  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 380
network question

Hi Network Experts,

I have two remote sites that have recently been connected using a point to point link.
The remote site has only 3 computers and below is how i have configured them:
-static IP addresses of 192.168.2.x (HQ ip range is 192.168.1.x)
-default gateway = ip address of remote site router
-dns server = ip address of dns server at HQ

There is no server at the remote site.

Static routes have been added on both routers to allow traffic.

From the router in HQ i can connect to the router in the remote site.
I can even see the computers in the network from the router.
From HQ I can even remote desktop to the remote site.

Problem is that I cannot ping or access resources in HQ from the remote site (email etc. are centralized in HQ).
PLEASE HELP!

Asked: NormanMaina
1 Solution
 
Keith AlabasterCommented:
At the main office make sure all layer 3 devices (including firewalls etc.) know that traffic bound for the 192.168.2.0 network has to be sent to the device connecting the point-to-point link. I know that you have static routes in place but the symptoms suggest that not everything at the HQ end is aware of them.

Try a tracert to one of the remote ip addresses - what route is taken? Where is it timing out? (do the same from a remote PC to an HQ-located device)
0
 
JorisFRSTCommented:
If you can remote desktop from a PC in HQ to a pc in the remote site, then your routing is OK.

While you're remote desktopped into a PC in the remote site, can you ping/tracert to your own PC from that one?

Only thing I can think of is an access list preventing connections.
0
 
JorisFRSTCommented:
or another rule somewhere.
Can you post configs of both routers?
0
 
NormanMainaAuthor Commented:
@Keith> Thanks for your quick response.

A tracert from the remote site to a server in HQ fails after the HQ router.
See attached image
198.168.2.13 is the remote router
10.139.157.10 is the HQ router


tracert.jpg
0
 
Keith AlabasterCommented:
And the HQ router is where the point-to-point connection is established?

You have not mentioned what equipment you are using to join the link with but assuming it is a Cisco device, can you log on to it and post the results of a 'sh ip route' please?
0
 
NormanMainaAuthor Commented:
@JorisFRST:> see attached configs.

Let me explain that the HQ router is also the internet router and hosts two point to point links.
The other one, named Nanyuki, is working fine.

@Keith> The equipment is all Cisco routers.
See attached results from sh ip routes
HQ-router-config.txt
HQ-sh-IP-routes.txt
Mwea-router-config.txt
Mwea-Sh-IP-routes.txt
0
 
NormanMainaAuthor Commented:
We have an ISA server in HQ and I am not sure if it's the one blocking the traffic.

Is it a matter of adding routes (from the command prompt) on the ISA server?
0
 
JorisFRSTCommented:
Is the Nanyuki config much different?
0
 
JorisFRSTCommented:
And your default gateway in HQ is the 192.168.1.13?

I think you got your routing covered, I must be missing something.

There are no ACLs applied on the interfaces, so that should pass all traffic.
0
 
NormanMainaAuthor Commented:
It's the same as Mwea's.

I am having a look at the ISA server network config and as you can notice from the screenshot below, the IP ranges for HQ and Nanyuki are described in the Internal network and the VLAN IP range for Nanyuki and Nairobi is configured.

When I try to add the IP range of Mwea, i.e. 192.168.2.1 - 192.168.2.75, and/or the VLAN IP for Mwea, 10.139.157.9 - 10.139.157.10, I can no longer access the computers in Mwea.
At first I thought the network had gone down but further testing revealed that after I apply the settings, I can no longer access Mwea site computers.

Still my problem is for Mwea computers to be able to see the computers in HQ, which is where the domain controller resides.
 
0
 
 
JorisFRSTCommented:
Sorry, I'm not an ISA man, but I can tell you already that I think the Cisco end is OK.
0
 
K_WilkeCommented:
I personally do not like relying on the routers alone for routing.
I would put a persistent static route on each PC/server at each end that has to connect to another device across the router.
For instance at the remote site (if the router has a last octet of .99) I would do:
route add -p 192.168.1.0 mask 255.255.255.0 192.168.2.99
The first IP address is where you are going, then the subnet mask, then the router locally that is taking you to where you want to go.

At the HQ site, let's say the router has a last octet of .20, then I would do:
route add -p 192.168.2.0 mask 255.255.255.0 192.168.1.20

Do this on each PC or server that has to talk across the router to get to the other site.
Thanks,
Kelly W.
0
 
NormanMainaAuthor Commented:
K_Wilke:> I agree with that, but first I have to get past the ISA from the remote site.
That's where I am stuck atm.
0
 
greg wardCommented:
I don't see how this can be an ISA issue as it is not in the path.
I guess it's a routing issue.
I would make sure routing is turned on for all devices:
conf t
ip routing
You don't need two routes on the remote router;
ip route 192.168.1.0 255.255.255.0 10.139.157.9 is covered by the line above.
I would look into using EIGRP if you can, it makes it easier to configure.

Greg
0
 
Craig BeckCommented:
You need to add the address range for the remote site to the Internal network object on the ISA.
0
 
greg wardCommented:
I see that the ISA does not have the network, however the connection gets as far as the router.
On second glance, this is wrong:
ip route 192.168.0.0 255.255.255.0 10.139.157.6 name TO-NANYUKI-via-SAFARICOM
ip route 192.168.2.0 255.255.255.0 10.139.157.10 name TO-MWEA-via-SAFARICOM

as the IPs are not configured locally.
I would try
ip route 192.168.0.0 255.255.255.0 10.139.157.5 name TO-NANYUKI-via-SAFARICOM
ip route 192.168.2.0 255.255.255.0 10.139.157.9 name TO-MWEA-via-SAFARICOM

Greg
0
 
JorisFRSTCommented:
I would not try that
0
 
greg wardCommented:
OK, but if the packet has got as far as the router's 10.139.157.9 IP address as the tracert shows, the problem is the next step.
Either the packet does not make it to 192.168.1.1, an IP address on the same router (the router is not routing),
or the packet cannot make it back from 192.168.1.1 to 10.139.157.9.
I am guessing we don't need to use ip classless, so it leaves the route back to the IP 10.139.157.9 and I am thinking it might be going to the other network.
I agree the config on the ISA looks to be different for the other network, but I don't know enough about the ISA to tell if this has blocked the connection.
If I am wasting my time please let me know, Craig Beck.

Greg
0
 
JorisFRSTCommented:
Try to ping 192.168.1.13
0
 
Keith AlabasterCommented:
Open the ISA GUI - I assume it is ISA 2004/6 rather than ISA 2000?
In Configuration - Networks - Internal - Properties - Addresses, what is listed here? It should be 192.168.1.0 - 192.168.1.255. Does it also include the 192.168.2.x range as well?
0
 
NormanMainaAuthor Commented:
@Greg> The same config works with the other VLAN for Nanyuki; it's only Mwea which ain't working.

I have tried to bypass ISA by using the router as the IP address but the way the network is configured, all traffic has to pass through the ISA (I could be wrong here).

Here's the setup:
Fibre cable from ISP goes to HQ router
The LAN port cable from router goes to the ISA server
Then from the ISA, a cable is connected to the LAN switch

@JorisFRST:> A ping of any of the routers is successful in both directions.
From a Mwea computer I can ping 192.168.1.13

@keith> It's ISA 2006 and the range of 192.168.2.x is not there.
When I add it, as I had mentioned earlier, I immediately cannot access Mwea site computers.

My guess is that it's a mixture of adding persistent routes as mentioned above and adding the Mwea IP range on ISA.
I think Mwea site traffic is blocked by ISA because it's getting as far as the HQ router but cannot go to the LAN because it has to pass through ISA anyway and ISA doesn't recognize it.

Will have another go at it tomorrow morning with the consultant who had setup the ISA server and post back the results.
0
 
JorisFRSTCommented:
In this setup you need a route on the ISA.
Normally this should already be covered if the ISA's default gateway is the HQ router's 10..... IP.

If that is OK it will be a rule on the ISA.
0
 
JorisFRSTCommented:
That should read 192.168.10.1
0
 
Craig BeckCommented:
JorisFRST is correct, you will need a route to the 192.168.2.0/24 network on the ISA, as its Internal NIC won't have a default gateway.

Can you post the output from the ROUTE PRINT command on the ISA?
0
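The two checks the thread converges on (Keith's "what does the Internal network object list?" and Craig Beck's "the ISA needs a route to 192.168.2.0/24 because its internal NIC has no default gateway") can be modelled as a small script. This is an added example, not code from the thread or from ISA Server: the addresses 192.168.1.0/24 (HQ), 192.168.2.0/24 (Mwea) and 192.168.1.13 (taken here as the HQ-side gateway) come from the thread, the 192.168.2.10 and 192.168.1.50 hosts are constructed, and the ISA behaviour is a deliberate simplification of how the posters describe it (a source outside the Internal network object is dropped as spoofed; a reply needs an explicit route), not the product's real packet path. It also prints the Windows `route add -p` line from K_Wilke's post for the ISA host.

```python
"""Toy model of the ISA 'Internal network object + static route' check.

Added example, not thread or ISA code. ISA behaviour here is an assumption
that mirrors the posters' reasoning: (1) a packet arriving on the internal
NIC whose source is not inside the Internal network object is dropped as
spoofed; (2) the reply to that source needs a route on the ISA host, because
the internal NIC has no default gateway.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, next-hop address or "on-link")


def longest_prefix_match(routes: Iterable[Route], dst: str) -> Optional[Route]:
    """Pick the most specific route for dst, as `route print` / `sh ip route` would."""
    target = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, next_hop in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def expand_isa_ranges(ranges: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """ISA lists network objects as 'first - last' address ranges; turn them into CIDR blocks."""
    nets: List[ipaddress.IPv4Network] = []
    for r in ranges:
        first, last = (part.strip() for part in r.split("-"))
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def isa_decision(internal_ranges: Iterable[str], isa_routes: Iterable[Route],
                 src: str, dst: str) -> Tuple[bool, str]:
    """Would a packet src -> dst entering the ISA's internal NIC get through and be answerable?"""
    nets = expand_isa_ranges(internal_ranges)
    # Rule 1 (assumed): source must belong to the Internal network object.
    if not any(ipaddress.ip_address(src) in n for n in nets):
        return False, "source %s is not in the Internal network object" % src
    # Rule 2 (assumed): the ISA host must know how to send replies back to src.
    back = longest_prefix_match(isa_routes, src)
    if back is None:
        return False, "ISA host has no route back to %s" % src
    return True, "forwarded to %s; replies to %s leave via %s" % (dst, src, back[1])


def persistent_route_cmd(cidr: str, gateway: str) -> str:
    """Windows `route add -p` line for a CIDR, in the form K_Wilke's post uses."""
    net = ipaddress.ip_network(cidr, strict=False)
    return "route add -p %s mask %s %s" % (net.network_address, net.netmask, gateway)


if __name__ == "__main__":
    hq_only = ["192.168.1.0 - 192.168.1.255"]                # what the poster reports today
    with_mwea = hq_only + ["192.168.2.0 - 192.168.2.255"]    # Keith's / Craig's first step
    isa_routes = [("192.168.1.0/24", "on-link")]             # internal NIC, no default gateway (assumed)
    fixed_routes = isa_routes + [("192.168.2.0/24", "192.168.1.13")]  # Craig's second step

    pkt = ("192.168.2.10", "192.168.1.50")                   # constructed: Mwea PC -> HQ server
    for label, ranges, routes in [("as posted", hq_only, isa_routes),
                                  ("range added", with_mwea, isa_routes),
                                  ("range + route", with_mwea, fixed_routes)]:
        print("%-14s %s" % (label, isa_decision(ranges, routes, *pkt)))
    print(persistent_route_cmd("192.168.2.0/24", "192.168.1.13"))
```

Running the three stages shows why adding the address range alone (the poster's earlier attempt) is not enough in this model: the packet is accepted but the ISA host still has nowhere to send the reply until the static route exists as well.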
 
greg wardCommented:
My bad, I did not know all traffic was going through the ISA.
Looks like this should be fixed in the morning anyway.

Greg
0
 
Keith AlabasterCommented:
Too many posters on this one now and we will contradict suggestions so I'll stay out.
0
