Solved

Cisco Route setup - (2) 2620's over point-to-point

Posted on 2003-10-25
Last Modified: 2010-03-19
I am attempting to set up a point-to-point T1 connection between two locations and I am having trouble getting the two networks to talk to each other.  I can ping between the routers without a problem, but I can't seem to ping from Network A to Network B, but I can ping the other direction from Network B to Network A.  

I can ping from Router B to the 10.100.200.0 network, but from router A to the 10.100.100.0 network.  Router A also has a Frame Relay connection to another location and I have obscured the numbers pertaining to that connection.  I don't believe they are relevant.  Both of these routers are running the same IOS version.  Here are the router configs:

Network A's router
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname A
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
no ip bootp server
!
!
!
interface FastEthernet0/0
 ip address 10.100.200.11 255.255.255.0
 no ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial0/0
 description Point-to-Point T1
 ip address 10.100.202.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/1
 description Frame Relay connection to XXXXXXXX
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 service-module 56k clock rate 64
 frame-relay lmi-type ansi
!
interface Serial0/1.17 point-to-point
 ip address 10.254.x.xx 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 17  
!
ip classless
ip route 10.100.100.0 255.255.255.0 10.100.202.2
ip route 10.100.200.0 255.255.255.0 FastEthernet0/0
ip route 32.xx.xx.x 255.255.255.0 10.254.x.xx
no ip http server
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 access-class 16 in
 password XXXXX
 login
!
end

Network B router config:
Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
!
hostname B
!
logging buffered 4096 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
clock timezone EST -5
ip subnet-zero
no ip domain-lookup
!
no ip bootp server
!
!
!
interface FastEthernet0/0
 ip address 10.100.100.2 255.255.255.0
 ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial0/0
 description Link to Home Office
 ip address 10.100.202.2 255.255.255.0
 ip directed-broadcast
 service-module t1 timeslots 1-24
!
ip classless
ip route 10.100.100.0 255.255.255.0 FastEthernet0/0
ip route 10.100.200.0 255.255.255.0 10.100.202.1
no ip http server
!
!
line con 0
 login
 transport input none
line aux 0
 password 7 XXXXXXXXXXXXXXX
 login
 modem Dialin
 transport input all
line vty 0 4
 exec-timeout 0 0
 password 7 XXXXXXXXXXXXXXX
 login
!
ntp clock-period 17180659
ntp server 10.6.0.1
no scheduler allocate
end
Question by: jksoft
7 Comments


Expert Comment

by:lrmoore
ID: 9619504
Suggest removing these routes:
Router A
>ip route 10.100.200.0 255.255.255.0 FastEthernet0/0
Router B
>ip route 10.100.100.0 255.255.255.0 FastEthernet0/0

You don't need static routes to directly connected networks.


>I can't seem to ping from Network A to Network B, but I can ping the other direction from Network B to Network A.
>I can ping from Router B to the 10.100.200.0 network, but [not?] from router A to the 10.100.100.0 network.
Assuming that you are trying to ping a host from the router console....
Examine the host that you are trying to ping. What is its default gateway? Is it the router's Fast 0/0 IP address? Is the subnet mask correct?
If you are trying to ping host-to-host, examine the pinging host to make sure its default gateway is the router's Fast 0/0 ip address and its subnet mask is correct.
95% of the time when you have a one-way ping it is due to firewall software running on the PC that can ping, but can't be pinged. Even a 1-way ping proves routing. If the echo request packet makes it to the host, and the reply makes it back in one direction, there is no logical reason that it won't go the other way..

Author Comment

by:jksoft
ID: 9619892
I removed the suggested routes and it didn't affect the config.  

>I can ping from Router B to the 10.100.200.0 network, but [not?] from router A to the 10.100.100.0 network.
You have it right, I cannot ping from router A to the 10.100.100.0 network.  The computers on the 10.100.100.0 network do NOT have the router's Fast0/0 IP address as their default gateway.  Their default gateway is a firewall, which has a route to the router.  This is actually the same configuration on both sides.  To rule the firewall out as the problem, shouldn't I be able to ping from router A to network B and vice versa, since it should never be hitting the firewall, or am I missing something here?  

It is my understanding that the flow of traffic should be from Router A(10.100.202.1), to Router B(10.100.202.2) to the FE interface on Router B(10.100.100.2) then onto the proper host, say 10.100.100.10.  Is this correct?


Expert Comment

by:lrmoore
ID: 9619991
Actually, here is the traffic flow:

Ping packet source IP host 10.100.202.10  destination ip 10.100.100.10
--> host says "that destination is not in MY host table, I send to my default gateway"
--> default gateway happens to be the firewall. Assuming the Firewall has a route statement:
      Destination network 10.100.100.x, forward to another inside gateway 10.100.202.2, 1 hop
--> Firewall sends redirect packet - maybe (not all firewalls will) - to the PC. Since it is not a router, it will not 'route' the packet nor forward the packet on its own as a router will

-->IF the packet makes it to the destination host, you have the same situation in reverse. Host 10.100.100.10 tries to reply back to 10.100.202.2
--> that network is not local, host sends to default gateway - the firewall
--> firewall has(?) static route statement - destination 10.100.202.x, forward to gateway 10.100.100.2

The issue is the firewalls.
Solution:
add a default route to the routers pointing to the local firewall:
A:
ip route 0.0.0.0 0.0.0.0 10.100.202.1  <-- assuming .1 is the firewall
B:
ip route 0.0.0.0 0.0.0.0 10.100.100.1 <-- assuming .1 is the firewall

Now, point all users to the router as their gateway, not the firewall... the router will then do what routers do, and redirect the packet, not just send an icmp redirect to the host.


Author Comment

by:jksoft
ID: 9623244
Changing the default gateways on the hosts and adding the default routes to the routers appears to have done the trick.  I guess the one firewall wasn't routing properly.  One followup question.  I have added 50 points to this question for a total of 450 points.

I have a VPN tunnel connecting these same two networks with the firewalls.  What would be the best way to configure the routers so they use the point-to-point route T1 if it is available, but use the vpn if the p2p T1 route is down?  

Accepted Solution

by:
lrmoore earned 450 total points
ID: 9623355
Progress is good...
As for your follow-up question, that depends on the firewall, but should be invisible to the users.
If the router's current default gateway is the firewall, with a simple static (or even dynamically learned) route for the other network, pointing to the IP address of the remote end (as you have it now), when the T1 goes down, that route drops and everything then goes out the default to the firewalls.
What kind of firewalls do you have? Perhaps they can run OSPF or some other dynamic protocol.

- Cheers!
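The traffic flow lrmoore walks through above (host, firewall as default gateway, router) and the T1-down failover described in the accepted answer, as an added example that is not part of the original thread: a small Python model of the two routers, the two firewalls and one host per LAN, with longest-prefix-match lookup and IOS-style recursive next-hop resolution. Router and host addresses follow the posted configs; the firewall LAN addresses (.1 on each LAN, as the accepted answer assumes), the tunnel subnet 172.16.0.0/30 and the firewall routing tables are constructed assumptions, and firewall B is deliberately given no route back to the T1 subnet 10.100.202.0/24, which reproduces the symptom jksoft reported (router B reaches network A, router A gets no reply from network B).

```python
"""Static-route walk-through for the two-router T1 topology in this thread.

Constructed model, not the thread's real devices.  Each node keeps a table of
(prefix, next_hop) entries; next_hop is an interface name (connected, or the
"ip route ... FastEthernet0/0" style) or an IP address that is itself resolved
through the table, the way IOS recursive lookup works.
"""
import ipaddress


class Node:
    def __init__(self, name, ifaces, routes=(), gateway=None):
        self.name = name
        # iface -> [IPv4Interface, up?]; a down interface withdraws its connected route
        self.ifaces = {i: [ipaddress.ip_interface(a), True] for i, a in ifaces.items()}
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        if gateway:  # plain host: everything off-link goes to one default gateway
            self.routes.append((ipaddress.ip_network("0.0.0.0/0"), gateway))

    def owns(self, ip):
        return any(a.ip == ip for a, _ in self.ifaces.values())

    def lookup(self, dst, depth=0):
        """Longest-prefix match, then recursive resolution of an IP next hop.
        Returns (egress_iface, adjacent_next_hop_ip) or None if nothing usable."""
        connected = [(a.network, i) for i, (a, up) in self.ifaces.items() if up]
        hits = [(n, nh) for n, nh in connected + self.routes if dst in n]
        if not hits or depth > 4:
            return None
        _, nh = max(hits, key=lambda h: h[0].prefixlen)
        if nh in self.ifaces:
            return nh, dst  # on-link: the destination itself is the adjacency
        return self.lookup(ipaddress.ip_address(nh), depth + 1)


def trace(nodes, src, dst):
    """Hop-by-hop path of one packet (node names), ending at the owner of dst
    or at a failure marker."""
    dst = ipaddress.ip_address(dst)
    owner = {a.ip: n for n in nodes.values() for a, _ in n.ifaces.values()}
    node, path = src, [src.name]
    while not node.owns(dst):
        hop = node.lookup(dst)
        if hop is None:
            return path + ["NO ROUTE"]
        node = owner.get(hop[1])
        if node is None:
            return path + ["UNREACHABLE " + str(hop[1])]
        path.append(node.name)
        if len(path) > 10:
            return path + ["LOOP"]
    return path


def round_trip(nodes, src, dst):
    """Echo request from src to dst plus the reply.  The reply is addressed to
    the interface the request left from (a router pings from its egress IP),
    which is exactly what trips up router A in this thread."""
    src = nodes[src]
    hop = src.lookup(ipaddress.ip_address(dst))
    out = trace(nodes, src, dst)
    if hop is None or out[-1] not in nodes:
        return out, None
    back = trace(nodes, nodes[out[-1]], str(src.ifaces[hop[0]][0].ip))
    return out, back


def build(fixed, t1_up=True):
    """fixed=False: the setup as posted (hosts gatewayed to the firewalls, no
    default route on the routers).  fixed=True: the accepted answer applied.
    Firewall .1 addresses, the 172.16.0.0/30 VPN tunnel and the firewall
    routes are assumptions; fw_b deliberately lacks a route to the T1 subnet."""
    fw_a = Node("fw_a", {"lan": "10.100.200.1/24", "vpn": "172.16.0.1/30"},
                [("10.100.100.0/24", "172.16.0.2"), ("10.100.202.0/24", "10.100.200.11")])
    fw_b = Node("fw_b", {"lan": "10.100.100.1/24", "vpn": "172.16.0.2/30"},
                [("10.100.200.0/24", "172.16.0.1")])
    ra_routes = [("10.100.100.0/24", "10.100.202.2")]
    rb_routes = [("10.100.200.0/24", "10.100.202.1")]
    if fixed:  # "ip route 0.0.0.0 0.0.0.0 <local firewall>" from the accepted answer
        ra_routes.append(("0.0.0.0/0", "10.100.200.1"))
        rb_routes.append(("0.0.0.0/0", "10.100.100.1"))
    ra = Node("router_a", {"Fa0/0": "10.100.200.11/24", "S0/0": "10.100.202.1/24"}, ra_routes)
    rb = Node("router_b", {"Fa0/0": "10.100.100.2/24", "S0/0": "10.100.202.2/24"}, rb_routes)
    ra.ifaces["S0/0"][1] = rb.ifaces["S0/0"][1] = t1_up  # T1 outage drops both serials
    host_a = Node("host_a", {"eth": "10.100.200.10/24"},
                  gateway="10.100.200.11" if fixed else "10.100.200.1")
    host_b = Node("host_b", {"eth": "10.100.100.10/24"},
                  gateway="10.100.100.2" if fixed else "10.100.100.1")
    return {n.name: n for n in (fw_a, fw_b, ra, rb, host_a, host_b)}


if __name__ == "__main__":
    for label, nodes in (("as posted", build(False)), ("fixed", build(True)),
                         ("fixed, T1 down", build(True, t1_up=False))):
        print(label)
        for src, dst in (("router_a", "10.100.100.10"), ("router_b", "10.100.200.10"),
                         ("host_a", "10.100.100.10")):
            out, back = round_trip(nodes, src, dst)
            print(f"  {src} -> {dst}: {' > '.join(out)} | reply: {' > '.join(back or ['-'])}")
```

round_trip traces the echo request and then the reply addressed to the interface the request left from; a ping only succeeds when both paths end at a node, which is why a one-way result points at the return path rather than at the T1. As posted, the hosts never touch the T1 at all (host-to-host traffic rides the firewalls' VPN), and router A's ping dies at firewall B, which has no route to 10.100.202.0/24. With the default routes added and the hosts pointed at the routers, both directions cross the T1. In the T1-down case the static route's next hop 10.100.202.2 is resolved recursively through the new default once the serial interface is down, so the traffic lands on the firewall and the VPN carries it; the model keys that off the interface going down, so a circuit fault that leaves line protocol up is not covered.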

Author Comment

by:jksoft
ID: 9623587
One is a Watchguard FireboxII and the other is a Sonicwall 3060.  The Sonicwall has an option for RIP, but I don't see any options in the Firebox for a routing protocol.  It doesn't appear that setting up a routing protocol on the firewalls is an option.  

You have been a tremendous help, and I learned an important lesson in networking.  I guess even though firewalls allow the addition of route statements, they are not routers, and a router should be allowed to do its job.

Thank you for your help.  

Author Comment

by:jksoft
ID: 9623589
Here's the extra 50 points.