Solved

static route issue

Posted on 2011-10-18
Last Modified: 2012-05-12
Hi,

I am trying to ping a public IP from my workstation.
The tracert dies at the core switch.

From the core switch (I have a static route to the router), here is what I get:

sw01#traceroute 208.134.161.11

Type escape sequence to abort.
Tracing the route to 208.134.161.11

  1 172.16.1.36 0 msec 0 msec 8 msec
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *

(The 1.36 is my router.)

From the router (1.36) I am able to ping the IP:

Router#traceroute 208.134.161.11

Type escape sequence to abort.
Tracing the route to 208.134.161.11

  1 10.201.128.21 0 msec 0 msec 0 msec
  2 133.0.74.93 4 msec 4 msec 5 msec
  3 172.25.85.177 48 msec 48 msec 44 msec
  4 172.24.65.181 44 msec 48 msec 44 msec
  5 172.22.160.69 44 msec 48 msec
    172.22.160.65 44 msec
  6 208.134.161.3 44 msec 44 msec 48 msec


What am I missing?

It seems the ICMP goes from my workstation to the core switch and dies somewhere there or in the router (from what I see, it makes it to the router).

Any ideas?
Question by:c_hockland

Author Comment

by:c_hockland
ID: 36986607
Just a thought...
Do I need an access list on the router that permits all traffic coming from the core switch?


Expert Comment

by:Garry Glendown
ID: 36987011
Do you have NAT active on the router? Please remember that a device will always use the IP address of the port that the packet exits at, so when you use your router to ping, it will use the internet-facing interface's IP. That of course should work.

Author Comment

by:c_hockland
ID: 36987121
No, I don't have any NAT on the router.
Here is the router config:

trafigbloomberg#sh run
Building configuration...

4w6d: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 1127 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
aaa new-model
enable secret 5 $1$CTiV$xCdlSeS3EFuf3xEqDjfve.
!
username root password 0 xxx
clock timezone GMT 0
ip subnet-zero
no ip source-route
!
!
ip domain-name abc.com
ip name-server 172.20.3.21
!
partition flash 2 16 16
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.1.36 255.255.255.0
 ip access-group 10 in
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.201.128.20 255.255.255.0
 no keepalive
 speed 100
 full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.201.128.21
ip route 172.0.0.0 255.0.0.0 172.16.1.1
ip route 172.16.14.1 255.255.255.255 172.16.1.1
no ip http server
!
access-list 10 permit 0.0.0.0
!
line con 0
 exec-timeout 35700 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 35700 0
 logging synchronous
 transport input pad v120 telnet rlogin udptn
line vty 5 15
 exec-timeout 35700 0
 logging synchronous
 transport input pad v120 telnet rlogin udptn
!
end


I think that the router doesn't "know" how to get back to the switch, because I cannot ping the default gateway from the router.
From the gateway, though, I can ping the router.

Accepted Solution

by:Garry Glendown
ID: 36987228
a) what's the point of using that access list on the internal interface? Assuming you want the permit-statement to let everything through, just drop the access statement on the interface ...
b) the router connected to fa0/1 most likely only knows its own /24, so you can't get back ... if you can't change its configuration, NAT will take care of that for you ...

int fa0/0
ip nat inside

int fa0/1
ip nat outside

ip nat inside source list INSIDENAT int fa0/1 overload

ip access-list extended INSIDENAT
permit ip 172.0.0.0 0.255.255.255 any

Please also note that 172/8 is NOT all private IP space ... only 172.16 through 172.31 is for internal use ...

Author Comment

by:c_hockland
ID: 36987813
This is what I have right now:


interface FastEthernet0/0
 ip address 172.16.1.36 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.201.128.20 255.255.255.0
 ip nat outside
 no keepalive
 speed 100
 full-duplex
!
ip nat inside source list INSIDENAT interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.201.128.21
ip route 172.0.0.0 255.0.0.0 172.16.1.1
ip route 172.16.14.1 255.255.255.255 172.16.1.1
no ip http server
!
!
ip access-list extended INSIDENAT
 permit ip 172.0.0.0 0.255.255.255 any
access-list 10 permit 0.0.0.0
!



From the router:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 208.134.161.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/47/49 ms
trafigbloomberg#

I can ping the public IP.

But from my workstation it dies at the core switch.
From the core switch I can ping the router.
From the router I cannot ping the core switch; that's why I think the ICMP reply doesn't know how to get back from the router to the switch and to the workstation.


Author Comment

by:c_hockland
ID: 36987825
Also, on my core switch I have the static routes for this domain:

ip route 0.0.0.0 0.0.0.0 172.16.1.10 name ---->PIX_Internal_Int

ip route 69.184.0.0 255.255.0.0 172.16.1.36
ip route 69.191.192.0 255.255.192.0 172.16.1.36
ip route 160.43.250.0 255.255.255.0 172.16.1.36
ip route 199.105.176.0 255.255.255.0 172.16.1.36
ip route 199.105.184.0 255.255.255.0 172.16.1.36
ip route 205.183.246.0 255.255.255.0 172.16.1.36
ip route 205.216.112.0 255.255.255.0 172.16.1.36
ip route 206.156.53.0 255.255.255.0 172.16.1.36
ip route 208.22.56.0 255.255.255.0 172.16.1.36
ip route 208.22.57.0 255.255.255.0 172.16.1.36
ip route 208.134.161.0 255.255.255.0 172.16.1.36

Author Comment

by:c_hockland
ID: 36987884
OK, latest update.

From the core switch I can ping the router and the remote location:

sw01#ping 172.16.1.36

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.36, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
sw01#ping 208.134.161.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 208.134.161.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 42/50/59 ms

Also from my workstation:

I can ping the default GW.
C:\>ping 172.16.14.1

Pinging 172.16.14.1 with 32 bytes of data:

Reply from 172.16.14.1: bytes=32 time=1ms TTL=255
Reply from 172.16.14.1: bytes=32 time=5ms TTL=255
Reply from 172.16.14.1: bytes=32 time=2ms TTL=255
Reply from 172.16.14.1: bytes=32 time=1ms TTL=255

Ping statistics for 172.16.14.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 5ms, Average = 2ms

I cannot ping VLAN 101, where the router is located:

C:\>ping 172.16.1.1

Pinging 172.16.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

I can ping Google, though:
C:\>ping www.google.com

Pinging www.l.google.com [74.125.73.147] with 32 bytes of data:

Reply from 74.125.73.147: bytes=32 time=23ms TTL=55

Author Comment

by:c_hockland
ID: 36987909
I guess I need some kind of rule to allow workstations from VLAN 114 to "talk" to VLAN 101.

Expert Comment

by:Garry Glendown
ID: 36987926
Glad you disclosed a bit more about your infrastructure ... you didn't mention you had a firewall there, which can take care of the NAT ...

Everything should work when you change the access list to this:

ip access-list extended INSIDENAT
deny ip 172.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
permit ip 172.0.0.0 0.255.255.255 any

(if all you're using is 172.16/16, you ought to alter that to just the /16 though)

Anyway, I don't quite understand your network topology, so there may be a better way to do this ...

Author Comment

by:c_hockland
ID: 36987961
Hey Garry,

I think I need to remove something here... too many NATs.

!
interface FastEthernet0/0
 ip address 172.16.1.36 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.201.128.20 255.255.255.0
 ip nat outside
 no keepalive
 speed 100
 full-duplex
!
ip nat inside source list INSIDENAT interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.201.128.21
no ip http server
!
!
ip access-list extended INSIDENAT
 permit ip 172.0.0.0 0.255.255.255 any
 deny   ip 172.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
access-list 10 permit 0.0.0.0

Expert Comment

by:Garry Glendown
ID: 36987979
You need to switch the sequence of the NAT access list ...

Simplest way, "no ip access-list extended INSIDENAT", then add it again in the correct sequence ...
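Both the accepted answer's NAT list and the reordering point in the comment just above come down to two properties of Cisco access lists: a wildcard mask is the inverse of a subnet mask (a 0 bit must match, a 1 bit is ignored), and entries are tried top-down with the first match deciding. The Python below is an added example written for this page, not code from the thread or from Cisco. It reimplements those two rules and runs the access lists quoted in the posts through them: the `access-list 10 permit 0.0.0.0` applied inbound on fa0/0 in the first config, INSIDENAT as first written, and INSIDENAT with the deny moved in front. The host addresses 172.16.14.5 and 172.200.0.1 are made up for the demonstration.

```python
"""Cisco-style access-list evaluation: wildcard masks and first-match order.

Added example for this page, not code from the thread or from Cisco.  It models
the access lists quoted in the posts above so their effect can be checked offline:
  * access-list 10 permit 0.0.0.0          (inbound on fa0/0 in the first config)
  * INSIDENAT as first written:            permit 172/8 -> any
  * INSIDENAT with the deny placed first,  as the accepted answer recommends
Host addresses such as 172.16.14.5 and 172.200.0.1 are made up for the demo.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any': every bit is don't-care


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must equal the base, a 1 bit is ignored.
    The wildcard is the inverse of a subnet mask, so 'permit 0.0.0.0' with the
    default wildcard 0.0.0.0 matches the single host 0.0.0.0, not 'any'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def _side(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(line: str):
    """One ACL entry -> (action, src_base, src_wc, dst_base, dst_wc).
    Extended form: '<permit|deny> ip <src> <dst>'.
    Standard form: '[access-list N] <permit|deny> <addr> [wildcard]' (destination
    is implicitly any; a missing wildcard defaults to 0.0.0.0, i.e. one host)."""
    toks = line.split()
    if toks and toks[0] == "access-list":
        toks = toks[2:]
    action, rest = toks[0], toks[1:]
    if rest[0] == "ip":                       # extended ACL
        (sb, sw), rest = _side(rest[1:])
        (db, dw), _ = _side(rest)
        return action, sb, sw, db, dw
    sb = rest[0]                              # standard ACL: source only
    sw = rest[1] if len(rest) > 1 else "0.0.0.0"
    return (action, sb, sw) + ANY


def evaluate(acl_lines, src: str, dst: str = "0.0.0.0") -> str:
    """First matching entry decides; anything unmatched hits the implicit deny
    that ends every IOS access list."""
    for line in acl_lines:
        action, sb, sw, db, dw = parse_entry(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# The lists as they appear in the thread.
ACL_10 = ["access-list 10 permit 0.0.0.0"]

INSIDENAT_AS_POSTED = ["permit ip 172.0.0.0 0.255.255.255 any"]

INSIDENAT_WRONG_ORDER = [                     # permit first: the deny never fires
    "permit ip 172.0.0.0 0.255.255.255 any",
    "deny ip 172.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255",
]

INSIDENAT_FIXED = [
    "deny ip 172.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255",  # inside-to-inside: no NAT
    "permit ip 172.0.0.0 0.255.255.255 any",                     # everything else: translate
]


def nat_translates(acl_lines, src: str, dst: str) -> bool:
    """For a NAT source list, 'permit' means translate and 'deny' means leave alone."""
    return evaluate(acl_lines, src, dst) == "permit"


def matched_but_not_rfc1918(addr: str) -> bool:
    """True when addr falls inside the 172/8 entry but outside 172.16.0.0/12:
    the over-match the accepted answer warns about."""
    return (wildcard_match(addr, "172.0.0.0", "0.255.255.255")
            and not ipaddress.ip_address(addr).is_private)


if __name__ == "__main__":
    print("ACL 10, workstation source:     ", evaluate(ACL_10, "172.16.14.5"))                                     # deny
    print("fixed list, to 208.134.161.11:  ", nat_translates(INSIDENAT_FIXED, "172.16.14.5", "208.134.161.11"))    # True
    print("fixed list, to core switch:     ", nat_translates(INSIDENAT_FIXED, "172.16.14.5", "172.16.1.1"))        # False
    print("wrong order, to core switch:    ", nat_translates(INSIDENAT_WRONG_ORDER, "172.16.14.5", "172.16.1.1"))  # True
    print("172.200.0.1 in 172/8 but public:", matched_but_not_rfc1918("172.200.0.1"))                              # True
```

Two results are worth checking against a real box: `evaluate(ACL_10, ...)` returns deny for every source except 0.0.0.0, because a standard entry with no wildcard gets the default wildcard 0.0.0.0 and so matches one host, which is why the accepted answer says to drop that access-group rather than assume it lets everything through; and `matched_but_not_rfc1918` shows that a 172/8 entry also catches addresses outside 172.16.0.0/12, so any NAT or trust decision keyed on it over-matches. The evaluator assumes the implicit deny at the end of every IOS access list.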

Expert Comment

by:Garry Glendown
ID: 36987991
Oh, and you may be missing routes to the inside networks ... you had the 172/8 route in earlier ...

Author Comment

by:c_hockland
ID: 36988049
Hi Garry,

Thanks so much for your help. I think the issue is that the workstation is on VLAN 114 and the router is on VLAN 101, because from the workstation I cannot ping the new router on VLAN 101.
I can access the internet through my main router.

See what I mean:

C:\>tracert 74.125.73.147

Tracing route to tul01m01-in-f147.1e100.net [74.125.73.147]
over a maximum of 30 hops:

  1     3 ms     3 ms     3 ms  10.100.9.1
  2     8 ms     3 ms     3 ms  64.128.27.97
  3    84 ms    61 ms    13 ms  216-110-27-181.static.twtelecom.net [216.110.27.181]
  4    17 ms    75 ms    15 ms  dal2-pr2-xe-2-2-0-0.us.twtelecom.net [66.192.241.78]
  5    21 ms    16 ms    34 ms  72.14.233.65
  6    17 ms    29 ms    19 ms  72.14.237.219
  7    47 ms    42 ms    62 ms  209.85.243.178
  8    24 ms    31 ms    29 ms  216.239.46.39
  9    86 ms    37 ms    43 ms  72.14.232.57
 10    30 ms    27 ms    28 ms  tul01m01-in-f147.1e100.net [74.125.73.147]

Trace complete.

C:\>tracert 208.134.161.11   (this is the remote domain; it should go through 172.16.1.36, the internal interface of the new router)
Tracing route to 208.134.161.11 over a maximum of 30 hops

  1     3 ms     3 ms     3 ms  10.100.9.1
  2     8 ms     3 ms     3 ms  64.128.27.97
  3    23 ms     9 ms    27 ms  216-110-27-181.static.twtelecom.net [216.110.27.181]
  4    31 ms


Expert Comment

by:Garry Glendown
ID: 36988070
Do you have the core switch configured for inter-vlan-routing?

Expert Comment

by:Garry Glendown
ID: 36988080
Maybe you could add some drawing of the network structure with all involved components and connections, IP addresses etc.?

Author Comment

by:c_hockland
ID: 36988098
Can I add a rule for a certain VLAN to be able to access the new router?
Maybe just for VLAN 114 to VLAN 101?

Expert Comment

by:Garry Glendown
ID: 36988155
What's the IPs on the core switch for those VLANs? The route would need to be on there ...

Author Comment

by:c_hockland
ID: 36988167
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  up                    up      
Vlan2                  192.168.205.1   YES NVRAM  down                  down    
Vlan69                 1.1.1.1         YES NVRAM  up                    up      
Vlan101                172.16.1.1      YES NVRAM  up                    up      
Vlan102                172.16.2.1      YES NVRAM  up                    up      
Vlan103                172.16.3.1      YES NVRAM  up                    up      
Vlan104                172.16.4.1      YES NVRAM  up                    up      
Vlan105                172.16.5.1      YES NVRAM  up                    up      
Vlan106                172.16.6.1      YES NVRAM  up                    up      
Vlan107                172.16.7.1      YES NVRAM  up                    up      
Vlan108                172.16.8.1      YES NVRAM  up                    up      
Vlan109                172.16.9.1      YES NVRAM  up                    up      
Vlan110                172.16.10.1     YES NVRAM  up                    up      
Vlan111                172.16.11.1     YES NVRAM  up                    up      
Vlan112                172.16.12.1     YES NVRAM  up                    up      
Vlan113                172.16.13.1     YES NVRAM  down                  down    
Vlan114                172.16.14.1     YES NVRAM  up                    up      
Vlan115                172.16.15.1     YES NVRAM  up                    up      
Vlan121                172.16.21.1     YES manual up                    up  



Author Comment

by:c_hockland
ID: 36988186
My workstation is on VLAN 114.
The router is on VLAN 101.

Maybe if I create a static route on VLAN 101 to allow all traffic from 114, that would do it?

Expert Comment

by:Garry Glendown
ID: 36988205
Does the core switch have a default route towards the router at 172.16.1.36?
Also, the router needs the return route, eg

ip route 172.16.0.0 255.255.224.0 172.16.1.1

Author Comment

by:c_hockland
ID: 36988251
The return route has been added back.

The default route is:
ip route 0.0.0.0 0.0.0.0 172.16.1.10 name ---->PIX_Internal_Int


Expert Comment

by:Garry Glendown
ID: 36988260
So what device is actually going to the internet - the router, or the PIX?

Author Comment

by:c_hockland
ID: 36988271
So I have the core switch and my router.

Then I added this router that connects with the ABC company's router, and this provides electronic transaction software just for the users in VLAN 114.

So this is why I have these static routes. If they need to access this domain, they will do so via the second router.

For everything else (no, there is not Mastercard), they will access via the default route.

Author Comment

by:c_hockland
ID: 36988344
Or... can I add an access list on VLAN 101 to allow all traffic from VLAN 114?

Expert Comment

by:Garry Glendown
ID: 36988532
OK, so the Cisco router is only there for the destinations you have configured with the static routes above, PIX is for Internet.

If this is so, put all those static routes on the Cisco router, with the gateway 10.201.128.21, and the default route back towards the core switch ...
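The return-path question the expert keeps coming back to (the router needing `ip route 172.16.0.0 255.255.224.0 172.16.1.1` once the 172/8 statics were removed, and the closing advice to carry the per-destination statics on the Cisco router with the default pointing back at the core switch) is a longest-prefix-match question, so it can be checked on paper before touching the router. The Python below is an added example written for this page, not code from the thread. It parses the `ip route` lines quoted in the posts into the core switch's table and three states of the Cisco router's table, performs IOS-style longest-prefix lookups over them, and shows the forward hop and the return hop side by side. 172.16.14.5 is a made-up host inside VLAN 114, and the model considers only the static routes (a real router would also have its connected 172.16.1.0/24 and 10.201.128.0/24, and a real lookup would prefer them for those two subnets).

```python
"""Longest-prefix-match route lookups over the static routes posted in the thread.

Added example for this page, not code from the thread.  The tables below are
transcribed from the posts (the core switch's statics and three states of the
Cisco router's table).  172.16.14.5 is a made-up host in VLAN 114.  Only static
routes are modelled; connected routes (172.16.1.0/24, 10.201.128.0/24) are not.
"""
import ipaddress

CORE_SWITCH = """
ip route 0.0.0.0 0.0.0.0 172.16.1.10 name ---->PIX_Internal_Int
ip route 69.184.0.0 255.255.0.0 172.16.1.36
ip route 69.191.192.0 255.255.192.0 172.16.1.36
ip route 160.43.250.0 255.255.255.0 172.16.1.36
ip route 199.105.176.0 255.255.255.0 172.16.1.36
ip route 199.105.184.0 255.255.255.0 172.16.1.36
ip route 205.183.246.0 255.255.255.0 172.16.1.36
ip route 205.216.112.0 255.255.255.0 172.16.1.36
ip route 206.156.53.0 255.255.255.0 172.16.1.36
ip route 208.22.56.0 255.255.255.0 172.16.1.36
ip route 208.22.57.0 255.255.255.0 172.16.1.36
ip route 208.134.161.0 255.255.255.0 172.16.1.36
"""

# The Cisco router as first posted: a 172/8 catch-all back to the core switch.
ROUTER_ORIGINAL = """
ip route 0.0.0.0 0.0.0.0 10.201.128.21
ip route 172.0.0.0 255.0.0.0 172.16.1.1
ip route 172.16.14.1 255.255.255.255 172.16.1.1
"""

# After the 172/8 routes were removed: only the default toward the upstream.
ROUTER_NO_RETURN = """
ip route 0.0.0.0 0.0.0.0 10.201.128.21
"""

# With the return route the expert suggested (255.255.224.0 = /19,
# i.e. 172.16.0.0 through 172.16.31.255).
ROUTER_WITH_RETURN = """
ip route 0.0.0.0 0.0.0.0 10.201.128.21
ip route 172.16.0.0 255.255.224.0 172.16.1.1
"""


def parse_static_routes(config_text: str):
    """'ip route NET MASK NEXTHOP [name ...]' -> list of (IPv4Network, next_hop)."""
    routes = []
    for line in config_text.splitlines():
        toks = line.split()
        if toks[:2] == ["ip", "route"] and len(toks) >= 5:
            net = ipaddress.IPv4Network(f"{toks[2]}/{toks[3]}", strict=False)
            routes.append((net, toks[4]))
    return routes


def lookup(config_text: str, dst: str):
    """Most specific (longest prefix) matching route wins, as on IOS.
    Returns the next-hop string, or None when nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, nh in parse_static_routes(config_text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def reply_returns_to_core(router_config: str, inside_host: str,
                          core_ip: str = "172.16.1.1") -> bool:
    """Does the router send a reply addressed to inside_host back toward the
    core switch?  False means it follows the default route out fa0/1 instead."""
    return lookup(router_config, inside_host) == core_ip


def round_trip(core_config: str, router_config: str, inside_host: str, remote: str):
    """(forward hop the core switch picks for `remote`,
        return hop the router picks for `inside_host`) so asymmetry is visible."""
    return lookup(core_config, remote), lookup(router_config, inside_host)


if __name__ == "__main__":
    host, remote = "172.16.14.5", "208.134.161.11"
    print("only default route:", round_trip(CORE_SWITCH, ROUTER_NO_RETURN, host, remote))    # ('172.16.1.36', '10.201.128.21')
    print("with /19 return:   ", round_trip(CORE_SWITCH, ROUTER_WITH_RETURN, host, remote))  # ('172.16.1.36', '172.16.1.1')
    print("Google via core:   ", lookup(CORE_SWITCH, "74.125.73.147"))                      # 172.16.1.10, the PIX
```

With only the default route left on the router, a reply addressed to 172.16.14.5 resolves to 10.201.128.21 and leaves toward the upstream, which matches the symptom described above (the router cannot reach the core switch's VLANs); with the /19 return route it resolves to 172.16.1.1. The same lookup also confirms that the core switch sends 208.134.161.11 to the new router and everything unlisted, Google included, to the PIX at 172.16.1.10.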