Network doesn't see its own network

Posted on 2000-04-17
Last Modified: 2010-04-17
I have setup a router and XYZ company's 128Kbps Frame Relay line at my office. (I will call this frame relay service company XYZ to explain) I also setup a web server and connected to the router.  I have been using the line quite a while without any problem. I can access outside and from the out side, I can access the router and the web server.  And recently I noticed a very serious problem.

From any where else, I can access the web server without any problem.  However, when I use the same company(XYZ) DSL or phone dial-up service to get on to the Internet and type the web server address, it cannot find the web server.

I can telnet to the router, but I cannot access the web server from any network of XYZ.  I cannot even ping to the web server if I am on the XYZ network through DSL or dial-up line.

Is this something about the router table on the router or the web server?

Here is the current information on the router
Destination        Gateway         IF       Flg   Pref Met     Use     Age     wan5     SG       0   1   59524  286710     wan5     rGPT    60   1       0   69016     wan5     rPT     60   1      68   69016     wan5     *SP    120   7       3  286710    -               ie0      C        0   0    2537  286710  -               ie0      C        0   0   61061  286710  -               local    CP       0   0   15254  286710        -               bh0      CP       0   0       0  286710       -               local    CP       0   0       0  286710       -               rj0      CP       0   0       0  286710     wan5     SGP    120   7       0  286710     wan5     SGP    120   7       0  286710        -               mcast    CP       0   0       0  286710       -               bh0      CP       0   0       0  286711       -               bh0      CP       0   0       0  286711       -               local    CP       0   0       0  286711 -               ie0      CP       0   0    7922  286711
Information on the webserver
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface  *      UH    0      0        0 eth0       *            U     0      0        0 lo        *            U     0      0        0 eth0
default         UG    0      0        0 eth0
Numbers are slightly modified, but best represent the configuration.                                                                                                              

So to sum up the long story, it is basically that within the LAN, I can access the web server. From out side, I can access the web server except from the own company's Internet service.

Any help is greatly appreciated.
Question by:yjh123

Expert Comment

Comment Utility
the company(XYZ) did not gave you the facility to connect to your router or server through dial-up line or dsl,so you can only connect through the frame relay connection (whatever it is (leased-line) maybe). so go back to your provider and ask him if their system can accept other connection type to get to your router or server,so check their system's ability for that.

Author Comment

Comment Utility
Here is the situation.

We setup a frame relay line and we have a web server connected to the router.  This line is from one of two major ISP companies in the nation.

Everyone can ping the web server and browse the contents on the server fine.

Only problem is that if you are connected to the Internet via this company's own network (e.g., dial-up or DSL subscribers, or anything), you cannot get to this web server.

So the situation is that if you are on your own network (other than LAN), you can not access the router.


Expert Comment

Comment Utility
Ok. Is your web server on your end of the Leased Line, or over at the ISP's office?

Can you do it the other way around? Can you connect via dial-up, and ping your dial-up connection from the Web server?

Do you have any type of security system running, either on your net or on the ISP's end? (Firewall, NAT, etc...)

What type of router is it on your end? (Just so I know what type of info I can ask.)




Expert Comment

Comment Utility
It may be that your provider has an erroneous route somewhere that doesn't affect traffic from outside, but does inside. When you are dialed up, try tracerouting to your webserver and see where it dies. This will at least give you an idea of what is happening internally. Also, try doing a traceroute from outside their network and compare the two.

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).


Expert Comment

Comment Utility
What kind of router is this?

Try pinging the web server from the interface that your web traffic comes from . (specific ping)

Also, make sure that your web server has the correct subnet mask /28. This can cause nodes to be unreachable from certain router interfaces.



Author Comment

Comment Utility
It's Lucent Superpipe 155.

The other way around works fine.

I verified the IP address and mask...


Expert Comment

Comment Utility
The funny thing is this:

If you can do it the other way around, meaning you can ping the Dial-up connection from your web server, you have all your routes correctly configured. (Since when the "echo reply" packets need to get to your web server, the route is found), it works)

Is it possible that you have some type of access list, either locally on your router or on the ISP's router, filtering out some types of inbound packets?

This is my best guess right now.



Expert Comment

Comment Utility
Any feedback?

Accepted Solution

snkhad earned 200 total points
Comment Utility
You can access the web server from
within the LAN as well as from a third
party network but not from your own
network via the DSL or dialup link.

This means either the connecting
address or the responding address is
being recognized as one assigned to the
internal LAN and being deliberately
dropped as a forged attack packet since
it is seen coming from the WAN

Check any firewall configuration and
VPN setup at both the frame relay link
and the DSL/dialup link.

If you really want to do this, you
could implement NAT at one or both
sides and use the public address(es)
when connecting the long way round.

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

New Server  was moved from behind Router R2 f0/1 to behind router R1 int f/01 and has now address But we want users still to be able to connected to it by old IP. How to do it ? We can used destination NAT (DNAT).  In DNAT…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now