Inter-Vlan Routing question

I have a Cisco Catalyst 5505 with a Route Switch Feature Card. I have inter-VLAN routing configured and that part works great; however, I am unable to access the internet from any of the VLANs (1, 10, 20, etc.) with the RSFC as the gateway. Below are the running configs for the devices.

Thanks in advance, Daniel (The BlueMonkeyFish)

C5505      | 192.168.1.5 (vlan1)
RSFC       | 192.168.1.2 (vlan1)
           |
           | 192.168.1.1 (vlan1)
PIX 520    | 72.245.42.34
           |
           | 72.245.42.33
DSL Router |
           |
INTERNET

PIX 520
===========================+ BEGINNING +=========================
PIX Version 6.3(5)
interface gb-ethernet0 1000auto
interface gb-ethernet0 vlan3 logical
interface ethernet0 100basetx
interface gb-ethernet1 1000auto shutdown
nameif gb-ethernet0 inside security100
nameif ethernet0 outside security0
nameif gb-ethernet1 standby security4
nameif vlan3 dmz security10
enable password cisco
passwd cisco
hostname CPTNYC-PIX520-F1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging buffered debugging
logging trap debugging
logging host outside 192.168.1.100
mtu inside 1500
mtu outside 1500
mtu standby 1500
ip address inside 192.168.1.1 255.255.255.0
ip address outside 72.245.42.34 255.255.255.248
ip address standby 127.0.0.1 255.255.255.255
ip address dmz 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address inside
no failover ip address outside
no failover ip address standby
no failover ip address dmz
pdm history enable
arp timeout 14400
global (outside) 1 72.245.42.35-72.245.42.38 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 72.245.42.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community CPTNYC
snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.200-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
banner motd
banner motd ********* Unauthorized Access Prohibited **********
banner motd * If you are not authorized to access this device *
banner motd * please disconnect immediately. All access to & *
banner motd * from this device is logged and reviewed daily. *
banner motd * Any unauthorized access will be reported to the *
banner motd * FBIs Computer Crime Devision immediately. To *
banner motd * avoid any criminal prosecution, disconnect now! *
banner motd * ----------------------------------------------- *
banner motd * Property of Crackpot Technologies, Inc. 2007 *
banner motd ***************************************************
banner motd
=============================+ END +=============================

RSFC/RSM

===========================+ BEGINNING +=========================
Current configuration:
!
! No configuration change since last restart
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CPTNYC_5505_R2
!
enable secret cisco
enable password cisco
!
ip subnet-zero
ip cef
ip domain-name CPTNYC.COM
ip name-server 192.168.1.101
ip multicast-routing
ip dvmrp route-limit 20000
mls rp ip
!
!
!
interface Vlan1
 description Management Vlan
 ip address 192.168.1.2 255.255.255.0
 ip directed-broadcast
 ip pim dense-mode
 mls rp vtp-domain CPTNYC.COM
 mls rp ip
!
interface Vlan10
 description First Vlan
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.1.100
 ip directed-broadcast
 ip pim dense-mode
 mls rp vtp-domain CPTNYC.COM
 mls rp ip
!
interface Vlan20
 description Second Vlan
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.1.100
 ip directed-broadcast
 ip pim dense-mode
 mls rp vtp-domain CPTNYC.COM
 mls rp ip
!
interface Vlan30
 description Third Vlan
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.1.100
 ip directed-broadcast
 ip pim dense-mode
 mls rp vtp-domain CPTNYC.COM
 mls rp ip
!
interface Vlan40
 description Fourth Vlan
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 192.168.1.100
 ip directed-broadcast
 ip pim dense-mode
 mls rp vtp-domain CPTNYC.COM
 mls rp ip
!
interface Vlan50
 description Fifth Vlan
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 192.168.1.100
 ip directed-broadcast
 ip pim dense-mode
 mls rp vtp-domain CPTNYC.COM
 mls rp ip
!
interface Vlan60
 description Sixth Vlan
 ip address 192.168.60.1 255.255.255.0
 ip helper-address 192.168.1.100
 ip directed-broadcast
 ip pim dense-mode
 mls rp vtp-domain CPTNYC.COM
 mls rp ip
!
interface Vlan70
 description Seventh Vlan
 ip address 192.168.70.1 255.255.255.0
 ip helper-address 192.168.1.100
 ip directed-broadcast
 ip pim dense-mode
 mls rp vtp-domain CPTNYC.COM
 mls rp ip
!
interface Vlan80
 description 8th Vlan
 ip address 192.168.80.1 255.255.255.0
 ip helper-address 192.168.1.100
 ip directed-broadcast
 ip pim dense-mode
 mls rp vtp-domain CPTNYC.COM
 mls rp ip
!
interface Vlan90
 description 9th Vlan
 ip address 192.168.90.1 255.255.255.0
 ip helper-address 192.168.1.100
 ip directed-broadcast
 ip pim dense-mode
 mls rp vtp-domain CPTNYC.COM
 mls rp ip
!
router rip
 version 2
 network 192.168.1.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Vlan1 192.168.1.1
ip http server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 1 permit 192.168.70.0 0.0.0.255
access-list 1 permit 192.168.80.0 0.0.0.255
access-list 1 permit 192.168.90.0 0.0.0.255
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.200.0 0.0.0.255
snmp-server community CPTNYC RO
snmp-server community CPTNYC.COM RW
snmp-server location Third Floor MDF
banner motd ^
********* Unauthorized Access Prohibited **********
* If you are not authorized to access this device *
* please disconnect immediately. All access to & *
* from this device is logged and reviewed daily. *
* Any unauthorized access will be reported to the *
* FBIs Computer Crime Devision immediately. To *
* avoid any criminal prosecution, disconnect now! *
* ----------------------------------------------- *
* Property of Crackpot Technologies, Inc. 2007 *
***************************************************^
!
line con 0
 exec-timeout 0 0
 password tenletters
 login
 transport input none
line vty 0 4
 password tenletters
 login
!
ntp authenticate
ntp trusted-key 1
ntp clock-period 17180051
ntp update-calendar
ntp server 192.168.1.100
end
=============================+ END +=============================
Reply to
BlueMonkeyFish

It has been a long day, so forgive me if I missed it... but I don't see a route on the PIX back to 192.168.1.2 for the other VLANs? Nor did I see a routing protocol that would exchange such routes, other than RIP on the one side. The traffic is getting out, but not back in past the PIX, I would assume, as it doesn't know where to send the traffic.

something like ip route 192.168.0.0 255.255.0.0 192.168.1.2

or whatever the pix syntax is.

Reply to
Trendkill

Can you steer me in the right direction as far as the routing part goes? I know that a PIX doesn't do RIP, so what would you suggest I change? (After adding a derivative of the route mentioned above, I can now ping all VLANs from the PIX.) I still cannot ping from the RSFC to the outside world / internet; however, I can access the PIX's inside interface.

Reply to
BlueMonkeyFish


I would think that something like: route inside 192.168.0.0 255.255.0.0 192.168.1.2 would work.

Basically, the pix just needs to know where to send traffic that is destined for 192.168.2.0 and beyond. It already knows about 1.0 because it is directly connected, but nothing else.

I think you can run RIP on a PIX, and if you run RIP on the core router and ensure that all the 192.168 networks are in it, it should exchange those routes automatically without the need for the static route above. Let me know how you fare.

Reply to
Trendkill
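The diagnosis in the two replies above (the PIX knows only its connected 192.168.1.0/24 and a default route toward the DSL router, so replies for the other VLAN subnets never get handed back to the RSFC) can be checked mechanically against the posted configs. The script below is an added example for this thread, not code from either poster or from Cisco. It parses the PIX 6.x `ip address` and `route` lines and the IOS `ip address` lines reproduced from the two configs (trimmed to the lines that matter, with only three of the nine VLANs kept), builds a routing table, does a longest-prefix lookup for a host in each RSFC subnet, and reports which subnets the PIX would not route back through its inside interface. The `route inside 192.168.0.0 255.255.0.0 192.168.1.2 1` line is the static route suggested in the reply; it is assumed to be the fix being tested and is not part of the posted config.

```python
"""Return-route check for the PIX / RSFC pair discussed in the thread.

Added example, not from the original posts. The config text below is
constructed from the relevant lines of the two posted configs.
"""
import ipaddress
import re

# PIX side: interface addresses and static routes (trimmed from the posted config).
PIX_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip address outside 72.245.42.34 255.255.255.248
ip address dmz 192.168.3.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 72.245.42.33 1
"""

# Static route suggested in the reply (assumed fix, not in the posted config).
SUGGESTED_FIX = "route inside 192.168.0.0 255.255.0.0 192.168.1.2 1\n"

# RSFC side: SVIs whose subnets need a return path (trimmed to three of the nine VLANs).
RSFC_CONFIG = """\
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Vlan1 192.168.1.1
"""


def pix_routing_table(cfg):
    """Build [(network, next_hop, egress_iface)] from PIX 6.x config text.
    'ip address <if> <addr> <mask>' gives a connected route (next_hop None);
    'route <if> <net> <mask> <gw> [metric]' gives a static route."""
    table = []
    for iface, addr, mask in re.findall(r"^ip address (\S+) (\S+) (\S+)", cfg, re.M):
        table.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), None, iface))
    for iface, addr, mask, nh in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        table.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False),
                      ipaddress.ip_address(nh), iface))
    return table


def rsfc_connected_subnets(cfg):
    """Subnet of every IOS ' ip address <addr> <mask>' line (the SVI networks)."""
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for addr, mask in re.findall(r"^ *ip address (\S+) (\S+)", cfg, re.M)]


def lookup(table, dst):
    """Longest-prefix match for one destination; returns the entry or None."""
    matches = [entry for entry in table if dst in entry[0]]
    return max(matches, key=lambda e: e[0].prefixlen) if matches else None


def egress_interface(pix_cfg, host):
    """Interface the PIX would use to reach a single host, or None if no route."""
    entry = lookup(pix_routing_table(pix_cfg), ipaddress.ip_address(host))
    return entry[2] if entry else None


def missing_return_routes(pix_cfg, rsfc_cfg, inside_iface="inside"):
    """RSFC subnets whose replies the PIX would NOT send back out its inside
    interface, i.e. subnets that fall through to the default route."""
    table = pix_routing_table(pix_cfg)
    bad = []
    for net in rsfc_connected_subnets(rsfc_cfg):
        probe = net.network_address + 1          # any host address in the subnet
        entry = lookup(table, probe)
        if entry is None or entry[2] != inside_iface:
            bad.append(str(net))
    return bad


if __name__ == "__main__":
    print("as posted:", missing_return_routes(PIX_CONFIG, RSFC_CONFIG))
    print("with fix :", missing_return_routes(PIX_CONFIG + SUGGESTED_FIX, RSFC_CONFIG))
```

As posted, the check reports 192.168.10.0/24 and 192.168.20.0/24 as falling through to the default route on the outside interface; with the suggested static route added, both are routed back via inside, and the PIX's own connected dmz 192.168.3.0/24 still wins over the /16 because it is the longer prefix. One caveat with the /16 summary: a destination in a 192.168.x.0 subnet that exists on neither device is forwarded to the RSFC, whose default route hands it straight back to the PIX, so such packets bounce between the two until their TTL expires. Listing the VLAN subnets individually, or exchanging them with RIP as the reply suggests, avoids that.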

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.