You should be able to ping the inside interface of your PIX. You cannot ping
an outside interface. There must be route statements in your PIX so that it
knows where to send the reply.
At 08:52 AM 03/02/2001 -0500, Nabil Fares wrote:
>Rob,
>
>By default PIX does not allow pings! You can have connectivity through it
>but you can't ping it. You have to create an access list allowing ICMP.
>Of course, this is assuming it's not a subnetting issue. Cisco recommends this
>access-list be used for testing purposes only, remove when done.
>
>HTH,
>
>Nabil
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Rob Cabeca
>Sent: Thursday, March 01, 2001 9:37 PM
>To: groupstudy
>Subject: Help!, because Cisco says they can't. Firewall & Vlan problem.
>
>
>You guys have always been on target for me. I am hoping you give some
>insight to this. (the following addresses have been slightly altered for
>obvious reasons but they are true to the real ones).
>
>Overview.
>
>I am upgrading a network which has a 155.102.0.0 255.255.0.0 network. It is
>flat. I have implemented a new IP scheme to be used in several VLANs and
>am trying to migrate to it. IP range is 10.25.192.0 - 10.25.223.254 broken
>up into several /24s. There are 600 devices. Now to the nitty gritty.
>
>Network Description
>
>The 6506 has seven VLANs configured as follows:
>VLAN 1 - 10.25.223.2 /24 Primary & 155.102.127.26 /16 secondary.
>VLAN 2 - 10.25.215.254 /24
>VLAN 3 - 10.25.216.254 /24
>to -
>VLAN 7 - 10.25.220.254 /24
>
>There are 2 2600's which are routing to an ASP. Their addresses are router
>A - 10.25.223.3 & B - .4 with .5 as HSRP.
>There is a PIX 515 using address 155.102.18.191 NATing to the internet.
>The 2600's have an extended access list on them which directs Port 80
>traffic from the 159.102.x.x network between the ASP WAN and the internet.
>They are also doing NAT from the ASP to the 155.102.x.x network. 1 class C
>NAT pool for each router. A- 10.25.213.0 /24, B - 10.25.214.0 /24.
>
>Problem
>
>I cannot ping the firewall interface from the MSFC or the 6506 or from any
>workstation that is using ANY of the VLAN default gateways. I have full
>connectivity to the ASP WAN. I have full connectivity to the other VLANs.
>When devices use the 2600's HSRP address as default gateway, they have
>access to the firewall, the ASP and the VLANs. I have no access to the
>2600's as they do not belong to us.
>
>I spoke with the Cisco TAC a few times. They gave up and wouldn't escalate
>it because they could not find our service contract that we purchased. They
>were anxious to close the case.
>
>The trick to this migration is to maintain connectivity to all devices as
>they are being migrated to the new IP scheme.
>
>I will be very grateful for any serious replies to this situation.
>
>Thanks for your expertise!
>Rob
>
>
>_________________________________
>FAQ, list archives, and subscription info:
>http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
Darren S. Crawford - CCNA
Lucent Technologies Worldwide Services
2377 Gold Meadow Way Phone: (916) 859-5200 x310
Suite 230 Fax: (916) 859-5201
Sacramento, CA 95670 Pager: (800) 467-1467
Email: [EMAIL PROTECTED] Epager: [EMAIL PROTECTED]
http://www.lucent.com Network Systems Consultant
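
The return-route point in the reply at the top of this thread can be checked with a longest-prefix-match lookup. The sketch below is an added example, not part of the original messages: the PIX route table, its /16 inside mask, the default route and the sample host addresses are assumptions, since the thread does not show the firewall's configuration.

```python
import ipaddress

# Constructed data: the thread does not show the PIX configuration.
# The /16 inside mask and the default route are assumptions.
PIX_ROUTES = [
    # (prefix, exit interface, next hop; None means directly connected)
    ("155.102.0.0/16", "inside", None),
    ("0.0.0.0/0", "outside", "ISP-GATEWAY-PLACEHOLDER"),
]

# New VLAN range from the post: 10.25.192.0 - 10.25.223.254
NEW_RANGE = "10.25.192.0/19"
# Gateway the 6506 presents on the old network (VLAN 1 secondary address)
SWITCH_ON_OLD_NET = "155.102.127.26"
# Constructed sample hosts: one on the old flat network, two on new VLANs
SAMPLE_SOURCES = ["155.102.40.10", "10.25.215.20", "10.25.220.7"]


def lookup(routes, dst):
    """Longest-prefix match; returns (network, interface, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, hop)
    return best


def reply_path(routes, src, expected_iface="inside"):
    """Classify where the firewall would send an echo reply addressed to src."""
    hit = lookup(routes, src)
    if hit is None:
        return "no route"
    _, iface, _ = hit
    return "ok" if iface == expected_iface else f"wrong interface ({iface})"


def report(routes):
    return {src: reply_path(routes, src) for src in SAMPLE_SOURCES}


if __name__ == "__main__":
    print("before:", report(PIX_ROUTES))
    # Return route for the new range via the 6506; on a PIX this would be a
    # "route inside <network> <mask> <gateway>" statement.
    fixed = PIX_ROUTES + [(NEW_RANGE, "inside", SWITCH_ON_OLD_NET)]
    print("after: ", report(fixed))
```

With the assumed table, replies to hosts in the new 10.25.x.x VLANs follow the default route out the outside interface until a route for the new range points back at the 6506.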