Unable to ping from MZ to virtual interface of ASA

Dear All,
One of my SNMP servers, 10.242.103.42, sits in the MZ zone, and the ACE 4710 is connected to the core switch; the core switch is connected to the ASA firewall.
Now I am trying to ping from the MZ zone SNMP server to the load balancer IP 10.242.105.1. I am unable to ping my LB interface to discover the SLB on my SNMP server.
Please help me.
srinivas

Is your device seeing the mac-address of the ASA in order to send the packets? What do the logs show on the firewall itself? Can you see the ARP entry on the ASA firewall for that host?
Mike

Similar Messages

  • CSS- traffic originating from real server + Virtual interface

    Hi all,
    I am designing a solution at the moment, in which I shall have 2 servers behind a pair of CSS & their default gateway will be the Virtual Interface ip address of CSS.
    Is there any problem foreseen in traffic getting initiated from the server to any other subnet in the network and the return traffic to the server?
    Servers shall connect to a pair of 3750 being used as L2 in stack .
    The Stacked 3750's shall be placed below the CSS pair & the CSS pair shall further connects to a single 6509 upstream....
    Each 3750-L2 connects single port to each CSS
    (3750-L2-1 to CSS1 &
    3750-L2-2 to CSS 2)
    Both CSS connect to the SINGLE 6509 on diff blades, for better redundancy.
    The CSS shall not be connected to each other directly.
    Both 3750-L2 connect to each other as well
    IIS-1---L2_Sw1---CSS1---6509---Othr_Subent
    IIS-1---L2_Sw2---CSS2---6509---Othr_Subent
    Note: I shall have VIP/Virtual Interface config on my CSS's.
    Appreciate validation and recommendations on this design.
    Many Thanks,
    gagan

    Hi Gilles,
    Many thanks for the confirmation.
    Request verification on the below as well~
    1. With the above scenario, I do not require any group (NAT) configuration, either for my servers initiating traffic going out or for clients hitting the VIP to reach servers. The client and server shall be in different VLANs, of course.
    2. With VIP & Virtual Interface configuration & couple of server VLAN's below on server side, I should be able to use both the gigabit interfaces on the 11503 to connect up and down stream as TRUNK. I mean to ask Virtual intf. & VIP has no problems working on the same TRUNK interface?
    3. I understand that Fate sharing and critical service helps full failover (client & server side).
    As an upstream router or L3 switch fails or the upstream connecting gigabit interface on CSS fails, the failover happens.
    Will the same be applicable to downstream L2 switch & CSS interface failure? If any of these on the downstream fails will the CSS failover to the standby unit.
    I think this above should work, just need confirmation coz I have not done this before.
    Thanks a lot again,
    Gagan

  • Not pinging virtual interface

    Dear All,
    I have a new Cisco ASA 5580 running 7.2(4). I am trying to configure a virtual interface on VLAN 400 in Gi0/0.400 to LBASE. Now the problem is that
    from my MZ zone 10.242.107.17 to the Lbase virtual interface 10.242.103.1 I am not able to ping.
    Please suggest.
    Many Thanks
    Srini

    Hi Varun,
    Thanks for the reply.
    I am configuring SNMP on my server load balancer; my SLB VLAN is 400 and I have given the virtual interface IP 10.242.105.1 on my ASA.
    On my ASA my SNMP server is 10.242.103.42. Now I am unable to ping from my SNMP server to the ACE virtual IP 10.242.105.1 to discover the ACE on my SNMP server.
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    interface Management0/1
    description LAN Failover Interface
    management-only
    interface GigabitEthernet3/0
    nameif OUTSIDE
    security-level 0
    ip address 223.27.122.19 255.255.255.240 standby 223.27.122.20
    interface GigabitEthernet3/1
    nameif DMZ
    security-level 50
    ip address 10.242.104.1 255.255.255.0 standby 10.242.104.2
    interface GigabitEthernet3/2
    nameif INSIDE
    security-level 0
    no ip address
    interface GigabitEthernet3/2.200
    vlan 200
    nameif MZ
    security-level 80
    ip address 10.242.103.1 255.255.255.0 standby 10.242.103.2
    interface GigabitEthernet3/2.300
    vlan 300
    nameif NOC
    security-level 79
    ip address 10.242.101.100 255.255.255.0 standby 10.242.101.101
    interface GigabitEthernet3/2.310
    vlan 310
    nameif DB-NETW-1
    security-level 75
    ip address 10.242.110.1 255.255.255.0
    interface GigabitEthernet3/2.400
    vlan 400
    nameif LBACE
    security-level 90
    ip address 10.242.105.1 255.255.255.0 standby 10.242.105.2
    interface GigabitEthernet3/2.500
    vlan 500
    nameif DC-USERS
    security-level 60
    ip address 10.242.109.1 255.255.255.0
    interface GigabitEthernet3/2.800
    vlan 800
    nameif DMZ-ACC
    security-level 48
    ip address 10.242.107.1 255.255.255.0 standby 10.242.107.2
    interface GigabitEthernet3/2.900
    vlan 900
    nameif MZ-ACC
    security-level 49
    ip address 10.242.108.1 255.255.255.0 standby 10.242.108.2
    interface GigabitEthernet3/3
    shutdown
    no nameif
    no security-level
    no ip address
    2) ACE conf:
    snmp-server community nglsnmp group Network-Monitor
    snmp-server host 10.242.103.42 traps version 2c nglsnmp
    snmp-server host 10.242.103.43 traps version 2c nglsnmp
    snmp-server host 10.242.103.44 traps version 2c nglsnmp
    snmp-server host 10.242.103.45 traps version 2c nglsnmp
    snmp-server enable traps slb serverfarm
    snmp-server enable traps snmp coldstart
    snmp-server enable traps slb vserver
    snmp-server enable traps slb real
    snmp-server enable traps syslog
    snmp-server enable traps snmp authentication
    snmp-server enable traps snmp linkup
    snmp-server enable traps snmp linkdown
    please help me
    srini

  • Unable to ping to the internet

    if you do an nslookup then a server 8.8.8.8 what do you see?

    Hey guys,
    I have a weird issue. I am unable to ping out from the LAN. Pinging 8.8.8.8 goes nowhere and other sites as well.
    SonicWall shows all internal to external services are allowed.
    Internally everything is pingable.
    I am also unable to ping from within the SonicWall Diagnostics tool. It just says IP address not responding.
    NSA3500.
    This topic first appeared in the Spiceworks Community

  • How do I block pings from the outside to the ASA 5505 outside interface?

    I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall.  I found a post that said to enter "icmp deny any outside", however that does not do it.
    I created an ACL to try and do the trick, also to no avail:
    access-list outside_in extended permit icmp any any echo-reply
    access-list outside_in in interface outside
    access-group outside_in in interface outside
    Anyone have a clue what I'm doing wrong?  I'm not the firewall guy as you can tell.  :/
    Thanks in advance...
    Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface
    Most networks that you protect with a Cisco ASA device, will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.
    ASA5505(config)#icmp deny any outside
    You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection

    You are allowing echo-reply, thus it will reply to a ping.
    Try this ACL:
    icmp deny any echo-reply outside
    From: https://supportforums.cisco.com/thread/223769
    Eric

  • Unable to ping IP address from SG300 -10p switch

    I have two core switches; we have configured VLAN 70 on both core switches.
    sh run int vlan 70 --ip address: 182.94.177.34/28
    Configured HSRP on both routers.
    We have configured a port in VLAN 77 on the access switch 4507R-E, and we are able to ping the IP address.
    We have also installed a Cisco SG300 10p switch cascading to the Cisco 4507R-E access switch.
    We have given the commands below.
    Switch management IP:
    switch38cbaf(config)int vlan1
    switch38cbaf(config-if)#ip address 124.4.67.47 255.255.255.0
    switch38cbaf(config)#vlan database
    switch38cbaf(config-if)vlan 70
    switch38cbaf(config)#int gigabitethernet1
    switch38cbaf(config-if)#switchport mode access
    switch38cbaf(config-if)#switch access vlan 77
    Trunk Configuration
    switch38cbaf(config)#int gigabitEthernet9
    switch38cbaf(config-if)#description << Trunk | connected to access switch 4507R-E | Fa4/1 >>
    switch38cbaf(config-if)#swtichport mode trunk
    switch38cbaf(config-if)#switchport trunk allowed vlan 77
    Problem:
    I have assigned the IP address 182.94.177.44 to our desktop and connected it to port Gi1.
    I am able to ping the 182.94.177.33, 34 and 35 IP addresses but unable to ping 182.94.177.44.

    Some things to check/verify -
    a) is there a typo in your configuration above ie. you have created vlan 70 according to your configuration but the actual vlan you are using is vlan 77
    b) does the trunk link between the access 4500 and the core switch allow vlan 77
    c) try pinging from the client and not to it as there may be a firewall on the PC.
    Jon

  • SMTP Error 5.7.1 Unable to relay - from webmail interface

    Hi,
    This is a strange problem I have faced for the first time.
    Below Messaging Version on Solaris 10 which is working fine.
    Sun Java(tm) System Messaging Server 6.2-7.05 (built Sep 5 2006)
    libimta.so 6.2-7.05 (built 12:18:44, Sep 5 2006)
    Sometimes (very rarely), users get a "relaying problem" even when they try to send from the webmail (using browser) interface.
    Part of log written to "http" file under <msg-hime>/log directory:
    [24/Jun/2007:15:42:34 -0400] webmail httpd[23377]: General Warning: saveSmtp failed: SMTP Error 5.7.1 Unable to relay for [email protected]
    Any help highly appreciated
    TIA
    Prvn

    Hi shane,
    All incoming mails (incl. sent self mails using webmail interface) seem to be looped. Not able to receive any mail.
    The logs written in mail.log_current below: (when sent self mails using webmail)
    when service.http.smtphost = 127.0.0.1 :
    26-Jun-2007 05:36:32.09 tcp_intranet tcp_scan E 2 [email protected] rfc822;[email protected] @tcp_scan-daemon:[email protected] mailgw ([192.168.1.49])
    26-Jun-2007 05:36:32.19 tcp_scan D 2 [email protected] rfc822;[email protected] @tcp_scan-daemon:[email protected] [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|43340|192.168.1.49|10026) (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:36:22 -0700 ) smtp;250 2.1.5 [email protected]
    26-Jun-2007 05:36:36.10 tcp_intranet tcp_scan E 3 [email protected] rfc822;[email protected] @tcp_scan-daemon:[email protected] mailgw ([192.168.1.49])
    26-Jun-2007 05:36:36.20 tcp_scan D 3 [email protected] rfc822;[email protected] @tcp_scan-daemon:[email protected] [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|43411|192.168.1.49|10026) (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:36:26 -0700 ) smtp;250 2.1.5 [email protected]
    26-Jun-2007 05:36:40.09 tcp_intranet tcp_scan E 3 [email protected] rfc822;[email protected] @tcp_scan-daemon:[email protected] mailgw ([192.168.1.49])
    26-Jun-2007 05:36:40.19 tcp_scan D 3 [email protected] rfc822;[email protected] @tcp_scan-daemon:[email protected] [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|43414|192.168.1.49|10026) (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:36:30 -0700 ) smtp;250 2.1.5 [email protected]
    26-Jun-2007 05:36:44.13 tcp_intranet tcp_scan E 4 [email protected] rfc822;[email protected] @tcp_scan-daemon:[email protected] mailgw ([192.168.1.49])
    when service.http.smtphost = 192.168.1.41:
    26-Jun-2007 05:20:45.93 tcp_intranet tcp_scan E 5 [email protected] rfc822;[email protected]
    @tcp_scan-daemon:[email protected] mailgw ([192.168.1.49])
    26-Jun-2007 05:20:46.00 tcp_scan D 5 [email protected] rfc822;[email protected]
    @tcp_scan-daemon:[email protected] [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|36905|192.168.1.49|10026) (mailgw
    Symantec Mail Security Tue, 26 Jun 2007 05:20:36 -0700 ) smtp;250 2.1.5 [email protected]
    26-Jun-2007 05:20:46.17 tcp_intranet tcp_scan E 9 [email protected] rfc822;[email protected]
    @tcp_scan-daemon:[email protected] mailgw ([192.168.1.49])
    26-Jun-2007 05:20:46.27 tcp_scan D 9 [email protected] rfc822;[email protected]
    @tcp_scan-daemon:[email protected] [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|36906|192.168.1.49|10026)
    (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:20:36 -0700 ) smtp;250 2.1.5 [email protected]
    26-Jun-2007 05:20:46.32 tcp_intranet tcp_scan E 5 [email protected] rfc822;[email protected]
    @tcp_scan-daemon:[email protected] mailgw ([192.168.1.49])
    26-Jun-2007 05:20:46.40 tcp_scan D 5 [email protected] rfc822;[email protected]
    @tcp_scan-daemon:[email protected] [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|36907|192.168.1.49|10026) (mailgw
    Symantec Mail Security Tue, 26 Jun 2007 05:20:37 -0700 ) smtp;250 2.1.5 [email protected]
    26-Jun-2007 05:20:46.58 tcp_intranet tcp_scan E 10 [email protected] rfc822;[email protected]
    @tcp_scan-daemon:[email protected] mailgw ([192.168.1.49])
    26-Jun-2007 05:20:46.67 tcp_scan D 10 [email protected] rfc822;[email protected]
    @tcp_scan-daemon:[email protected] [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|36908|192.168.1.49|10026)
    (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:20:37 -0700 ) smtp;250 2.1.5 [email protected]
    26-Jun-2007 05:20:46.72 tcp_intranet tcp_scan E 6 [email protected] rfc822;[email protected]
    @tcp_scan-daemon:[email protected] mailgw ([192.168.1.49])
    26-Jun-2007 05:20:46.79 tcp_scan D 6 [email protected] rfc822;[email protected]
    @tcp_scan-daemon:[email protected] [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|36909|192.168.1.49|10026) (mailgw
    Symantec Mail Security Tue, 26 Jun 2007 05:20:37 -0700 ) smtp;250 2.1.5 [email protected]
    26-Jun-2007 05:20:46.97 tcp_intranet tcp_scan E 10 [email protected] rfc822;[email protected]
    @tcp_scan-daemon:[email protected] mailgw ([192.168.1.49])
    Regards,
    Prvn

  • Ping from lower security interface to a higher

    Hello,
    I have a Cisco 5520 ASA firewall with a direct connection to a Checkpoint firewall.  On the inside network of my ASA I have a server that needs to ping a server on the DMZ on the Checkpoint and vice versa.  So I have the correct routing and firewall rules on both devices.
    I can successfully ping from my server on the INSIDE interface on the Cisco ASA to the server on the DMZ on the Checkpoint, but I can't ping in the other direction.
    Q: Is this because I am trying to go from a lower security interface on the ASA to a higher one?
    I can't be sure if the error is on my ASA or the Checkpoint because neither is showing anything in the logs.
    Everything else on both firewalls is fine.
    regards,
    Kevin

    Hi,
    It's hard to tell what the actual problem is at the moment.
    With regard to the "security-level" value, the situation is that if the interface doesn't have an ACL configured on it, then traffic sourced from networks behind it will be allowed to networks located behind interfaces of lower "security-level". If the source interface for the direction that is not working doesn't hold an ACL and has a lower "security-level" than the destination interface, then you will have to configure an interface ACL to allow this traffic.
    Then again, the problem might be as simple as the server simply rejecting the ICMP Echo but allowing itself to ICMP Echo some remote destination and receive an Echo Reply for that. In other words, the server can ICMP remote hosts but won't accept ICMP Echo from remote hosts. It might reply to hosts on the directly connected network. So if there is no clear reason for the traffic to not go through, I would consider checking the server software firewall.
    It might also be that the working direction has been configured with Dynamic PAT and there is no correct translation for the other direction to enable sending ICMP to the server.
    You can easily test the ASA configuration with "packet-tracer", so that would be the first natural step to determining the reason for the problem or at least narrowing it down.
    packet-tracer input <source-interface> icmp <source-ip> 8 0 <destination-ip>
    In the above command you would use the interface nameif behind which the ICMP Echo is coming from (8 0 = ICMP Echo). The source IP address is obvious. The destination IP address should be the NAT IP address of the server IF there is NAT being performed. If NO NAT is done for the destination then you naturally use the real IP address.
    Hope this helps
    - Jouni
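
The default security-level rule described in the answer above, as an added Python example that is not part of the original thread or any Cisco tool: it parses `nameif`, `security-level`, `ip address` and `access-group` lines and classifies the first packet of a flow. It goes slightly beyond the answer by also flagging ICMP aimed at a far-side ASA interface address, which the ASA does not answer. The sample config is constructed from interface values posted earlier on this page; the function names and verdict labels are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed sample, modelled on the interface stanzas posted on this page.
SAMPLE_CONFIG = """\
interface GigabitEthernet3/1
 nameif DMZ
 security-level 50
 ip address 10.242.104.1 255.255.255.0 standby 10.242.104.2
interface GigabitEthernet3/2.200
 vlan 200
 nameif MZ
 security-level 80
 ip address 10.242.103.1 255.255.255.0 standby 10.242.103.2
interface GigabitEthernet3/2.400
 vlan 400
 nameif LBACE
 security-level 90
 ip address 10.242.105.1 255.255.255.0 standby 10.242.105.2
interface GigabitEthernet3/3
 shutdown
 no nameif
 no security-level
 no ip address
access-group dmz_in in interface DMZ
"""

IP_RE = r"(\d+\.\d+\.\d+\.\d+)"
ADDR_RE = rf"ip address {IP_RE} {IP_RE}(?: standby \S+)?"


def parse_asa(config):
    """Return (interfaces, acl_bound, same_level_ok) parsed from ASA config text."""
    stanzas, acl_bound, same_level_ok = [], set(), False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            stanzas.append({"port": line.split()[1]})
        elif stanzas and (m := re.fullmatch(r"nameif (\S+)", line)):
            stanzas[-1]["nameif"] = m.group(1)
        elif stanzas and (m := re.fullmatch(r"security-level (\d+)", line)):
            stanzas[-1]["level"] = int(m.group(1))
        elif stanzas and (m := re.fullmatch(ADDR_RE, line)):
            stanzas[-1]["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.fullmatch(r"access-group \S+ in interface (\S+)", line):
            acl_bound.add(m.group(1))  # inbound ACL bound to this nameif
        elif line == "same-security-traffic permit inter-interface":
            same_level_ok = True
    # Only named, addressed interfaces take part in forwarding decisions.
    usable = [s for s in stanzas if all(k in s for k in ("nameif", "level", "addr"))]
    return usable, acl_bound, same_level_ok


def owning_interface(interfaces, ip):
    """Interface whose connected subnet contains ip (connected routes only)."""
    for iface in interfaces:
        if ip in iface["addr"].network:
            return iface
    return None


def implicit_verdict(config, src, dst):
    """Classify the first packet of a src -> dst flow under the default rules."""
    interfaces, acl_bound, same_level_ok = parse_asa(config)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = owning_interface(interfaces, src_ip)
    egress = owning_interface(interfaces, dst_ip)
    if ingress is None or egress is None:
        return "unknown"  # would need the routing table, which is not modelled
    if dst_ip == egress["addr"].ip:
        # Traffic addressed to the firewall itself. The ASA answers ICMP only
        # on the interface the packet arrived on, never on a far-side one;
        # to-the-box ICMP is controlled by the `icmp` command, not the ACL.
        return "to-the-box" if egress is ingress else "far-side-interface"
    if egress is ingress:
        return "same-segment"  # switched locally, never crosses the ASA
    if ingress["nameif"] in acl_bound:
        return "acl-decides"  # an interface ACL replaces the implicit rule
    if ingress["level"] > egress["level"]:
        return "permit-implicit"  # higher -> lower is allowed by default
    if ingress["level"] == egress["level"] and same_level_ok:
        return "permit-implicit"
    return "deny-implicit"  # lower -> higher needs an explicit ACL entry


if __name__ == "__main__":
    flows = [
        ("10.242.103.42", "10.242.105.1"),   # MZ host to the LBACE interface IP
        ("10.242.103.42", "10.242.105.10"),  # MZ (80) to a host behind LBACE (90)
        ("10.242.105.10", "10.242.103.42"),  # LBACE (90) to MZ (80)
        ("10.242.104.5", "10.242.103.42"),   # DMZ has an inbound ACL bound
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: {implicit_verdict(SAMPLE_CONFIG, src, dst)}")
```

The verdict covers only the initiating packet; whether the echo reply is let back in depends on ICMP inspection or an ACL on the return interface, and `packet-tracer` on the device remains the authoritative check.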

  • Unable to Ping AP

    Hello,
    I have a new setup I'm trying to build with a WLC2106 and 4 1142n's (currently just trying to get 1 working).  I have the WLC running 7.0.98.0.  I built a new VLAN on our core network (3560g) and have the ap-manager and management interfaces IP'ed in that VLAN.  I also have the AP plugged into the PoE port on port 8 and it is IP'ed in the same VLAN.  The AP associates to the WLC, and I am able to configure it from the WLC, but I cannot ping it from the WLC or from anywhere.  I cannot ping anything from the console on the AP either.
    My assumption is that once I get IP connectivity established, the AP will be able to communicate with our network DHCP server and issue out IPs.  I just can't figure out what is wrong with the network setup.  I have the trunk configured properly on the core switch from the WLC, and I can ping other hosts on the other VLANs that are allowed.
    Interfaces on WLC:
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    ap-manager                       1    5        10.108.5.3      Static  Yes    No  
    management                       1    5        10.108.5.2      Static  No     No  
    office-vlan-2                    1    2        10.108.111.96   Dynamic No     No  
    virtual                          N/A  N/A      1.1.1.1         Static  No     No
    AP Config:
    infraspawap2#show capwap ip config
    LWAPP Static IP Configuration
    IP Address         10.108.5.5
    IP netmask         255.255.255.240
    Default Gateway    10.108.5.1
    I've been staring at this for days and just can't figure it out (so it's probably just something simple i've missed).  Any help is greatly appreciated.
    Thanks,
    Ben

    So I may have solved this, or at least provided a work-around.  I made the new VLAN for MGMT and AP interfaces native on the switch and changed the config on the WLC to untagged.  I also disabled DHCP proxy.  This allowed clients to retrieve DHCP from our network server and get connected to the LAN; however, I was still unable to ping the AP.
    I then moved everything into a different VLAN (already existing) and had the same results.  I then moved the AP off of the WLC and used a power brick to connect it directly to the backbone switch.  This rectified the issue.  I am now able to ping across all VLANs to/from the AP.  My only question really is why not from the switch on the WLC?  What was/wasn't I doing that prevented this when directly connected to the WLC?

  • PPPoE Unable to ping

    I'm trying to configure PPPoE between two routers. PPPoE is establishing, but I am unable to ping.
    Server
    username R4 password 0 CISCO
    bba-group pppoe CISCO
    virtual-template 1
    interface Virtual-Template1
    ip address 19.19.34.3 255.255.255.0
    peer default ip address pool pool
    ppp authentication chap
    ip local pool pool 19.19.34.4
    interface FastEthernet0/1
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface Dialer1
    mtu 1492
    ip address negotiated
    encapsulation ppp
    dialer pool 1
    dialer idle-timeout 0
    dialer persistent
    ppp authentication chap callin
    ppp chap hostname R4
    ppp chap password 0 CISCO
    no cdp enable
    *Feb 10 18:32:04.595: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
    *Feb 10 18:32:04.599: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
    *Feb 10 18:32:04.599: Vi2 PPP: Sending cstate UP notification
    *Feb 10 18:32:04.599: Vi2 PPP: Processing CstateUp message
    *Feb 10 18:32:04.603: PPP: Alloc Context [49B191F8]
    *Feb 10 18:32:04.603: ppp13 PPP: Phase is ESTABLISHING
    *Feb 10 18:32:04.603: Vi2 PPP: Using dialer call direction
    *Feb 10 18:32:04.603: Vi2 PPP: Treating connection as a callout
    *Feb 10 18:32:04.603: Vi2 PPP: Session handle[DE00000E] Session id[13]
    *Feb 10 18:32:04.603: Vi2 LCP: Event[OPEN] State[Initial to Starting]
    *Feb 10 18:32:04.603: Vi2 PPP: No remote authentication for call-out
    *Feb 10 18:32:04.603: Vi2 LCP: O CONFREQ [Starting] id 1 len 14
    *Feb 10 18:32:04.603: Vi2 LCP:    MRU 1492 (0x010405D4)
    *Feb 10 18:32:04.603: Vi2 LCP:    MagicNumber 0x19869166 (0x050619869166)
    *Feb 10 18:32:04.603: Vi2 LCP: Event[UP] State[Starting to REQsent]
    R4#Feb 10 18:32:04.607: Vi2 LCP: I CONFREQ [REQsent] id 1 len 19
    *Feb 10 18:32:04.607: Vi2 LCP:    MRU 1492 (0x010405D4)
    *Feb 10 18:32:04.607: Vi2 LCP:    AuthProto CHAP (0x0305C22305)
    *Feb 10 18:32:04.607: Vi2 LCP:    MagicNumber 0x177669A8 (0x0506177669A8)
    *Feb 10 18:32:04.607: Vi2 LCP: O CONFACK [REQsent] id 1 len 19
    *Feb 10 18:32:04.607: Vi2 LCP:    MRU 1492 (0x010405D4)
    *Feb 10 18:32:04.607: Vi2 LCP:    AuthProto CHAP (0x0305C22305)
    *Feb 10 18:32:04.607: Vi2 LCP:    MagicNumber 0x177669A8 (0x0506177669A8)
    *Feb 10 18:32:04.607: Vi2 LCP: Event[Receive ConfReq+] State[REQsent to ACKsent]
    *Feb 10 18:32:04.607: Vi2 LCP: I CONFACK [ACKsent] id 1 len 14
    *Feb 10 18:32:04.607: Vi2 LCP:    MRU 1492 (0x010405D4)
    *Feb 10 18:32:04.607: Vi2 LCP:    MagicNumber 0x19869166 (0x050619869166)
    *Feb 10 18:32:04.607: Vi2 LCP: Event[Receive ConfAck] State[ACKsent to Open]
    *Feb 10 18:32:04.607: Vi2 PPP: Queue CHAP code[1] id[1]
    *Feb 10 18:32:04.619: Vi2 PPP: Phase is AUTHENTICATING, by the peer
    *Feb 10 18:32:04.619: Vi2 CHAP: Redirect packet to Vi2
    *Feb 10 18:32:04.619: Vi2 CHAP: I CHALLENGE id 1 len 23 from "R3"
    *Feb 10 18:32:04.619: Vi2 LCP: State is Open
    *Feb 10 18:32:04.619: Vi2 CHAP: Using hostname from interface CHAP
    *Feb 10 18:32:04.619: Vi2 CHAP: Using password from interface CHAP
    *Feb 10 18:32:04.619: Vi2 CHAP: O RESPONSE id 1 len 23 from "R4"
    *Feb 10 18:32:04.631: Vi2 CHAP: I SUCCESS id 1 len 4
    *Feb 10 18:32:04.631: Vi2 PPP: Phase is FORWARDING, Attempting Forward
    *Feb 10 18:32:04.631: Vi2 PPP: Queue IPCP code[1] id[1]
    *Feb 10 18:32:04.635: Vi2 PPP: Phase is ESTABLISHING, Finish LCP
    *Feb 10 18:32:04.635: Vi2 PPP: Phase is UP
    *Feb 10 18:32:04.635: Vi2 IPCP: Protocol configured, start CP. state[Initial]
    *Feb 10 18:32:04.635: Vi2 IPCP: Event[OPEN] State[Initial to Starting]
    *Feb 10 18:32:04.635: Vi2 IPCP: O CONFREQ [Starting] id 1 len 10
    *Feb 10 18:32:04.635: Vi2 IPCP:    Address 0.0.0.0 (0x030600000000)
    *Feb 10 18:32:04.635: Vi2 IPCP: Event[UP] State[Starting to REQsent]
    *Feb 10 18:32:04.635: Vi2 PPP: Process pending ncp packets
    *Feb 10 18:32:04.635: Vi2 IPCP: Redirect packet to Vi2
    *Feb 10 18:32:04.635: Vi2 IPCP: I CONFREQ [REQsent] id 1 len 10
    *Feb 10 18:32:04.635: Vi2 IPCP:    Address 19.19.34.3 (0x030613132203)
    *Feb 10 18:32:04.635: Vi2 IPCP: O CONFACK [REQsent] id 1 len 10
    *Feb 10 18:32:04.639: Vi2 IPCP:    Address 19.19.34.3 (0x030613132203)
    *Feb 10 18:32:04.639: Vi2 IPCP: Event[Receive ConfReq+] State[REQsent to ACKsent]
    *Feb 10 18:32:04.639: Vi2 IPCP: I CONFNAK [ACKsent] id 1 len 10
    *Feb 10 18:32:04.639: Vi2 IPCP:    Address 19.19.34.4 (0x030613132204)
    *Feb 10 18:32:04.639: Vi2 IPCP: O CONFREQ [ACKsent] id 2 len 10
    *Feb 10 18:32:04.639: Vi2 IPCP:    Address 19.19.34.4 (0x030613132204)
    *Feb 10 18:32:04.639: Vi2 IPCP: Event[Receive ConfNak/Rej] State[ACKsent to ACKsent]
    *Feb 10 18:32:04.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
    *Feb 10 18:32:04.643: Vi2 IPCP: I CONFACK [ACKsent] id 2 len 10
    *Feb 10 18:32:04.643: Vi2 IPCP:    Address 19.19.34.4 (0x030613132204)
    *Feb 10 18:32:04.643: Vi2 IPCP: Event[Receive ConfAck] State[ACKsent to Open]
    *Feb 10 18:32:04.651: Vi2 IPCP: State is Open
    *Feb 10 18:32:04.651: Di1 IPCP: Install negotiated IP interface address 19.19.34.4
    *Feb 10 18:32:04.655: Di1 Added to neighbor route AVL tree: topoid 0, address 19.19.34.3
    *Feb 10 18:32:04.655: Di1 IPCP: Route not installed to 19.19.34.3

    Please go through the link below; it may help you to configure the router.
    http://www.dslreports.com/faq/10952

  • OSPF unable to Ping

    Below is my Home Network layout.  I am having trouble pinging the 50.2.30.0 subnet.  I created OSPF routes and I am able to ping from HomeLAN router to BackUpHomeLAN router.  My problem is that I can not ping from my laptop connected on the 192.168.1.0 subnet to the 50.2.30.0 subnet.  Attached below is my current config for both routers. 
    HomeLAN
    HomeLAN-Rotuer#show run
    Building configuration...
    Current configuration : 1761 bytes
    ! Last configuration change at 07:27:14 UTC Wed Mar 26 2014
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname HomeLAN-Rotuer
    boot-start-marker
    warm-reboot
    boot-end-marker
    no aaa new-model
    dot11 syslog
    ip source-route
    ip vrf A
    ip cef
    ip domain name jjkkcc.org
    ip name-server 68.105.28.16
    ip name-server 68.105.29.16
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 192.168.1.252
    ip name-server 192.168.1.242
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    crypto pki token default removal timeout 0
    license udi pid CISCO2801 sn FTX1019Y2S4
    username woodjl1650 privilege 15 password 0 henry999 secret
    redundancy
    interface FastEthernet0/0
     ip address 10.2.10.2 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface FastEthernet0/1
     ip address 192.168.1.5 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface Serial0/1/0
     ip address 10.0.10.1 255.255.255.224
    interface Serial0/2/0
     ip address 10.0.10.3 255.255.255.224
    router ospf 1
     network 10.2.10.0 0.0.0.7 area 1
     network 50.2.30.0 0.0.0.31 area 1
     network 192.168.1.0 0.0.0.255 area 1
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT interface FastEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 10.2.10.1
    ip access-list standard NAT
     permit 192.168.1.0 0.0.0.255
     permit 10.2.10.0 0.0.0.7
     permit 50.2.30.0 0.0.0.31
    logging esm config
    control-plane
    gatekeeper
     shutdown
    line con 0
    line aux 0
    line vty 0 4
     login local
     transport input ssh
    scheduler allocate 20000 1000
    end
    BackUpHomeLAN
    BackUpHomeLAN#show run
    Building configuration...
    Current configuration : 1695 bytes
    ! Last configuration change at 06:35:05 UTC Wed Mar 26 2014
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname BackUpHomeLAN
    boot-start-marker
    warm-reboot
    boot-end-marker
    no aaa new-model
    dot11 syslog
    ip source-route
    ip vrf A
    ip cef
    ip domain name jjkkcc.com
    ip name-server 68.105.28.16
    ip name-server 68.105.29.16
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    crypto pki token default removal timeout 0
    license udi pid CISCO2801 sn FTX1028W1PY
    username woodjl1650 privilege 15 password 0 henry999 secret
    redundancy
    interface Loopback100
     ip vrf forwarding A
     no ip address
    interface FastEthernet0/0
     ip address 10.2.10.3 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface FastEthernet0/1
     ip address 50.2.30.1 255.255.255.224
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface Serial0/1/0
     ip address 10.0.10.2 255.255.255.224
    router ospf 1
     network 10.2.10.0 0.0.0.7 area 1
     network 50.2.30.0 0.0.0.31 area 1
     network 192.168.1.0 0.0.0.255 area 1
    router ospf 3
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT interface FastEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 24.234.191.225
    ip access-list standard NAT
     permit 192.168.1.0 0.0.0.255
    permit 10.2.10.0 0.0.0.7
    permit 50.2.30.0 0.0.0.31
    logging esm config
    control-plane
    gatekeeper
     shutdown
    line con 0
    line aux 0
    line vty 0 4
     login local
     transport input ssh
    scheduler allocate 20000 1000
    end

    Duplicate posts.  
    Go here:  http://supportforums.cisco.com/discussion/12154051/ospf-unable-ping

  • ASA5520 AnyConnect SSL VPN Connected but unable to ping my inside LAN

    Hi there, please forgive if I have missed any forum protocols as this is my first post.
    I am trying to configure AnyConnect SSL VPN. I am able to connect to the VPN on a laptop, which is able to download the AnyConnect client from the ASA. I am unable to ping any of my IPs that are on the inside of my ASA. Before posting here I have spent many hours on forums and watching videos on AnyConnect SSL VPN creation and I am following it to the T but still no ping. Any help would be very much appreciated.
    Inside              192.168.1.254/24
    Outside           dhcp
    VPN Pool        192.168.250.1-50/24
    Inside LAN     192.168.1.0/24
    : Saved
    ASA Version 8.4(4)1
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface GigabitEthernet0/1
    nameif inside
    security-level 99
    ip address 192.168.1.254 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 99
    ip address 192.168.100.1 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name dock.local
    same-security-traffic permit inter-interface
    object network inside-network-object
    subnet 192.168.1.0 255.255.255.0
    object network management-network-object
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.250.0_25
    subnet 192.168.250.0 255.255.255.128
    object-group network AllInside-networks
    network-object object inside-network-object
    network-object object management-network-object
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic AllInside-networks interface
    nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable 4433
    http 192.168.100.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.100.0 255.255.255.0 management
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_anyconnect internal
    group-policy GroupPolicy_anyconnect attributes
    wins-server none
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ssl-client ssl-clientless
    split-tunnel-policy tunnelall
    split-tunnel-network-list value split_tunnel
    default-domain value dock.local
    username test password JAasdf434ey521ZCT encrypted privilege 15
    tunnel-group anyconnect type remote-access
    tunnel-group anyconnect general-attributes
    address-pool vpn_pool
    default-group-policy GroupPolicy_anyconnect
    tunnel-group anyconnect webvpn-attributes
    group-alias anyconnect enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:24bcba3c4124ab371297d52260135924
    : end :

    : Saved
    ASA Version 8.4(4)1
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface GigabitEthernet0/1
    nameif inside
    security-level 99
    ip address 192.168.1.254 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 99
    ip address 192.168.100.1 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name dock.local
    same-security-traffic permit inter-interface
    object network inside-network-object
    subnet 192.168.1.0 255.255.255.0
    object network management-network-object
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.250.0_25
    subnet 192.168.250.0 255.255.255.0
    object-group network AllInside-networks
    network-object object inside-network-object
    network-object object management-network-object
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool Anyconnect-pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic AllInside-networks interface
    nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
    nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.100.2 255.255.255.255 management
    http 192.168.100.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.100.0 255.255.255.0 management
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_Anyconnect_VPN internal
    group-policy GroupPolicy_Anyconnect_VPN attributes
    wins-server none
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelall
    split-tunnel-network-list value split_tunnel
    default-domain value dock.local
    username sander password f/J.5nLef/EqyPfy encrypted
    username aveha password JA8X3IiqPvFFsZCT encrypted privilege 15
    tunnel-group Anyconnect_VPN type remote-access
    tunnel-group Anyconnect_VPN general-attributes
    address-pool Anyconnect-pool
    default-group-policy GroupPolicy_Anyconnect_VPN
    tunnel-group Anyconnect_VPN webvpn-attributes
    group-alias Anyconnect_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:4636fa566ffc11b0f7858b760d974dee
    : end:

  • Multiple Internal IP in PIX 525 v7.2 unable to access from HQ

    Hi Guys,
    I have a problem where my HQ (private IP) is unable to ping and access a server with IP 10.45.x.42 that resides at my branch. Both HQ and my branch use private IPs. My LAN uses 2 IP ranges.
        LAN                       FW                 Exinda             Router
    10.45.x.0/19(old range)----->10.36.x.12---->  10.39.x.3 ----> 10.39.x.1----->Internet
    10.36.x.0/16(New range)
    Previously I was using both IP ranges in my network-object, and I asked our provider to ping my LAN, but there was no reply.
    Now the problem is that the HQ/provider can't ping 10.45.x.0/19; it gets stuck at the PIX.
    When I use packet-tracer I get this result. It seems to get stuck at NAT.
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    nat (inside) 1 access-list net36
    nat-control
      match ip inside 10.45.x.0 255.255.224.0 Net any
        dynamic translation to pool 1 (10.39.x.2 [Interface PAT])
        translate_hits = 3185, untranslate_hits = 0
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0x4dc4d38, priority=2, domain=nat-reverse, deny=false
        hits=1782778, user_data=0x4d2e470, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.45.x.0, mask=255.255.224.0, port=0
    Here is my config of network-object
    object-group network NET_CLIENT
    network-object 10.36.x.0 255.255.0.0
    network-object 10.45.x.0 255.255.224.0
    access-list permit-all extended permit icmp any any
    access-list permit-all extended permit ip any any
    access-list permit-all extended permit udp any any
    access-list permit-all extended permit tcp any any
    access-list net36 extended permit ip object-group NET_CLIENT any
    access-list net36 extended permit tcp object-group NET_CLIENT any
    access-list net36 extended permit udp object-group NET_CLIENT any
    access-list net36 extended permit icmp object-group NET_CLIENT any
    I really appreciate your help and advice

    Hi Jouni,
    I can't do the packet-tracer as the PIX has already been bypassed by my superior.
    Based on my config, how should I allow IP 10.45.x.0 to be pingable from the outside interface, e.g. my HQ? As this config was written, the log shows it has no translation group towards the dst 10.45.x.0/19.
    Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.24/50204 dst inside:10.45.x.51/443
    Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.43/65025 dst inside:10.45.x.51/443
    Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:113.210.x.139/34736 dst inside:10.45.x.51/443
    *Based on my config, even allowing all for in and out, I am still stuck with the "No translation group". Can you guide me on how to use the network-object with the ACL so that outside can access the server inside and it will not get stuck on the NAT portion?
    ===============
    PIX Version 7.2(1)
    hostname SD
    names
    dns-guard
    interface Ethernet0
    nameif Net
    security-level 0
    ip address 10.39.x.x 255.255.255.128
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.36.x.x 255.255.255.248
    interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet5
    shutdown
    no nameif
    no security-level
    no ip address
    ftp mode passive
    clock timezone MYT 8
    dns server-group DefaultDNS
    domain-name
    same-security-traffic permit inter-interface
    access-list permit-all extended permit icmp any any
    access-list permit-all extended permit ip any any
    access-list permit-all extended permit udp any any
    access-list permit-all extended permit tcp any any
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 16384
    logging buffered notifications
    logging trap debugging
    logging history informational
    logging asdm informational
    logging host inside 10.36.x.17
    logging ftp-bufferwrap
    mtu Net 1500
    mtu inside 1500
    ip verify reverse-path interface Net
    ip verify reverse-path interface inside
    no failover
    asdm image flash:/asdm-521.bin
    asdm history enable
    arp timeout 14400
    nat-control
    global (Net) 1 interface
    nat (inside) 1 10.0.0.0 255.0.0.0
    access-group permit-all in interface Net
    access-group permit-all in interface inside
    route Net 0.0.0.0 0.0.0.0 10.39.x.x 1
    route inside 10.36.0.0 255.255.0.0 10.36.x.x 1
    route inside 10.45.x.0 255.255.224.0 10.36.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 10.36.x.142 255.255.255.255 inside
    snmp-server location level 2
    snmp-server contact Network
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    telnet 10.36.x.x 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:
    : end
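
An added example, not part of the thread: a parser for the `305005` messages quoted above that groups them by inside destination and lists the destinations with no inbound translation rule, which `nat-control` requires for outside-to-inside traffic. The log lines are constructed (the redacted `x` octets are replaced with made-up values), and the `inbound_nets` list and function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# CONSTRUCTED log lines in the format quoted in the post; addresses are
# made-up stand-ins for the redacted ones.
SAMPLE_LOG = """\
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:203.0.113.24/50204 dst inside:10.45.0.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:203.0.113.43/65025 dst inside:10.45.0.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:198.51.100.139/34736 dst inside:10.45.0.51/443
Jul 02 2013 20:13:31: %PIX-3-305005: No translation group found for icmp src Net:198.51.100.7 dst inside:10.45.0.42 (type 8, code 0)
Jul 02 2013 20:13:32: %PIX-6-302013: Built outbound TCP connection 1 for Net:203.0.113.9/80 (203.0.113.9/80) to inside:10.36.0.20/1025 (10.39.0.2/1025)
"""

# Ports are optional because ICMP messages carry type/code instead.
LINE = re.compile(
    r"%(?:PIX|ASA)-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?"
)


def summarize(log_text):
    """Map (dst_if, dst_ip, proto, dst_port) -> sorted list of source IPs."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # other message IDs are ignored
        port = int(m["dport"]) if m["dport"] else None
        hits[(m["dif"], m["dip"], m["proto"], port)].add(m["sip"])
    return {key: sorted(srcs) for key, srcs in hits.items()}


def uncovered(summary, inbound_nets):
    """Destination IPs that fall outside every network in inbound_nets.

    inbound_nets is a HYPOTHETICAL list of inside networks that already have
    a static or NAT-exemption rule; the posted config has none.
    """
    nets = [ipaddress.ip_network(n) for n in inbound_nets]
    missing = set()
    for (_dif, dip, _proto, _port) in summary:
        if not any(ipaddress.ip_address(dip) in n for n in nets):
            missing.add(dip)
    return sorted(missing)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (dif, dip, proto, port), srcs in summary.items():
        print(f"{dif}:{dip} {proto}/{port}: {len(srcs)} distinct sources")
    print("no inbound translation rule for:", uncovered(summary, []))
```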

  • WLAN Controller learning IP/MAC on wrong virtual interface

    Hello
    I believe since I upgraded my WiSM to 7.0.250.0 it is learning a MAC address on the wrong virtual interface.
    The setup:
    - a Linux server with 2 virtual interfaces, both use the same MAC address, one is the gateway of VLAN 116 and one is the gateway of VLAN 240
    - a WiSM with several virtual interfaces, including one in 116 and one in 240
    Here the arp table with the problem:
        MAC Address        IP Address     Port   VLAN   Type
    00:50:56:BD:32:92   172.16.240.9     29     240    Host
    00:1E:4A:FA:87:8B   172.16.102.12    29     0      Permanent
    00:1E:4A:FA:50:0B   172.16.102.13    29     0      Permanent
    00:1E:4A:FA:81:2B   172.16.102.14    29     0      Permanent
    00:50:56:BD:32:92   172.16.116.9     29     240    Host
    00:1D:E0:31:55:23   172.16.116.185   29     116    Client
    58:94:6B:68:50:E8   172.16.118.201   29     116    Client
    1C:B0:94:B7:38:08   172.16.118.234   29     116    Client
    And here after I made a PING from the controller to the listed ip address:
        MAC Address        IP Address     Port   VLAN   Type
    00:50:56:BD:32:92   172.16.240.9     29     240    Host
    00:1E:4A:FA:87:8B   172.16.102.12    29     0      Permanent
    00:1E:4A:FA:50:0B   172.16.102.13    29     0      Permanent
    00:1E:4A:FA:81:2B   172.16.102.14    29     0      Permanent
    00:50:56:BD:32:92   172.16.116.9     29     116    Host
    00:1D:E0:31:55:23   172.16.116.185   29     116    Client
    38:E7:D8:D3:7C:FA   172.16.118.92    29     116    Client
    58:94:6B:68:50:E8   172.16.118.201   29     116    Client
    1C:B0:94:B7:38:08   172.16.118.234   29     116    Client
    18:AF:61:12:E9:FB   192.168.1.59     29     117    Client
    Has anybody else the same problem?
    The host 172.16.116.9 is also the configured DHCP server on VLAN 116.
    Is there a way to statically configure this IP address on that VLAN? Because it causes every few days a service outage on that VLAN (which is bound to an SSID).

    Yup, I'd say still valid. Seeing as it is the gateway, if it had different mac addresses per interface, it might still work.
    No, clients in the same subnet can communicate, but it is not recommended to 'bridge' wired and wireless with a WLC. The WLC doesn't like to bridge the communication by default, though there are workarounds.
    I might also say that as it uses the same MAC address for both virtual interfaces L2 is going to be messed up as each time there was an ARP the entry would change.
    Take a look and see if you can manually change the mac for one of the interfaces and test again.
    HTH,
    Steve
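
The symptom in this thread can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the first ARP table posted above and flags entries learned on a VLAN that does not match their subnet, plus MACs reused across VLANs. The subnet-to-VLAN plan (`VLAN_PLAN`) is an assumption inferred from the posted addresses, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# ARP table as posted in the thread, before the ping from the controller.
ARP_TABLE = """\
    MAC Address        IP Address     Port   VLAN   Type
00:50:56:BD:32:92   172.16.240.9     29     240    Host
00:1E:4A:FA:87:8B   172.16.102.12    29     0      Permanent
00:1E:4A:FA:50:0B   172.16.102.13    29     0      Permanent
00:1E:4A:FA:81:2B   172.16.102.14    29     0      Permanent
00:50:56:BD:32:92   172.16.116.9     29     240    Host
00:1D:E0:31:55:23   172.16.116.185   29     116    Client
58:94:6B:68:50:E8   172.16.118.201   29     116    Client
1C:B0:94:B7:38:08   172.16.118.234   29     116    Client
"""

# ASSUMPTION: subnet-to-VLAN plan inferred from the addresses in the post;
# replace it with the controller's real dynamic-interface subnets.
VLAN_PLAN = {
    ipaddress.ip_network("172.16.116.0/22"): 116,
    ipaddress.ip_network("172.16.240.0/24"): 240,
}


def parse_arp(text):
    """Return (mac, ip, vlan, type) for each data row, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].count(":") != 5:
            continue
        mac, ip, _port, vlan, kind = parts
        rows.append((mac.upper(), ipaddress.ip_address(ip), int(vlan), kind))
    return rows


def expected_vlan(ip):
    """VLAN the address should live on according to VLAN_PLAN, or None."""
    for net, vlan in VLAN_PLAN.items():
        if ip in net:
            return vlan
    return None


def wrong_vlan_entries(rows):
    """Learned entries whose VLAN differs from the one their subnet maps to."""
    out = []
    for mac, ip, vlan, kind in rows:
        want = expected_vlan(ip)
        if kind != "Permanent" and want is not None and vlan != want:
            out.append((str(ip), mac, vlan, want))
    return out


def shared_macs(rows):
    """MACs that answer for addresses in more than one planned VLAN."""
    seen = defaultdict(set)
    for mac, ip, _vlan, _kind in rows:
        want = expected_vlan(ip)
        if want is not None:
            seen[mac].add(want)
    return {mac: sorted(v) for mac, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    rows = parse_arp(ARP_TABLE)
    for ip, mac, got, want in wrong_vlan_entries(rows):
        print(f"{ip} ({mac}) learned on VLAN {got}, expected VLAN {want}")
    for mac, vlans in shared_macs(rows).items():
        print(f"{mac} is used on VLANs {vlans}")
```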

  • Unable to Ping IP when using route redistribution

    Hi Everyone,
    I have below setup
    R1 is running EIGRP and connected to R2 via EIGRP
    R2 is Running OSPF and connected to R3 via OSPF.
    R2 is doing the redistribution of eigrp to ospf and vice versa.
    R1 config
    interface FastEthernet1/0/1
    ip address 10.1.12.1 255.255.255.0
    R1# sh ip  eigrp nei
    EIGRP-IPv4 Neighbors for AS(100)
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    0   10.1.12.2               Fa1/0/1           13 01:47:54  652  3912  0  14
    R2 config
    interface FastEthernet0/16
    ip address 10.1.12.2 255.255.255.0
    sh ip eigrp nei
    EIGRP-IPv4:(100) neighbors for process 100
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    0   10.1.12.1               Fa0/16            12 01:49:44    1   200  0  36
    interface FastEthernet0/19
      ip address 10.1.23.2 255.255.255.0
    sh ip ospf 10  neighbor
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    10.1.23.3         1   FULL/DR         00:00:38    10.1.23.3       FastEthernet0/19
    Redistribution config on R2
    router ospf 10
    router-id 10.1.23.2
    log-adjacency-changes
    redistribute eigrp 100 subnets
    network 10.1.23.0 0.0.0.255 area 10
    distribute-list 1 out
    router eigrp 100
    redistribute ospf 10 metric 100 100 100 100 100
    no auto-summary
    network 10.1.12.0 0.0.0.255
    R3 config
    interface FastEthernet0/16
      ip address 10.1.23.3 255.255.255.0
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    10.1.23.2         1   FULL/BDR        00:00:36    10.1.23.2       FastEthernet0/16
    R1 Routing Table shows routes learned via ospf network of R1.
    R1#sh ip route eigrp 100
         10.0.0.0/8 is variably subnetted, 15 subnets, 2 masks
    D EX    10.1.10.1/32 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    D EX    10.1.11.1/32 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    D EX    10.1.8.1/32 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    D EX    10.1.9.1/32 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    D EX    10.1.13.1/32 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    D EX    10.1.7.1/32 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    D EX    10.1.23.0/24 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    I am able to ping the IP of the OSPF interface of R2 but not of R3, as shown below
    R1#                          ping 10.1.23.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.23.2, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
    R1#                          ping 10.1.23.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.23.3, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    R1#
    I need to know why, even though the route is in the routing table, I am unable to ping the IP 10.0.23.3?
    Also unable to ping the loopback IP of R3  below
    R1#                          ping 10.1.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.10.1, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Regards
    Mahesh

    Hi Alain,
    Yes, R3 was getting the filtered EIGRP routes from R1 via R2.
    I removed the distribute list on R2 and ping worked fine now.
    I understood now why ping was not working earlier, as R1 int IP 10.1.12.1 was dropped by the distribute list.
    Now I added this to ACL 1 on R2, which is used by the distribute list on R2, and ping works fine now while using the distribute list on R2.
    Best regards
    Mahesh
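
Why the forward route alone was not enough, as an added example (not from the thread): a small model of the three routers that shows the echo reply being lost when `distribute-list 1 out` on R2 withholds 10.1.12.0/24 from R3. The contents of ACL 1 are not shown in the thread, so `ACL_BEFORE` and `ACL_AFTER` are hypothetical, as are the helper names.

```python
import ipaddress

# Addresses taken from the thread; 10.1.10.1 is the R3 loopback R1 pinged.
OWNED = {
    "R1": {"10.1.12.1"},
    "R2": {"10.1.12.2", "10.1.23.2"},
    "R3": {"10.1.23.3", "10.1.10.1"},
}
# HYPOTHETICAL ACL 1 contents (the thread never shows them).
ACL_BEFORE = [("permit", "10.1.1.0", "0.0.0.255")]
ACL_AFTER = ACL_BEFORE + [("permit", "10.1.12.0", "0.0.0.255")]


def acl_permits(acl, prefix):
    """Standard ACL as a distribute-list applies it: match the route's
    network address, first hit wins, implicit deny at the end."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False


def build_tables(acl1):
    """Routing tables after R2 redistributes in both directions."""
    ospf_side = ["10.1.23.0/24", "10.1.10.1/32"]   # sent into EIGRP
    eigrp_side = ["10.1.12.0/24"]                  # sent into OSPF
    r1 = {"10.1.12.0/24": "connected"}
    r1.update({p: "R2" for p in ospf_side})        # the D EX routes on R1
    r2 = {"10.1.12.0/24": "connected", "10.1.23.0/24": "connected",
          "10.1.10.1/32": "R3"}
    r3 = {"10.1.23.0/24": "connected", "10.1.10.1/32": "connected"}
    # "redistribute eigrp 100 subnets" filtered by "distribute-list 1 out"
    r3.update({p: "R2" for p in eigrp_side if acl_permits(acl1, p)})
    return {"R1": r1, "R2": r2, "R3": r3}


def lookup(table, dst):
    """Longest-prefix match; returns 'connected', a router name, or None."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), via) for p, via in table.items()
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def deliver(tables, start, dst):
    """Follow next hops from `start`; return the router owning dst or None."""
    node = start
    for _ in range(8):                             # hop limit
        if dst in OWNED[node]:
            return node
        via = lookup(tables[node], dst)
        if via == "connected":                     # hand to the on-link owner
            via = next((r for r, ips in OWNED.items() if dst in ips), None)
        if via is None:
            return None                            # no route: packet dropped
        node = via
    return None


def ping_ok(tables, src_router, src_ip, dst_ip):
    """A ping succeeds only if request AND reply can both be routed."""
    target = deliver(tables, src_router, dst_ip)
    return target is not None and deliver(tables, target, src_ip) == src_router


if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        t = build_tables(acl)
        for dst in ("10.1.23.2", "10.1.23.3", "10.1.10.1"):
            print(label, dst, ping_ok(t, "R1", "10.1.12.1", dst))
```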
