Cannot ping hosts on the same vlan on the 2 switches.

Similar Questions

• ACI - cannot reach hosts outside the fabric until the traffic is inititated from a host outside in a host connected to the fabric

  I have a group of the same EPG and VLAN statically mapped ports on my fabric of ACI.  One port connects to a port on a stack of 3750 x uplink.  Hosts on the fabric, I cannot ping hosts on the 3750 until I have initiated traffic from hosts on the 3750 in the fabric.  Once it done on each host of 3750, they can talk to each other.  Why is this happening?

  Thank you!

  When traffic is a failure, the destination will probably not learned as an EP in the fabric.  You can check by looking at the operational tab of the EPG.

  Once you ping the 3750, we learn the EP and traffic works from the original source.  When the BD "Equipment Proxy" mode, the destination must be learned.

  If you change the mode of the 'Flood' comic, then inundate us and learn as a normal switch.

  Joey

• Comments cannot ping host

  Hi all:

  I have a strange problem of networking that VMware technical support has not been able to help.

  Summary of the problem: comments cannot ping host unless the host is a ping command, while the guest is ping to the host

  Details of the problem: I have intalled VMware Workstation 6.5.2 on the host Windows Vista Edition Home Premium (SP1). I installed several guests, including Ubuntu 8.04, openSUSE 11, Win XP and Win 2000. All guests use "bridged" network. The host has a static IP address. All guests have DHCP. All these people have the same problem - they cannot ping the host. It simply returns "Destination unreachable". However, if I run a ping from the host (it didn't ping the same customer, any ip address on the network) while the guest is ping to the host, and then will cross ping of the guest. For the next two minutes, the guest will be able to ping the host without any problem (without 'help' of the host). Then the guest will again be able ping on the host and you will have to repeat the same process. Quite strange, isn't? Another problem, I can access the internet from the hosts and guests can ping each other. (I can't access the printer connected to the host. However if the guest can ping on the host, then it can also access the printer as well.) I tried everything but still can't find the root cause of the problem. Here is a list of the things I've tried:

  1. tried VMware Workstation 6.5.2 on a Windows XP computer on the same network (equipped with a wireless card intel) and did NOT have this problem.

  2. firewalls, antivirus software, VPN clients, etc. were all off. It did not help.

  3. the problem disappears if I use the wired Ethernet connection

  4. the current wireless adapter is a D-Link, but I also tried with a Linksys Wireless card and had the same problem

  5. the same problem exists also for VMware 6.5.1

  6. I have installed the software VirtuaBox VM from Sun and installed the same comments from Ubuntu on the same host. The problem goes away!

  7. I also tried the "NAT" networking and had the same problem.

  8. I also tried DHCP for host and had the same problem.

  I've tried everything I can think of and nothing seemed to help. I have filed a request for assistance with VMware tech and traded a few emails with the support guy but have not heard from him for a few days. I would really appreciate if someone can offer a few ideas to help solve this problem. I'm not a networking guru, but I'm a software engineer, so you can talk to me in technical terms.

  Thank you in advance.

  Yes! as noted above, it is the arp tables.

  my router is assigned the same IP address for the host computer and the guest, so as soon as you ping from your host prompt, the mac and ip is back in the arp (invites) tables and from there he will communicate via newly assigned ARP table. You can check this scathing the hostname and it will be the same ip address as your guest (in my case)

  I then googled arp vmware and discovered that it is familir with chipset broadcom and vmware behavior.

  ARP - a displays the tables,

  ARP s 00-00-00-00-00-00 192.168.x.xxx - assign the IP address to a MAC address.

  I hope this helps.

• The VPN Clients cannot Ping hosts

  I'll include a post my config. I have clients that connect through the VPN tunnel on the 180.0.0.0/24 network, 192.168.1.0/24 is the main network for the office.

  I can connect to the VPN, and I received a correct address assignment. I belive tunneling can be configured correctly in the aspect that I can always connect to the internet then on the VPN, but I can't ping all hosts on the 192.168.1.0 network. In the journal of the ASDM debugging, I see pings to the ASA, but no response is received on the client.

  6

  February 21, 2013

  21:54:26

  180.0.0.1

  53508

  192.168.1.1

  0

  Built of ICMP incoming connections for faddr gaddr laddr 192.168.1.1/0 (christopher) 192.168.1.1/0 180.0.0.1/53508

  Any help would be greatly appreciated, I'm currently presuring my CCNP so I would get a deeper understanding of how to resolve these issues.

  -Chris

  hostname RegencyRE - ASA

  domain regencyrealestate.info

  activate 2/VA7dRFkv6fjd1X of encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  name 180.0.0.0 Regency

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  link to the description of REGENCYSERVER

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  link to the description of RegencyRE-AP

  !

  interface Vlan1

  nameif inside

  security-level 100

  192.168.1.120 IP address 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP x.x.x.x 255.255.255.248

  !

  passive FTP mode

  clock timezone PST - 8

  clock summer-time recurring PDT

  DNS lookup field inside

  DNS domain-lookup outside

  DNS server-group DefaultDNS

  Server name 208.67.220.220

  name-server 208.67.222.222

  domain regencyrealestate.info

  inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 Regency 255.255.255.224

  RegencyRE_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0

  outside_access_in list extended access permit icmp any one

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  mask Regency 180.0.0.1 - 180.0.0.20 255.255.255.0 IP local pool

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow any inside

  ICMP allow all outside

  ASDM 255.255.255.0 inside Regency location

  ASDM location 192.168.0.0 255.255.0.0 inside

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 12.186.110.2 1

  Route inside 192.0.0.0 255.0.0.0 192.168.1.102 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  the ssh LOCAL console AAA authentication

  LOCAL AAA authentication serial console

  http server enable 8443

  http 0.0.0.0 0.0.0.0 outdoors

  http 0.0.0.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 0.0.0.0 0.0.0.0 inside

  SSH 0.0.0.0 0.0.0.0 outdoors

  SSH timeout 15

  SSH version 2

  Console timeout 0

  dhcprelay Server 192.168.1.102 inside

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  NTP server 69.25.96.13 prefer external source

  NTP server 216.171.124.36 prefer external source

  WebVPN

  internal RegencyRE group strategy

  attributes of Group Policy RegencyRE

  value of server DNS 208.67.220.220 208.67.222.222

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list RegencyRE_splitTunnelAcl

  username password encrypted adriana privilege 0

  christopher encrypted privilege 15 password username

  irene encrypted password privilege 0 username

  type tunnel-group RegencyRE remote access

  attributes global-tunnel-group RegencyRE

  Regency address pool

  Group Policy - by default-RegencyRE

  IPSec-attributes tunnel-group RegencyRE

  pre-shared key R3 & eNcY1.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  Review the ip options

  inspect the netbios

  inspect the rsh

  inspect the rtsp

  inspect the skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect the tftp

  inspect the sip

  inspect xdmcp

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  call-home

  Profile of CiscoTAC-1

  no active account

  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

  email address of destination [email protected] / * /

  destination-mode http transport

  Subscribe to alert-group diagnosis

  Subscribe to alert-group environment

  Subscribe to alert-group monthly periodic inventory

  monthly periodicals to subscribe to alert-group configuration

  daily periodic subscribe to alert-group telemetry

  Cryptochecksum:35bc3a41701f7f8e9dde5fa35532896d

  : end

  Hello

  -be sure that the destination host 192.168.1.x has a route towards 180.0.0.0 by the ASA gateway.

  -Configure the following figure:

  capture capin interface inside match icmp 192.168.1.x host 180.0.0.x

  capture ASP asp type - drop all

  then make a continuous ping and get 'show capin cap' and 'asp cap.

  -then check the ping, the 'encrypted' counter is increasing in the VPN client statistics

  I would like to know about it, hope this helps

  ----

  Mashal

• Cannot Ping hosts after you connect to ASA5500 using a client connection

  I can ping hosts and gateways of the ASA5500, but after I connect I can't ping anything. The ASA5500 is connected to a layer 2 switch, this switch is shared resources for a layer 3. This 3 level switch is connected to another switch to level 3 where the gateways and hosts live. Again, I can ping hosts and gateways of the ASA5500 itself.

  ASA Version 8.2 (5)
  !
  activate 8Ry2YjIyt7RRXU24 encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  IP address 208.19.xxx.xx 255.255.255.240
  !
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  IP 10.47.146.199 255.255.255.0
  !
  interface GigabitEthernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  <--- more="" ---="">
  !
  interface GigabitEthernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  passive FTP mode
  DNS server-group DefaultDNS
  permit same-security-traffic inter-interface
  IP 10.47.138.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  IP 10.47.140.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  IP 10.47.141.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  IP 10.47.148.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  IP 10.47.149.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  IP 10.47.150.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  IP 10.47.151.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  IP 10.47.133.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  IP 10.47.212.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  IP 10.47.153.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  IP 10.47.157.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  IP 10.47.154.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  IP 10.47.146.0 allow Access - list extended SHEEP 255.255.255.0 172.16.1.0 255.255.255.0
  pager lines 24
  Within 1500 MTU
  Outside 1500 MTU
  mask 172.16.1.10 - 172.16.1.200 255.255.255.0 IP local pool VPNpool
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0
  Route outside 0.0.0.0 0.0.0.0 208.19.xxx.xx 1
  Route inside 10.47.133.0 255.255.255.0 10.47.146.1 1
  Route inside 10.47.138.0 255.255.255.0 10.47.146.1 1
  Route inside 10.47.140.0 255.255.255.0 10.47.146.1 1
  Route inside 10.47.141.0 255.255.255.0 10.47.146.1 1
  Route inside 10.47.148.0 255.255.255.0 10.47.146.1 1
  Route inside 10.47.149.0 255.255.255.0 10.47.146.1 1
  Route inside 10.47.150.0 255.255.255.0 10.47.146.1 1
  Route inside 10.47.151.0 255.255.255.0 10.47.146.1 1
  Route inside 10.47.153.0 255.255.255.0 10.47.146.1 1
  Route inside 10.47.154.0 255.255.255.0 10.47.146.1 1
  Route inside 10.47.157.0 255.255.255.0 10.47.146.1 1
  Route inside the 10.47.212.0 255.255.254.0 10.47.146.1 1
  Route inside the 10.47.214.0 255.255.254.0 10.47.146.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  No snmp server location
  No snmp Server contact
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  allow outside
  SVC disk0:/anyconnect-win-3.1.04072-k9.pkg 1 image
  enable SVC
  tunnel-group-list activate
  Anyconnect-policy group policy interns
  Anyconnect-policy-strategy of group attributes
  VPN - 100 simultaneous connections
  VPN-idle-timeout no
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  WebVPN
  SVC Dungeon-Installer installed
  SVC request to enable default timeout 20 svc
  username billuser1 password eS3lou7xhp / 8g 705 encrypted
  username billuser1 attributes
  type of remote access service
  tunnel-group bill type remote access
  tunnel-group invoice General attributes
  address pool VPNpool
  strategy-group-by default Anyconnect-policy
  tunnel-group bill webvpn-attributes
  activation of the Group billgroup_users alias
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  Review the ip options
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  !
  global service-policy global_policy
  context of prompt hostname
  no remote anonymous reporting call
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/De destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:80003da27b3641b2123e30df5ef6b320
  : end
  cvpn #.

  Hello

  You must ensure that networks l3 behind firewalls have itinerary for your "VPNpool" subnet and you need create the rule of no - NAT as shown below

  NAT (inside) 0 access-list SHEEP

  HTH

  Averroès.

• Cannot ping computers on the subnet remote site vpn while to set up

  Hi all

  I encountered a problem of site to site vpn for ping answered nothing of machines of remote subnet.

  the ipsec tunnel is ok but I can ping the ASA distance inside the interface ip

  Here is my scenario:

  LAN1 - ASA5510 - ASA5505 - LAN2 - ordinateur_distant

  LAN1: 192.168.x.0/24

  LAN2: 172.25.88.0/24

  remote_machine_ip: 172.25.87.30

  LAN1 can ping to ASA5505 inside interface (172.25.88.1)

  but cannot ping ordinateur_distant (172.25.87.30)

  Inside of the interface ASA5505 can ping ordinateur_distant

  LAN2 can ASA5510 ping inside the machines on LAN1 and interface

  Is there something I missed?

  Thanks much for the reply

  I don't think it's something you really want to do.

  If you PAT the whole subnet to LAN1 ip (192.168.1.0/24) to 172.25.249.1, then LAN2, will not be able to reach the specific host on LAN1, cause now, you represent the LAN1 network, with a single ip address.

  So traffic will become a way from LAN1 can reach LAN2 and get the response of LAN2 through the PAT on 172.25.249.1

  But LAN2, is no longer specific hosts LAN1 ip traffic, since you only have 172.25.249.1, to represent the subnet to LAN1.

  If you still want to PAT the whole subnet to LAN1 (192.168.1.0/24) ip to 172.25.249.1, then you have to do outside the NAT.

  http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/command/reference/no.html#wp1737858

  Kind regards

• Cannot ping ASA inside the interface via VPN

  Hello

  I have a scenario with tunel VPN between a router and ASA and can ping subnet behind ASA subnet behind the router (and), but I cannot ping the ASA inside the interface on the VPN tunnel. I need to access the remote location ASDM. How can it be done?

  Thanks for your suggestions.

  Remi

  Hello

  You must have the 'inside access management' command configured on the SAA.

  If you run a 8.3 software or newer on the SAA, should also look at the configuration 'nat' IF the above command solves your problem

  -Jouni

• ASA5510 VPN L2L cannot reach hosts on the other side

  Hello experts,

  I have an ASA5510 with 3 VPN L2L and remote VPN access. Two VPN L2L, Marielle and Aeromique no problem, but for VPN ASPCANADA, to a host behind the ASA 192.168.100.xx, I can't reach 57.5.64.250 or 251 and vice versa. But the tunnel is up. Can you help me please, thank you in advance.

  Add these two lines to the NAT 0 access list:

  inside_outbound_nat0_acl list extended access allowed hosting ASP-NETWORK 255.255.255.0 ip 57.5.64.251

  inside_outbound_nat0_acl list extended access allowed hosting ASP-NETWORK 255.255.255.0 ip 57.5.64.250

  Also make sure this reflection of these statements are also in the distance of the ASA NAT 0-list of access.

  Test and validate results

  HTH

  Sangaré

  Pls rate helpful messages

• Cannot ping host or guest using VM Workstation 5.5

  Local host Machine Windows XP

  VMWare Network Adpater VMNet1 (host)

  IP 192.168.189.1

  Adpater Ethernet Local machine

  Suffix connection specific DNS: ISP

  IP address: 192.168.1.101

  VM guest computer

  Ethernet adapter PB PVT:

  Suffix connection specific DNS: white

  IP address: 161.228.210.176

  The network of the virtual computer is configured to use "Home" only

  When I ping the host computer I get "Request timed out".

  When I ping the Guest Machine (VM) I get "Request timed out".

  Logon at the prompt, right click on 'My network places', choose 'Properties', right click on the connection to the local network and choose "Properties". Open the properties of "Internet (TCP/IP) Protocol". Select "Obtain an IP address automatically" and "Obtain DNS server address automatically". Let him.

  If this does not work, provide "ipconfig/all" host AND guest, but also some screenshots of the tabs in the VMware virtual network Editor!

  If you found this information useful, please consider awarding points to 'Correct' or 'Useful' responses Thank you!!

  AWo

  VCP / vEXPERT 2009

• Cannot ping host VMWARE

  If lost the connection to one of my VMware vCenter servers.

  I can still do the following...

  • use the vSphere client to go directly to it.
  • Ping the servers running on it.

  I think I broke one of the VMKernel ports or its delivery. This would be the case?

  What should I change to get this working? I know it's a gateway or a routing problem but can not see what is wrong.

  

  In my view, the line I marked / highlighted must really point to 192.168.101.1. Is it possible to change this gateway "Local subnet" or have I got it all wrong.

  Any guidance would be greatly appreciated.

  Problem was with the vswitch for her ip and gateway.

• Cannot add the host to the distributed switch

  Hello

  Updated some time a go to vSphere.  Environment has 2 hosts and I left it with standard switches.  Today, I thought I'll add a distributed switch and use the extra features etc.  I added the switch d however when I come to add a host it there are none listed?  Can someone tell me how do I migrate from standard to distributed please?

  Kind regards

  Stuart.

  First of all. Do you have an Enterprise Plus license? Distributed virtual switches not working Enterpise more licenses or if you are using the Evaluation Version.

  Secondly, you have all available vmnic? unless a computer host a vmnic unused, the hosts will display not.

• Cannot ping via the VPN client host when static NAT translations are used

  Hello, I have a SRI 3825 configured for Cisco VPN client access.

  There are also several hosts on the internal network of the static NAT translations have a services facing outwards.

  Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.

  For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.

  Any help would be appreciated.

  Concerning

  !

  session of crypto consignment

  !

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group vpnclient

  key S3Cu4Ke!

  DNS 192.168.1.1 192.168.1.2

  domain domain.com

  pool dhcppool

  ACL 198

  Save-password

  PFS

  netmask 255.255.255.0

  !

  !

  Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac

  !

  Crypto-map dynamic dynmap 10

  86400 seconds, life of security association set

  game of transformation-3DES-SECURE

  market arriere-route

  !

  card crypto client cryptomap of authentication list drauthen

  card crypto isakmp authorization list drauthor cryptomap

  client configuration address card crypto cryptomap answer

  map cryptomap 65535-isakmp ipsec crypto dynamic dynmap

  !

  interface GigabitEthernet0/0

  NAT outside IP

  IP 1.2.3.4 255.255.255.240

  cryptomap card crypto

  !

  interface GigabitEthernet0/1

  IP 192.168.1.254 255.255.255.0

  IP nat inside

  !

  IP local pool dhcppool 192.168.2.50 192.168.2.100

  !

  Note access-list 198 * Split Tunnel encrypted traffic *.
  access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

  !
  Note access-list 199 * NAT0 ACL *.
  access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  access-list 199 permit ip 192.168.1.0 0.0.0.255 any

  !

  Sheep allowed 10 route map
  corresponds to the IP 199

  !
  IP nat inside source map route sheep interface GigabitEthernet0/0 overload

  !

  IP nat inside source static 192.168.1.1 1.2.3.5
  IP nat inside source static 192.168.1.2 1.2.3.6

  The problem seems to be that static NAT take your nat exemption.

  The solution would be:

  IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
  IP nat inside source static 192.168.1.2 1.2.3.6 sheep map route

  HTH

  Herbert

• Cannot ping Lan devices in Vlan

  Hello

  I looked for a solution to this for the week without success. I came across a Cisco C3560, which is used because of its ability of poe to power some Deskphones Voip. While the works of great poe, machines connected to the switch can only communicate with each other and don't can't ping or otherwise access any device connected directly to the router of the network.

  The Cisco switch is configured with a vlan and a default gateway, but nothing comes out by behind the switch. On connected devices can ping by default gateway (192.168.0.1 - a tp-link router), receive a lease dhcp from the router said successfully and can connect to the internet, but on the local network, nothing works. (unable to connect to the printer connetced directly to the router or other computers connected directly to the router.

  Any advice? I am new to cisco switches, don't know what I'm doing here. I'm just trying to get devices that are connected directly to the switch to communicate with devices connected directly to the router.

  Switch#show runBuilding configuration...

  Current configuration : 1528 bytes!version 12.2service configno service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname Switch!enable secret 5 {}{}{}{}{}{}{}{}{}{}{}{}!no aaa new-modelclock timezone UTC 2system mtu routing 1500ip subnet-zero!!!!no file verify autospanning-tree mode pvstspanning-tree extend system-id!vlan internal allocation policy ascending!interface FastEthernet0/1!interface FastEthernet0/2!interface FastEthernet0/3!interface FastEthernet0/4!interface FastEthernet0/5!interface FastEthernet0/6!interface FastEthernet0/7!interface FastEthernet0/8!interface FastEthernet0/9!interface FastEthernet0/10!interface FastEthernet0/11!interface FastEthernet0/12!interface FastEthernet0/13!interface FastEthernet0/14!interface FastEthernet0/15!interface FastEthernet0/16!interface FastEthernet0/17!interface FastEthernet0/18!interface FastEthernet0/19!interface FastEthernet0/20!interface FastEthernet0/21!interface FastEthernet0/22!interface FastEthernet0/23!interface FastEthernet0/24 switchport mode access!interface GigabitEthernet0/1!interface GigabitEthernet0/2!interface Vlan1 ip address 192.168.0.26 255.255.255.0 no ip route-cache!ip default-gateway 192.168.0.1ip classlessip default-network 192.168.0.0ip http server!access-list 1 permit any log!control-plane!!line con 0line vty 0 4 password XXXXXXXXX login length 0line vty 5 15 password XXXXXXXX login length 0!end

   Switch#show interface

  Vlan1 is up, line protocol is up Hardware is EtherSVI, address is 001e.bd27.c4c0 (bia 001e.bd27.c4c0) Internet address is 192.168.0.26/24 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:00, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 1000 bits/sec, 3 packets/sec 138534 packets input, 9472693 bytes, 0 no buffer Received 0 broadcasts (68 IP multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 30296 packets output, 2248820 bytes, 0 underruns 0 output errors, 1 interface resets 0 output buffer failures, 0 output buffers swapped out

  FastEthernet0/2 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c484 (bia 001e.bd27.c484) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:56, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 46000 bits/sec, 37 packets/sec 5 minute output rate 582000 bits/sec, 71 packets/sec 1941044 packets input, 327622438 bytes, 0 no buffer Received 38375 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 30699 multicast, 0 pause input 0 input packets with dribble condition detected 3224783 packets output, 2069682884 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out
  
  FastEthernet0/4 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c486 (bia 001e.bd27.c486) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:01, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 1000 bits/sec, 1 packets/sec 129069 packets input, 64947010 bytes, 0 no buffer Received 9953 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 9759 multicast, 0 pause input 0 input packets with dribble condition detected 600269 packets output, 45540585 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out

  FastEthernet0/6 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c488 (bia 001e.bd27.c488) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:50, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 1000 bits/sec, 1 packets/sec 32693 packets input, 4244428 bytes, 0 no buffer Received 9942 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 9759 multicast, 0 pause input 0 input packets with dribble condition detected 588460 packets output, 45003331 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out

  FastEthernet0/8 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c48a (bia 001e.bd27.c48a) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:30, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 32694 packets input, 4243413 bytes, 0 no buffer Received 9934 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 9757 multicast, 0 pause input 0 input packets with dribble condition detected 588485 packets output, 45009466 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out

  FastEthernet0/12 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c48e (bia 001e.bd27.c48e) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:28, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 32742 packets input, 4252075 bytes, 0 no buffer Received 9947 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 9763 multicast, 0 pause input 0 input packets with dribble condition detected 588497 packets output, 45019272 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out

  FastEthernet0/13 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c48f (bia 001e.bd27.c48f) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:13, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 1000 bits/sec, 1 packets/sec 148160 packets input, 73818106 bytes, 0 no buffer Received 9973 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 9760 multicast, 0 pause input 0 input packets with dribble condition detected 599666 packets output, 49045070 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out

  FastEthernet0/14 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c490 (bia 001e.bd27.c490) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:05, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 1000 bits/sec, 1 packets/sec 129165 packets input, 68409495 bytes, 0 no buffer Received 9982 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 9773 multicast, 0 pause input 0 input packets with dribble condition detected 600283 packets output, 45551497 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out

  FastEthernet0/18 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c494 (bia 001e.bd27.c494) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:49, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 21000 bits/sec, 18 packets/sec 5 minute output rate 13000 bits/sec, 16 packets/sec 606386 packets input, 88151136 bytes, 0 no buffer Received 159883 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 55198 multicast, 0 pause input 0 input packets with dribble condition detected 941617 packets output, 308269004 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out

  FastEthernet0/20 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c496 (bia 001e.bd27.c496) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:54, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 1000 bits/sec, 1 packets/sec 5 minute output rate 1000 bits/sec, 2 packets/sec 515813 packets input, 87006769 bytes, 0 no buffer Received 21466 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 19952 multicast, 0 pause input 0 input packets with dribble condition detected 1858112 packets output, 1700009146 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out

  FastEthernet0/24 is up, line protocol is up (connected) Hardware is Fast Ethernet, address is 001e.bd27.c49a (bia 001e.bd27.c49a) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s, media type is 10/100BaseTX input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output 00:00:01, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 1000 bits/sec, 1 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 546556 packets output, 41182636 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out

  GigabitEthernet0/1 is up, line protocol is up (connected) Hardware is Gigabit Ethernet, address is 001e.bd27.c481 (bia 001e.bd27.c481) MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive not set Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000BaseTX SFP input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 556000 bits/sec, 83 packets/sec 5 minute output rate 76000 bits/sec, 63 packets/sec 4457827 packets input, 3961330567 bytes, 0 no buffer Received 15028 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 11213 multicast, 0 pause input 0 input packets with dribble condition detected 3822373 packets output, 728132696 bytes, 0 underruns 0 output errors, 0 collisions, 1 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out
  
  

  Switch#show vlan

  VLAN Name     Status         Ports---- -------------------------------- --------- -------------------------------1     default active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/16                        Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/21002 fddi-default act/unsup1003 token-ring-default act/unsup1004 fddinet-default act/unsup1005 trnet-default act/unsup

  VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------1 enet 100001 1500 - - - - - 0 01002 fddi 101002 1500 - - - - - 0 01003 tr 101003 1500 - - - - - 0 01004 fdnet 101004 1500 - - - ieee - 0 01005 trnet 101005 1500 - - - ibm - 0 0

  Remote SPAN VLANs------------------------------------------------------------------------------

  Primary Secondary Type Ports------- --------- ----------------- ------------------------------------------

  Hello

  first thing, please edit your post and remove your remote vty lines access password

  never send passwords on a public forum for the just in case production equipment

  line vty 0 4
  password xxxxxx

  ***********************

  Your question

  What is the configuration of the router as a switch which seems to work correctly you're saying and I configured its doing its job, don't forget you said that you cannot route no between the router and the router switch should take care of this, whats the vlan ports on the router are on is - what the same subnet do they get an ip address in the same subnet off dhcp as devices of switching, if they do, and you cannot ping them to the same subnet theres something upward on the side of the router it would treat for layer 3 routing ip traffic

  the ping to the router devices connected to the cisco switch and can the device on the router cannot ping devices switches

  If you move a device out of the router and attach it to the doe sit switch still work ok, reach the talk of the internet to other devices on the switch?

  As there is a layer 2 switch you don't need this command you have your entry door you can remove it.. .IP default-network 192.168.0.0

• Cannot ping to Internet

  Hello

  I am setting up and reconfiguration of a firewall PIX515 with 6.3 software (4) OS PIX.

  I cannot ping devices on the Internet from inside interface. There are a few addresses that I can ping if I am outside of the firewall.

  Looks like the firewall is not translate correctly on the return package. I can navigate and do other things but not ping.

  Here's my nat and global declarations:

  # Sh nat Pix1

  NAT (inside) 1 10.0.0.0 255.0.0.0 0 0

  NAT (dmz) 1 172.xx.xx.0 255.255.255.0 0 0

  Pix1 # global HS

  Global (outside) 1 6x.xxx.xxx.6 x - 6 x .xxx .xxx. 7 x

  Global 1 6x.xxx.xxx.6x (outside)

  Global interface (dmz) 1

  Here's an abbreviated ICMP trace:

  Pix1 debug icmp trace #.

  ICMP trace on

  WARNING: This can cause problems on busy networks

  Pix1 # 1:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = 89

  length 63 = 40

  2: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6

  3:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9219

  GTH = 40

  4: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6

  5:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9475

  GTH = 40

  6: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6

  7: ICMP echo-reply of the outside:6 x .xxx .xxx. 1 to the seq ID = 512 6x.xxx.xxx.6 = the 9475

  ngth = 40

  8:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9731

  GTH = 40

  9: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6

  Thanks in advance for your help.

  Doug.

  ICMP is not a protocol with the State, to allow ping trought the PIX, you must add extra lines in your access list on the outside!

  See: Handling ICMP Pings with the PIX firewall

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

  The PIX and the traceroute command

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

  examples:

  Traveroute

  Microsoft:

  Access-group 101 in external interface

  access-list 101 permit icmp any unreachable host YourPublicIP

  access-list 101 permit icmp any host YourPublicIP time exceeded

  access-list 101 permit icmp any host YourPublicIP echo-reply

  UNIX:

  Access-group 101 in external interface

  access-list 101 permit icmp any unreachable host YourPublicIP

  access-list 101 permit icmp any host YourPublicIP time exceeded

  ICMP command example

  ICMP deny everything outside

  ICMP allow any response of echo outdoors

  ICMP allow any response echo inside

  permit ICMP echo host 192.168.1.30 inside

  permit ICMP echo host 192.168.1.31 inside

  permit ICMP echo host 192.168.1.20 inside

  permit ICMP echo host 192.168.1.40 inside

  permit ICMP echo host 192.168.1.100 inside

  sincerely

  Patrick

• Impossible to ping Host

  Set address management
  Unable to ping host on the same network segment
  Checked firewall

  Dear Madlabs

  Please activate the correct network card as part of management network of DCUI