Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 823
  • Last Modified:

Router on local lan, no ping, no sharing

Have a bit of a LAN problem. We have one Cisco 2611xm router. We have two Pix firewalls. All devices connected to Lan switch with 192.168.0.x/24 addressing. We have two seperate Wan circuits.

1-High Speed Cable(providing internet access to all users)
2-T1 Line(providing special app (X) access to 8 users)

All users using 192.168.0.x/24 subnet. All users default gateway is Pix506(192.168.0.3) except (X) users gateway is Router(192.168.0.1). (X) users traffic for special app is routed to T1 and Internet traffic to High Speed Cable. The router route statements are as follows:
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.3
ip route 10.32.20.0 255.255.255.128 192.168.0.4
ip route 207.61.230.98 255.255.255.255 192.168.0.4

Although two Lan interfaces on Router, only fastethernet 0/0 is connected. Router is routing all traffic back through same ethernet interface(not ideal set-up). All internet traffic routed to Pix506. Pix 506 is running NAT.

QUESTION:Current configuration works however I am unable to ping or file share with (X) users on LAN. (X) users accessing proper route for Internet and special app on T1. I believe something may be wrong with route statements, but not sure what ?
All users windows xp.  Maybe requires a different subnet for (X) users ?

0
mmm5
Asked:
mmm5
  • 4
  • 3
  • 2
2 Solutions
 
netspec01Commented:
Can you do an ASCII net diagram?

pc----switch----router----firewall---router----T1
                           |
                           -------firewall---cable modem
           

0
 
mmm5Author Commented:
Not sure. I can try.

         switch
             |------- Pc's
             |--------router
             | -------firewall(pix506)---cable modem
             |--------firewall(pix501)---Router---T1
             |--------Nt server

All devices attached to switch ports.

Hope this is what you asked for.
0
 
lrmooreCommented:
>Current configuration works however I am unable to ping or file share with (X) users on LAN.
Assuming that your setup is like netspec01's diagram, and your explanation that all users, including (X) users are all on the same 192.168.0.x / 24 subnet, then everyone is local to each other and routers/firewalls are not even in the picture. However, since you have dual PIX's on the LAN, you need to disable proxyarp on one of them. Suggest that on 192.168.0.4 (T1 firewall), you disable proxyarp on the inside interface:
   sysopt noproxyarp inside

It wouldn't hurt to turn it off on both PIX's..

0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
netspec01Commented:
From your diagram, it doesn't look like you even need the router.  Unless you are using it for intervlan routing or some other function.

Assuming that you don't need the router, you could set the following routes on all PCs (either manually or via DHCP).

set default gateway to 192.168.0.3                                
route add 10.32.20.0 255.255.255.128 192.168.0.4
route add 207.61.230.98 255.255.255.255 192.168.0.4

I am assuming that your switch is layer 2 switch and does not perfrom any routing functionality.  Also we have only a single network/mask defined on all devices.
0
 
netspec01Commented:
You didn't install XP service pack 2 by any chance did you?  By defualt ALL file sharing (including administrative shares) and ICMP (ping traceroute)  is shut off.  You can allow these by exception in the firewall configuration or shut off the firewall feature.
0
 
mmm5Author Commented:
Did not install SP2, thanks for tip.

Router will be used in future multiple subnets, therefore would like to resolve using router statements. However, did not even think of XP route statements as interim, sounds about right, will try next week and post result.

Could you briefly explain "sysopt noproxyarp inside" main purpose.

It also may be important to mention that CheckPoint vpn client software is running on (X) users, altough I do select the KILL command on Securemote Icon that shows up in the system tray.

0
 
lrmooreCommented:
Understanding Proxy Arp
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml

With two PIX's on your LAN, they are competing against each other for local arp. Whenever you have two PIX's on the same lan, trust me, you must disable proxy arp on at least one of them, it won't hurt to disable on both.
0
 
mmm5Author Commented:
Problem solved, it req'd a vpn "diable policy" and "kill" within the VPN software. However, suggestions regarding pc route and diabling proxy arp do apply in some respects. I will split points to both responders. Thank you very much for the assistance. I will be calling again!
0
 
netspec01Commented:
Glad we could help!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 4
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now