

network routing issue

Posted on 2010-08-31
Medium Priority
Last Modified: 2012-05-10

I have a network routing problem that I need help with. We have a DEV network which is accessible on our LAN. I have made this accessible by installing MS routing and remote access services. I have created a virtual machine with 2 vm nics, one nic is connected to a virtual switch that has an up-link connected to the LAN network and one nic connected to an internal virtual switch with no physical up-link. Other VMs are connected to the internal switch and I can ping all these VMs from the LAN network. I have configured a routing rule on our SonicWall Pro 2040 device so that LAN clients know how to access the DEV VMs. Here are the network addresses

LAN Network - 10.2 /22
DEV Network - 172.16.10 /24

I have specified on the SonicWall Pro 2040 device that if you want to get to the 172.16.10 /24 network, then go to IP gateway of This is the LAN IP address of the VM that has 2 nics and I use this as the gateway for the DEV network.

The problem is I cannot access the DEV network from outside the LAN. For example, I have a DMZ network, 172.16.0 /24 and I need to be able to access the DEV network from the DMZ network. I can ping machines on the LAN from the DMZ, but I cannot ping machines on the DEV network from the DMZ. I noticed that I cannot ping the 10.2.4.100 address from the DMZ, but I can ping all other 10.2.4 addresses I chose. I also have site to site VPNs and I need remote sites to be able to access the DEV network so they can access DEV websites and the like.

I am only concerned at the moment about being able to ping IP addresses and not DNS names. Once I get the IP routing working, I will implement DNS for the DEV VMs. I have this working on the LAN at the moment, i.e. I can ping the DEV machine names and IP address from the LAN.

There are a few things that might come to mind that I have checked, i.e. firewall settings etc. But I think this is a routing issue rather than a firewall config issue. I think there must be something I need to configure on the SonicWall Pro 2040 device to tell machines that if you want to access the DEV network from the DMZ, then route this way.

Any help would be appreciated

Question by:gladmins
LVL 20

Expert Comment

ID: 33565844
It looks like you have the routing set up on the SonicWall - assuming that works, I would check the gateway machine that you have set up. Does it have any static routes set up on it, i.e. does it know how to get traffic to the DMZ machines?

Can you access the dev network from the LAN? If so, that suggests that section of the routing is OK. I'd be looking at what the default gateway on the DevGateway machine is, and whether it has any static routes to let it know how to get to the DMZ and other networks that you will need it to...

I'm thinking that it's logical (depending on the layout of your network) that the DevGateway machine has the SonicWall as the default GW? Or does it have an IP address on your core switches/routers? If so, do they have routes for the development IP range?
LVL 20

Expert Comment

ID: 33565854
Step 1: try a traceroute from the development gateway machine to the DMZ range... see where it goes.
Step 2: if you have any layer 3 switching going on (depends on the size of your network), check that the routing table on the switch knows about the development network, do a traceroute to it, and post the results.

LVL 20

Accepted Solution

woolnoir earned 1500 total points
ID: 33565872
> I cannot ping the 10.2.4.100 address from the DMZ, but I can ping all other 10.2.4 addresses I chose

that makes me think even more ... default GW on Developmentgateway machine or does a route exist or...
does your core router/switch know about the development IP.

The fact you can reach the 10.2.4.X range from the DMZ means the routing is in place; the fact that the address doesn't work suggests that it's the traffic FROM the machine back towards your network that's the issue.


Author Comment

ID: 33566203

Thanks for your comments.  We have no layer 3 in place. It is all layer 2

I can now ping the DEV address from the DMZ after implementing the following KB article


I also removed all firewall restrictions and can now ping from DMZ to DEV.

But I cannot tracert from DMZ to DEV. I can from DMZ to LAN.

I'll pick this up tomorrow but I think I have made progress. Thanks for your help. I will award points when I see it working as you have definitely helped.


LVL 20

Expert Comment

ID: 33566506
Pinging the LAN interface on that box is some progress, but what will aid in diagnosis is if you can ping a VM machine inside, or even traceroute to a VM machine. That will verify if the routing is really working. Once you have that working you can step back and get the DMZ working.

Author Comment

ID: 33574047
Hi woolnoir,

This article definitely helped me as the external NIC was not replying to pings.


Enabling ICMP on the external NIC helped me troubleshoot what could ping what.

Then I had my default gateways on my W2k3 router messed up. Once I specified only one default gateway to point to the LAN IP address, all my DEV machines then knew how to get to the LAN gateway address and then the SonicWall took care of routing to the DMZ.

Thanks for your help, as you helped cover the basics, which helped sort out this issue.
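
The check behind the fix described above, as an added example that is not part of the original thread: it parses `route print` output from the two-NIC router and reports whether a reply to a DMZ address has more than one equally good next hop. The sample table, the gateway addresses 10.2.4.1 and 172.16.10.254, and the DMZ host 172.16.0.10 are constructed for illustration.

```python
import ipaddress

# Constructed `route print` excerpt (W2k3 column layout) for the two-NIC router VM.
# 10.2.4.1 (firewall LAN address) and 172.16.10.254 are assumed sample values.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.2.4.1      10.2.4.100      10
          0.0.0.0          0.0.0.0    172.16.10.254     172.16.10.1      10
         10.2.4.0    255.255.252.0       10.2.4.100      10.2.4.100      10
      172.16.10.0    255.255.255.0      172.16.10.1     172.16.10.1      10
Default Gateway:          10.2.4.1
"""
# Same table after leaving a default gateway on the LAN-facing NIC only.
FIXED = "\n".join(l for l in SAMPLE.splitlines() if "172.16.10.254" not in l)

def parse_routes(text):
    """Return (network, gateway, metric) for each row of the Active Routes table."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue  # headings and the "Default Gateway:" summary line
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
            gw = ipaddress.ip_address(f[3] if f[2] == "On-link" else f[2])
            routes.append((net, str(gw), int(f[4])))
        except ValueError:
            continue  # not a route row
    return routes

def next_hops(routes, dest):
    """Gateways of the best routes to dest: longest prefix first, then lowest metric."""
    dest = ipaddress.ip_address(dest)
    ranked = [((net.prefixlen, -metric), gw) for net, gw, metric in routes if dest in net]
    if not ranked:
        return []
    best = max(rank for rank, _ in ranked)
    return sorted({gw for rank, gw in ranked if rank == best})

def audit(text, dest):
    """Summarise default routes and the return path towards dest."""
    routes = parse_routes(text)
    hops = next_hops(routes, dest)
    defaults = sorted({gw for net, gw, _ in routes if net.prefixlen == 0})
    return {"default_gateways": defaults, "next_hops": hops, "ambiguous": len(hops) > 1}

if __name__ == "__main__":
    for name, table in (("before", SAMPLE), ("after", FIXED)):
        print(name, audit(table, "172.16.0.10"))  # constructed DMZ host address
```

Running `audit` on the saved output of `route print` from the router before and after a gateway change shows whether return traffic to the DMZ still has two candidate default routes.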


Author Closing Comment

ID: 33574048
The answers provided by woolnoir helped but it wasn't the complete solution.

Question has a verified solution.