Network 10.10.10.0/24  Gateway 10.10.10.1 New network 10.10.11.0/24 via router with WAN ID 10.10.10.xx

normanchoi asked
Last Modified: 2006-11-17
10.10.11.0/24 can ping 10.10.10.0/24 but not vice versa. Database Applications unable to work in new network 10.10.11.0

CERTIFIED EXPERT

Commented:
If you can ping one way and not the other then the likely cause is a missing route at one end (the end you cannot ping from).

What operating system is it?
Pete Long, Technical Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Agree, or a firewall :)
Top Expert 2009

Commented:
If you do a traceroute from the host you are unable to ping from, where does it time out?
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
If ping response gets back to a pinger, then routing is not usually an issue.
99% of the time, one-way ping is the result of a firewall, specifically running on the one that can ping, but cannot BE pinged.
Many applications install their own firewall that causes this behavior. IPSEC VPN client software, several AV products as well as personal firewalls. Even if a personal firewall was installed at one time and then later removed, residual effects linger.
CERTIFIED EXPERT

Commented:
I have seen issues where a machine A can ping B but machine B cannot ping machine A which has been down to a routing issue. Some operating systems will automatically send a reply back to the same MAC address that it came from even if it does not have or has a different route to that network.
Top Expert 2004

Commented:
If you can't ping one device on the target network, but you can ping other devices, and the one device CAN ping its gateway and other devices on its network, then check the routing table on the target device, the subnet mask, and the default gateway.

How many different "can't ping scenarios" can we think of before there's an author response ... ;)
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Looking at this logically, I still don't agree that it could be a routing issue.
If source ICMP echo sourced from host 10.10.11.11 to host 10.10.10.10 and a reply is received, then 10.10.11.x obviously has a route to the 10.10.10.x subnet, and vice-versa the reply will be sourced from host 10.10.10.10 to host 10.10.11.11, so the echo-reply followed the correct path. If the echo-reply knows how to get back to the 10.10.11.x subnet, so would any other IP packet. That rules out a routing issue.
Firewall/router access-lists are notorious for blocking ICMP, especially since the MSBlaster disaster. Perhaps one side blocks only ICMP echo requests (from 10.10.11.0 to anything else), but does not block echo-reply. This is typically how we set up blocking access-lists to mitigate effects of blaster/welchia/sasser worms. All you have to block is ICMP echo at the egress port.

Else, the host that you are trying to ping has a software firewall running, or had running at one time with the blocking still in effect.

The only other thing I can think of would be a subnet mask mis-match. You can get odd behavior like this sometimes.

How about it, normanchoi?

CERTIFIED EXPERT
Top Expert 2004

Commented:
As asked earlier, what is the operating system? The non-pingable server may be running ipchains (Linux) or some other server-based firewall (Norton, BlackIce, etc.) that disallows incoming pings. This is very common.
CERTIFIED EXPERT

Commented:
Got this email from the author
------------------------
10.10.11.0/24 can ping 10.10.10.0/24 but not vice versa. Database Applications unable to work in new network 10.10.11.0
 
They are in NT4 domain, all users using 98/NT/2000/XP
 
Thanks for your interest in my question.
Norman
--------------------------

Please could you post your responses here instead and not email people directly.
CERTIFIED EXPERT

Commented:
Can you do some basic tests?
On 10.10.10.0, can you pick a machine and open a DOS window and type "ipconfig /all"? Then do the same on a machine on the other network.

What router are you using?
Can you post its configuration?

Author

Commented:
10.10.11.0 is a LAN in a NAT beyond a wireless router with a WAN IP in 10.10.10.0. Each user uses a "HOST" file in their c:\windows\system32 folder to route to desired 10.10.10.0 servers to obtain desired resources. Problem resolved by using a regular router to route the two networks.

Commented:
Quoting the author

"10.10.11.0/24 can ping 10.10.10.0/24 but not vice versa.
10.10.11.0 is a LAN in a NAT beyond a wireless router with a WAN IP in 10.10.10.0"

Is 10.10.11.0 natted to a single IP as in NAT overload? In that case, only outbound connections from 10.10.11.0 will go through. Inbound traffic will fail. You need to do a one to one nat for specific hosts which need inbound access, or nat the entire range.

" Problem resolved by using a regular router to route the two networks."

Did you disable the natting which was done earlier?
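
The NAT overload behaviour described in the comment above, as an added example that is not part of the original thread: a toy translation table showing why flows opened from 10.10.11.0/24 get their replies while unsolicited traffic from 10.10.10.0/24 is dropped unless a one-to-one mapping exists. The WAN address 10.10.10.50, the static address 10.10.10.60 and all port numbers are constructed sample values; the two host addresses are the ones used earlier in the thread.

```python
"""Toy model of NAT overload (PAT) versus a static one-to-one mapping."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.10.11.0/24")  # NATed LAN from the thread
WAN_IP = "10.10.10.50"                # constructed; the thread only gives 10.10.10.xx


@dataclass
class NatRouter:
    static: dict = field(default_factory=dict)    # outside IP -> inside IP
    sessions: dict = field(default_factory=dict)  # (wan_port, peer_ip, peer_port) -> (inside_ip, inside_port)
    next_port: int = 40000

    def outbound(self, src, sport, dst, dport):
        """Inside host opens a flow; return the (ip, port) the outside peer sees."""
        if ip_address(src) not in INSIDE:
            raise ValueError("source is not on the inside network")
        for outside, inside in self.static.items():
            if inside == src:
                return outside, sport          # one-to-one: ports unchanged
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(wan_port, dst, dport)] = (src, sport)
        return WAN_IP, wan_port

    def inbound(self, src, sport, dst, dport):
        """Packet arriving on the WAN side; return inside (ip, port) or None if dropped."""
        if dst in self.static:
            return self.static[dst], dport     # static mapping needs no prior session
        if dst == WAN_IP:
            return self.sessions.get((dport, src, sport))  # only replies to known flows
        return None                            # 10.10.11.x is not reachable directly


def demo():
    r = NatRouter()
    server, client = "10.10.10.10", "10.10.11.11"
    seen = r.outbound(client, 1025, server, 1433)        # client opens a flow
    reply = r.inbound(server, 1433, *seen)               # server's reply is translated back
    unsolicited = r.inbound(server, 2000, WAN_IP, 1433)  # server-initiated: no session
    direct = r.inbound(server, 2000, client, 1433)       # inside address is hidden
    r.static["10.10.10.60"] = client                     # add a one-to-one mapping
    mapped = r.inbound(server, 2000, "10.10.10.60", 1433)
    return seen, reply, unsolicited, direct, mapped


if __name__ == "__main__":
    print(demo())
```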
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:

Can you close this question?
Thanks!

Commented:
Yes, can we close this? Or can the moderators step in and assign the points?
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
We'll have to wait for the cleanup crew to get around to this TA.

fullerms - would you like to be a Cleanup Volunteer? We could use your expertise.
I'm already an Expert, Page Editor, and CV working some other TA's at the moment...spreading myself too thin...

Commented:
lrmoore,

Thanks for the offer. I sure would love to be a volunteer. However, I am in the middle of something right now and it's taking up all my time. I am okay to take up this responsibility from February 2006.
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
OK. When you're ready, post here...
https://www.experts-exchange.com/Community_Support/CleanUp/Q_21604166.html
Don Johnston, Instructor
CERTIFIED EXPERT
Top Expert 2015

Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

RECOMMENDATION: PAQ refund points

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

donjohnston
EE Cleanup Volunteer