Routing to and from a subnetwork

Hi,

Below is a synopsis of my network:

NETWORK_1
----------
Addr: 192.168.1.0/24, GW: 192.168.1.1(Firewall/Router)

NETWORK_2
----------
Addr: 192.168.2.0/24,
via router at 192.168.1.200 (Cisco)

Problem:
I have a host at NETWORK_2 with the IP 192.168.2.100. Hosts are reachable between NETWORK_1 and NETWORK_2 with the FW/Router (192.168.1.1) doing the routing.

The host at NETWORK_2 attempts to reach the INTERNET via 192.168.1.1 (Firewall/Router); the packet filter log shows ALLOWED. However, the response did not return.

An attempt to test from the Internet to the host at NETWORK_2 was received by the FW/Router (192.168.1.1) successfully and allowed according to the packet filter logs (NAT: Any->PUBLIC_IP/Any, (dst)192.168.2.100). However, it did not reach the destination.

My current static route is:
Source: Any
Service: Any
Destination: NETWORK_2 (192.168.2.0/24)
Target: Cisco Router (192.168.1.200)

The policy enables both NETWORK_1 and NETWORK_2 to reach each other. The FW/Router (192.168.1.1) can ping NETWORK_2 successfully.

What else needs to be done?

Thanks
Fred
pajiao asked:
from_exp commented:
Check the NAT rules on your firewall.
TreyH commented:
Your Cisco router needs a default route to the firewall, something like:
ip route 0.0.0.0 0.0.0.0 192.168.1.1
(If it receives a destination address of anything other than 192.168.1.0/24 or 192.168.2.0/24, it will route it to the firewall.)

Your firewall needs a route to know how to get back to Network2, something like:
route 192.168.2.0 255.255.255.0 192.168.1.200 (the Cisco router)

All hosts should have a gateway address of the respective interface of the Cisco router.
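To see why both routes in TreyH's answer are needed, here is an added example (not from the thread or any vendor): a small longest-prefix-match routing simulator that walks a packet from the NETWORK_2 PC out to the Internet and the reply back again, with and without the firewall's route to 192.168.2.0/24. The device keys and the Internet address 203.0.113.10 are constructed to match the thread's synopsis.

```python
"""Hop-by-hop route check for the two-subnet layout in this thread (added example)."""
import ipaddress

INTERNET = "INTERNET"   # terminal: handed to the upstream provider
DIRECT = "DIRECT"       # terminal: destination is on a connected subnet


def build_tables(firewall_has_return_route=True):
    """Routing tables per device as (prefix, next hop), modelled on TreyH's answer."""
    firewall = [("192.168.1.0/24", DIRECT), ("0.0.0.0/0", INTERNET)]
    if firewall_has_return_route:       # route 192.168.2.0 255.255.255.0 192.168.1.200
        firewall.append(("192.168.2.0/24", "192.168.1.200"))
    cisco = [("192.168.1.0/24", DIRECT), ("192.168.2.0/24", DIRECT),
             ("0.0.0.0/0", "192.168.1.1")]   # ip route 0.0.0.0 0.0.0.0 192.168.1.1
    return {"192.168.1.1": firewall, "192.168.1.200": cisco}


def lookup(table, dst):
    """Longest-prefix match; None means the device has no route for dst at all."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(tables, first_hop, dst, max_hops=8):
    """Follow next hops from first_hop; returns (devices visited, terminal)."""
    path, hop = [], first_hop
    for _ in range(max_hops):
        if hop not in tables:
            return path, hop          # DIRECT, INTERNET, None, or an unmodelled hop
        path.append(hop)
        hop = lookup(tables[hop], dst)
    return path, "loop"


def round_trip(tables, pc="192.168.2.100", server="203.0.113.10"):
    """Outbound from the PC's gateway (the Cisco), reply from the firewall.
    The reply is lost when the firewall forwards a private destination upstream,
    which is exactly the symptom of a missing return route."""
    out_path, out_end = trace(tables, "192.168.1.200", server)
    back_path, back_end = trace(tables, "192.168.1.1", pc)
    return {"outbound": out_end,
            "reply_delivered": back_end == DIRECT,
            "symmetric": back_path == list(reversed(out_path))}


if __name__ == "__main__":
    for has_route in (True, False):
        print("return route" if has_route else "no return route",
              round_trip(build_tables(has_route)))
```

A `symmetric` result of False while `reply_delivered` is True would indicate the reply takes a different device path than the request, the asymmetric-routing situation from_exp raises later in this thread.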
pajiao (Author) commented:
Hi Trey,

All are present; that is why the firewall and router can ping to and fro.

Hi exp,

NAT rules are correct.
from_exp commented:
Hi!
Please provide tracert -d <some host outside your network> from a PC in the second subnet.

Please provide a traceroute to your PC in the second subnet from the 1.1 box.
pajiao (Author) commented:
Tracert from outside to the subnet host stops at the public IP address.

Tracert from the PC in the subnet to the 192.168.1.1 firewall reaches it successfully.
from_exp commented:
pajiao, I asked for slightly different traces:

from the PC with a 192.168.2.x address to a real IP address on the Internet

from the firewall (192.168.1.1) to your PC 192.168.2.x
pajiao (Author) commented:
from the PC with a 192.168.2.x address to a real IP address on the Internet
>> no problem.
from the firewall (192.168.1.1) to your PC 192.168.2.x
>> no problem.
from_exp commented:
Hm, this means that transmission is fine, so what do you mean by:
"Host at NETWORK_2 attempts to reach INTERNET via 192.168.1.1 (Firewall/Router), packet filter log shows ALLOWED. However response did not return. "?
pajiao (Author) commented:
Apologies. Some corrections.

from the PC with a 192.168.2.x address to a real IP address on the Internet
>> tracert stops at the public IP address of the firewall (LAN: 192.168.1.1).

from the firewall (192.168.1.1) to your PC 192.168.2.x
>> no problem.
from_exp commented:
Hi!
I suppose I would like to see your firewall's configuration.
It seems you have a problem with an ACL permitting you out or, more likely, with the NAT rules.
pajiao (Author) commented:
My firewall is not a Cisco firewall.

Rules as below:
1) NAT: Any -> PUBLIC_IP_1 / Any   Src Translation: NETWORK_2_PC 192.168.2.100
2) Static Route: Any/Any  Destination: 192.168.2.0/24  Target: Cisco 192.168.1.200   (This enables NETWORK_1 to communicate with NETWORK_2)
3) Port 80 is opened. I tried having an IIS on NETWORK_2_PC, which could be accessed from NETWORK_1 but not from the Internet.
4) No logs from Intrusion Detection system showing any activities that will be blocked.

Tracert from NETWORK_1
  1    <1 ms    <1 ms    <1 ms  192.168.1.1 (Firewall)
  2    <1 ms    <1 ms    <1 ms  PUBLIC_IP (public ip of the data center gateway)
  3      1 ms    1 ms    1 ms  TRACERT_DEST_IP

Tracert from NETWORK_2
  1    <1 ms    <1 ms    <1 ms  192.168.2.1 (Another Cisco router at NETWORK_2)
  2    <1 ms    <1 ms    <1 ms  MPLS_EXCHANGE IP
  3      1 ms      1 ms      1 ms  FIREWALL_PUBLIC_IP (This is the strange one as tracert from network1 shows the LAN_IP of the firewall instead)

Thanks
from_exp commented:
I suppose your traces from network2 are taking a different path. Is it possible you have one more router there?
pajiao (Author) commented:
Hi, please close the question. Problem resolved.
from_exp commented:
Hmm, please describe the resolution and close the case yourself. Only the owner (you) and a moderator can close cases.
pajiao (Author) commented:
Problem resolved.