Solved

Router on local lan, no ping, no sharing

Posted on 2004-10-01
9
805 Views
Last Modified: 2008-02-01
Have a bit of a LAN problem. We have one Cisco 2611xm router. We have two Pix firewalls. All devices connected to Lan switch with 192.168.0.x/24 addressing. We have two seperate Wan circuits.

1-High Speed Cable(providing internet access to all users)
2-T1 Line(providing special app (X) access to 8 users)

All users using 192.168.0.x/24 subnet. All users default gateway is Pix506(192.168.0.3) except (X) users gateway is Router(192.168.0.1). (X) users traffic for special app is routed to T1 and Internet traffic to High Speed Cable. The router route statements are as follows:
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.3
ip route 10.32.20.0 255.255.255.128 192.168.0.4
ip route 207.61.230.98 255.255.255.255 192.168.0.4

Although two Lan interfaces on Router, only fastethernet 0/0 is connected. Router is routing all traffic back through same ethernet interface(not ideal set-up). All internet traffic routed to Pix506. Pix 506 is running NAT.

QUESTION:Current configuration works however I am unable to ping or file share with (X) users on LAN. (X) users accessing proper route for Internet and special app on T1. I believe something may be wrong with route statements, but not sure what ?
All users windows xp.  Maybe requires a different subnet for (X) users ?

0
Comment
Question by:mmm5
  • 4
  • 3
  • 2
9 Comments
 
LVL 5

Expert Comment

by:netspec01
ID: 12199748
Can you do an ASCII net diagram?

pc----switch----router----firewall---router----T1
                           |
                           -------firewall---cable modem
           

0
 

Author Comment

by:mmm5
ID: 12200832
Not sure. I can try.

         switch
             |------- Pc's
             |--------router
             | -------firewall(pix506)---cable modem
             |--------firewall(pix501)---Router---T1
             |--------Nt server

All devices attached to switch ports.

Hope this is what you asked for.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 12200917
>Current configuration works however I am unable to ping or file share with (X) users on LAN.
Assuming that your setup is like netspec01's diagram, and your explanation that all users, including (X) users are all on the same 192.168.0.x / 24 subnet, then everyone is local to each other and routers/firewalls are not even in the picture. However, since you have dual PIX's on the LAN, you need to disable proxyarp on one of them. Suggest that on 192.168.0.4 (T1 firewall), you disable proxyarp on the inside interface:
   sysopt noproxyarp inside

It wouldn't hurt to turn it off on both PIX's..

0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 5

Assisted Solution

by:netspec01
netspec01 earned 250 total points
ID: 12201154
From your diagram, it doesn't look like you even need the router.  Unless you are using it for intervlan routing or some other function.

Assuming that you don't need the router, you could set the following routes on all PCs (either manually or via DHCP).

set default gateway to 192.168.0.3                                
route add 10.32.20.0 255.255.255.128 192.168.0.4
route add 207.61.230.98 255.255.255.255 192.168.0.4

I am assuming that your switch is layer 2 switch and does not perfrom any routing functionality.  Also we have only a single network/mask defined on all devices.
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12201183
You didn't install XP service pack 2 by any chance did you?  By defualt ALL file sharing (including administrative shares) and ICMP (ping traceroute)  is shut off.  You can allow these by exception in the firewall configuration or shut off the firewall feature.
0
 

Author Comment

by:mmm5
ID: 12205874
Did not install SP2, thanks for tip.

Router will be used in future multiple subnets, therefore would like to resolve using router statements. However, did not even think of XP route statements as interim, sounds about right, will try next week and post result.

Could you briefly explain "sysopt noproxyarp inside" main purpose.

It also may be important to mention that CheckPoint vpn client software is running on (X) users, altough I do select the KILL command on Securemote Icon that shows up in the system tray.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12207953
Understanding Proxy Arp
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml

With two PIX's on your LAN, they are competing against each other for local arp. Whenever you have two PIX's on the same lan, trust me, you must disable proxy arp on at least one of them, it won't hurt to disable on both.
0
 

Author Comment

by:mmm5
ID: 12228865
Problem solved, it req'd a vpn "diable policy" and "kill" within the VPN software. However, suggestions regarding pc route and diabling proxy arp do apply in some respects. I will split points to both responders. Thank you very much for the assistance. I will be calling again!
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12232803
Glad we could help!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

823 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question