02-10-2012 05:01 AM
Hi
gotta really weird problem...
PA 200
configured for DHCP
eth1/2 Layer 3 IP address 10.130.8.25/24
default route via eth 1/2
eth1/2 connected to port on CISCO 2960S switch
PC connected to port on same CISCO 2960S switch
IP config IP Address. . . . . . . . . . . . : 10.130.8.151
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.130.8.25
Switch config..... interface Vlan1 ip address 10.130.8.20 255.255.255.0
and also ip default-gateway 10.130.8.25
all interfaces are in this default vlan1
PC gets IP address from PA ok
PC can ping switch IP 10.130.8.20
PC cannot ping PA eth 1/2 10.130.8.25
PA has 1 rule ANY ANY ALLOW
Console access to PA and cannot ping switch at 10.130.8.20
LAN does not seem to be up in PA 200....
appreciate any help...problem is driving me insane
thanks
02-10-2012 10:37 AM
Hi Sue,
In order to ping the firewall's interface, you'll need to attach a management profile allowing ping. Create a new management profile with ping enabled on the Network Tab > Network Profiles > Interface Mgmt page and then select this management profile on ethernet1/2's interface configuration page.
When you perform the ping operation on the firewall, be sure to specify the source interface IP address that is capable of reaching the switch's IP of 10.130.8.20. So the command would be "ping source 10.130.8.25 host 10.130.8.20". Without specifying a source, the firewall will default to using the IP address assigned to the dedicated management port. I'm guessing that your management port cannot reach the 10.130.8.0/24 subnet.
Thanks,
Nick Campagna
02-10-2012 06:10 AM
Have you done a debug icmp trace on the Cisco switch to see if the packets are making it to the switch? Make sure to do a term mon and logging console or monitor on the Cisco switch.
Change the rule on the PA to deny any any and then check the PA traffic log to see if it's registering ICMP requests from your PC or switch.
Rod
02-13-2012 06:24 AM
Thanks Nick - I had overlooked that...
Sue