HELP!!!!! Internal network cannot reach out through SonicWall Pro 3060 to the Internet

I have established a point-to-point network between three branches using Cisco routers, with a T1 circuit connecting each of them. Branch A contains a Cisco 2821 with a dual-serial-interface WIC; one interface goes to Branch B and the other to Branch C. Branch A will also provide the Internet connection for those branches through the T1 circuits. This is to eliminate the ISP connections Branch B and C currently use and cut off those bills.

I can ping each location at the LAN and router level. Only the LAN computers at Branch A can ping the LAN port on the SonicWall (x.x.0.2). The LAN computers at the other branches cannot, but their routers can hit the LAN port on the SonicWall.

Also, according to the ISP setup with the old Netgear VPN router, the WAN settings are as follows:

SonicWall WAN IP (NAT Public) Address: x.x.50.118
WAN Subnet Mask xxx.xxx.255.252
WAN Gateway (Router) Address: x.x.50.117

I know the SonicWall has an Internet connection. I am able to ping and traceroute to www.yahoo.com through the diagnostics panel.

Everything on Branch A LAN including Cisco router can ping the LAN and WAN IPs on the SonicWall.

I have been working on this entire setup for weeks now. Each time I think I will have a successful launch I hit another wall. It is nerve-wracking. (I DON'T SLEEP BECAUSE OF IT)

I have run out of options with my resources. I am in desperate need of help to understand what I am doing wrong or missing from the configuration. PLEASE HELP...I'M FREAKING!
MightyMikey asked:
BWaring commented:
So if I understand...

- the SW at Branch A is connected off a switch somewhere, as is the Cisco
- everything at Branch A works and can get to the internet
- Branch B and C work correctly both within their own networks and to everything at Branch A except the SW (and Internet)

If the SW has its LAN at x.x.0.2 and its default gateway is the WAN gateway, then how does it know how to get back to the Branch B and C subnets (which are not x.x.0.2, right?)?

You need static routes in the SW like this:

source: any  dest: Branch B  service: any  gateway: Branch A Cisco  interface: LAN
source: any  dest: Branch C  service: any  gateway: Branch A Cisco  interface: LAN

That way, the SW now knows about the other two branches' local subnets and can route the traffic back to the Cisco instead of trying to send it to the Internet...
MightyMikey (Author) commented:
@BWaring

First Statement: Yes, you are correct. I apologize for not giving all the detail. I was posting this up quickly. The anxiety was creeping up on me, which made me post in a rush. At Branch A, the Cisco 2821 Ethernet 0/0 is connected to a switch. The SW LAN port is connected to the same switch.

Second Statement: I left that out. There is no Internet connectivity at all from any branch using the ISP modem connected to the SW's WAN. (The firewall is not letting anything come in from the outside, and nothing is going out from the inside.) But the SW itself can ping out to Yahoo. I haven't tried pinging anything on the inside from the SW itself.

Third Statement: Yes, you are correct. Each branch can communicate with each other through the T1 Circuit. That connection is being used as a VPN.

Your question: Branch A is x.x.0.0 range, Branch B is x.x.4.0 range, and Branch C is x.x.1.0 range.

If I understand correctly, it should look like this on the static routes:

Destination Network:x.x.4.0 Subnet Mask:x.x.255.0 Default Gateway: 0.0.0.0 Interface: LAN
Destination Network:x.x.1.0 Subnet Mask:x.x.255.0 Default Gateway: 0.0.0.0 Interface: LAN
or
Destination Network:x.x.4.0 Subnet Mask:x.x.255.0 Default Gateway: x.x.0.250(Gigabit Ethernet 0/0) Interface: LAN
Destination Network:x.x.1.0 Subnet Mask:x.x.255.0 Default Gateway: x.x.0.250(Gigabit Ethernet 0/0) Interface: LAN

Thanks,

I hope this added information helps to pinpoint the issue.
BWaring commented:
That does help! OK, so no Internet anywhere...

the static routes will still need to be there to get the traffic back to the branches - your second set of routes.... so if you ping from Branch B, it goes (assuming .250 is all Cisco):

x.x.4.x (some computer) -> x.x.4.250 (Branch B Cisco) -> x.x.0.250 (Branch A Cisco) -> x.x.0.2 (SonicWall)

and now the SonicWall knows that to get back to x.x.4.x, it needs to send to x.x.0.250 (Branch A Cisco)

Although you can ping yahoo from the SW, I would double check those from the ISP, if you haven't already...

Also, check the SW log and see if you see any messages when you try to ping from the LAN side... make sure you ping an IP address, not a name, to rule out a DNS issue... try 8.8.8.8 from the LAN side...

If you're not getting ANY traffic out of the SW, was this a new install of the 3060? You have X0 on the LAN, X1 on the WAN? There should be a firewall rule LAN -> WAN  any any any allow all...


MightyMikey (Author) commented:
@BWaring

If I remember correctly the traceroute showed:

x.x.4.x -> x.x.4.250 -> x.x.101.250 -> and then it stopped. The x.x.101.x range is the IPs for the serial interface on each Cisco router at each location. I will try and head to the closest branch and use HyperTerminal to log in and make sure.

I see what you are saying but I did not know how to set the routes in the SW to make it work in that manner.

So I will input the second set of routes from my reply?
"Destination Network:x.x.4.0 Subnet Mask:x.x.255.0 Default Gateway: x.x.0.250(Gigabit Ethernet 0/0) Interface: LAN
Destination Network:x.x.1.0 Subnet Mask:x.x.255.0 Default Gateway: x.x.0.250(Gigabit Ethernet 0/0) Interface: LAN"

Do you mean a new install of the actual unit or just the software in it? The SW Pro 3060 has X ports but we do not use them. There are two ports with the names LAN and WAN that we use. The IPs and settings are set up through the wizard in the OS on the SW.
BWaring commented:
That's ok.... that was not an 'exact' tracert, just an idea of how it gets from one end to the other.... the key point is that the SW needs to know that x.x.4.0 is back through the Cisco.... once it sends it back there, the Cisco will know what to do with it, because it already knows where x.x.4.0 is... (you did say that all interbranch works, like you can ping from a device at each Branch to any other Branch, right? That means the Ciscos know what to do already)....

The SW ports are labeled X0-X5 under the ports. X0 is LAN and X1 is WAN (labeled on top)...

I was wondering if this was a new 3060, such that all the default settings were still basically intact, or if it's been 'changed' a lot... by default, the LAN -> WAN FW policy is there...

Get the Internet working at Branch A first, then yes, put in those routes...

What is the default gateway on the devices in Branch A set to? And what is the default gateway on the Cisco set to? If you're pointing the devices to the Cisco as the default gw, then the Cisco needs to have the SW as its default gw....
MightyMikey (Author) commented:
@BWaring

Yes, I can ping each device at each end.

In regards to your last statement:

Yes, that is how I have it set. The default gateway for the devices is x.x.0.250 which is the Cisco router. The default gateway for the Cisco router is set to x.x.0.2 which is the LAN port on the SW.
BWaring commented:
OK, good... just test pinging by IP to rule out DNS... try 8.8.8.8 from SW, then from Cisco, then from Branch A comp...
MightyMikey (Author) commented:
Ok. I will be heading to Branch A tomorrow. I was going to do it remotely but recalled I removed the Cisco routers or SW from the switch to be able to access it remotely.
MightyMikey (Author) commented:
@BWaring

The firewall rule LAN -> WAN did the trick at Branch A. My devices could successfully ping 8.8.8.8 and access websites through the browser.

I added the routes to the SW as well. However, my associate at Branch B could not ping my Cisco router (GE0/0 or S0/0/0:0), LAN devices, or the SW LAN port from his device on the Branch B LAN. I could ping his Cisco router (FE0/0 and S0/0) but not his devices on his LAN from my device on the Branch A LAN. Also, none of the devices on Branch B could access the Internet. Of course, that stems from not being able to ping each other from each LAN.

I suspect now a routing issue with the Cisco routers.

Branch A Cisco routes:
ip default-gateway x.x.0.2
ip route 0.0.0.0 0.0.0.0 x.x.0.2

Branch B Cisco routes:
ip default-gateway x.x.0.2
no ip routes set.

Another thing is the routing table on the SW looks odd. Can you look it over?
Destination Network   Subnet Mask      Gateway Address   Destination Link
0.0.0.0               0.0.0.0          x.x.50.117        WAN
x.x.50.116            x.x.255.252      0.0.0.0           WAN
x.x.50.117            x.x.255.255      0.0.0.0           WAN
x.x.50.118            x.x.255.255      0.0.0.0           LAN/DMZ
x.x.0.0               x.x.255.0        0.0.0.0           LAN
x.x.0.2               x.x.255.255      0.0.0.0           LAN
x.x.1.0               x.x.255.0        x.x.0.250         LAN*
x.x.4.0               x.x.255.0        x.x.0.250         LAN*
x.x.255.255           x.x.255.255      0.0.0.0           LAN

We did not set up anything dealing with a DMZ. I am not sure why it is showing "LAN/DMZ", and also the "x.x.50.116" IP we did not even input anywhere during the setup. Is it because the WAN subnet mask under the WAN setup has 252 at the end? I know this limits you to 2 hosts per subnet.

The * are the ones I added based on your help.

One last thing, what is the deal with the subnets ending in "255"?

Thanks for all your help so far. I have been making progress and learning more about this than I could have alone. I have been stressing less now too.
BWaring commented:
OK, so the interbranch is not working then... I'll get to that...

Branch A is working then:

  - the Cisco is the default gw for all devices (x.x.0.250)
  - the default gw on the Cisco is x.x.0.2
  - the Cisco can ping 8.8.8.8
  - the devices can ping 8.8.8.8
- the devices can connect to web sites, so I'll assume DNS is working

Branch B & C:

  - they work ok within their own LAN, but cannot get to A
  - the Cisco at each site is the default gw for all devices (x.x.4.250 or x.x.1.250)

The issue between the branches now gets down to the Ciscos and the interbranch network... remember that a router (or any device) can only directly send to a network that it is attached to. If it needs to go somewhere else, then it needs a defined route (static or dynamic) to get there, and when all else fails, it sends it to its default gw...

The first question is, are the Ciscos running any routing protocol? It wouldn't seem like it, so...

Let's say the WAN IPs on the Cisco are as follows (I didn't see them above):

  A: x.x.101.250
  B: x.x.101.4
  C: x.x.101.1

For A to contact the LANs at B & C, it needs to know how to get to x.x.4.0 and x.x.1.0. Since it is only attached to x.x.0.0 and x.x.101.0, it needs a route. This needs to be added to the A Cisco:

  ip route x.x.4.0 255.255.255.0 x.x.101.4
  ip route x.x.1.0 255.255.255.0 x.x.101.1

Now A knows how to get to B & C - by sending the traffic to an interface it can talk to that is one step closer to those networks. A already has its default set to the SW (x.x.0.2) so that half is done as well.

For B & C to contact the LAN at A (and therefore to get to the SW and out to the Internet), they need to know how to get to x.x.0.0. Since they are only attached to x.x.4.0 or x.x.1.0, and x.x.101.0, they need routes. In this case, since we are sending ALL unknown traffic to A, we just need to modify the default route - the default gw...

remove the existing default route:

  no ip route 0.0.0.0 0.0.0.0 x.x.0.2

and add the correct one:

  ip route 0.0.0.0 0.0.0.0 x.x.101.250

Now B & C know that when they don't know where to send something, send it to x.x.101.250 - the A Cisco WAN port - which they have a direct connection to...

Now you should be able to get from B & C to the Internet:

x.x.4.0 -> x.x.4.250 -> x.x.101.250 -> x.x.0.2 -> Internet
x.x.1.0 -> x.x.1.250 -> x.x.101.250 -> x.x.0.2 -> Internet


Now, lastly, the SW routing table...

0.0.0.0                              0.0.0.0                    x.x.50.117      WAN
Default route

x.x.50.116                      x.x.255.252                 0.0.0.0      WAN
This is the network address of your public address range. It is the beginning of the range of the four addresses assigned to you. This is correct.

x.x.50.117                      x.x.255.255                 0.0.0.0      WAN
This is the ISP's router port that is your default GW for the SW. The .255 means it's just a single host in the table, not a subnet.

x.x.50.118                      x.x.255.255                 0.0.0.0      LAN/DMZ
This is your WAN port IP. I'm not sure why it lists LAN/DMZ there...

x.x.0.0                              x.x.255.0                         0.0.0.0      LAN
Local LAN at A

x.x.0.2                              x.x.255.255                 0.0.0.0      LAN
SW LAN port

x.x.1.0                              x.x.255.0                     x.x.0.250      LAN*
LAN at B - now it knows how to get there (through the Cisco)

x.x.4.0                              x.x.255.0                     x.x.0.250      LAN*
LAN at C - now it knows how to get there (through the Cisco)

x.x.255.255                      x.x.255.255                 0.0.0.0      LAN
Broadcast address for the LAN at A

MightyMikey (Author) commented:
@BWaring

The Ciscos are running:
router rip
 version 2
 network x.x.0.0
 network x.x.1.0
 network x.x.4.0
 network x.x.101.0
 no auto-summary

Did you need the internal clock for each router?

Branch A WIC:
x.x.101.250
x.x.101.251

Branch B WIC:
x.x.101.252

Branch C WIC:
x.x.101.253

After reading:

For A to contact the LANs at B & C, it needs to know how to get to x.x.4.0 and x.x.1.0. Since it is only attached to x.x.0.0 and x.x.101.0, it needs a route. This needs to be added to the A Cisco:

  ip route x.x.4.0 255.255.255.0 x.x.101.4
  ip route x.x.1.0 255.255.255.0 x.x.101.1

Now A knows how to get to B & C - by sending the traffic to an interface it can talk to that is one step closer to those networks. A already has it's default set to the SW (x.x.0.2) so that half is done as well.

For B & C to contact the LAN at A (and therefore to get to the SW and out to the Internet), they need to know how to get to x.x.0.0. Since the are only attached to x.x.4.0 or x.x.1.0, and x.x.101.0, they need routes. In this case, since we are sending ALL unknown traffic to A, we just need to modify the default route - the default gw...

remove the existing default route:

  no ip route 0.0.0.0 0.0.0.0 x.x.0.2

and add the correct one:

  ip route 0.0.0.0 0.0.0.0 x.x.101.250

Now B & C know that when they don't know where to send something, send it to x.x.101.250 - the A Cisco WAN port - which they have a direct connection to...

Now you should be able to get from B & C to the Internet:

x.x.4.0 -> x.x.4.250 -> x.x.101.250 -> x.x.0.2 -> Internet
x.x.1.0 -> x.x.1.250 -> x.x.101.250 -> x.x.0.2 -> Internet


I see it all clearly. When I first tried to get the devices (routers and workstations) to communicate with each other over the T1 circuit, I kept playing around with similar IP routes with mixed results. The entire time I routed it to x.x.0.250. After reading your text I understand how Branch B and C do not know what or where that even is, but they do know Branch A's x.x.101.250 and x.x.101.251.

It also makes sense to me why, when I would traceroute from Branch B to A, I would end up seeing:

1   x.x.4.250
2   x.x.101.251
3   *  *  *   *


I will drive back out tomorrow and set this up ASAP.

Not sure why the WAN IP port is LAN/DMZ either. I will look into this.
coredatarecovery commented:
You need to be sure that the return route is set up on the end router; you also want to be sure you have forwarding on.

So if you're 3 deep

3>2>1>I
I must have a route to 3 as 1
2 must have a route to 3 as 2.

Otherwise the returning packet cannot get there, I>1>2>3, to the end user on that network.

You can test this by pinging from network 1 to a computer on network 3. If it works, then you are looking for a firewall rule blocking routed packets from 3 or 2.
If you cannot ping in both directions, look at your routing table.

Hope This Helps.
BWaring commented:
If you have RIP configured correctly on the 3 Ciscos and you set the default gw at B & C to x.x.101.250, then everything else should work.... with only 3 sites, I usually just enter the routes manually and don't bother with RIP (not that it wouldn't work that way)... if a 'show ip route' in each Cisco already shows all the networks - x.x.0.0, x.x.1.0, x.x.4.0, x.x.101.0 - then fixing the default gw should do it and you don't need the manual routes....

I don't think the LAN/DMZ is an issue...
MightyMikey (Author) commented:
@coredatarecovery

If possible, can you type out a template of what you mean? If I see it visually, like the routes BWaring supplied, I will better understand how it will be entered and what it will look like in the end router config. I will try your ping method and if I hit a wall use that to figure it out on my own. I somewhat have an idea how it should be set up. I know why it has to be done though.

@BWaring

When you say Default Gateway, do you mean Default Gateway under IP DHCP pool or IP Default-Gateway under router rip?

I will also check the "show ip route".

I don't think LAN/DMZ is an issue either. I just made that statement in case I find out why it does that; I would share that information with you.

Thanks to both of you. I will post my results tomorrow.
BWaring commented:
No, I'm just talking about the IP Default-Gateway - the default gateway of the Cisco. The DHCP default gateway you're giving out to the DHCP clients should be the Cisco LAN IP...

I think coredatarecovery may be thinking that you are going through 3 levels end-to-end... it's only 2 levels, as the Internet is off the '2', so it's 3-2-I and 1-2-I, not 3-2-1-I (if that's what you meant, coredatarecovery)...
coredatarecovery commented:
I'm not a Cisco guy, just Linux-based stuff. But diagnosing the logic is the same.
MightyMikey (Author) commented:
@BWaring

remove the existing default route:

  no ip route 0.0.0.0 0.0.0.0 x.x.0.2

and add the correct one:

  ip route 0.0.0.0 0.0.0.0 x.x.101.250

If I remove 0.2, LAN A cannot reach out to the Internet. When I add 101.250 it says invalid next hop address (it's this router).
BWaring commented:
That's only on the B & C Ciscos. Leave A alone; A is working.
BWaring commented:
For B & C to contact the LAN at A (and therefore to get to the SW and out to the Internet), they need to know how to get to x.x.0.0. Since they are only attached to x.x.4.0 or x.x.1.0, and x.x.101.0, they need routes. In this case, since we are sending ALL unknown traffic to A, we just need to modify the default route - the default gw...

remove the existing default route:

  no ip route 0.0.0.0 0.0.0.0 x.x.0.2

and add the correct one:

  ip route 0.0.0.0 0.0.0.0 x.x.101.250

Now B & C know that when they don't know where to send something, send it to x.x.101.250 - the A Cisco WAN port - which they have a direct connection to...

Now you should be able to get from B & C to the Internet:

x.x.4.0 -> x.x.4.250 -> x.x.101.250 -> x.x.0.2 -> Internet
x.x.1.0 -> x.x.1.250 -> x.x.101.250 -> x.x.0.2 -> Internet
BWaring commented:
From the B & C network devices and the B & C Cisco, you should be able to ping the LAN (x.x.x.250) and WAN (x.x.101.x) ports of the local Cisco, and if routing is working correctly on A, from B & C you should also be able to ping x.x.101.250. Then from B & C, ping 8.8.8.8 should send it to the local Cisco LAN, which then sends it out its WAN to the WAN of the A Cisco, which then sends it out its LAN to the LAN of the SW, which then sends it out its WAN to the Internet...
MightyMikey (Author) commented:
I have it working. Branch A and B have Internet and the LANs can communicate with each other as well. I set up the router at Branch C over telnet. I will set up the LAN on Monday. I ran out of time today.

Thank you very much. Your replies were very helpful and informative.

Once the entire network is up, I shall grant you the points you deserve and accept your post as the solution.

Thank you again. I will keep you posted.
coredatarecovery commented:
Gotcha, thought you had a bunch of subnets going on there.

You can ping through from both ends, right?
MightyMikey (Author) commented:
@core

Yes. A computer on LAN A can ping through to a computer on LAN B, and vice versa. They both access the Internet. Branch A accesses it through the SW connected to the local switch. LAN B connects to the Internet access of Branch A through the T1 circuit that connects the branches.

Only thing left to do is head to Branch C, switch them from the old network connection to the new one, ping each end and make sure Internet access is available. Then it's complete. Well, there was an issue with not being able to remote connect to the servers, but I am sure that is a matter of an access rule on the SW.
MightyMikey (Author) commented:
@BWaring and others

I apologize for not touching base. It has been hectic here at the office. I haven't had a chance to jump back into the network switch-over due to scheduling conflicts. I appreciate your patience. I will update, accept the solutions, and award the points as soon as we conduct the network switch.

Thanks
MightyMikey (Author) commented:
The network is up. I had restricted the access rules to the IPs of the servers thinking it would make it more secure, but in turn it hindered us from RDP from outside the network.

Thank you all for your help.
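BWaring's earlier point that a fresh 3060 ships with a LAN -> WAN any/any/any allow rule, and MightyMikey's closing note that tightening the access rules to the server IPs broke RDP from outside, both come down to how a zone-based firewall matches rules in order and falls through to an implicit deny. The following is an added example written for this page, not SonicOS code or the poster's configuration: the interface-to-zone map, the addresses (10.10.0.0/24 for the Branch A LAN, 10.10.4.0/24 for Branch B, 198.51.100.0/24 as an assumed admin range) and the rule names are constructed, and since the thread does not say which rule field was restricted, the "server named as source" rule is one illustration of how such a restriction can fail, not a statement of what happened.

```python
"""Zone-based, first-match access-rule evaluation in the shape of the SonicWall
rules discussed in this thread.  Added example with constructed addresses and
rule names; a simplified model of how such a firewall decides, not SonicOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")

# Zone membership follows the interface a packet arrives on or leaves by, not
# its subnet: a Branch B packet (10.10.4.x) routed in via X0 is LAN-zone traffic.
INTERFACE_ZONE = {"X0": "LAN", "X1": "WAN"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    source: Net        # who may initiate
    destination: Net   # to whom
    service: str       # "any" or "proto/port", e.g. "tcp/3389"
    action: str        # "allow" or "deny"


def decide(rules: List[Rule], in_if: str, out_if: str,
           src: str, dst: str, service: str) -> str:
    """Return the action of the first rule matching a new connection, or the
    implicit 'deny' when nothing matches (the state the poster was in before
    the LAN -> WAN rule existed)."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    src_zone, dst_zone = INTERFACE_ZONE[in_if], INTERFACE_ZONE[out_if]
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and src_ip in r.source and dst_ip in r.destination
                and r.service in ("any", service)):
            return r.action
    return "deny"


# The default outbound policy BWaring referred to: anything from LAN to WAN.
LAN_TO_WAN_ANY = Rule("LAN", "WAN", ANY, ANY, "any", "allow")

# Least-privilege inbound RDP: an assumed admin range, one server, one port.
RDP_TO_SERVER = Rule("WAN", "LAN", Net("198.51.100.0/24"), Net("10.10.0.10/32"),
                     "tcp/3389", "allow")

# Over-restricted: naming the server as the *source* of inbound traffic can
# never match a connection from outside, whose source is the external client.
RDP_SERVER_AS_SOURCE = Rule("WAN", "LAN", Net("10.10.0.10/32"), ANY, "tcp/3389", "allow")


def outbound_checks(rules: List[Rule]) -> Dict[str, str]:
    """LAN -> WAN decisions for a Branch A host and a routed Branch B host."""
    return {
        "branch_a_ping": decide(rules, "X0", "X1", "10.10.0.20", "8.8.8.8", "icmp"),
        "branch_b_ping": decide(rules, "X0", "X1", "10.10.4.10", "8.8.8.8", "icmp"),
    }


def inbound_rdp_checks(rules: List[Rule]) -> Dict[str, str]:
    """WAN -> LAN decisions for new RDP connections toward the 10.10.0.0/24 LAN."""
    return {
        "admin_to_server": decide(rules, "X1", "X0", "198.51.100.7", "10.10.0.10", "tcp/3389"),
        "stranger_to_server": decide(rules, "X1", "X0", "203.0.113.200", "10.10.0.10", "tcp/3389"),
        "admin_to_other_host": decide(rules, "X1", "X0", "198.51.100.7", "10.10.0.11", "tcp/3389"),
    }


if __name__ == "__main__":
    print("no rules, outbound        :", outbound_checks([]))
    print("default LAN->WAN, outbound:", outbound_checks([LAN_TO_WAN_ANY]))
    print("outbound rule only, RDP in:", inbound_rdp_checks([LAN_TO_WAN_ANY]))
    print("scoped inbound rule, RDP  :", inbound_rdp_checks([LAN_TO_WAN_ANY, RDP_TO_SERVER]))
    print("server named as source    :", inbound_rdp_checks([LAN_TO_WAN_ANY, RDP_SERVER_AS_SOURCE]))
```

The model is stateless, so it leaves out the other half of what a stateful firewall does: replies to an allowed LAN -> WAN flow are admitted without any WAN -> LAN rule, while a new inbound connection such as RDP needs its own rule. The zone check is also why the SonicWall static routes in this thread sit on the LAN interface: Branch B traffic that the Cisco hands to X0 is evaluated as LAN-zone traffic and is covered by the same outbound rule as Branch A. Scoping the inbound rule to a named source range, a single server and a single service is the least-privilege form; the any/any/any outbound rule is what restores connectivity, and a practitioner would narrow it once the network is working.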
MightyMikey (Author) commented:
Thank you to the experts. You gave very detailed and thorough instructions.