My problem is this: I have two Catalyst switches (a 2950 LRE and a
2950T) on remote subnets that I cannot telnet or http to. While the subnets are remote (different cities), they are all connected through the Internet via VPN tunnels. I can ping the switches from my subnet (192.168.1.x, the switches are on subnets 192.168.7.x and 192.168.9.x), but I cannot telnet or http to them. Making things more interesting: if I take remote control of a user's computer (RDP or SMS remote tools) that is on the same subnet as the switch, I CAN telnet or http to the switch!
No other devices seem to have this problem (HP switches, which are basically rebadged Cisco switches, or an older Cat1900, and no Cats on my local subnet). I thought it might be some weirdness with the VLANs, but all my equipment is set to VLAN1, Cisco and non-Cisco alike.
Here are the configs for the two switches (modified for my protection, natch).
SWITCH ON THE 192.168.7.X SUBNET
------------------------------------------------------------------------------------------
sh run
Building configuration...

Current configuration : 2436 bytes
!
! Last configuration change at 12:26:29 EST Wed Dec 28 2005
! NVRAM config last updated at 12:26:29 EST Wed Dec 28 2005
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cat2950T
!
enable secret xxxxxxxxxx
!
clock timezone EST -5
ip subnet-zero
!
ip domain-name xxxxxxxxx
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.7.5 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.7.1
ip http server
(bunch of snmp stuff deleted)
!
line con 0
line vty 0 4
 password yyyyyyyy
 login
line vty 5 15
 password yyyyyyyyyy
 login
!
ntp clock-period 17179946
ntp server 192.168.1.81
!
end
------------------------------------------------------------------------------------------
SWITCH ON THE 192.168.9.X SUBNET
-------------------------------------------------------------------------------------------
Current configuration : 1485 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CiscoCat2950LRE
!
enable secret xxxxxxxxxxxxxxx
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
controller LongReachEthernet 0
!
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface LongReachEthernet0/1
 cpe type CISCO575-LRE
 flowcontrol receive on
 flowcontrol send on
!
interface LongReachEthernet0/2
 flowcontrol receive on
 flowcontrol send on
!
interface LongReachEthernet0/3
 flowcontrol receive on
 flowcontrol send on
!
interface LongReachEthernet0/4
 flowcontrol receive on
 flowcontrol send on
!
interface LongReachEthernet0/5
 flowcontrol receive on
 flowcontrol send on
!
interface LongReachEthernet0/6
 flowcontrol receive on
 flowcontrol send on
!
interface LongReachEthernet0/7
 flowcontrol receive on
 flowcontrol send on
!
interface LongReachEthernet0/8
 flowcontrol receive on
 flowcontrol send on
!
interface Vlan1
 ip address 192.168.10.5 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.10.1
ip http server
(bunch of snmp stuff deleted)
!
line con 0
line vty 0 4
 password yyyyyyyyy
 login
line vty 5 15
 login
!
!
end
------------------------------------------------------------------------------------------------------
As you can see, no access-lists blocking anything. As I said, I can ping OK, and SNMP queries (I deleted all the SNMP stuff above to make this long post a bit shorter) are returned w/ no problems. The VPNs are working OK, and there's nothing in the firewall rules (SonicWALL firewalls) to block anything on the VPN. And as I said, telnet and http work fine as long as I'm on a computer that's on the same subnet.
I've never come across this sort of problem with Cisco equipment, but I've always played in pure Cisco environments, not one with a mix of Cisco and non-Cisco equipment like this.
Anyone? Anyone? Bueller?