• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 773
  • Last Modified:

network routing issue

Hi,

I have a network routing problem that I need help with. We have a DEV network which is accessible on our LAN. I have made this accessible by installing MS routing and remote access services. I have created a virtual machine with 2 vm nics, one nic is connected to a virtual switch that has an up-link connected to the LAN network and one nic connected to an internal virtual switch with no physical up-link. Other VMs are connected to the internal switch and I can ping all these VMs from the LAN network. I have configured a routing rule on our SonicWall Pro 2040 device so that LAN clients know how to access the DEV VMs. Here are the network addresses

LAN Network - 10.2 /22
DEV Network - 172.16.10 /24

I have specified on the SonicWall Pro 2040 device that if you want to get to the 172.16.10 /24 network, then go to IP gateway of 10.2.4.100. This is the LAN IP address of the VM that has 2 nics and I use this as the gateway for the DEV network.

The problem is I cannot access the DEV network from outside the LAN. For example, I have a DMZ network, 172.16.0 /24 and I need to be able to access the DEV network from the DMZ network. I can ping machines on the LAN from the DMZ, but I cannot ping machines on the DEV network form the DMZ. I noticed that I cannot ping the10.2.4.100 address from the DMZ, but I can ping all other 10.2.4 addresses I chose. I also have site to site VPNs and I need remote sites to be able to access the DEV network so they can access DEV websites and the like.

I am only concerned at the moment about being able to ping IP addresses and not DNS names. Once I get the IP routing working, I will implement DNS for the DEV VMs. I have this working on the LAN at the moment, ie I can ping the DEV machine names and IP address from the LAN.

There are a few things that might come to mind that I have checked. I.e., firewall settings etc. But I think this is a routing issue rather than a firewall config issue. I think there must be something I need to configure on the SonicWall Pro 2040 device to tell machines that if you want to access the DEV network from the DMZ, then routing this way..

Any help would be appreciated

Cheers,
GLAdmins
0
gladmins
Asked:
gladmins
  • 4
  • 3
1 Solution
 
woolnoirCommented:
It looks like you have the routing setup on the sonicwall - assuming that works, i would check the gateway machine that you have setup. Does it have any static routes setup on it.. i.e does it know how to get traffic to the DMZ machines ?

Can you access the dev network from the LAN, if so that suggests that section of the routing is ok, i'd be looking at what the Default gateway on the DevGateway machine is, does it have any static routes to let it know how to get the DMZ and other networks that you will need it to...

I'm thinking that its logical (depending on the layout of your network) that the DevGateway machine has the sonicwall as the default GW ? or does it have a IP address on your coreswitches/routers ? if so, do they have routes for the development ip range ?
0
 
woolnoirCommented:
step 1 : try a tracetroute from the developmentgateway machine to the DMZ range... see where it goes.
step 2 : if you have any layer3 switching going on (depends on the size of your network) check that the routing table on the switch knows about the development network, do a traceroute to it, and post the results.

0
 
woolnoirCommented:
>I cannot ping the10.2.4.100 address from the DMZ, but I can ping all other 10.2.4 addresses I chose

that makes me think even more ... default GW on Developmentgateway machine or does a route exist or...
does your core router/switch know about the development IP.

The fact you can reach the 10.2.4.X range from the DMZ means the routing is in place, the fact that the 10.2.4.100 address doesnt work, suggests that its the traffic FROM the machine back towards your network thats the issue.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
gladminsAuthor Commented:
woolnoir

Thanks for your comments.  We have no layer 3 in place. It is all layer 2

I can now ping the DEV 10.2.4.100 address from the DMZ after implementing the following KB article

http://support.microsoft.com/kb/258030

I also removed all firewall restrictions and can now ping from DMZ to DEV..

But I cannot tracert from DMZ to DEV. I can from DMZ to LAN.

I'll pick this up tomorrow but I think I have made progress. Thanks for your help. I will award points when I see it working as you have definitely helped.

Cheers,

Gladmins
0
 
woolnoirCommented:
Pinging the LAn interface on that box is some progress, but what will aid in diagnosis is if you can ping a VM machine inside, or even traceroute to a VM machine. That will verify if the routing is really working. Once you have that working you can step back and get the DMZ working.
0
 
gladminsAuthor Commented:
Hi woolnoir,

This arcticle definately helped me as the external NIC was not replying to pings.

http://support.microsoft.com/kb/258030

Enabling ICMP on the external nic helped me trouble shoot what could ping what.

Then I had my default gateways on my W2k3 router messed up. Once I specified only one default gateway to point to the LAN IP address, all my DEV machines then knew how to get to the LAN gateway address and then the SonicWall took care of routing to the DMZ..

Thanks for your help, as you helped covers the basics and which helped sort out this issue..

Cheers,
GLadmins
0
 
gladminsAuthor Commented:
The answers provided by woolnoir helped but it wasn;t the complete solution.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now