• Status: Solved
  • Priority: Medium
  • Security: Public

Routing to and from a subnetwork

Hi,

Below is a synopsis of my network:

NETWORK_1
----------
Addr: 192.168.1.0/24, GW: 192.168.1.1(Firewall/Router)

NETWORK_2
----------
Addr: 192.168.2.0/24,
via router at 192.168.1.200 (Cisco)

Problem:
I have a host at NETWORK_2 with the IP 192.168.2.100. Hosts are reachable between NETWORK_1 and NETWORK_2, with the FW/Router (192.168.1.1) doing the routing.

The host at NETWORK_2 attempts to reach the INTERNET via 192.168.1.1 (Firewall/Router); the packet filter log shows ALLOWED. However, the response did not return.

An attempt to test from the Internet to the host at NETWORK_2 was received by the FW/Router (192.168.1.1) successfully and allowed according to the packet filter logs (NAT: Any -> PUBLIC_IP/Any, (dst) 192.168.2.100). However, it did not reach the destination.

My current static route is:
Source: Any
Service: Any
Destination: NETWORK_2 (192.168.2.0/24)
Target: Cisco Router (192.168.1.200)

The policy enables both NETWORK_1 and NETWORK_2 to reach each other. The FW/Router (192.168.1.1) can ping NETWORK_2 successfully.

What else needs to be done?

Thanks
Fred
Asked by: pajiao

3 Solutions

from_exp commented:
Check the NAT rules on your firewall.
TreyH commented:
Your Cisco router needs a default route of the firewall, something like:
ip route 0.0.0.0 0.0.0.0 192.168.1.1
(If it receives a destination address of anything other than 192.168.1.0/24 or 192.168.2.0/24, it will route it to the firewall)

Your firewall needs a route to know how to get back to Network2, something like:
route 192.168.2.0 255.255.255.0 192.168.1.200 (the Cisco router)

All hosts should have a gateway address of the respective interface of the Cisco router.
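As an added illustration (not code from this thread or from any of the posters), the following Python model walks a packet through the topology described in the question using longest-prefix match on each device's routing table, and traces both directions, because an ALLOWED entry in the packet filter log only proves the outbound leg. The device names, the 203.0.113.10 address and the simplified Internet-side table are assumptions of the model.

```python
import ipaddress

# Constructed model of the thread's topology (203.0.113.10, from TEST-NET-3, stands in for an Internet host).
ADDRS = {
    "192.168.2.100": "host",      # PC on NETWORK_2
    "192.168.1.200": "cisco",     # Cisco router, NETWORK_1 interface
    "192.168.1.1": "firewall",    # firewall/router, LAN side
    "203.0.113.10": "internet",   # constructed remote host
}

def build_tables(cisco_default=True, firewall_net2_route=True):
    """Routing tables as (prefix, next hop); 'deliver' means directly connected."""
    cisco = [("192.168.2.0/24", "deliver"), ("192.168.1.0/24", "deliver")]
    if cisco_default:                   # ip route 0.0.0.0 0.0.0.0 192.168.1.1
        cisco.append(("0.0.0.0/0", "firewall"))
    firewall = [("192.168.1.0/24", "deliver"), ("0.0.0.0/0", "internet")]
    if firewall_net2_route:             # route 192.168.2.0/24 via 192.168.1.200
        firewall.append(("192.168.2.0/24", "cisco"))
    return {
        "host": [("0.0.0.0/0", "cisco")],   # PC's gateway is the Cisco router
        "cisco": cisco,
        "firewall": firewall,
        "internet": [("203.0.113.0/24", "deliver"), ("0.0.0.0/0", "firewall")],  # replies to the NATed public IP return via the firewall
    }

def longest_match(table, dst):
    ip, best = ipaddress.ip_address(dst), None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None

def trace(tables, src_dev, dst, max_hops=8):
    """Forward one packet hop by hop; returns (devices visited, outcome)."""
    hops, cur = [src_dev], src_dev
    for _ in range(max_hops):
        via = longest_match(tables[cur], dst)
        if via is None:
            return hops, "no route"
        if via == "deliver":
            target = ADDRS[dst]         # the model only knows the addresses above
            if target != cur:
                hops.append(target)
            return hops, "delivered"
        hops.append(via)
        cur = via
    return hops, "ttl expired"

def round_trip(tables, src, dst):
    return trace(tables, ADDRS[src], dst), trace(tables, ADDRS[dst], src)
```

With both of TreyH's routes present the round trip completes; drop the Cisco default route and the outbound packet has no route, drop the firewall's NETWORK_2 route and the reply bounces out the default route until its TTL expires.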
 
pajiao (Author) commented:
Hi Trey,

All are present; that is why the firewall and router can ping to and fro.

Hi exp,

NAT rules are correct.
from_exp commented:
Hi!
Please provide tracert -d <some host outside your network> from a PC in the second subnet.

Please provide a traceroute to your PC in the second subnet from the 1.1 box.
pajiao (Author) commented:
Tracert from outside to the subnet host stops at the public IP address.

Tracert from the PC in the subnet to the 192.168.1.1 firewall reaches it successfully.
from_exp commented:
pajiao, I have asked for slightly different traces:

from the PC with a 192.168.2.x address to a real IP address on the Internet

from the firewall (192.168.1.1) to your PC 192.168.2.x
pajiao (Author) commented:
From the PC with a 192.168.2.x address to a real IP address on the Internet
>> No problem.
From the firewall (192.168.1.1) to your PC 192.168.2.x
>> No problem.
from_exp commented:
Hm, this means that transmission is fine, so what do you mean by:
"Host at NETWORK_2 attempts to reach INTERNET via 192.168.1.1 (Firewall/Router), packet filter log shows ALLOWED. However response did not return. "?
pajiao (Author) commented:
Apologies. Some corrections.

From the PC with a 192.168.2.x address to a real IP address on the Internet
>> tracert stops at the public IP address of the firewall (LAN: 192.168.1.1).

From the firewall (192.168.1.1) to your PC 192.168.2.x
>> No problem.
from_exp commented:
Hi!
I suppose I would like to see your firewall's configuration.
It seems you have a problem with the ACL permitting you out, or more likely with the NAT rules.
pajiao (Author) commented:
My firewall is not a Cisco firewall.

Rules are as below:
1) NAT: Any -> PUBLIC_IP_1 / Any   Src Translation: NETWORK_2_PC 192.168.2.100
2) Static Route: Any/Any  Destination: 192.168.2.0/24  Target: Cisco 192.168.1.200   (This enables NETWORK_1 to communicate with NETWORK_2)
3) Port 80 is opened. I tried having an IIS at NETWORK_2_PC, which could be accessed from NETWORK_1 but not from the Internet.
4) No logs from the Intrusion Detection System show any activity being blocked.

Tracert from NETWORK_1
  1    <1 ms    <1 ms    <1 ms  192.168.1.1 (Firewall)
  2    <1 ms    <1 ms    <1 ms  PUBLIC_IP (public ip of the data center gateway)
  3      1 ms    1 ms    1 ms  TRACERT_DEST_IP

Tracert from NETWORK_2
  1    <1 ms    <1 ms    <1 ms  192.168.2.1 (Another Cisco router at NETWORK_2)
  2    <1 ms    <1 ms    <1 ms  MPLS_EXCHANGE IP
  3      1 ms      1 ms      1 ms  FIREWALL_PUBLIC_IP (This is the strange one as tracert from network1 shows the LAN_IP of the firewall instead)

Thanks
from_exp commented:
I suppose your traces from NETWORK_2 are taking a different path. Is it possible you have one more router there?
pajiao (Author) commented:
Hi, please close the question. Problem resolved.
from_exp commented:
Hmm, please describe the resolution and close the case yourself. Only the owner (you) and a moderator can close cases.
pajiao (Author) commented:
Problem resolved.