Solved

Connecting 2 remote sites via PTP T1. Unable to access one of the 2 sites' networks.

Posted on 2004-04-19
Last Modified: 2013-11-16
I currently have 2 sites connected via a PTP T1. The routers' names are MDF-POP-NC “Cisco 2610” and MDF-PTP-SC “Cisco 2610”. The site where MDF-POP-NC resides is filtered using a WatchGuard 700. The WatchGuard is not equipped with a CSU/DSU, so the router MDF-POP-NC is at the POP. I need both sites filtered, and I do not want to route traffic through my WatchGuard from MDF-POP-NC, creating double the traffic and reducing my usable bandwidth. I have a 3rd router, MDF-PTP-NC “Cisco 2611”, that I want to use to bring traffic into that site from MDF-PTP-SC. So the desired route traffic would take would be MDF-PTP-SC to MDF-PTP-NC to WatchGuard to MDF-POP-NC. Currently all traffic at the site where MDF-POP-NC resides is filtered through the WatchGuard. I have the router MDF-PTP-NC configured and tested it this weekend. When in place I can ping all interface addresses of MDF-PTP-SC and addresses internal to that site's network from MDF-PTP-NC. From MDF-PTP-SC I can ping all interface addresses of MDF-PTP-NC but no internal addresses to that network.
Here is the configuration of both routers less Login methods and passwords.
hostname MDF-PTP-SC
!
ip subnet-zero
! External addresses edited out of the next line
ip host MDF-POP-NC 0.0.0.0 0.0.0.0
ip host MDF-PTP-SC 172.16.1.1 10.10.10.2
ip host MDF-PTP-NC 192.168.1.7 10.10.10.1
!
interface Ethernet0/0
 ip address 172.16.1.1 255.255.0.0
 no ip directed-broadcast
!
interface Serial0/0
 ip address 10.10.10.2 255.255.255.252
 no ip directed-broadcast
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.0.0 255.255.0.0 10.10.10.1
no ip http server
!
access-list 1 permit 167.58.253.0 0.0.0.255
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 7 permit 0.0.0.0
access-list 50 deny   0.0.0.0
access-list 50 permit any
access-list 70 deny   10.0.0.0 0.255.255.255
access-list 70 deny   172.16.0.0 0.15.255.255
access-list 70 deny   192.168.0.0 0.0.255.255
access-list 70 permit any
access-list 80 deny   0.0.0.0
access-list 80 deny   10.0.0.0 0.255.255.255
access-list 80 deny   172.16.0.0 0.15.255.255
access-list 80 deny   192.168.0.0 0.0.255.255
access-list 80 permit any
access-list 101 deny   udp any any eq snmp
access-list 101 deny   udp any any eq snmptrap
access-list 101 permit ip any any
snmp-server engineID local 00000009020000014208EBE0
snmp-server enable traps snmp

hostname MDF-PTP-NC
!
ip subnet-zero
no ip domain-lookup
! External addresses edited out of the next line
ip host MDF-POP-NC 0.0.0.0 0.0.0.0
ip host MDF-PTP-SC 172.16.1.1 10.10.10.2
ip host MDF-PTP-NC 192.168.1.7 10.10.10.1
!
no ip bootp server
!
interface Ethernet0/0
 ip address 192.168.1.7 255.255.0.0
 no ip directed-broadcast
!
interface Serial0/0
 ip address 10.10.10.1 255.255.255.252
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
!
interface Ethernet0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
ip classless
! 192.168.1.2 = WatchGuard firewall/filter, which forwards traffic to router MDF-POP-NC.
! All internet traffic at that location is filtered.
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 172.16.0.0 255.255.0.0 10.10.10.2
no ip http server
!
end
Question by:PosCon
Accepted Solution

by:
PennGwyn earned 500 total points
ID: 10861809
PTP-NC is available on that network at 192.168.1.7.  But the WatchGuard is on that network at 192.168.1.2, and that's where the clients on that network are pointing for their default gateway.  So their ping responses to PTP-SC are getting sent to the WatchGuard and dropped.

You need PTP-NC to be the default gateway for the 192.168.x.x LAN, with ITS default route pointed at the WatchGuard.

Simplest fix:
Move the WG to 192.168.1.7, put PTP-NC on 192.168.1.2, and change the default route on PTP-NC to

ip route 0.0.0.0 0.0.0.0 192.168.1.7

Better fix:
Put a private network (10.10.10.4/30?) between PTP-NC's Ethernet0/1 port and the WG's ethernet port (which will need an address on that private net instead of on  192.168.x.x).

0
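
The return-path problem described in the accepted answer, as an added example that is not part of the original thread: it replays the static routes from the two posted configs with longest-prefix matching and traces where a LAN client's reply goes before and after the "simplest fix". The client `NC-host`, the test addresses 192.168.1.20 and 172.16.1.50, and the WatchGuard's route table (LAN route only, since its upstream side is edited out on the page) are assumptions.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match. routes maps prefix -> next hop ('direct' = connected)."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes.items()
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, owner, start, dst, max_hops=8):
    """Follow next hops from device `start` towards dst; return (path, delivered)."""
    path, node = [start], start
    for _ in range(max_hops):
        nh = next_hop(tables[node], dst)
        if nh is None:
            return path, False          # no route on this device: packet dropped
        if nh == "direct":
            return path, True           # destination is on a connected network
        node = owner[nh]                # device that owns the next-hop address
        path.append(node)
    return path, False                  # routing loop

def build(fixed):
    """Tables from the posted configs; fixed=True swaps the WatchGuard and PTP-NC LAN addresses."""
    wg, nc = ("192.168.1.7", "192.168.1.2") if fixed else ("192.168.1.2", "192.168.1.7")
    tables = {
        "PTP-SC": {"172.16.0.0/16": "direct", "10.10.10.0/30": "direct",
                   "0.0.0.0/0": "10.10.10.1", "192.168.0.0/16": "10.10.10.1"},
        "PTP-NC": {"192.168.0.0/16": "direct", "10.10.10.0/30": "direct",
                   "0.0.0.0/0": wg, "172.16.0.0/16": "10.10.10.2"},
        # Assumption: the WatchGuard knows only its own LAN, not 172.16/16 or the T1 link
        "WatchGuard": {"192.168.0.0/16": "direct"},
        # Constructed LAN client; its default gateway is 192.168.1.2 in both cases
        "NC-host": {"192.168.0.0/16": "direct", "0.0.0.0/0": "192.168.1.2"},
    }
    owner = {"10.10.10.1": "PTP-NC", "10.10.10.2": "PTP-SC", wg: "WatchGuard", nc: "PTP-NC"}
    return tables, owner

def reply_path(fixed, dst):
    """Path taken by a LAN client's reply to an address on the far side of the T1."""
    tables, owner = build(fixed)
    return trace(tables, owner, "NC-host", dst)

if __name__ == "__main__":
    tables, owner = build(False)
    print("echo request :", trace(tables, owner, "PTP-SC", "192.168.1.20"))
    for fixed in (False, True):
        for dst in ("10.10.10.2", "172.16.1.50"):
            print("fixed" if fixed else "as posted", "reply to", dst, reply_path(fixed, dst))
```

The echo request reaches the LAN in both cases; only the reply path changes, which is why pings from PTP-SC to the router interface 192.168.1.7 worked while pings to hosts behind it did not.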
 

Author Comment

by:PosCon
ID: 10863162
OK, I am not seeing how this will fix my problem.  I understand "You need PTP-NC to be the default gateway for the 192.168.x.x LAN, with ITS default route pointed at the WatchGuard".  
When I say I was issuing a ping command I mean from the router.  I was able to ping all PTP-NC interfaces from PTP-SC but nothing on the 192.168 network except interface e0/0 192.168.1.7.  
0
 

Author Comment

by:PosCon
ID: 10893045
I appreciate any help someone can give me!  I am at a loss why I cannot ping the 192.168 network.
0
 

Author Comment

by:PosCon
ID: 11050556
PennGwyn,

I understand what you were saying now.  That fixed the ping problem.  I had to add a network route for the 172. network into WatchGuard to get internet traffic routed to that network also.  

I have one more problem.  I cannot ping by hostname from the 172 network to the 192 network.  I need to join a server in the 172 network to the domain in the 192 network.  Do you have any suggestions?  After I get the server joined to the domain I should be good.  Again, thanks for your response and forgive my ignorance in the above reply.
0
 

Author Comment

by:PosCon
ID: 11051409
I added a host name to IP address mapping entry on my PTP-SC router and I can ping that specific hostname from the router now.  I still cannot ping the same host name from a workstation that has its default gateway pointed to PTP-SC.  The host name I mapped is the DNS server on the 192 network.  I have the DNS Server entry on my Local Area Connection on a workstation pointed to the same DNS server that I mapped on the router and I can access the internet with no problems.  
0
