network routing issue

Posted on 2010-08-31
Last Modified: 2012-05-10

I have a network routing problem that I need help with. We have a DEV network which is accessible on our LAN. I have made this accessible by installing MS routing and remote access services. I have created a virtual machine with 2 vm nics, one nic is connected to a virtual switch that has an up-link connected to the LAN network and one nic connected to an internal virtual switch with no physical up-link. Other VMs are connected to the internal switch and I can ping all these VMs from the LAN network. I have configured a routing rule on our SonicWall Pro 2040 device so that LAN clients know how to access the DEV VMs. Here are the network addresses

LAN Network - 10.2 /22
DEV Network - 172.16.10 /24

I have specified on the SonicWall Pro 2040 device that if you want to get to the 172.16.10 /24 network, then go to IP gateway of This is the LAN IP address of the VM that has 2 nics and I use this as the gateway for the DEV network.

The problem is I cannot access the DEV network from outside the LAN. For example, I have a DMZ network, 172.16.0 /24 and I need to be able to access the DEV network from the DMZ network. I can ping machines on the LAN from the DMZ, but I cannot ping machines on the DEV network form the DMZ. I noticed that I cannot ping the10.2.4.100 address from the DMZ, but I can ping all other 10.2.4 addresses I chose. I also have site to site VPNs and I need remote sites to be able to access the DEV network so they can access DEV websites and the like.

I am only concerned at the moment about being able to ping IP addresses and not DNS names. Once I get the IP routing working, I will implement DNS for the DEV VMs. I have this working on the LAN at the moment, ie I can ping the DEV machine names and IP address from the LAN.

There are a few things that might come to mind that I have checked. I.e., firewall settings etc. But I think this is a routing issue rather than a firewall config issue. I think there must be something I need to configure on the SonicWall Pro 2040 device to tell machines that if you want to access the DEV network from the DMZ, then routing this way..

Any help would be appreciated

Question by:gladmins
  • 4
  • 3
LVL 20

Expert Comment

ID: 33565844
It looks like you have the routing setup on the sonicwall - assuming that works, i would check the gateway machine that you have setup. Does it have any static routes setup on it.. i.e does it know how to get traffic to the DMZ machines ?

Can you access the dev network from the LAN, if so that suggests that section of the routing is ok, i'd be looking at what the Default gateway on the DevGateway machine is, does it have any static routes to let it know how to get the DMZ and other networks that you will need it to...

I'm thinking that its logical (depending on the layout of your network) that the DevGateway machine has the sonicwall as the default GW ? or does it have a IP address on your coreswitches/routers ? if so, do they have routes for the development ip range ?
LVL 20

Expert Comment

ID: 33565854
step 1 : try a tracetroute from the developmentgateway machine to the DMZ range... see where it goes.
step 2 : if you have any layer3 switching going on (depends on the size of your network) check that the routing table on the switch knows about the development network, do a traceroute to it, and post the results.

LVL 20

Accepted Solution

woolnoir earned 500 total points
ID: 33565872
>I cannot ping the10.2.4.100 address from the DMZ, but I can ping all other 10.2.4 addresses I chose

that makes me think even more ... default GW on Developmentgateway machine or does a route exist or...
does your core router/switch know about the development IP.

The fact you can reach the 10.2.4.X range from the DMZ means the routing is in place, the fact that the address doesnt work, suggests that its the traffic FROM the machine back towards your network thats the issue.
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.


Author Comment

ID: 33566203

Thanks for your comments.  We have no layer 3 in place. It is all layer 2

I can now ping the DEV address from the DMZ after implementing the following KB article

I also removed all firewall restrictions and can now ping from DMZ to DEV..

But I cannot tracert from DMZ to DEV. I can from DMZ to LAN.

I'll pick this up tomorrow but I think I have made progress. Thanks for your help. I will award points when I see it working as you have definitely helped.


LVL 20

Expert Comment

ID: 33566506
Pinging the LAn interface on that box is some progress, but what will aid in diagnosis is if you can ping a VM machine inside, or even traceroute to a VM machine. That will verify if the routing is really working. Once you have that working you can step back and get the DMZ working.

Author Comment

ID: 33574047
Hi woolnoir,

This arcticle definately helped me as the external NIC was not replying to pings.

Enabling ICMP on the external nic helped me trouble shoot what could ping what.

Then I had my default gateways on my W2k3 router messed up. Once I specified only one default gateway to point to the LAN IP address, all my DEV machines then knew how to get to the LAN gateway address and then the SonicWall took care of routing to the DMZ..

Thanks for your help, as you helped covers the basics and which helped sort out this issue..


Author Closing Comment

ID: 33574048
The answers provided by woolnoir helped but it wasn;t the complete solution.

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question