Thursday, January 30, 2020

Devices connected to switch cannot ping the internet, but the switch can


I have an annoying issue, and I think I am missing something really simple and fundamental. I have a Cisco WS-C2960X-48LPD-L, and it's connected to a Cisco ASA on a physical interface that has 4 logical interfaces with a different VLAN on each (and different subnets). The ASA has 4 src-nat definitions allowing those interfaces to masquerade behind the external address of the ASA.

I can connect to the switch via SSH from a different internal network, and it can ping out to the internet just fine from the CLI. The issue is that if I connect a host to one of the interfaces on the switch, configure a suitable static IP address on the host (for the VLAN of the port it is connected to) and try to ping out to the internet, it never gets there and just times out.

A few mistakes I made before I got to where I am were:

  • I hadn't specified the default gateway for the switch itself, so I could never connect to it. Fixed that, and I can now talk to the switch.
  • I hadn't defined src-nat rules to allow traffic from any of the 4 subnets/VLANs out to the internet. Fixed that, and from the CLI the switch can ping.

The firewall rules for the various logical interfaces I've added have an any/any rule. I just can't see what I need to do to get a host connected to the switch to talk to the internet. The switch itself can, but a device connected to it cannot.
