Cisco C6500 CSM - Real server cannot ping its VIP.
I've been running into an issue with Cisco CSM for a number of years, but always found a way around it. I'm attempting to get to the bottom of this to find out once and for all if this is in fact a limitation of the device, or if a config issue/workaround is possible.
Here is my situation. My CSMs are configured in bridging mode. Traffic works great, and traffic bridges across VLANs correctly. Everything works and I have many instances of similar configurations running in production. Every once in a while, a client requests that a "real" server (i.e. LWCMW-021) cannot ping its VIP address (10.95.88.68). I am assuming this is related to the NAT server, but I'm not 100% sure. Clients have requested this functionality for some type of application-based purpose, but I'm unaware if the CSM in bridging mode can provide this or not.
Any suggestions?
real LWCMW-021
  address 10.95.88.59
  inservice
real LWCMW-022
  address 10.95.88.60
  inservice
serverfarm LWCMW-80
  nat server
  no nat client
  real name LWCMW-021 80
    inservice
  real name LWCMW-022 80
    inservice
  probe HTTP-80 (defined elsewhere)
vserver LWCMW-80
  virtual 10.95.88.68 tcp WWW
  vlan 120
  serverfarm LWCMW-80
  persistent rebalance
  inservice
Sorry for giving false hope. It is only possible in the ACE module. In the case of CSM I believe we can only use a workaround.
In the case of ACE we can bind the virtual IP to multiple VLANs. In that case we see ARP entries like this:
10.10.10.111 e0.5f.b9.a1.72.2b vlan345 VSERVER LOCAL _ up
10.10.10.111 e0.5f.b9.a1.72.2b vlan346 VSERVER LOCAL _ up
As the virtual IP is not bound to a particular VLAN in the case of CSM, it does not work here, but I can say for sure it is expected behavior.
The logic would be that the server tries to resolve the ARP for the virtual IP and does not get a response.
In my case the virtual IP is 10.10.10.111; before applying the policy on ACE you can see that it is exhibiting the same behaviour:
Time   Vmware_b4:72:11 (10.10.10.11) -> Broadcast
0.000  ARP: Who has 10.10.10.111? Tell 10.10.10.11
0.999  ARP: Who has 10.10.10.111? Tell 10.10.10.11
1.998  ARP: Who has 10.10.10.111? Tell 10.10.10.11
3.014  ARP: Who has 10.10.10.111? Tell 10.10.10.11
4.014  ARP: Who has 10.10.10.111? Tell 10.10.10.11
(Wireshark flow graph: only repeated ARP requests from 10.10.10.11 to Broadcast; no reply for 10.10.10.111 appears.)
Hope that helps.
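The answer's diagnosis is that the real server's ARP request for the VIP is never answered, which is why the flow graph shows nothing but retransmitted requests. The following Python script is an added example (not the poster's capture tooling and not Cisco's code): it pairs ARP requests with replies in a tshark-style one-line summary and reports every target address that was asked for but never answered within a grace window, which is the check a practitioner would run against a capture from the real server before concluding that the CSM is behaving as described. The capture lines, the two regular expressions, the one-second grace window and the gateway address 10.10.10.1 with its MAC are constructed assumptions; the 10.10.10.11 and 10.10.10.111 addresses mirror the answer above.

```python
"""Find ARP requests that never received a reply in a tshark-style summary.

Added example for the CSM thread above; not the poster's or Cisco's code.
The sample capture is constructed to mirror the flow graph in the answer:
the real server (10.10.10.11) asks for the VIP (10.10.10.111) five times and
never hears back, while a normal resolution of the gateway (10.10.10.1,
assumed address and MAC) succeeds.
"""
import re
from collections import defaultdict

# Constructed sample; the format mimics one-line `tshark -Y arp` output:
# <frame> <time> <src> -> <dst> ARP <len> <info>
SAMPLE_CAPTURE = """\
1 0.000 Vmware_b4:72:11 -> Broadcast ARP 60 Who has 10.10.10.111? Tell 10.10.10.11
2 0.999 Vmware_b4:72:11 -> Broadcast ARP 60 Who has 10.10.10.111? Tell 10.10.10.11
3 1.998 Vmware_b4:72:11 -> Broadcast ARP 60 Who has 10.10.10.111? Tell 10.10.10.11
4 2.500 Vmware_b4:72:11 -> Broadcast ARP 60 Who has 10.10.10.1? Tell 10.10.10.11
5 2.501 Cisco_00:00:01 -> Vmware_b4:72:11 ARP 60 10.10.10.1 is at 00:00:0c:00:00:01
6 3.014 Vmware_b4:72:11 -> Broadcast ARP 60 Who has 10.10.10.111? Tell 10.10.10.11
7 4.014 Vmware_b4:72:11 -> Broadcast ARP 60 Who has 10.10.10.111? Tell 10.10.10.11
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
REQUEST_RE = re.compile(rf"Who has (?P<target>{IPV4})\? Tell (?P<sender>{IPV4})")
REPLY_RE = re.compile(rf"(?P<target>{IPV4}) is at (?P<mac>[0-9a-fA-F:]{{17}})")


def parse_arp_summary(text):
    """Return a list of (time, kind, target_ip, extra) tuples.

    kind is "request" (extra = the asking host) or "reply" (extra = the MAC
    answered). Lines that are not ARP requests or replies are skipped.
    """
    events = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) < 3:
            continue
        try:
            ts = float(fields[1])  # second column is the capture timestamp
        except ValueError:
            continue
        m = REQUEST_RE.search(line)
        if m:
            events.append((ts, "request", m["target"], m["sender"]))
            continue
        m = REPLY_RE.search(line)
        if m:
            events.append((ts, "reply", m["target"], m["mac"].lower()))
    return events


def unanswered_arp(events, grace=1.0):
    """Map each target IP to the number of requests for it that got no reply
    within `grace` seconds (1 s assumed, a typical OS retransmit interval).
    Targets whose every request was answered are omitted from the result.
    """
    replies = defaultdict(list)
    for ts, kind, target, _ in events:
        if kind == "reply":
            replies[target].append(ts)
    unanswered = defaultdict(int)
    for ts, kind, target, _ in events:
        if kind != "request":
            continue
        if not any(ts <= r <= ts + grace for r in replies[target]):
            unanswered[target] += 1
    return dict(unanswered)


def report(text):
    """Print a human-readable summary and return the unanswered map."""
    result = unanswered_arp(parse_arp_summary(text))
    for target, count in sorted(result.items()):
        print(f"{target}: {count} ARP request(s) never answered; if this is a VIP "
              "on a bridged CSM, that matches the expected behaviour described above")
    return result


if __name__ == "__main__":
    report(SAMPLE_CAPTURE)
```

Run it against a real capture by piping `tshark -Y arp` output into `report()`; the gateway line in the sample is there to show that the script only flags targets that genuinely go unanswered, not every ARP request on the wire.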
Similar Messages
I cannot ping any VIP from within the ACE or from rservers
I cannot ping any VIP from within the ACE or from rservers. Is this expected? I have rservers in other serverfarms that need to be able to communicate with the VIP of other serverfarms. Any help is greatly appreciated.
Thanks for your reply. Here is the config. I removed other rserver and serverfarm config that does not have to do with this issue.
logging enable
logging fastpath
logging standby
logging console 4
logging timestamp
logging trap 4
logging history 4
logging buffered 4
logging persistent 4
logging monitor 4
logging device-id hostname
logging host 172.26.254.185 udp/514
logging host 172.26.221.25 udp/514
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
access-list INBOUND line 24 extended permit tcp any any
access-list INBOUND line 32 extended permit udp any any
access-list ORADB line 8 extended permit tcp any any
probe http CITRIX
interval 30
passdetect interval 15
passdetect count 6
open 1
probe tcp HYPERION
port 19000
interval 2
faildetect 2
passdetect interval 2
passdetect count 2
receive 2
open 1
probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5
probe tcp W15SPSWFET001_PROBE
interval 5
passdetect interval 5
connection term forced
open 1
parameter-map type connection TIMEOUT
set timeout inactivity 43200
parameter-map type http test
persistence-rebalance
set header-maxparse-length 2006
rserver host w0bairwatch003
description MDM-SEG
ip address 172.20.60.73
inservice
rserver host w0bairwatch004
description MDM-SEG
ip address 172.20.60.74
inservice
rserver host w0bairwatch005
description MDM-DEVICE
ip address 172.20.60.75
inservice
rserver host w0bairwatch006
description MDM-DEVICE
ip address 172.20.60.76
inservice
rserver host w0bhamobile001
description Lotus Notes Traveler Server
ip address 172.20.60.57
inservice
rserver host w0bhamobile002
description Lotus Notes Traveler Server
ip address 172.20.60.58
inservice
serverfarm host MDMDEVICE
predictor leastconns
probe PROBE_SERVICE_ICMP
rserver w0bairwatch005
inservice
rserver w0bairwatch006
serverfarm host MDMSEG
predictor leastconns
probe PROBE_SERVICE_ICMP
rserver w0bairwatch003
inservice
rserver w0bairwatch004
inservice
serverfarm host TRAVLR
predictor leastconns
probe PROBE_SERVICE_ICMP
rserver w0bhamobile001
inservice
rserver w0bhamobile002
inservice
class-map match-all MDMDEVICE-VIP
2 match virtual-address 172.20.48.35 any
class-map match-all MDMSEG-VIP
2 match virtual-address 172.20.48.33 any
class-map type management match-any REMOTE_ACCESS
description Remote access traffic match
201 match protocol ssh any
202 match protocol telnet any
203 match protocol icmp any
204 match protocol https any
205 match protocol http any
206 match protocol xml-https any
207 match protocol snmp any
class-map match-all TRAVLR-VIP
2 match virtual-address 172.20.48.34 any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match MDMDEVICE
class class-default
serverfarm MDMDEVICE
policy-map type loadbalance first-match MDMSEG
class class-default
serverfarm MDMSEG
policy-map type loadbalance first-match TRAVLR
class class-default
serverfarm TRAVLR
policy-map multi-match CLIENTS-VIPS
class MDMDEVICE-VIP
loadbalance vip inservice
loadbalance policy MDMDEVICE
loadbalance vip icmp-reply active
class MDMSEG-VIP
loadbalance vip inservice
loadbalance policy MDMSEG
loadbalance vip icmp-reply active
class TRAVLR-VIP
loadbalance vip inservice
loadbalance policy TRAVLR
loadbalance vip icmp-reply active
interface vlan 48
ip address 172.20.48.10 255.255.255.0
access-group input INBOUND
access-group output INBOUND
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input CLIENTS-VIPS
no shutdown
interface vlan 60
ip address 172.20.60.10 255.255.255.0
access-group input INBOUND
access-group output INBOUND
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 172.20.48.1
Cisco ASA 9.1(1) Cannot Ping Public Server
Cisco ASA 9.1(1) I have defined a public server. Ping from outside fails. Packet Tracer shows the following:
Thank you for responding, Vibhor: Here are the pertinent NAT statements in my running configuration:
object network Grede-Test-Server
host xx.xx.xx.xx (Public IP Address)
description Grede Test Server Menocon
object network Grede-Test-Server-Private
host 10.1.104.21
description Grede-Test Server
nat (Inside-Test,Outside) source static Grede-Test-Server-Private Grede-Test-Server
Cheers,
M.
I have 3 servers : Main server, and 2 file servers in another country.
My main server can only ping the 2nd file server.
But both of our 2 file servers from another country can ping the main server.
In short, I cannot remote to the first file server.
The settings on both file servers are the same. And I don't have issues in accessing the 2nd file server using the Main server.
Can somebody have the patience to help me figure out the issue?
Being able to ping the server does not mean that you can remotely access it.
If you are trying to RDP a server then you need to check that RDP is enabled on the server and that traffic to port 3389 is not blocked or filtered. You can use PortQryUI for checking.
For testing, you can temporarily disable security software running on the servers and try again. Also, check the filtering done on network equipment in between your servers.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
I have VM servers (Windows 2003, 2008) sitting in same ESX host - 4.0, each of the server has 2 NIC (one is for user access, another is for backup purpose).
Some of the servers backup NIC is not working, they can't ping neighbour and backup server, but some of the servers can. They are in the same VLAN and ESX host.
Any idea?
Regards, Wee Yang
Hi,
Are you using the computer's NetBIOS name when you ping? If so, please confirm you have selected the TCP/IP NetBIOS option and configured the correct WINS server.
The related third party article:
Enable NetBIOS over TCP/IP with Windows
http://ecross.mvps.org/howto/enable-netbios-over-tcp-ip-with-windows.htm
The related KB:
More about WINS server settings
http://technet.microsoft.com/en-us/library/cc771490.aspx
Hope this helps.
Cannot ping RRAS Client from RRAS server.
I have recently created an RRAS PPTP connection for an outside network. The RRAS client connects fine and can ping the RRAS server and every device on the RRAS server's local network. The RRAS server cannot ping the remote PPTP client, nor can any device on the RRAS server's local network. RRAS is configured to be within the same subnet as the RRAS server's local network. On connection it pulls from a static IP pool.
Any help is truly appreciated.
The server is behind a NAT device and for testing purposes I have disabled the firewall on both devices. Also I am having an issue where the PPTP connection just stops accepting and sending data to the RRAS server, but if you look at the active connections the client never disconnects. I have attached ipconfig information:
CLIENT
Windows IP Configuration
Host Name . . . . . . . . . . . . : Fellows-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
PPP adapter Welsh:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Welsh
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.16.128.66(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : BC-5F-F4-75-C5-AD
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5418:aba9:4af2:1e12%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, March 26, 2014 8:35:58 AM
Lease Expires . . . . . . . . . . : Saturday, March 29, 2014 8:35:58 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 247226356
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-C3-16-85-BC-5F-F4-75-C5-AD
DNS Servers . . . . . . . . . . . : 75.75.75.75
75.75.76.76
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{DF8CAC0D-588D-495A-9185-78C9992DC12F}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:1c88:1312:b8c2:97a9(Preferred)
Link-local IPv6 Address . . . . . : fe80::1c88:1312:b8c2:97a9%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.{D8973397-8880-4110-A7F9-4D1F6A1C2E8C}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
SERVER
Windows IP Configuration
Host Name . . . . . . . . . . . . : IMS
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
PPP adapter RAS Server (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.128.65
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 00-10-18-8D-BC-42
Ethernet adapter Local Area Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #2
Physical Address. . . . . . . . . : 00-10-18-8D-BC-40
Ethernet adapter Local Area Connection 4:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 84-2B-2B-68-6A-FA
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #2
Physical Address. . . . . . . . . : 84-2B-2B-68-6A-F9
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.128.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.128.254
DNS Servers . . . . . . . . . . . : 172.16.128.254
75.75.75.75
NetBIOS over Tcpip. . . . . . . . : Disabled
Guest VLAN cannot ping gateway
Hi Sir,
I have an issue wherein my guest VLAN cannot ping its gateway, thus it can't go through the web auth page. I have been given an IP address with corresponding gateway, subnet and DNS for the guest VLAN. I have allowed all the VLANs in the trunk port for the WLC and AP connection.
What do you think is the problem? Hope you could help on this.
thanks.
Regards,
Neri
Hi Neri
The way this should work is that the client connects to the guest network and gets an IP address from DHCP. The DHCP configuration should include the default gateway and must include a DNS address.
When the client opens a web browser the browser tries to connect to the configured home page. This means that a DNS lookup is sent out and the controller intercepts it and forwards it on. Providing there is a response from the DNS server the controller will cause the client browser to re-direct to the web authentication login page.
It is therefore essential that the controller can see the DNS server. Forget the PING for now - DNS is a must. You can prove the rest of the system by ensuring the guest client has an IP address. Open the client browser and try and connect to http://1.1.1.1 (assuming your virtual interface on the controller is 1.1.1.1). If you get re-directed to the web authentication login page then the issue is a DNS issue.
Regards
Roger
Cannot ping VIP in One-Arm mode
Hello.
I can ping the ip addresses of the vlan and access via management, the real-servers are Active along with the VIP service (ie. show service-policy) but I cannot ping the VIP interface and traces do not show any traffic hitting it because the 6500 the ACE (vc4710ace-mz.A1_8_0a) is connecting to has no ARP entry for the VIP.
It's in One-Arm mode; one gig-link to core, vlan 141.
I've attached the config.
Anyone got any ideas what I'm missing, please?
Hi,
the default gateway of your servers is the upstream router.
Have a look at following link: http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
Nevermind the picture, it should look more like this: http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Using_an_Existing_Chained_Certificate_and_Key_in_One_Arm_Mode_Configuration_Example
HTH,
Dario
ACE 4710 Probes on other servers than the real server
Hi,
I wanted to know if there is a means to configure a probe that is independent of the real servers.
The aim is to configure a probe a real server but also probe another intermediate server which is not in the server farm.
The objective is to declare the real server down if its probe fails but also the probe to an intermediate server fails as well as a or condition.
From the document, there is no mention of it.
But is there a means to do it.
Thanks.
Hi Ashley,
I see it is not mentioned anywhere in the document, but I think you should be able to bind two probes with a real server, of which one probe is actually probing another server.
I would configure one probe, let's say TCP based, and bind it with the serverfarm. Then I would configure another probe, TCP based, and define an IP address in that probe (the other server IP which we need to probe) and bind this probe with the same serverfarm. The serverfarm will not have this rserver added. And then I would configure "fail-on-all" and test if that works for you.
I know you can set a probe on a redirect server/serverfarm which actually probes another real server, so logically it should work for a normal host rserver as well. But I have never tested it myself.
Regards,
Kanwal
Smartcare cannot ping cimc interface
Hi All
The Smartcare appliance can ping everything, default route etc., but not the CIMC interface.
Not a local route issue?
Duplicate posts. :P
Go here: https://supportforums.cisco.com/discussion/12140361/smartcare-cannot-ping-cimc-interface
Cannot ping REAL server IP addresses from CSM 6500
I have a dual 6500/CSM routed topology in which the traffic from clients to the server VIP works fine. However, in preparation for some upcoming work, I find that I cannot ping the REAL server IP addresses. This would seem to be an important troubleshooting step. Any ideas why this wouldn't work?
Gilles, follow-up question. If I understand this, what you outlined above will allow external traffic coming into the 6500/CSM to be forwarded through to the REAL server IPs. If it wasn't clear, I was trying to ping from the native-mode 6500 that contains the CSM. I've tried regular and extended pings using the CSM-configured server VLAN's IP and alias IP, but get no response back from any of the REAL server IP addresses.
Is what you've indicated required to ping even if I'm on the 6500 which contains the CSM?
Cannot ping Real IP, but can ping Virtual IP, what is the issue?
Hi
I have load balancing for some servers on the CSM. I can ping the VIP but cannot ping the real IP of the servers behind the CSM. I need it for some testing and management purposes. Can anyone help to spot the issue? Thanks
Topology
MSFC--FWSM--CSM--servers
In routed mode, by default, the CSM does not allow a client to connect directly to the servers.
To allow this traffic you need to create a vserver for the subnet with a predictor forward serverfarm,
i.e.:
serverfarm route
  no nat server
  predictor forward
vserver vlanX
  vip x.x.x.0 /24 any
  serverfarm route
  inservice
Gilles.
Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out
I have, what I believe to be, a simple issue - I must be missing something.
Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with the Windows firewall turned off.
The PC cannot get to the outside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
Any ideas? Sanitized Config is below. Thanks !
ASA Version 7.2(4)
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif Inside
security-level 100
ip address 10.51.253.209 255.255.255.248
interface Vlan2
nameif Outside
security-level 0
ip address ***** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name *****
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
pager lines 24
mtu Outside 1500
mtu Inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list No_NAT
route Outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
crypto map DPS_Map 10 match address Outside_VPN
crypto map DPS_Map 10 set peer *****
crypto map DPS_Map 10 set transform-set *****
crypto map DPS_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
: end
Hi Martin,
Which way are you trying? Is sending traffic via the site-to-site tunnel not working, or is traffic which you generate to the outside world not working?
But you say the ASA's connected interface to the PC itself is not pinging; that is strange. But try setting up specific rules for the outgoing connection and check, instead of not having any ACL.
If it is the outside world then you may need to check on the NAT rules, which are not correct.
If it is site-to-site then you may need to check a few other things.
Please do rate the helpful posts.
By
Karthik
Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host
Hi:
Need your great help for my new ASA 5505 (8.4)
I just set up a new ASA 5505 with 8.4. However, I cannot ping any host after VPN-ing in with the Cisco VPN client. Please see the configuration file posted below; thanks for any suggestion.
ASA Version 8.4(3)
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.29.8.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 177.164.222.140 255.255.255.248
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name ABCtech.com
same-security-traffic permit inter-interface
object network obj_any
subnet 172.29.8.0 255.255.255.0
object service RDP
service tcp source eq 3389
object network orange
host 172.29.8.151
object network WAN_173_164_222_138
host 177.164.222.138
object service SMTP
service tcp source eq smtp
object service PPTP
service tcp source eq pptp
object service JT_WWW
service tcp source eq www
object service JT_HTTPS
service tcp source eq https
object network obj_lex
subnet 172.29.88.0 255.255.255.0
description Lexington office network
object network obj_HQ
subnet 172.29.8.0 255.255.255.0
object network guava
host 172.29.8.3
object service L2TP
service udp source eq 1701
access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135
access-list inside_access_in extended deny tcp any eq 135 any
access-list inside_access_in extended deny udp any eq 135 any
access-list inside_access_in extended deny udp any any eq 135
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 3389
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq smtp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pptp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq www
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq https
access-list outside_access_in extended permit gre any host 177.164.222.138
access-list outside_access_in extended permit udp any host 177.164.222.138 eq 1701
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit udp any any eq isakmp
access-list inside_in extended permit udp any eq isakmp any
access-list inside_in extended permit udp any any
access-list inside_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static orange interface service RDP RDP
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Guava protocol nt
aaa-server Guava (inside) host 172.29.8.3
timeout 15
nt-auth-domain-controller guava
user-identity default-domain LOCAL
http server enable
http 172.29.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 173.190.123.138
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.29.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcprelay server 172.29.8.3 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy ABCtech_VPN internal
group-policy ABCtech_VPN attributes
dns-server value 172.29.8.3
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Tunnel_User
default-domain value ABCtech.local
group-policy GroupPolicy_10.8.8.1 internal
group-policy GroupPolicy_10.8.8.1 attributes
vpn-tunnel-protocol ikev1 ikev2
username who password eicyrfJBrqOaxQvS encrypted
tunnel-group 10.8.8.1 type ipsec-l2l
tunnel-group 10.8.8.1 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 10.8.8.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group ABCtech type remote-access
tunnel-group ABCtech general-attributes
address-pool ABC_HQVPN_DHCP
authentication-server-group Guava
default-group-policy ABCtech_VPN
tunnel-group ABCtech ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 173.190.123.138 type ipsec-l2l
tunnel-group 173.190.123.138 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 173.190.123.138 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect netbios
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6a26676668b742900360f924b4bc80de
: end
Hello Wayne,
Can you use a different subnet range than the internal interface? This could cause you a LOT of issues and hours of troubleshooting, so use a dedicated, different IP address range...
I can see that the local pool range is included in the inside interface IP address subnet range. Change that and the related config (NAT, etc.) and let us know what happens.
Regards,
Julio
Security Trainer -
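Two things a reviewer would want to check mechanically in a config like the one posted above: the pool-versus-interface overlap Julio points at, and the DES/3DES/MD5/group-2 choices in the IKEv1 policies and transform-sets. The script below is an added example, not code from the thread or from Cisco; it lints an ASA-style running config for both. The `SAMPLE_CONFIG` excerpt is constructed for the demo: the `ip local pool` range and the interface addresses are assumed values, not taken from the posted config.

```python
"""Added example, not from the original post: lint an ASA-style running config
for a VPN pool that overlaps a connected subnet and for weak IKEv1/IPsec
algorithm choices. SAMPLE_CONFIG is a constructed excerpt; its pool range and
interface addresses are assumptions for the demo."""
import ipaddress
import re

# Constructed excerpt modelled on the posted config. The 'ip local pool' range
# and the interface addresses are assumed values, not taken from the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.29.8.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 177.164.222.138 255.255.255.248
ip local pool ABC_HQVPN_DHCP 172.29.8.200-172.29.8.220 mask 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
"""

# Algorithms that should not appear in a new policy or transform-set.
WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
# MODP groups of 1536 bits or less; group 14 (2048-bit) or an ECP group is the floor.
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_interfaces(text):
    """Map nameif -> IPv4Interface for every interface block that carries an IP address."""
    result, nameif = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            nameif = None
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("ip address ") and nameif:
            ip, mask = s.split()[2:4]          # tolerates a trailing 'standby' address
            result[nameif] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return result


def parse_pools(text):
    """Map pool name -> (first, last) address from 'ip local pool NAME A-B ...' lines."""
    return {m.group(1): (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", text, re.M)}


def pool_overlaps(text):
    """Flag any VPN pool whose range lands inside a connected interface subnet."""
    findings = []
    ifaces = parse_interfaces(text)
    for name, (lo, hi) in parse_pools(text).items():
        for ifname, iface in ifaces.items():
            if lo in iface.network or hi in iface.network:
                findings.append(f"pool {name} {lo}-{hi} overlaps interface {ifname} subnet {iface.network}")
    return findings


def weak_crypto(text):
    """Flag DES/3DES/MD5 and small DH groups in IKEv1 policies and IPsec transform-sets."""
    findings = []
    for m in re.finditer(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$", text, re.M):
        bad = sorted(set(m.group(2).split()) & WEAK_ALGS)
        if bad:
            findings.append(f"transform-set {m.group(1)} uses {', '.join(bad)}")
    policy = None
    for line in text.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)", line)
        if m:
            policy = m.group(1)
            continue
        if not line.startswith(" "):          # left the indented policy block
            policy = None
            continue
        key, _, val = line.strip().partition(" ")
        if policy and key in ("encryption", "hash") and val in WEAK_ALGS:
            findings.append(f"ikev1 policy {policy} {key} {val}")
        elif policy and key == "group" and val in WEAK_DH_GROUPS:
            findings.append(f"ikev1 policy {policy} DH group {val}")
    return findings


def audit(text):
    """All findings for one config, pool overlaps first."""
    return pool_overlaps(text) + weak_crypto(text)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config`; a pool that lands inside a connected subnet makes the ASA proxy-ARP for VPN clients on the inside segment, which is the class of "hours of troubleshooting" Julio means, and the weak-algorithm list tells you which of the fifteen IKEv1 policies can be deleted outright.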
Cisco 1941 Router-on-a-Stick with 11 VLANs trunked to a Cisco 2960: from the switch I can ping a device in another VLAN, but that device cannot ping back. Some devices can ping devices in other VLANs and the device in the other VLAN can successfully return the ping. Have a look at the attached diagram.
Router Config:
show run
Building configuration...
Current configuration : 7224 bytes
! Last configuration change at 09:05:48 EDT Wed Aug 6 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname ROUTER
boot-start-marker
boot-end-marker
no aaa new-model
clock timezone EDT -8 0
ip cef
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO1941/K9
object-group network Net_Obj_Group1
description This network group allows all 10.0.0.0 and Email Forwarder server through to the Plt PCs
205.191.0.0 255.255.0.0
10.0.0.0 255.0.0.0
object-group network Net_Obj_Group2
description This Network Group includes the Host IPs allowed through the Plant Router
host 10.194.28.23
host 10.194.28.25
host 10.194.28.26
host 10.194.28.27
host 10.194.28.28
host 10.194.28.29
host 10.194.28.37
host 10.194.28.39
host 10.194.28.40
host 10.194.28.70
host 10.194.28.130
host 10.194.28.131
host 10.194.28.132
host 10.194.28.133
host 10.194.28.134
host 10.194.28.135
host 10.194.28.136
host 10.194.28.137
host 10.194.28.138
host 10.194.28.139
host 10.194.28.140
host 10.194.28.141
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Port Ge0/0 to IT Enterprise network Switch GE1/0/38
ip address 10.194.28.111 255.255.255.0
ip access-group 105 in
ip access-group 106 out
ip nat outside
ip virtual-reassembly in
shutdown
duplex full
speed auto
no mop enabled
interface GigabitEthernet0/1
description Port to Plant PCN-K/L24 Sw1 Port 0/24
no ip address
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1.102
description Port to VLAN 102
encapsulation dot1Q 102
ip address 192.168.102.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.104
description Port to VLAN 104
encapsulation dot1Q 104
ip address 192.168.104.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.105
description Port to VLAN 105
encapsulation dot1Q 105
ip address 192.168.105.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.106
description Port to VLAN 106
encapsulation dot1Q 106
ip address 192.168.106.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.107
description Port to VLAN 107
encapsulation dot1Q 107
ip address 192.168.107.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.111
description Port to VLAN 111
encapsulation dot1Q 111
ip address 192.168.111.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.117
description Port to VLAN 117
encapsulation dot1Q 117
ip address 192.168.117.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.121
description Port to VLAN 121
encapsulation dot1Q 121
ip address 192.168.121.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.125
description Port to VLAN 125
encapsulation dot1Q 125
ip address 192.168.125.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.150
description Port to to VLAN 150
encapsulation dot1Q 150
ip address 192.168.150.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface GigabitEthernet0/1.999
description Port to VLAN 999
encapsulation dot1Q 999
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
no ip http secure-server
ip nat inside source static 192.168.102.201 10.194.28.23
ip nat inside source static 192.168.121.201 10.194.28.25
ip nat inside source static 192.168.106.251 10.194.28.26
ip nat inside source static 192.168.107.245 10.194.28.27
ip nat inside source static 192.168.102.251 10.194.28.28
ip nat inside source static 192.168.150.201 10.194.28.29
ip nat inside source static 192.168.107.179 10.194.28.37
ip nat inside source static 192.168.111.201 10.194.28.39
ip nat inside source static 192.168.105.201 10.194.28.40
ip nat inside source static 192.168.106.21 10.194.28.70
ip nat inside source static 192.168.107.146 10.194.28.130
ip nat inside source static 192.168.107.156 10.194.28.131
ip nat inside source static 192.168.107.161 10.194.28.132
ip nat inside source static 192.168.107.181 10.194.28.133
ip nat inside source static 192.168.107.191 10.194.28.134
ip nat inside source static 192.168.106.202 10.194.28.135
ip nat inside source static 192.168.106.212 10.194.28.136
ip nat inside source static 192.168.117.190 10.194.28.137
ip nat inside source static 192.168.117.100 10.194.28.138
ip nat inside source static 192.168.106.242 10.194.28.139
ip nat inside source static 192.168.125.100 10.194.28.140
ip nat inside source static 192.168.125.99 10.194.28.141
ip nat outside source static 10.194.28.23 10.194.28.23
ip nat outside source static 10.194.28.25 10.194.28.25
ip nat outside source static 10.194.28.26 10.194.28.26
ip nat outside source static 10.194.28.27 10.194.28.27
ip nat outside source static 10.194.28.28 10.194.28.28
ip nat outside source static 10.194.28.29 10.194.28.29
ip nat outside source static 10.194.28.37 10.194.28.37
ip nat outside source static 10.194.28.39 10.194.28.39
ip nat outside source static 10.194.28.40 10.194.28.40
ip nat outside source static 10.194.28.70 10.194.28.70
ip nat outside source static 10.194.28.130 10.194.28.130
ip nat outside source static 10.194.28.131 10.194.28.131
ip nat outside source static 10.194.28.132 10.194.28.132
ip nat outside source static 10.194.28.133 10.194.28.133
ip nat outside source static 10.194.28.134 10.194.28.134
ip nat outside source static 10.194.28.135 10.194.28.135
ip nat outside source static 10.194.28.136 10.194.28.136
ip nat outside source static 10.194.28.137 10.194.28.137
ip nat outside source static 10.194.28.138 10.194.28.138
ip nat outside source static 10.194.28.139 10.194.28.139
ip nat outside source static 10.194.28.140 10.194.28.140
ip nat outside source static 10.194.28.141 10.194.28.141
ip route 0.0.0.0 0.0.0.0 10.194.28.1
access-list 105 permit ip object-group Net_Obj_Group1 object-group Net_Obj_Group2
access-list 106 permit ip object-group Net_Obj_Group2 object-group Net_Obj_Group1
dialer-list 1 protocol ip permit
control-plane
banner login ^CC
Login banner for Plant Router #01^C
banner motd ^CC
MOTD Banner for Plant Router^C
line con 0
password XXXXXXXXX
logging synchronous
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password XXXXXXXXX
logging synchronous
login
transport input all
scheduler allocate 20000 1000
ntp server 10.199.100.92
end
Switch Config:
sh ru
Building configuration...
Current configuration : 6513 bytes
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname K24Sw01
boot-start-marker
boot-end-marker
no aaa new-model
clock timezone EDT -5
clock summer-time EDT recurring
udld aggressive
crypto pki trustpoint TP-self-signed-593746944
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-593746944
revocation-check none
rsakeypair TP-self-signed-593746944
4B58BCE9 44
quit
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0
no ip address
interface GigabitEthernet0/1
description Trunk port for vlans 105, 111, 125 and 999 from K24Sw01 port Ge0/1 to P22Sw01 port Ge0/24
switchport trunk allowed vlan 105,111,125,999
switchport mode trunk
interface GigabitEthernet0/2
description Trunk port for vlans 150 and 999 from K24Sw01 port Ge0/2 to N25Sw01 port Ge0/26
switchport trunk allowed vlan 150,999
switchport mode trunk
interface GigabitEthernet0/3
description Trunk port for vlans 102, 104, 106, 107, 117 and 999 from K24Sw01 port Ge0/3 to K28Sw01 port Ge0/26
switchport trunk allowed vlan 102,104,106,107,117,999
switchport mode trunk
interface GigabitEthernet0/4
description Trunk port for vlans 102, 106, 107 and 999 from K24Sw01 port Ge0/4 to H23Sw01 port Ge0/26
switchport trunk allowed vlan 102,106,107,999
switchport mode trunk
interface GigabitEthernet0/5
description Trunk port for vlans 121, 125 and 999 from K24Sw01 port Ge0/5 to M21Sw01 port Ge0/24
switchport trunk allowed vlan 121,125,999
switchport mode trunk
interface GigabitEthernet0/6
description OPEN
spanning-tree portfast
interface GigabitEthernet0/7
description OPEN
spanning-tree portfast
interface GigabitEthernet0/8
description OPEN
spanning-tree portfast
interface GigabitEthernet0/9
description OPEN
spanning-tree portfast
interface GigabitEthernet0/10
description VLan 102 access port
switchport access vlan 102
spanning-tree portfast
interface GigabitEthernet0/11
description - VLan 104 access port
switchport access vlan 104
spanning-tree portfast
interface GigabitEthernet0/12
description - VLan 105 access port
switchport access vlan 105
spanning-tree portfast
interface GigabitEthernet0/13
description - VLan 106 access port
switchport access vlan 106
spanning-tree portfast
interface GigabitEthernet0/14
description - VLan 107 access port
switchport access vlan 107
spanning-tree portfast
interface GigabitEthernet0/15
description - VLan 111 access port
switchport access vlan 111
spanning-tree portfast
interface GigabitEthernet0/16
description - VLan 117 access port
switchport access vlan 117
spanning-tree portfast
interface GigabitEthernet0/17
description - VLan 121 access port
switchport access vlan 121
spanning-tree portfast
interface GigabitEthernet0/18
description - VLan 125 access port
switchport access vlan 125
spanning-tree portfast
interface GigabitEthernet0/19
description - VLan 150 access port
switchport access vlan 150
spanning-tree portfast
interface GigabitEthernet0/20
description - VLan 999 access port
switchport access vlan 999
spanning-tree portfast
interface GigabitEthernet0/21
description OPEN
spanning-tree portfast
interface GigabitEthernet0/22
description OPEN
spanning-tree portfast
interface GigabitEthernet0/23
description OPEN
spanning-tree portfast
interface GigabitEthernet0/24
description From ROUTER Gw ge0/1
switchport trunk allowed vlan 102,104-107,111,117,121,125,150,999
switchport mode trunk
interface GigabitEthernet0/25
interface GigabitEthernet0/26
interface Vlan1
no ip address
no ip route-cache
shutdown
interface Vlan102
ip address 192.168.102.253 255.255.255.0
interface Vlan104
no ip address
no ip route-cache
interface Vlan105
no ip address
no ip route-cache
interface Vlan106
no ip address
no ip route-cache
interface Vlan107
no ip address
no ip route-cache
interface Vlan111
no ip address
no ip route-cache
interface Vlan117
no ip address
no ip route-cache
interface Vlan121
no ip address
no ip route-cache
interface Vlan125
no ip address
no ip route-cache
interface Vlan150
no ip address
no ip route-cache
interface Vlan999
no ip address
no ip route-cache
ip default-gateway 192.168.102.1
ip http server
ip http secure-server
snmp-server engineID local 00000009020000019634C2C0
snmp-server community public RO
snmp-server location
snmp-server contact
banner motd ^CCC ADMIN USE ONLY! ^C
line con 0
session-timeout 10
password xxxxxx
logging synchronous
login
stopbits 1
line vty 0 4
session-timeout 10
password xxxxxxx
login
line vty 5 15
session-timeout 10
password xxxxxxxx
login
ntp server 10.199.100.92
end
K24Sw01#
Hi Mark,
Here is my config:
Create sub-interfaces, set 802.1Q trunking protocol and ip address on each sub-interface
Router(config)#interface f0/0
Router(config-if)#no shutdown
(Note: The main interface f0/0 doesn’t need an IP address but it must be turned on)
Router(config)#interface f0/0.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.10.1 255.255.255.0
Router(config-subif)#interface f0/0.20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 192.168.20.1 255.255.255.0
(Note: In the "encapsulation dot1q 10" command, 10 is the VLAN ID this interface operates in)
Configure VLAN
Switch(config)#vlan 10
Switch(config-vlan)#name SALES
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name TECH
Set ports to access mode & assign ports to VLAN
Switch(config)#interface range fa0/1
Switch(config-if)#no shutdown
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)#interface range fa0/3
Switch(config-if)#no shutdown
Switch(config-if)#switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)#interface range fa0/5
Switch(config-if)#no shutdown
Switch(config-if)#switchport mode trunk
1. Please check that all your ports are up.
2. Check the config once again.
3. Make sure the switch and router connection port is configured as a trunk and that it is up.
This config is working for me,
Regards
Don't forget to rate helpful posts.
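The three-step checklist above (ports up, config re-read, trunk on both ends) is exactly what a script can do for you, and it catches the one-way failures this thread is about: a VLAN that has an access port on the switch but no sub-interface on the router, or a sub-interface on the router that the trunk's allowed list does not carry. The script below is an added example, not code from the thread or from Cisco. Both config excerpts are constructed from the posted ones: the `access vlan 15` line reproduces the typo in the reply's posted config, while VLAN 30 on the router and the trunk's allowed-VLAN list are assumptions added to exercise the checks.

```python
"""Added example, not from the original thread: cross-check a router-on-a-stick
sub-interface list against the switch side so that a VLAN present on one side
but not the other shows up before anyone starts pinging. Both excerpts are
constructed; VLAN 30 and the trunk allowed list are assumptions for the demo."""
import ipaddress
import re

# Constructed router excerpt (VLAN 30 is an assumed extra sub-interface).
ROUTER_CONFIG = """\
interface FastEthernet0/0
 no ip address
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
"""

# Constructed switch excerpt. 'access vlan 15' reproduces the typo in the posted
# config; the allowed-VLAN list on the trunk is an assumption.
SWITCH_CONFIG = """\
vlan 10
 name SALES
vlan 20
 name TECH
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 15
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/5
 switchport trunk allowed vlan 10,20,999
 switchport mode trunk
"""


def expand_vlan_list(spec):
    """'102,104-107,999' -> {102, 104, 105, 106, 107, 999} (trunk allowed-vlan syntax)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def router_subinterfaces(text):
    """Map VLAN id -> IPv4Interface from 'encapsulation dot1Q N' / 'ip address' pairs."""
    result, vlan = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"encapsulation dot1[qQ] (\d+)", s)
        if s.startswith("interface "):
            vlan = None
        elif m:
            vlan = int(m.group(1))
        elif vlan is not None and s.startswith("ip address "):
            ip, mask = s.split()[2:4]
            result[vlan] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return result


def switch_vlans(text):
    """Return (defined VLANs, {access port: vlan}, trunk allowed set or None for 'all')."""
    defined, access, allowed, port = set(), {}, None, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"vlan (\d+)$", s)
        if m:
            defined.add(int(m.group(1)))
        elif s.startswith("interface "):
            port = s.split()[1]
        elif s.startswith("switchport access vlan "):
            access[port] = int(s.split()[-1])
        elif s.startswith("switchport trunk allowed vlan "):   # plain form only, no add/remove
            allowed = (allowed or set()) | expand_vlan_list(s.split()[-1])
    return defined, access, allowed


def check(router_text, switch_text):
    """List the mismatches that produce one-way or no connectivity between VLANs."""
    findings = []
    subifs = router_subinterfaces(router_text)
    defined, access, allowed = switch_vlans(switch_text)
    for port, vlan in sorted(access.items()):
        if vlan not in defined:
            findings.append(f"{port}: access VLAN {vlan} is not defined on the switch")
        if vlan not in subifs:
            findings.append(f"{port}: access VLAN {vlan} has no router sub-interface, so no gateway")
    if allowed is not None:
        for vlan in sorted(set(subifs) - allowed):
            findings.append(f"VLAN {vlan}: router sub-interface exists but the trunk does not allow it")
        for vlan in sorted(allowed - set(subifs)):
            findings.append(f"VLAN {vlan}: allowed on the trunk but the router has no sub-interface for it")
    return findings


if __name__ == "__main__":
    for finding in check(ROUTER_CONFIG, SWITCH_CONFIG):
        print(finding)
```

Feed it the two `show running-config` outputs from the question (the router's Gi0/1 sub-interfaces and the switch's Gi0/24 trunk) and it reports nothing for the VLAN plan itself, which narrows the one-way ping to the hosts: a device whose default gateway is not its VLAN's router sub-interface, or a host firewall dropping inbound echo, will answer nothing even though the VLAN plumbing is correct.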