jksoft asked:
Cisco Route setup - (2) 2620's over point-to-point

I am attempting to set up a point-to-point T1 connection between two locations and I am having trouble getting the two networks to talk to each other.  I can ping between the routers without a problem, but I can't seem to ping from Network A to Network B, but I can ping the other direction from Network B to Network A.  

I can ping from Router B to the 10.100.200.0 network, but not from router A to the 10.100.100.0 network.  Router A also has a Frame Relay connection to another location and I have obscured the numbers pertaining to that connection.  I don't believe they are relevant.  Both of these routers are running the same IOS version.  Here are the router configs:

Network A's router
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname A
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
no ip bootp server
!
!
!
interface FastEthernet0/0
 ip address 10.100.200.11 255.255.255.0
 no ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial0/0
 description Point-to-Point T1
 ip address 10.100.202.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/1
 description Frame Relay connection to XXXXXXXX
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 service-module 56k clock rate 64
 frame-relay lmi-type ansi
!
interface Serial0/1.17 point-to-point
 ip address 10.254.x.xx 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 17  
!
ip classless
ip route 10.100.100.0 255.255.255.0 10.100.202.2
ip route 10.100.200.0 255.255.255.0 FastEthernet0/0
ip route 32.xx.xx.x 255.255.255.0 10.254.x.xx
no ip http server
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 access-class 16 in
 password XXXXX
 login
!
end

Network B router config:
Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
!
hostname B
!
logging buffered 4096 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
!
clock timezone EST -5
ip subnet-zero
no ip domain-lookup
!
no ip bootp server
!
!
!
interface FastEthernet0/0
 ip address 10.100.100.2 255.255.255.0
 ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial0/0
 description Link to Home Office
 ip address 10.100.202.2 255.255.255.0
 ip directed-broadcast
 service-module t1 timeslots 1-24
!
ip classless
ip route 10.100.100.0 255.255.255.0 FastEthernet0/0
ip route 10.100.200.0 255.255.255.0 10.100.202.1
no ip http server
!
!
line con 0
 login
 transport input none
line aux 0
 password 7 XXXXXXXXXXXXXXX
 login
 modem Dialin
 transport input all
line vty 0 4
 exec-timeout 0 0
 password 7 XXXXXXXXXXXXXXX
 login
!
ntp clock-period 17180659
ntp server 10.6.0.1
no scheduler allocate
end
Les Moore:

Suggest removing these routes:
Router A
>ip route 10.100.200.0 255.255.255.0 FastEthernet0/0
Router B
>ip route 10.100.100.0 255.255.255.0 FastEthernet0/0

You don't need static routes to directly connected networks.


>I can't seem to ping from Network A to Network B, but I can ping the other direction from Network B to Network A.
>I can ping from Router B to the 10.100.200.0 network, but [not?] from router A to the 10.100.100.0 network.
Assuming that you are trying to ping a host from the router console....
Examine the host that you are trying to ping. What is its default gateway? Is it the router's Fast 0/0 IP address? Is the subnet mask correct?
If you are trying to ping host-to-host, examine the pinging host to make sure its default gateway is the router's Fast 0/0 ip address and its subnet mask is correct.
95% of the time when you have a one-way ping it is due to firewall software running on the PC that can ping, but can't be pinged. Even a 1-way ping proves routing. If the echo request packet makes it to the host, and the reply makes it back in one direction, there is no logical reason that it won't go the other way.
jksoft (ASKER):

I removed the suggested routes and it didn't affect the config.  

>I can ping from Router B to the 10.100.200.0 network, but [not?] from router A to the 10.100.100.0 network.
You have it right, I cannot ping from router A to the 10.100.100.0 network.  The computers on the 10.100.100.0 network do NOT have the router's Fast0/0 IP address as their default gateway.  Their default gateway is a firewall, which has a route to the router.  This is actually the same configuration on both sides.  To rule the firewall out as the problem, shouldn't I be able to ping from router A to network B and vice versa since it should never be hitting the firewall, or am I missing something here?  

It is my understanding that the flow of traffic should be from Router A(10.100.202.1), to Router B(10.100.202.2) to the FE interface on Router B(10.100.100.2) then onto the proper host, say 10.100.100.10.  Is this correct?

Les Moore:

Actually, here is the traffic flow:

Ping packet source IP host 10.100.202.10  destination ip 10.100.100.10
--> host says "that destination is not in MY host table, I send to my default gateway
--> default gateway happens to be the firewall. Assuming the Firewall has a route statement:
      Destination network 10.100.100.x, forward to another inside gateway 10.100.202.2, 1 hop
--> Firewall sends redirect packet - maybe (not all firewalls will) - to the PC. Since it is not a router, it will not 'route' the packet nor forward the packet on its own as a router will

-->IF the packet makes it to the destination host, you have the same situation in reverse. Host 10.100.100.10 tries to reply back to 10.100.202.2
--> that network is not local, host sends to default gateway - the firewall
--> firewall has(?) static route statement - destination 10.100.202.x, forward to gateway 10.100.100.2

The issue is the firewalls.
Solution:
add a default route to the routers pointing to the local firewall:
A:
ip route 0.0.0.0 0.0.0.0 10.100.202.1  <-- assuming .1 is the firewall
B:
ip route 0.0.0.0 0.0.0.0 10.100.100.1 <-- assuming .1 is the firewall

Now, point all users to the router as their gateway, not the firewall... the router will then do what routers do, and redirect the packet, not just send an icmp redirect to the host.

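As an added illustration (not part of the thread), here is a small Python longest-prefix-match forwarding simulator that traces the echo request and the echo reply described above, before and after the hosts are repointed at the router. Router addresses come from the posted configs; the .1 firewall address and the .10 host address are the assumptions made above, and modelling the firewall as not forwarding between the inside networks follows the diagnosis in the post.

```python
import ipaddress

def lookup(routes, dst):
    # Longest-prefix match over (prefix, next_hop); 'connected' = deliver on-link.
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(nodes, src, dst_ip, max_hops=8):
    # Walk one packet hop by hop from node `src`; returns (path, outcome).
    dst = ipaddress.ip_address(dst_ip)
    owner = {ipaddress.ip_address(a): n for n, d in nodes.items() for a in d["addrs"]}
    path, cur = [src], src
    while len(path) <= max_hops:
        if owner.get(dst) == cur:
            return path, "delivered"
        if cur != src and not nodes[cur]["forwards"]:
            return path, "dropped: %s does not forward" % cur
        nh = lookup(nodes[cur]["routes"], dst)
        if nh is None:
            return path, "dropped: %s has no route" % cur
        nxt = dst if nh == "connected" else ipaddress.ip_address(nh)
        if nxt not in owner:
            return path, "dropped: next hop %s unreachable" % nxt
        cur = owner[nxt]
        path.append(cur)
    return path, "dropped: hop limit"

def topology(hosts_use_router):
    # Constructed model of the thread. Router addresses come from the posted
    # configs; the .1 firewall and .10 host addresses are assumed.
    gw_b = "10.100.100.2" if hosts_use_router else "10.100.100.1"
    return {
        "routerA": {"addrs": ["10.100.200.11", "10.100.202.1"], "forwards": True,
                    "routes": [("10.100.200.0/24", "connected"), ("10.100.202.0/24", "connected"),
                               ("10.100.100.0/24", "10.100.202.2")]},
        "routerB": {"addrs": ["10.100.100.2", "10.100.202.2"], "forwards": True,
                    "routes": [("10.100.100.0/24", "connected"), ("10.100.202.0/24", "connected"),
                               ("10.100.200.0/24", "10.100.202.1")]},
        # The firewall answers for its own address but, per the diagnosis above,
        # does not forward between the inside networks the way a router would.
        "fwB": {"addrs": ["10.100.100.1"], "forwards": False, "routes": []},
        "hostB": {"addrs": ["10.100.100.10"], "forwards": False,
                  "routes": [("10.100.100.0/24", "connected"), ("0.0.0.0/0", gw_b)]},
    }

if __name__ == "__main__":
    for fixed in (False, True):
        print("hosts' gateway = %s" % ("router" if fixed else "firewall"))
        print("  echo  routerA -> hostB:", trace(topology(fixed), "routerA", "10.100.100.10"))
        print("  reply hostB -> routerA:", trace(topology(fixed), "hostB", "10.100.202.1"))
```

The echo request reaches the host either way; only the reply path changes, which is why the ping looked one-way.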
jksoft (ASKER):

Changing the default gateways on the hosts and adding the default routes to the routers appears to have done the trick.  I guess the one firewall wasn't routing properly.  One followup question.  I have added 50 points to this question for a total of 450 points.

I have a VPN tunnel connecting these same two networks with the firewalls.  What would be the best way to configure the routers so they use the point-to-point route T1 if it is available, but use the vpn if the p2p T1 route is down?  
ASKER CERTIFIED SOLUTION
Les Moore:

jksoft (ASKER):

One is a Watchguard FireboxII and the other is a Sonicwall 3060.  The Sonicwall has an option for RIP but I don't see any options in the Firebox for a routing protocol.  It doesn't appear that setting up a routing protocol on the firewalls is an option.  

You have been a tremendous help and I learned an important lesson in networking.  I guess even though firewalls allow the addition of route statements, they are not routers and a router should be allowed to do its job.

Thank you for your help.  
jksoft (ASKER):

Here's the extra 50 points.