
Routing problem

yllee asked:

LAN ---> switch ---> firewall ---> router ---> Internet
(172.19.29.x)  ^     (int: 172.19.29.x,
               |      ext: 202.190.160.x,
               |      NAT to 202.190.160.x)
               |
       branch (192.168.18.x) via leased line


First of all, I have a network with the configuration shown above.

The internal LAN (HQ) uses IP addresses 172.19.29.x, and all Internet connections must reach the firewall's internal IP address (172.19.29.10), be forwarded to the external IP address (202.190.160.10), then to the router and out to the Internet. Meanwhile, there is a branch LAN with IP addresses 192.168.18.x, connected to the HQ LAN via a leased line. The HQ LAN and the branch LAN can communicate with each other without any problem.

The firewall is installed on a Sun machine which has a quad Ethernet card. hme0 is set to 202.190.160.x and qfe0 is set to 172.19.29.x.

By setting up the gateway (172.19.29.10), NAT and a DNS server, the HQ LAN can access the Internet successfully, but the branch (192.168.18.x) cannot (the same settings are applied as at HQ). A branch PC can ping 172.19.29.10 but fails to ping 202.190.160.10 (HQ can ping both). From the firewall machine, I fail to ping the 192.168.18.x network. When I do a traceroute to 192.168.18.x, it stops at the router (172.19.29.1).

What is the problem? How do I solve it?

Thank you very much.

jlevie (Top Expert 2005) commented:
One problem is that your firewall system doesn't know to route data back to the 192.168.18 network. The firewall needs a static route set that tells it that the 192.168.18 network is reachable via some IP in the 172.19.29 network. And that IP would be on the router that is the local end of the leased line. It's not shown in your question so I can't tell what it is, but the route statement would look something like this (Solaris route(1M) syntax, since the firewall is a Sun box; 172.19.29.x is the leased-line router's HQ-side address):

route add -net 192.168.18.0 -netmask 255.255.255.0 172.19.29.x

Also you are going to need to configure your firewall to NAT the 192.168.18 network. You'll have to consult your firewall docs for that.

Commented:
jlevie is right, but don't forget that router 172.19.29.1 has an IP 192.168.18.y on the 192.168.18 LAN.
So 192.168.18.y becomes the default gateway for all clients on the 192.168.18 LAN, so that those machines can route packets outside their LAN.
It means you should add a static route on each 192.168.18 client:
route add default 192.168.18.y
And your router 192.168.18.y should also know its default route:
route add default 172.19.29.10

Enjoy!!!
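Added example, not part of the thread: a small longest-prefix-match routing simulation that shows why both answers above matter. It builds hand-constructed routing tables for the firewall (before and after jlevie's static route), the leased-line router (with and without the default route from the second comment) and a branch PC, then traces a packet device by device. The question only gives 172.19.29.10, 202.190.160.10, 172.19.29.1 and the three network prefixes; the Internet router address 202.190.160.1, the leased-line router's branch-side address 192.168.18.1 and the branch PC 192.168.18.20 are assumed here for illustration, as is the guess that 172.19.29.1 (where the traceroute stopped) is the HQ end of the leased line.

```python
import ipaddress

# Routing table entry: (destination network, next hop or None if directly
# connected, outgoing interface).  All tables below are constructed for this
# example; only the addresses taken from the question are real to the thread.

def lookup(table, dst):
    """Longest-prefix match: return (next_hop, iface) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    return None if best is None else (best[1], best[2])

# Firewall (Sun box, qfe0 inside, hme0 outside) as the question describes it:
# only its two connected networks plus a default route to the Internet router.
# 202.190.160.1 for the Internet router is an assumption.
FIREWALL_BEFORE = [
    ("172.19.29.0/24",   None,            "qfe0"),
    ("202.190.160.0/24", None,            "hme0"),
    ("0.0.0.0/0",        "202.190.160.1", "hme0"),
]
# Same table plus the static route jlevie recommends; 172.19.29.1 is assumed
# to be the leased-line router's HQ-side address.
FIREWALL_AFTER = FIREWALL_BEFORE + [("192.168.18.0/24", "172.19.29.1", "qfe0")]

# Leased-line router, with and without the default route from the second
# comment.  Its branch-side address 192.168.18.1 is assumed.
LINE_ROUTER_NO_DEFAULT = [
    ("172.19.29.0/24",  None, "hq"),
    ("192.168.18.0/24", None, "branch"),
]
LINE_ROUTER = LINE_ROUTER_NO_DEFAULT + [("0.0.0.0/0", "172.19.29.10", "hq")]

# Branch PC (192.168.18.20, assumed) using the router as its default gateway.
BRANCH_PC = [
    ("192.168.18.0/24", None,           "le0"),
    ("0.0.0.0/0",       "192.168.18.1", "le0"),
]

# Which device owns which address, so a next hop can be resolved to a table.
OWNER = {
    "172.19.29.10": "firewall", "202.190.160.10": "firewall",
    "172.19.29.1": "router",    "192.168.18.1": "router",
    "192.168.18.20": "pc",
}

def trace(tables, start, dst, max_hops=8):
    """Follow next hops device by device.  Returns the devices traversed,
    ending in 'delivered' when a device has dst on a connected network,
    'no route' when a table has no match, or 'unreachable via X' when the
    next hop belongs to no device we model (e.g. an RFC 1918 destination
    handed to the Internet router)."""
    path = [start]
    device = start
    for _ in range(max_hops):
        hit = lookup(tables[device], dst)
        if hit is None:
            return path + ["no route"]
        gw, _iface = hit
        if gw is None:
            return path + ["delivered"]
        device = OWNER.get(gw)
        if device is None:
            return path + [f"unreachable via {gw}"]
        path.append(device)
    return path + ["loop?"]

def routes_before_fix():
    return {"firewall": FIREWALL_BEFORE, "router": LINE_ROUTER, "pc": BRANCH_PC}

def routes_after_fix():
    return {"firewall": FIREWALL_AFTER, "router": LINE_ROUTER, "pc": BRANCH_PC}

def routes_router_without_default():
    return {"firewall": FIREWALL_AFTER, "router": LINE_ROUTER_NO_DEFAULT, "pc": BRANCH_PC}

if __name__ == "__main__":
    for label, tables in (("before", routes_before_fix()),
                          ("after", routes_after_fix()),
                          ("router w/o default", routes_router_without_default())):
        print(label, "PC -> firewall ext:", trace(tables, "pc", "202.190.160.10"))
        print(label, "firewall -> PC:    ", trace(tables, "firewall", "192.168.18.20"))
```

Without the static route the firewall's only match for 192.168.18.20 is its default route, so replies to the branch leave on hme0 toward the Internet router, which is consistent with the firewall being unable to ping the branch. With the route they go to 172.19.29.1 on qfe0; and if the leased-line router has no default route, branch traffic toward 202.190.160.10 dies at the router instead.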
