I have a NetVanta 1335 that has IP Firewall enabled. I am using vlan 1, 2 and 200 in the 1335. I have vlan 2 and 200 set up with the Private access policy overloading to vlan 1, which is set up for my Public policy. All in the 1335 is working correctly; I can get on the internet from any vlan. I also have a DHCP server on vlan 1. I have a trunk port configured on port 0/23 going to a NetVanta 1234. The trunk is set up to allow vlan 1, 2 and 200. The firewall in the 1335 is not allowing clients in vlan 1 on the 1234 to get DHCP.
Interface vlan 1 on the 1335 is 192.168.0.254, interface vlan 1 on the 1234 is 192.168.0.253. I can ping int vlan 1 on the 1234 from the 1335 but can't ping from the 1234 back to int vlan 1 on the 1335 unless I turn off the ip firewall in the 1335. What could I do to correct this? Below are the configs for both switches.
Thanks
I needed to create a couple of ACLs and apply them to the Public policy-class. This allowed the access that I needed from Vlan 1 to 200.
interface vlan 1
description Customer_Data
ip address 192.168.0.254 255.255.255.0
ip access-policy Public
ip route-cache express
no shutdown
!
interface vlan 2
description RSVP
ip address 192.168.2.254 255.255.255.0
ip access-policy Private
ip route-cache express
no shutdown
!
interface vlan 200
description Voice
ip address 192.168.200.254 255.255.255.0
ip access-policy Private
ip route-cache express
no shutdown
!
!
!
!
!
!
!
ip access-list standard PUBLIC
permit any
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended Remote
remark do not hand edit this ACL
permit tcp any any eq www log
permit tcp any any eq telnet log
permit tcp any any eq ssh log
permit tcp any any eq ftp log
permit icmp any any echo log
permit tcp any any eq https log
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended web-acl-5
remark Vlan_1_TO_Vlan_200
permit ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255
!
ip access-list extended web-acl-7
remark Admin_Access
permit tcp 192.168.0.0 0.0.0.255 any eq www log
permit tcp 192.168.0.0 0.0.0.255 any eq telnet log
permit tcp 192.168.0.0 0.0.0.255 any eq https log
permit tcp 192.168.0.0 0.0.0.255 any eq ssh log
permit tcp 192.168.0.0 0.0.0.255 any eq ftp log
permit icmp 192.168.0.0 0.0.0.255 any echo log
!
!
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface vlan 1 overload
!
ip policy-class Public
allow list web-acl-5
allow list web-acl-7 self
!
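To show why the two added ACLs fix the symptom in the question, here is a small Python model of how the posted ACLs and the Public policy-class evaluate a packet. This is an added example, not ADTRAN code and not part of the original post; it deliberately simplifies AOS semantics to the constructs actually used above (permit entries with wildcard masks, protocol and `eq` port matches, the `self` keyword and the implicit deny at the end of every ACL). The modelling assumptions are: policy-class entries are tried in order and the first ACL permit wins; an `allow list <acl> self` entry only applies to traffic addressed to one of the unit's own interface addresses, and a plain `allow list <acl>` entry only applies to traffic routed through the unit. The packets, the `PUBLIC_WITHOUT_SELF` variant and the IP addresses other than the interface addresses quoted in the post are constructed for the example. DHCP is not modelled, because the posted ACLs contain no UDP entries.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed, simplified model of AOS "ip access-list extended" entries and
# "ip policy-class" allow entries. Not ADTRAN's implementation.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp" or "ip" (any)
    port_or_type: Optional[int] = None  # TCP/UDP destination port, or ICMP type


@dataclass(frozen=True)
class AclEntry:
    proto: str
    src: str                          # "any" or "<address> <wildcard>"
    dst: str
    port_or_type: Optional[int] = None  # "eq <port>" / ICMP "echo"; None = any


def _matches_addr(spec: str, addr: str) -> bool:
    """Cisco/AOS-style wildcard match: 0 bits must match, 1 bits are don't-care."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    return (a & ~w) == (b & ~w)


def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry permits; no match means the implicit deny applies."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _matches_addr(e.src, pkt.src) or not _matches_addr(e.dst, pkt.dst):
            continue
        if e.port_or_type is not None and e.port_or_type != pkt.port_or_type:
            continue
        return True
    return False


@dataclass(frozen=True)
class PolicyEntry:
    acl: str
    to_self: bool = False   # True models "allow list <acl> self"


def policy_allows(policy: List[PolicyEntry], acls: Dict[str, List[AclEntry]],
                  pkt: Packet, unit_addrs: Set[str]) -> bool:
    """Assumption: 'self' entries match only traffic addressed to the unit,
    plain entries match only traffic forwarded through it."""
    to_unit = pkt.dst in unit_addrs
    for pe in policy:
        if pe.to_self != to_unit:
            continue
        if acl_permits(acls[pe.acl], pkt):
            return True
    return False


# The 1335's own interface addresses, from the posted config.
UNIT_ADDRS = {"192.168.0.254", "192.168.2.254", "192.168.200.254"}
LAN = "192.168.0.0 0.0.0.255"

# web-acl-5 and web-acl-7 as posted (80/23/443/22/21 are www/telnet/https/ssh/ftp).
ACLS = {
    "web-acl-5": [AclEntry("ip", LAN, "192.168.200.0 0.0.0.255")],
    "web-acl-7": [AclEntry("tcp", LAN, "any", 80), AclEntry("tcp", LAN, "any", 23),
                  AclEntry("tcp", LAN, "any", 443), AclEntry("tcp", LAN, "any", 22),
                  AclEntry("tcp", LAN, "any", 21), AclEntry("icmp", LAN, "any", 8)],
}

# Policy-class Public as posted in the answer.
PUBLIC_AFTER = [PolicyEntry("web-acl-5"), PolicyEntry("web-acl-7", to_self=True)]
# Constructed variant: same ACLs but web-acl-7 applied without the "self" keyword.
PUBLIC_WITHOUT_SELF = [PolicyEntry("web-acl-5"), PolicyEntry("web-acl-7")]


def evaluate(policy: List[PolicyEntry]) -> Dict[str, bool]:
    """Verdicts for a few constructed packets entering on vlan 1 (policy Public)."""
    cases = {
        "1234_ping_1335":   Packet("192.168.0.253", "192.168.0.254", "icmp", 8),
        "vlan1_to_vlan200": Packet("192.168.0.10", "192.168.200.20", "ip"),
        "vlan1_to_vlan2":   Packet("192.168.0.10", "192.168.2.50", "ip"),
        "vlan1_smtp_self":  Packet("192.168.0.10", "192.168.0.254", "tcp", 25),
    }
    return {name: policy_allows(policy, ACLS, pkt, UNIT_ADDRS) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, policy in (("as posted", PUBLIC_AFTER), ("without self", PUBLIC_WITHOUT_SELF)):
        print(name, evaluate(policy))
```

With the posted policy-class, the 1234's ping to 192.168.0.254 and vlan 1 to vlan 200 traffic are permitted, while vlan 1 to vlan 2 and any service to the unit that is not listed in web-acl-7 still hit the implicit deny; under the model's assumption about the `self` keyword, dropping it from the web-acl-7 entry would again block the ping to the unit, which is the check to make first when traffic to the unit itself stops working after a firewall change.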
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor