johnritzer
asked on
2 Subnets Issue getting out via Internet and a different subnet
I have an issue that I can't seem to figure out whatsoever: a computer on the 192.168.14.0 subnet can't reach the internet, but when I do a tracert I get
192.168.14.253
192.168.11.3
then it dies
Also, when I do a ping it seems to give me the IP of Google but then just hangs there..
request timed out x4
If I take 192.168.11.1 out of the DNS servers list I get nothing.
Just to get this network configuration set up, I have
2 DHCP servers running:
1 DHCP server is my Mitel PBX for our Mitel phones
and the other DHCP server is my Windows SBS server.
I have the DNS going to 192.168.11.1, which is the PDC,
and I can reach the internet just fine if the machine is on the 11.0 subnet.
My gateway is 192.168.14.253, which is this ProCurve switch, as you see below:
__________________________
ip default-gateway 192.168.11.3
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
forbid 1,13,21
untagged 2-12,14-20,23-26
ip address 192.168.11.2 255.255.255.0
no untagged 1,13,21-22
exit
vlan 2
name "Mitel"
untagged 1,13,21-22
ip address 192.168.14.253 255.255.255.0
tagged 2-12,14-20,23-24
exit
no dhcp-relay
ip route 192.168.14.0 255.255.255.0 192.168.11.1
ip route 0.0.0.0 0.0.0.0 192.168.11.3
ip route 192.168.255.0 255.255.255.0 192.168.11.3
ip route 192.168.11.0 255.255.255.0 192.168.11.1
ProCurve Switch 2626#
__________________________
(Oh, and it's port 22 on the ProCurve switch.)
The computer is a member of the domain on the .14 network. I can ping it from the 11 and vice versa,
and ping it from the router and the ProCurve switch.
Do I have to add anything in the SBS server for the .14 subnet to go out through the internet,
or do I have to change something on the ProCurve switch?
In my Cisco 831 setup I have:
interface Ethernet0
ip address 192.168.11.3 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
ip directed-broadcast
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map NAT_Filter
interface Ethernet1
description Connected to TelePacific Internet
ip address PUBLIC IP 255.255.255.252
ip access-group 103 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip directed-broadcast
ip nat outside
ip inspect Firewall out
ip virtual-reassembly
ip route-cache flow
duplex auto
no cdp enable
crypto map VPN_Tunnel
crypto ipsec fragmentation before-encryption
I added this entry to see if it worked:
(access-list 102 permit ip host 192.168.14.24 192.168.254.0 0.0.0.255)
access-list 102 deny ip PUBLIC IP 0.0.0.3 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip host 192.168.14.24 192.168.254.0 0.0.0.255
access-list 102 permit ip host 192.168.14.2 192.168.254.0 0.0.0.255
access-list 102 permit ip 192.168.14.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 102 deny ip 192.168.11.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 102 deny icmp any 192.168.254.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 103 permit ahp any host PUBLIC IP
access-list 103 permit esp any host PUBLIC IP
access-list 103 permit udp any host PUBLIC IP isakmp
access-list 103 permit udp any host PUBLIC IP eq non500-isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 permit tcp any any eq 1723
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 103 permit ip 192.168.254.0 0.0.0.255 host 192.168.11.28
access-list 103 permit ip 192.168.254.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 103 deny ip 192.168.254.0 0.0.0.255 any
access-list 103 permit ip 192.168.255.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.255.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 103 permit ip 192.168.255.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 103 deny icmp 192.168.254.0 0.0.0.255 any
access-list 103 deny icmp any host 24.120.190.66
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any timestamp-reply
access-list 103 permit icmp any any traceroute
access-list 103 permit icmp any any unreachable
access-list 103 deny icmp any any
access-list 103 permit udp any any eq ntp
access-list 103 permit tcp any host PUBLIC IP eq 161
access-list 103 permit tcp any host PUBLIC IP eq 162
access-list 103 permit udp any host PUBLIC IP eq snmp
access-list 103 permit udp any host PUBLIC IP eq snmptrap
access-list 103 permit tcp any host PUBLIC IP eq telnet
access-list 103 permit tcp any host PUBLIC IP eq smtp
access-list 103 permit tcp any host PUBLIC IP eq www
access-list 103 permit tcp any host PUBLIC IP eq 443
access-list 103 permit tcp any host PUBLIC IP eq 3389
access-list 103 permit tcp any host PUBLIC IP eq 4125
access-list 103 deny ip 192.168.11.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
As you can see, access list 102 is for the internal
and access list 103 was for the external ..
192.168.14.2 is the IP of our PBX switch.
Thanks ;)
ASKER
I figured it out, actually.
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 101 deny ip 192.168.255.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.11.0 0.0.0.255 any
I added
ip access-list extended 101
55 permit ip 192.168.14.0 0.0.0.255 any
and it worked haha
Sorry ... for bugging, found my own question.. hehe
ASKER
but I don't know where to look that much.
I saw this in my router:
ip nat inside source route-map Nat interface Ethernet1 overload
route-map NAT_Filter permit 1
match ip address 106
set ip next-hop 1.1.1.2
!
route-map Nat permit 1
match ip address 101
!
interface Loopback0
description Virtual NAT Interface
ip address 1.1.1.1 255.255.255.252
I don't know where to look where it says match ip address 101.
Does it mean ACL 101?
....
access-list 106 permit ip host 192.168.11.1 192.168.3.0 0.0.0.255
access-list 106 permit ip host 192.168.11.1 192.168.10.0 0.0.0.255
access-list 106 permit ip host 192.168.11.1 192.168.255.0 0.0.0.255
access-list 106 remark Route Map Rules
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 101 deny ip 192.168.255.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.11.0 0.0.0.255 any
no, I might be thinking: do I just permit the ACL 101 for the .14 subnet to be able to reach out..
thanks..
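Added example, not part of the original posts: a small first-match evaluator for the ACL 101 lines quoted in the thread, which `route-map Nat` (and so `ip nat inside source route-map Nat interface Ethernet1 overload`) matches on. It shows why 192.168.14.0 hosts were not translated and what inserting the permit at sequence 55 changes; the 10, 20, ... sequence numbers and the test destinations are assumptions, not values from the page.

```python
import ipaddress

# ACL 101 as posted in the thread; "route-map Nat" matches on it for NAT overload.
ACL_101 = """\
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny ip 192.168.14.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 101 deny ip 192.168.255.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.11.0 0.0.0.255 any"""

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def _spec(t):  # any | host A | A WILDCARD -> ((addr, wildcard), remaining tokens)
    if t[0] == "any":
        return (0, 0xFFFFFFFF), t[1:]
    if t[0] == "host":
        return (_ip(t[1]), 0), t[2:]
    return (_ip(t[0]), _ip(t[1])), t[2:]

def rule(text):  # "permit|deny ip SRC DST" -> (action, src_spec, dst_spec)
    t = text.split()
    src, rest = _spec(t[2:])
    return t[0], src, _spec(rest)[0]

def parse(cfg, start=10, step=10):
    # Assumption: default IOS sequence numbering (10, 20, ...); the page shows none.
    lines = [l.split(None, 2)[2] for l in cfg.splitlines() if l.strip()]
    return {start + i * step: rule(l) for i, l in enumerate(lines)}

def evaluate(acl, src, dst):
    # First match in sequence order wins; no match is the implicit deny.
    for seq in sorted(acl):
        action, *specs = acl[seq]
        # Wildcard 1-bits are "don't care"; only the remaining bits must agree.
        if all(((_ip(ip) ^ a) & ~w & 0xFFFFFFFF) == 0 for ip, (a, w) in zip((src, dst), specs)):
            return action, seq
    return "deny", None

if __name__ == "__main__":
    before = parse(ACL_101)
    after = {**before, 55: rule("permit ip 192.168.14.0 0.0.0.255 any")}
    for dst in ("8.8.8.8", "192.168.254.5"):  # constructed destinations
        print(dst, evaluate(before, "192.168.14.24", dst), evaluate(after, "192.168.14.24", dst))
```

Under that numbering, entry 55 sits ahead of the 192.168.14.0 deny lines at 60 to 80, so .14 traffic to 192.168.10.0, 192.168.254.0 and 192.168.255.0 now matches the NAT route-map as well. Placing the permit after the last deny entry keeps those exemptions while still translating internet-bound traffic.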