static route issue

Hi,

I am trying to ping a public IP from my workstation. The tracert dies at the core switch.

From the core switch (I have a static route to the router), here is what I get:

sw01#traceroute 208.134.161.11

Type escape sequence to abort.
Tracing the route to 208.134.161.11

  1 172.16.1.36 0 msec 0 msec 8 msec
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *

(the 1.36 is my router)

From the router (1.36) I am able to ping the IP:

Router#traceroute 208.134.161.11

Type escape sequence to abort.
Tracing the route to 208.134.161.11

  1 10.201.128.21 0 msec 0 msec 0 msec
  2 133.0.74.93 4 msec 4 msec 5 msec
  3 172.25.85.177 48 msec 48 msec 44 msec
  4 172.24.65.181 44 msec 48 msec 44 msec
  5 172.22.160.69 44 msec 48 msec
    172.22.160.65 44 msec
  6 208.134.161.3 44 msec 44 msec 48 msec


What am I missing??

It seems the ICMP goes from my workstation to the core switch and dies somewhere there or in the router (from what I see, it makes it to the router).

Any ideas ?
Asked by: c_hockland

c_hockland (Author) commented:
Just a thought...
Do I need an access list on the router that permits all traffic coming from the core switch?


Garry Glendown (Consulting and Network/Security Specialist) commented:
Do you have NAT active on the router? Please remember that a device will always use the IP address of the port that the packet exits at, so when you use your router to ping, it will use the internet-facing interface's IP. That of course should work.

c_hockland (Author) commented:
No, I don't have any NAT on the router. Here is the router config:

trafigbloomberg#sh run
Building configuration...

4w6d: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 1127 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
aaa new-model
enable secret 5 $1$CTiV$xCdlSeS3EFuf3xEqDjfve.
!
username root password 0 xxx
clock timezone GMT 0
ip subnet-zero
no ip source-route
!
!
ip domain-name abc.com
ip name-server 172.20.3.21
!
partition flash 2 16 16
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.1.36 255.255.255.0
 ip access-group 10 in
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.201.128.20 255.255.255.0
 no keepalive
 speed 100
 full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.201.128.21
ip route 172.0.0.0 255.0.0.0 172.16.1.1
ip route 172.16.14.1 255.255.255.255 172.16.1.1
no ip http server
!
access-list 10 permit 0.0.0.0
!
line con 0
 exec-timeout 35700 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 35700 0
 logging synchronous
 transport input pad v120 telnet rlogin udptn
line vty 5 15
 exec-timeout 35700 0
 logging synchronous
 transport input pad v120 telnet rlogin udptn
!
end


I think that the router doesn't "know" how to get back to the switch, because I cannot ping the default gateway from the router.
From the gateway, though, I can ping the router.
Garry Glendown (Consulting and Network/Security Specialist) commented:
a) What's the point of using that access list on the internal interface? Assuming you want the permit statement to let everything through, just drop the access statement on the interface ...
b) The router connected to fa0/1 most likely only knows its own /24, so you can't get back ... If you can't change its configuration, NAT will take care of that for you ...

int fa0/0
ip nat inside

int fa0/1
ip nat outside

ip nat inside source list INSIDENAT int fa0/1 overload

ip access-list extended INSIDENAT
permit ip 172.0.0.0 0.255.255.255 any


Please also note that 172/8 is NOT all private IP space ... only 172.16 through 172.31 is for internal use ...

c_hockland (Author) commented:
This is what I have right now:

interface FastEthernet0/0
 ip address 172.16.1.36 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.201.128.20 255.255.255.0
 ip nat outside
 no keepalive
 speed 100
 full-duplex
!
ip nat inside source list INSIDENAT interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.201.128.21
ip route 172.0.0.0 255.0.0.0 172.16.1.1
ip route 172.16.14.1 255.255.255.255 172.16.1.1
no ip http server
!
!
ip access-list extended INSIDENAT
 permit ip 172.0.0.0 0.255.255.255 any
access-list 10 permit 0.0.0.0
!



From the router:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 208.134.161.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/47/49 ms
trafigbloomberg#

I can ping the public IP.

But from my workstation it dies at the core switch.
From the core switch I can ping the router.
From the router I cannot ping the core switch; that's why I think the ICMP reply doesn't know how to get back from the router to the switch and to the workstation.


c_hockland (Author) commented:
Also, on my core switch I have the static routes for this domain:

ip route 0.0.0.0 0.0.0.0 172.16.1.10 name ---->PIX_Internal_Int

ip route 69.184.0.0 255.255.0.0 172.16.1.36
ip route 69.191.192.0 255.255.192.0 172.16.1.36
ip route 160.43.250.0 255.255.255.0 172.16.1.36
ip route 199.105.176.0 255.255.255.0 172.16.1.36
ip route 199.105.184.0 255.255.255.0 172.16.1.36
ip route 205.183.246.0 255.255.255.0 172.16.1.36
ip route 205.216.112.0 255.255.255.0 172.16.1.36
ip route 206.156.53.0 255.255.255.0 172.16.1.36
ip route 208.22.56.0 255.255.255.0 172.16.1.36
ip route 208.22.57.0 255.255.255.0 172.16.1.36
ip route 208.134.161.0 255.255.255.0 172.16.1.36

c_hockland (Author) commented:
OK, latest update.

From the core switch I can ping the router and the remote location:

sw01#ping 172.16.1.36

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.36, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
sw01#ping 208.134.161.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 208.134.161.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 42/50/59 ms

Also, from my workstation I can ping the default GW:
C:\>ping 172.16.14.1

Pinging 172.16.14.1 with 32 bytes of data:

Reply from 172.16.14.1: bytes=32 time=1ms TTL=255
Reply from 172.16.14.1: bytes=32 time=5ms TTL=255
Reply from 172.16.14.1: bytes=32 time=2ms TTL=255
Reply from 172.16.14.1: bytes=32 time=1ms TTL=255

Ping statistics for 172.16.14.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 5ms, Average = 2ms

I cannot ping VLAN 101, where the router is located:

C:\>ping 172.16.1.1

Pinging 172.16.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

I can ping Google, though....
C:\>ping www.google.com

Pinging www.l.google.com [74.125.73.147] with 32 bytes of data:

Reply from 74.125.73.147: bytes=32 time=23ms TTL=55

c_hockland (Author) commented:
I guess I need some kind of rule to allow workstations from VLAN 114 to "talk" to VLAN 101.

Garry Glendown (Consulting and Network/Security Specialist) commented:
Glad you disclosed a bit more about your infrastructure ... you didn't mention you had a firewall there, which can take care of the NAT ...

Everything should work when you change the access list to this:

ip access-list extended INSIDENAT
deny ip 172.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
permit ip 172.0.0.0 0.255.255.255 any


(if all you're using is 172.16/16, you ought to alter that to just the /16 though)

Anyway, I don't quite understand your network topology, so there may be a better way to do this ...

c_hockland (Author) commented:
Hey Gary,

I think I need to remove something here... too many NATs.

!
interface FastEthernet0/0
 ip address 172.16.1.36 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.201.128.20 255.255.255.0
 ip nat outside
 no keepalive
 speed 100
 full-duplex
!
ip nat inside source list INSIDENAT interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.201.128.21
no ip http server
!
!
ip access-list extended INSIDENAT
 permit ip 172.0.0.0 0.255.255.255 any
 deny   ip 172.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
access-list 10 permit 0.0.0.0

Garry Glendown (Consulting and Network/Security Specialist) commented:
You need to switch the sequence of the NAT access list ...

Simplest way, "no ip access-list extended INSIDENAT", then add it again in the correct sequence ...

Garry Glendown (Consulting and Network/Security Specialist) commented:
Oh, and you may be missing routes to the inside networks ... you had the 172/8 route in earlier ...

c_hockland (Author) commented:
Hi Gary,

Thanks so much for your help. I think the issue is that the workstation is on VLAN 114 and the router is on VLAN 101, because from the workstation I cannot ping the new router on VLAN 101.
I can access the internet through my main router.

See what I mean:

C:\>tracert 74.125.73.147

Tracing route to tul01m01-in-f147.1e100.net [74.125.73.147]
over a maximum of 30 hops:

  1     3 ms     3 ms     3 ms  10.100.9.1
  2     8 ms     3 ms     3 ms  64.128.27.97
  3    84 ms    61 ms    13 ms  216-110-27-181.static.twtelecom.net [216.110.27.181]
  4    17 ms    75 ms    15 ms  dal2-pr2-xe-2-2-0-0.us.twtelecom.net [66.192.241.78]
  5    21 ms    16 ms    34 ms  72.14.233.65
  6    17 ms    29 ms    19 ms  72.14.237.219
  7    47 ms    42 ms    62 ms  209.85.243.178
  8    24 ms    31 ms    29 ms  216.239.46.39
  9    86 ms    37 ms    43 ms  72.14.232.57
 10    30 ms    27 ms    28 ms  tul01m01-in-f147.1e100.net [74.125.73.147]

Trace complete.

C:\>tracert 208.134.161.11   (this is the remote domain; it should go through 172.16.1.36, the internal interface of the new router)
Tracing route to 208.134.161.11 over a maximum of 30 hops

  1     3 ms     3 ms     3 ms  10.100.9.1
  2     8 ms     3 ms     3 ms  64.128.27.97
  3    23 ms     9 ms    27 ms  216-110-27-181.static.twtelecom.net [216.110.27.181]
  4    31 ms


Garry Glendown (Consulting and Network/Security Specialist) commented:
Do you have the core switch configured for inter-vlan-routing?

Garry Glendown (Consulting and Network/Security Specialist) commented:
Maybe you could add some drawing of the network structure with all involved components and connections, IP addresses etc.?

c_hockland (Author) commented:
Can I add a rule that allows a certain VLAN to access the new router?
Maybe just for VLAN 114 to VLAN 101?

Garry Glendown (Consulting and Network/Security Specialist) commented:
What are the IPs on the core switch for those VLANs? The route would need to be on there ...

c_hockland (Author) commented:
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  up                    up      
Vlan2                  192.168.205.1   YES NVRAM  down                  down    
Vlan69                 1.1.1.1         YES NVRAM  up                    up      
Vlan101                172.16.1.1      YES NVRAM  up                    up      
Vlan102                172.16.2.1      YES NVRAM  up                    up      
Vlan103                172.16.3.1      YES NVRAM  up                    up      
Vlan104                172.16.4.1      YES NVRAM  up                    up      
Vlan105                172.16.5.1      YES NVRAM  up                    up      
Vlan106                172.16.6.1      YES NVRAM  up                    up      
Vlan107                172.16.7.1      YES NVRAM  up                    up      
Vlan108                172.16.8.1      YES NVRAM  up                    up      
Vlan109                172.16.9.1      YES NVRAM  up                    up      
Vlan110                172.16.10.1     YES NVRAM  up                    up      
Vlan111                172.16.11.1     YES NVRAM  up                    up      
Vlan112                172.16.12.1     YES NVRAM  up                    up      
Vlan113                172.16.13.1     YES NVRAM  down                  down    
Vlan114                172.16.14.1     YES NVRAM  up                    up      
Vlan115                172.16.15.1     YES NVRAM  up                    up      
Vlan121                172.16.21.1     YES manual up                    up  

c_hockland (Author) commented:
My workstation is on VLAN 114; the router is on VLAN 101.

Maybe if I create a static route on VLAN 101 to allow all traffic from 114, that would do it?

Garry Glendown (Consulting and Network/Security Specialist) commented:
Does the core switch have a default route towards the router at 172.16.1.36?
Also, the router needs the return route, e.g.

ip route 172.16.0.0 255.255.224.0 172.16.1.1
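Two things in this thread are easy to get wrong by eye: which route a router picks for the reply to a workstation once the 172/8 route is gone (the return-route point just above), and which entry of the INSIDENAT access list a packet hits first when the permit is listed before the deny (the "switch the sequence" comment earlier). The following Python model is an added example, not configuration or code from the thread or from Cisco; it reimplements longest-prefix route lookup, IOS wildcard-mask matching and first-match ACL evaluation, then runs the core switch's posted static routes, the router's posted table and both orderings of INSIDENAT through them. Addresses are the ones posted in the thread; the workstation address 172.16.14.50 is a constructed sample host on VLAN 114.

```python
"""Model of the posted router/core-switch routes and NAT ACL (added example)."""
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over (network, mask, next_hop) tuples, the way
    'ip classless' forwarding picks a route. Returns the next hop or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, mask, next_hop in routes:
        network = ipaddress.IPv4Network(f"{net}/{mask}")
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, next_hop)
    return None if best is None else best[1]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask test: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


ANY = ("0.0.0.0", "255.255.255.255")


def acl_decision(acl, src, dst):
    """First matching entry wins, with the implicit deny that ends every IOS
    access list. Entries are (action, src, src_wildcard, dst, dst_wildcard)."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


# Router forwarding table as posted after the 172/8 route was removed:
# the two connected /24s plus the default route towards 10.201.128.21.
ROUTER_ROUTES = [
    ("172.16.1.0", "255.255.255.0", "connected FastEthernet0/0"),
    ("10.201.128.0", "255.255.255.0", "connected FastEthernet0/1"),
    ("0.0.0.0", "0.0.0.0", "10.201.128.21"),
]
# Return route suggested in the thread: 172.16.0.0/19 back via the core switch.
RETURN_ROUTE = ("172.16.0.0", "255.255.224.0", "172.16.1.1")

# Core switch static routes as posted (subset): default to the PIX,
# the transaction provider's networks via the second router.
CORE_SWITCH_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "172.16.1.10"),
    ("208.134.161.0", "255.255.255.0", "172.16.1.36"),
    ("69.184.0.0", "255.255.0.0", "172.16.1.36"),
]

INSIDENAT_AS_POSTED = [  # permit first: the deny below it can never match
    ("permit", "172.0.0.0", "0.255.255.255", *ANY),
    ("deny", "172.0.0.0", "0.255.255.255", "172.0.0.0", "0.255.255.255"),
]
INSIDENAT_CORRECTED = [  # deny internal-to-internal first, then permit
    ("deny", "172.0.0.0", "0.255.255.255", "172.0.0.0", "0.255.255.255"),
    ("permit", "172.0.0.0", "0.255.255.255", *ANY),
]
# 'access-list 10 permit 0.0.0.0': a standard ACL entry with no wildcard
# means host 0.0.0.0, so applied inbound on fa0/0 it matches no real source.
ACL_10 = [("permit", "0.0.0.0", "0.0.0.0", *ANY)]

WORKSTATION = "172.16.14.50"  # constructed sample host on VLAN 114
REMOTE = "208.134.161.11"


def return_hop(extra_route=None):
    """Next hop the router uses for an ICMP reply back to the workstation.
    Without a 172.16/19 route the default route wins and the reply leaves
    towards the upstream router, which does not know VLAN 114."""
    routes = ROUTER_ROUTES + ([extra_route] if extra_route else [])
    return lookup(routes, WORKSTATION)


if __name__ == "__main__":
    print("core switch ->", REMOTE, "via", lookup(CORE_SWITCH_ROUTES, REMOTE))
    print("core switch -> 74.125.73.147 via", lookup(CORE_SWITCH_ROUTES, "74.125.73.147"))
    print("router reply to workstation, no 172.16 route:", return_hop())
    print("router reply to workstation, with /19 route:", return_hop(RETURN_ROUTE))
    for name, acl in (("as posted", INSIDENAT_AS_POSTED), ("corrected", INSIDENAT_CORRECTED)):
        print(f"INSIDENAT {name}: internal->internal {acl_decision(acl, WORKSTATION, '172.16.1.1')},"
              f" internal->remote {acl_decision(acl, WORKSTATION, REMOTE)}")
    print("access-list 10 on workstation traffic:", acl_decision(ACL_10, WORKSTATION, REMOTE))
```

Running it shows the two failure modes side by side: with only the default route the reply to 172.16.14.50 is sent to 10.201.128.21 instead of 172.16.1.1, and with the permit listed first the as-posted INSIDENAT translates workstation-to-core-switch traffic as well, which the corrected ordering excludes while still translating traffic to 208.134.161.11.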

c_hockland (Author) commented:
The return route has been added back.

The default route is:
ip route 0.0.0.0 0.0.0.0 172.16.1.10 name ---->PIX_Internal_Int


Garry Glendown (Consulting and Network/Security Specialist) commented:
So what device is actually going to the internet - the router, or the PIX?

c_hockland (Author) commented:
So I have the core switch and my router.

Then I added this router that connects with the ABC company's router, and this provides an electronic transaction software just for the users in VLAN 114.

So this is why I have these static routes. If they need to access this domain they will do so via the second router.

For everything else (no, there is no MasterCard), they will access via the default route.

c_hockland (Author) commented:
Or... can I add an access list on VLAN 101 to allow all traffic from VLAN 114?

Garry Glendown (Consulting and Network/Security Specialist) commented:
OK, so the Cisco router is only there for the destinations you have configured with the static routes above, PIX is for Internet.

If this is so, put all those static routes on the Cisco router, with the gateway 10.201.128.21, and the default route back towards the core switch ...