks again

  • What's the difference between time capsule and time machine?

    What is the difference between time capsule and time machine?

    See Using Time Machine with a Time Capsule.

  • How can i troubleshoot a "software conflict between a device and something in my original user account"

    my canon video camera (HV20) wasn't being recognised by iMovie (error system report was "Unable to list FireWire devices".)
    in researching a solution i came across some firewire advice in which suggests there may be a "software conflict between the device and something in your original user account."
    i changed to another account on my iMac and my camera connected immediately.
    is anybody able to explain how i go about fixing this "software conflict".
    many thanks

    With the quit and using the Finder, go to Home > Library > Mail > Mailboxes > Outbox.mbox.
    The Outbox.mbox represents "Out" in the mailboxes drawer and is shared by all accounts.
    Delete the Outbox.mbox and empty the Trash.
    Launch Mail and a new Outbox.mbox will be created automatically by Mail within the Mailboxes folder and this should resolve the problem.

  • How to enable diagnostics in cloud services and virtual machine

    Hi All,
    I need to enable diagnostics  for cloud services and virtual machine in our
    cloud environment. I referred the below link.
    Installed azure SDK 2.5 and cloud services instance is not displayed for cloud services in Visual studio 2013. Please provide the steps to enable at run time. 
    1) How to enable this diagnostics at run time.
    2) How to enable event logs for cloud and Virtual machine
    3) How to get the event log data from REST API.
    Please help to resolve this.

    hi Rathidevi,
    In addition, you could enable diagnostics feature on VM from this blog:
    Please refer to it.
