Cisco Route setup - (2) 2620's over point-to-point

I am attempting to set up a point-to-point T1 connection between two locations and I am having trouble getting the two networks to talk to each other.  I can ping between the routers without a problem, but I can't seem to ping from Network A to Network B, but I can ping the other direction from Network B to Network A.  

I can ping from Router B to the 10.100.200.0 network, but from router A to the 10.100.100.0 network.  Router A also has a Frame Relay connection to another location and I have obscured the numbers pertaining to that connection.  I don't believe they are relevant.  Both of these routers are running the same IOS version.  Here are the router configs:

Network A's router
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname A
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
no ip bootp server
!
!
!
interface FastEthernet0/0
 ip address 10.100.200.11 255.255.255.0
 no ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial0/0
 description Point-to-Point T1
 ip address 10.100.202.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/1
 description Frame Relay connection to XXXXXXXX
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 service-module 56k clock rate 64
 frame-relay lmi-type ansi
!
interface Serial0/1.17 point-to-point
 ip address 10.254.x.xx 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 17  
!
ip classless
ip route 10.100.100.0 255.255.255.0 10.100.202.2
ip route 10.100.200.0 255.255.255.0 FastEthernet0/0
ip route 32.xx.xx.x 255.255.255.0 10.254.x.xx
no ip http server
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 access-class 16 in
 password XXXXX
 login
!
end

Network B router config:
Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
!
hostname B
!
logging buffered 4096 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
clock timezone EST -5
ip subnet-zero
no ip domain-lookup
!
no ip bootp server
!
!
!
interface FastEthernet0/0
 ip address 10.100.100.2 255.255.255.0
 ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial0/0
 description Link to Home Office
 ip address 10.100.202.2 255.255.255.0
 ip directed-broadcast
 service-module t1 timeslots 1-24
!
ip classless
ip route 10.100.100.0 255.255.255.0 FastEthernet0/0
ip route 10.100.200.0 255.255.255.0 10.100.202.1
no ip http server
!
!
line con 0
 login
 transport input none
line aux 0
 password 7 XXXXXXXXXXXXXXX
 login
 modem Dialin
 transport input all
line vty 0 4
 exec-timeout 0 0
 password 7 XXXXXXXXXXXXXXX
 login
!
ntp clock-period 17180659
ntp server 10.6.0.1
no scheduler allocate
end
jksoftAsked:
lrmooreCommented:
Suggest removing these routes:
Router A
>ip route 10.100.200.0 255.255.255.0 FastEthernet0/0
Router B
>ip route 10.100.100.0 255.255.255.0 FastEthernet0/0

You don't need static routes to directly connected networks.


>I can't seem to ping from Network A to Network B, but I can ping the other direction from Network B to Network A.
>I can ping from Router B to the 10.100.200.0 network, but [not?] from router A to the 10.100.100.0 network.
Assuming that you are trying to ping a host from the router console....
Examine the host that you are trying to ping. What is its default gateway? Is it the router's Fast 0/0 IP address? Is the subnet mask correct?
If you are trying to ping host-to-host, examine the pinging host to make sure its default gateway is the router's Fast 0/0 ip address and its subnet mask is correct.
95% of the time when you have a one-way ping it is due to firewall software running on the PC that can ping, but can't be pinged. Even a 1-way ping proves routing. If the echo request packet makes it to the host, and the reply makes it back in one direction, there is no logical reason that it won't go the other way..
0
jksoftAuthor Commented:
I removed the suggested routes and it didn't affect the config.  

>I can ping from Router B to the 10.100.200.0 network, but [not?] from router A to the 10.100.100.0 network.
You have it right, I cannot ping from router A to the 10.100.100.0 network.  The computers on the 10.100.100.0 network do NOT have the router's Fast0/0 IP address as their default gateway.  Their default gateway is a firewall, which has a route to the router.  This is actually the same configuration on both sides.  To rule the firewall out as the problem, shouldn't I be able to ping from router A to network B and vice versa since it should never be hitting the firewall, or am I missing something here?  

It is my understanding that the flow of traffic should be from Router A(10.100.202.1), to Router B(10.100.202.2) to the FE interface on Router B(10.100.100.2) then onto the proper host, say 10.100.100.10.  Is this correct?

0
lrmooreCommented:
Actually, here is the traffic flow:

Ping packet source IP host 10.100.202.10  destination ip 10.100.100.10
--> host says "that destination is not in MY host table, I send to my default gateway"
--> default gateway happens to be the firewall. Assuming the Firewall has a route statement:
      Destination network 10.100.100.x, forward to another inside gateway 10.100.202.2, 1 hop
--> Firewall sends redirect packet - maybe (not all firewalls will) - to the PC. Since it is not a router, it will not 'route' the packet nor forward the packet on its own as a router will

-->IF the packet makes it to the destination host, you have the same situation in reverse. Host 10.100.100.10 tries to reply back to 10.100.202.2
--> that network is not local, host sends to default gateway - the firewall
--> firewall has(?) static route statement - destination 10.100.202.x, forward to gateway 10.100.100.2

The issue is the firewalls.
Solution:
add a default route to the routers pointing to the local firewall:
A:
ip route 0.0.0.0 0.0.0.0 10.100.202.1  <-- assuming .1 is the firewall
B:
ip route 0.0.0.0 0.0.0.0 10.100.100.1 <-- assuming .1 is the firewall

Now, point all users to the router as their gateway, not the firewall... the router will then do what routers do, and redirect the packet, not just send an icmp redirect to the host.

0
jksoftAuthor Commented:
Changing the default gateways on the hosts and adding the default routes to the routers appears to have done the trick.  I guess the one firewall wasn't routing properly.  One followup question.  I have added 50 points to this question for a total of 450 points.

I have a VPN tunnel connecting these same two networks with the firewalls.  What would be the best way to configure the routers so they use the point-to-point route T1 if it is available, but use the vpn if the p2p T1 route is down?  
0
lrmooreCommented:
Progress is good...
As for your follow up question, that depends on the firewall, but should be invisible to the users.
If the router's current default gateway is the firewall, with a simple static (or even dynamically learned route) for the other network, pointing to the IP address of the remote end (as you have it now), when the T1 goes down, that route drops and everything then goes out the default to the firewalls..
What kind of firewalls do you have? perhaps they can run OSPF or some other dynamic protocol..

- Cheers!
0
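The two points lrmoore makes above (a router forwards on the longest matching route it actually has installed, and a static route whose next hop sits on a down interface drops out of the table so a default route takes over) can be seen in a small model. The following is an added example, not code from the original thread: a toy Python routing table with connected routes, static routes, recursive next-hop resolution and longest-prefix match, loaded with Router A's addresses from the question. The firewall address 10.100.200.1 on Network A is an assumption (the thread never states it); the T1 next hop 10.100.202.2 and the 10.100.100.0/24 static come from the posted config.

```python
import ipaddress


class Router:
    """Toy model of an IOS-style routing table (not Cisco's implementation):
    connected routes come from interfaces that are up, a static route is
    installed only while its next hop is reachable, and a lookup returns
    the longest-prefix match among installed routes."""

    def __init__(self, name):
        self.name = name
        self.interfaces = {}   # ifname -> [ip_interface, is_up]
        self.statics = []      # [(ip_network, next hop or egress ifname)]

    def add_interface(self, name, cidr, up=True):
        self.interfaces[name] = [ipaddress.ip_interface(cidr), up]

    def set_interface_state(self, name, up):
        self.interfaces[name][1] = up

    def add_static(self, prefix, via):
        self.statics.append((ipaddress.ip_network(prefix), via))

    def connected(self):
        """Connected routes exist only while their interface is up."""
        return {name: iface.network
                for name, (iface, up) in self.interfaces.items() if up}

    def _resolves(self, via):
        """A static pointing at an interface needs that interface up; one
        pointing at a next-hop IP needs a connected route covering it."""
        if via in self.interfaces:
            return self.interfaces[via][1]
        next_hop = ipaddress.ip_address(via)
        return any(next_hop in net for net in self.connected().values())

    def rib(self):
        """Installed routes: connected ones plus resolvable statics."""
        routes = [(net, f"connected {name}")
                  for name, net in self.connected().items()]
        routes += [(net, f"via {via}")
                   for net, via in self.statics if self._resolves(via)]
        return routes

    def lookup(self, dst):
        """Longest-prefix match; None means the packet would be dropped."""
        dst = ipaddress.ip_address(dst)
        matches = [(net, via) for net, via in self.rib() if dst in net]
        if not matches:
            return None
        net, via = max(matches, key=lambda r: r[0].prefixlen)
        return via


def build_router_a(serial_up=True, default=True):
    """Router A as posted in the question, optionally with the T1 down
    and optionally with the default route lrmoore suggests."""
    a = Router("A")
    a.add_interface("FastEthernet0/0", "10.100.200.11/24")
    a.add_interface("Serial0/0", "10.100.202.1/24", up=serial_up)
    # static to Network B over the T1, exactly as in the posted config
    a.add_static("10.100.100.0/24", "10.100.202.2")
    if default:
        # assumption: the firewall on Network A is 10.100.200.1
        a.add_static("0.0.0.0/0", "10.100.200.1")
    return a


if __name__ == "__main__":
    for up, dflt in ((True, True), (False, True), (False, False)):
        r = build_router_a(serial_up=up, default=dflt)
        print(f"T1 up={up} default={dflt}: 10.100.100.10 -> "
              f"{r.lookup('10.100.100.10')}")
```

With the T1 up, the /24 static wins over the default because it is the longer match; when Serial0/0 goes down the connected 10.100.202.0/24 disappears, the static's next hop no longer resolves, and the same destination falls through to the default route toward the firewall (which, in the thread's design, carries the VPN). Without the default route, a down T1 means the lookup fails and the packet is dropped rather than diverted.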
jksoftAuthor Commented:
One is a Watchguard FireboxII and the other is a Sonicwall 3060.  The Sonicwall has an option for RIP but I don't see any options in the Firebox for a routing protocol.  It doesn't appear that setting up a routing protocol on the firewalls is an option.  

You have been a tremendous help, and I learned an important lesson in networking.  I guess even though firewalls allow the addition of route statements, they are not routers, and a router should be allowed to do its job.

Thank you for your help.  
0
jksoftAuthor Commented:
Here's the extra 50 points.
0