No LAN/WAN access with Superscope

sharkbot221984
Hi,

I've setup a new scope on my DHCP server alongside my existing scope.  Then I created a new superscope.  The statistics for my superscope show:

Total Scopes 2
Total Addresses 222
In Use 69
Available 153

My first scope is usually fully depleted of IP addresses.
I connected a test laptop and set it to dynamic IP addressing.
It grabbed an IP from my DHCP server on the old scope.
The IP it got was from the address pool on the new scope.
This laptop can't ping a machine on my old scope, and can't access internet.
When I ping the laptop from my machine located on the old scope it gets a response from the laptop name, but with an IP from the old scope that is already assigned to a totally different machine!

I have my router configured with 2 default gateways: the default gateway from the old scope as the primary, and the default gateway from the new scope as secondary.

What am I missing to make the new scope have internet and local network access?

Thanks.

Commented:
What are the scopes? Can you provide IP addresses?
You should not set default gateway manually on a laptop, it should be assigned by DHCP.

Author

Commented:
The default gateway is not set manually on the laptop.  The DNS server is however.

I don't want to list my real IPs here as the old scope is all public IPs, but the new scope is private.

Old scope would be for example:
10.40.50.128-10.40.50.255
Default Gateway: 10.40.50.129
Subnet Mask: 10.40.50.128

New Scope:
192.168.10.0-192.168.10.255
Default Gateway: 192.168.10.1
Subnet Mask: 255.255.255.0

Commented:
Are these scopes on the same vlan? Can you provide a diagram?

I am not sure I understand your statement:
"It grabbed an IP from my DHCP server on the old scope.
The IP it got was from the address pool on the new scope."
Could you please elaborate.

Author

Commented:
Let's say my DHCP server has IP: 10.40.50.150
The laptop got an IP: 192.168.10.101 from the DHCP server at 10.40.50.150

So there seems to be some communication between the subnets.

The scopes are on the same physical network.  There are no vlans setup.

My goal is example #2 (I think) from this link:
http://technet.microsoft.com/en-us/library/cc757614(WS.10).aspx 

Commented:
Do you have routing enabled between the subnets?
When you ping, do you ping by name or by ip address?

Author

Commented:
Ping by name of the laptop at 192.168.10.101 returns an IP of 10.40.50.204
Ping by IP fails.

The router (Cisco 2800) is managed by my ISP and this is the configuration that was loaded when I requested the addition of the 192.168.10.1 Default Gateway:

interface FastEthernet0/0
 description connection to customer LAN
 ip address 192.168.10.1 255.255.255.0 secondary
 ip address 10.40.50.129 255.255.255.128
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip route-cache flow
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
end

Commented:
If you ping by name and get an answer from a different computer, that's a DNS issue.


Can you please get ipconfig /all results from the two laptops?

Author

Commented:
My machine:

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : MYDOMAIN.LOCAL
        Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
        Physical Address. . . . . . . . . : 11-21-29-20-66-FF
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . :     10.40.50.200
        Subnet Mask . . . . . . . . . . . :   255.255.255.128
        Default Gateway . . . . . . . . . : 10.40.50.129
        DHCP Server . . . . . . . . . . . :   10.40.50.150
        DNS Servers . . . . . . . . . . . :   10.40.50.150
                                                        10.40.50.151

Laptop:
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : MYDOMAIN.LOCAL
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
        Physical Address. . . . . . . . . : 11-1E-C0-76-43-80
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . :     192.168.10.101
        Subnet Mask . . . . . . . . . . . :   255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1
        DHCP Server . . . . . . . . . . . :   10.40.50.150
        DNS Servers . . . . . . . . . . . :   10.40.50.150

Commented:
Everything looks good.
I would check ip access-group 103 in to make sure nothing is blocking communication between the subnets
If you can post it here, I'll take a look

Author

Commented:
I'll have to request the ip access-group 103 settings from my ISP.  They always take overnight to get me stuff; I'll post in the morning, hopefully.

You were right about the incorrect IP being a DNS problem, I updated the DNS entry and it points to correct IP but still times out.

Author

Commented:
It appears that my ISP is blocking the communication between the subnets and for the new subnet to reach the internet at the router.  I've asked them to correct this, so maybe Monday it will work.

Here's what they gave me:

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 103 deny   53 any any
access-list 103 deny   55 any any
access-list 103 deny   77 any any
access-list 103 deny   pim any any
access-list 103 permit ip any any

Commented:
sharkbot221984:
can you ping default gateway from both subnets?

Author

Commented:
Hi SerhiyKo,

Hope you had a good weekend.

From my original subnet I can ping both default gateway addresses.

From the new subnet I can't ping either gateway.

My ISP says I need to authorize them to enable NAT for the new subnet on my fast ethernet.

I believe, from what I gather of the poor English from my ISP support desk, that this is the intended router configuration that needs to be applied:

interface fast Ethernet0/0
ip address 10.40.50.129 255.255.255.128
ip address 192.168.10.1 255.255.255.0 Secondary
ip nat inside
!
interface Serial0/1/0
ip address 13.128.68.63 255.255.255.252
ip nat outside
!
ip nat pool compact 10.40.50.130 10.40.50.135 netmask 255.255.255.128
ip nat inside source list 5 pool compact overload
!
access-list 5 permit 192.168.10.1 255.255.255.0
!

Is that correct?

Commented:
I am not sure why they would need NAT since both subnets use private ip addresses.
Can you please get them to email you an output from "show ip route" command?

Author

Commented:
My old subnet is not private it is public.

Commented:
Right, you did say the old ip address was public.

The access-list 5 permit 192.168.10.1 255.255.255.0 should read

access-list 5 permit 192.168.10.1 0.0.0.255

Author

Commented:
Thanks SerhiyKo,

I had my ISP enable NAT.  They said they needed one of my public IPs to assign to, so I gave them 10.40.50.130.  They say my subnet has access and provided a tracert.  But my laptop on my new private subnet can't access internet and still can't ping the other subnet.  Do you think there is something wrong with my DHCP superscope config?

Here's what my ISP gave me:

MISPAC01#sh run | i ip nat
 ip nat inside
 ip nat outside
ip nat pool compact 10.40.50.130 10.40.50.130 netmask 255.255.255.128
ip nat inside source list 5 pool compact overload


MISPAC01#sh ip access-lists 5
Standard IP access list 5
    10 permit 192.168.10.0, wildcard bits 0.0.0.255 (22 matches)
MISPAC01#traceroute 5.3.3.3 source 192.168.10.1

Commented:
Frankly, I do not think NAT was necessary for subnet-to-subnet communication; but if your ISP insists...
Anyway, try getting these:
1) tracert from a computer on 10.40.50.X subnet to 192.168.10.x
2) tracert from a computer on 192.168.10.x subnet to 10.40.50.X
3) results of "sh ip route" on your router
4) results of "sh ip nat translations" on your router

Also, did you check if you were getting a valid IP address on the "new" subnet?

Author

Commented:
Here's what I get for tracerts from old subnet to new subnet:
C:\>tracert 192.168.10.101

Tracing route to 192.168.10.101 over a maximum of 30 hops

  1     1 ms    <1 ms     1 ms  10.40.50.129
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10  ^C

And from the new subnet to the old subnet:
C:\>tracert 10.40.50.201

Tracing route to 10.40.50.201 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10  ^C

The laptop on the new subnet is getting an ip from the 2nd scope I added to the DHCP server (192.168.10.101)

I've requested the other results; I should have them Monday.

Commented:
Looks like you can't even ping default gateway on the new subnet. Can you confirm?

Author

Commented:
You are correct, from my machine on the new subnet I can't ping either of my default gateways.

Author

Commented:
Well, I thought of this before but only messed with my rules settings: FIREWALL!

I added these static routes to my firewall:
Destination Network  Subnet Mask      Gateway  Interface
10.40.50.130         255.255.255.255  0.0.0.0  WAN
192.168.10.0         255.255.255.0    0.0.0.0  LAN
192.168.1.1          255.255.255.255  0.0.0.0  WAN

Now I can ping from my old subnet to a machine on the new subnet.
The machine on the new subnet can ping the default gateways but not ping a machine on the old subnet.
The machine on the new subnet can't access internet still.  I pinged google.com and got 1 reply and 3 failures.

Commented:
So where is your firewall? I thought it was on the 2800 router.

Try adding 10.40.50.128 subnet to the routing table manually

Author

Commented:
Ah, no.  The firewall is standalone after the router.

Internet -> Router -> Firewall -> LAN

The 10.40.50.128 subnet is already in the routing table.
Here it is:
Destination Network  Subnet Mask      Gateway Address  Destination Link
0.0.0.0              0.0.0.0          10.40.50.129     WAN
10.40.50.128         255.255.255.128  0.0.0.0          LAN
10.40.50.129         255.255.255.255  0.0.0.0          WAN
10.40.50.142         255.255.255.255  0.0.0.0          LAN
192.168.10.0         255.255.255.0    0.0.0.0          LAN
192.168.10.1         255.255.255.255  0.0.0.0          WAN
255.255.255.255      255.255.255.255  0.0.0.0          LAN

I removed the 10.40.50.130 entry, doesn't seem to have any impact.
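The firewall routing table posted above, as an added Python example that is not part of this thread or of any SonicWall tool: it parses the table and resolves destinations with a longest-prefix-match lookup, then follows a non-local gateway to the link it is reached over. The table text is quoted from the thread; the destinations looked up are constructed (5.3.3.3 is the traceroute target the ISP used earlier in the thread).

```python
"""Added example: longest-prefix-match lookup over a static routing table.

The table text is the firewall routing table quoted from the thread; the
destinations looked up below are constructed.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str   # "0.0.0.0" means directly attached (no next hop)
    link: str      # interface the route points out of


ROUTE_TABLE = """\
Destination Network  Subnet Mask      Gateway Address  Destination Link
0.0.0.0              0.0.0.0          10.40.50.129     WAN
10.40.50.128         255.255.255.128  0.0.0.0          LAN
10.40.50.129         255.255.255.255  0.0.0.0          WAN
10.40.50.142         255.255.255.255  0.0.0.0          LAN
192.168.10.0         255.255.255.0    0.0.0.0          LAN
192.168.10.1         255.255.255.255  0.0.0.0          WAN
255.255.255.255      255.255.255.255  0.0.0.0          LAN
"""


def parse_routes(text: str) -> List[Route]:
    """Turn the four-column text table into Route entries, skipping the header."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0][0].isdigit():
            continue  # header or blank line
        dest, mask, gateway, link = parts
        # strict=False tolerates host bits in the destination column.
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, gateway, link))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific (longest prefix) route containing dst."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for route in routes:
        if addr in route.network and (
            best is None or route.network.prefixlen > best.network.prefixlen
        ):
            best = route
    return best


def next_hop(routes: List[Route], dst: str) -> str:
    """'direct' for an attached route, otherwise the gateway address."""
    route = lookup(routes, dst)
    if route is None:
        return "unreachable"
    return "direct" if route.gateway == "0.0.0.0" else route.gateway


def egress_link(routes: List[Route], dst: str) -> str:
    """Link the packet leaves on, following a gateway route one level deep."""
    route = lookup(routes, dst)
    if route is None:
        return "unreachable"
    if route.gateway == "0.0.0.0":
        return route.link
    via = lookup(routes, route.gateway)   # recursive lookup of the gateway itself
    return via.link if via is not None else route.link


def explain(routes: List[Route], dst: str) -> str:
    route = lookup(routes, dst)
    if route is None:
        return f"{dst}: no route"
    return f"{dst}: {route.network} via {next_hop(routes, dst)} on {egress_link(routes, dst)}"


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for dst in ("192.168.10.101", "192.168.10.1", "10.40.50.200", "5.3.3.3"):
        print(explain(table, dst))
```

Run stand-alone it shows the split this table creates: hosts in 192.168.10.0/24 resolve to the LAN side while the gateway 192.168.10.1 resolves, via its /32, to the WAN side, and Internet destinations fall through to the default route whose gateway 10.40.50.129 is itself reached over WAN. On a transparent-mode firewall that is exactly the pair of directions that both have to be permitted for the new subnet to work.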

Commented:
What are your firewall rules?

Author

Commented:
Well, there are many.  Most have to do with blocking unwanted SMTP traffic.

I tried these rules:
Source                           Destination                      Service  Action
*                                192.168.10.0-192.168.10.255 (*)  Any      Allow
192.168.10.0-192.168.10.255 (*)  *                                Any      Allow

Where the (*) = LAN or WAN

Doesn't seem to have any effect.

Commented:
What about 10.40.50.X firewall rules?

Author

Commented:
I don't think I see any 10.40.50.x firewall rules that should interfere.  But the attachment is all the rules that don't have to do with SMTP.
New-Text-Document--3-.txt

Commented:
What kind of FW is that? Usually, firewalls act as a router -- internally they would have 192.168.10.x and 10.40.50.X addresses, and externally something else.
What are your interfaces' IP addresses on the firewall?

Author

Commented:
SonicWall.  In transparent mode.  DHCP and DNS disabled.  I think the WAN and LAN interfaces are both 10.40.50.142

Commented:
I am not familiar with SonicWall. But I would suggest you look at adding 192.168.10.x addresses to the FW interfaces.

Author

Commented:
Thanks for all the help.  Turns out that once again I am foiled by the firewall.  The OS version I have doesn't support multiple subnets.
