Routing Issue

I have an issue where I can ping one way successfully, but not the other way.


My RT1 has an IP of g0/0 - 10.1.2.2
                    g0/1 - 10.1.1.30


g0/0 interfaces to 10.1.2.1 which is a Verizon provided Adtran router

Both of these devices are on a Cisco switch


My RT2 has an IP of g0/0 - 10.1.3.2


RT2 can ping successfully RT1 g0/0, but not g0/1, but can ping devices on 10.1.1.xxx

RT1 can successfully ping my entire network.

I am confused on why I can ping everything but my 10.1.1.30. ACL's look good.

Any help is appreciated. I just may have been looking at this too long and might be missing something that is obvious. Thanks.
dassr23Asked:
Fred MarshallPrincipalCommented:
Well, one might *assume* that all the subnets are 255.255.255.0 or /24 but that would only be an assumption.  It matters.  So, what are they all?

You have "routers" that have in the case of Router 2, only one IP address.  That's odd.
What have you not told us?

Why would one expect one subnet to be able to ping another without routes, etc?

What magic is the switch providing?
0
AkinsdNetwork AdministratorCommented:
What's the gateway of the devices on 10.1.1.x?
0
dassr23Author Commented:
Yes all are 255.255.255.0 /24

It is a private IP network built by Verizon, but we closed one of the five sites, now down to four and that is when the routing issue happened. Basically the site that was hosting the 10.1.1.xxx network is now in the same building as the 10.1.2.xxx network. Hence, why they are on a switch.

My 10.1.3.xxx, 10.1.4.xxx, 10.1.5.xxx are the other subnets in the Private cloud. I have a Cisco 2821 on the end of the 10.1.1.xxx network and the 10.1.3.xxx network that serve as my internet points.

10.1.1.30 is the GW on Cisco RT1.

I added 10.1.2.2 to the g0/0 interface on RT1 because that enabled me to talk to the rest of the network via 10.1.2.1 (Adtran). It’s the clients/servers that are not talking
0
Fred MarshallPrincipalCommented:
I think I'm beginning to understand but not quite there yet.
The sites are connected with a Verizon-provided MPLS-type network that basically looks like a switch with each of the sites connected to it.  Right?

When you brought 10.1.1.0/24 subnet into the same building with the 10.2.2.0/24 subnet you lost one of the Verizon site ports so you added a switch.  A simple switch connected like this would seem to do the trick:
10.1.1.0/24< >|                                          | <>10.1.3.0/24
                        |  Switch <> Verizon MPLS |<>10.1.4.0/24
10.1.2.0/24< >|                                            |<>10.1.5.0/24

Whatever you are using to route between the site subnets should remain to support routing between 10.1.1.0/24 and 10.1.2.0/24.  It seems that perhaps you've lost that.  I doubt that Verizon was providing this but maybe so.

So, I'm a little confused as to just what you have.  I have a similar setup that has a "main site" with an intersite router and an internet gateway router.  All the other sites have an intersite router that also serves as their internet gateway via the main site.

Each intersite router provides NAT to an "interim LAN" which only serves to connect all the intersite router "outside" ports together via the MPLS.
Each intersite router has routes to the site LANs pointing to their respective intersite router's "outside" port addresses on the interim LAN.
Like this:

192.168.1.0 Main site LAN
192.168.1.100 Main site intersite router LAN address
192.168.200.201 Main site intersite router WAN address to MPLS
Route to 192.168.2.0 to 192.168.200.202
Gateway address on the LAN side of 192.168.1.1
[Doing this with simple routers like an RV042 and using NAT requires that the WAN side be on the LAN and the LAN side be on the interim LAN "outside" connection.]

192.168.2.0 2nd site LAN
192.168.2.100 2nd site intersite router LAN address
192.168.200.202 2nd site intersite router WAN address to MPLS
Route to 192.168.1.0 to 192.168.200.201
Route to 0.0.0.0 to 192.168.200.201

Then, in addition, the main site gateway 192.168.1.1
has a route to each site subnet:
192.168.2.0/24 to 192.168.1.100
etc.
This is needed so that any return packets which hit the gateway first will be directed to the right place.  Incoming packets don't have this hop.

I'm not sure if this description is at all helpful to you but it's one way to make the intersite connectivity work and I'm hoping that you might glean some insight from it in dealing with your own situation.
0
Ricardo MartínezInformation SecurityCommented:
Have you configured some routing protocol? Or is all static? Can you place the route table of the Cisco 2821 (the 10.1.1.x gateway)?
0
dassr23Author Commented:
The Private IP (Verizon Adtran) routers are using BGP. My Cisco routers are static.



Gateway of last resort is 63.125.125.221 to network 0.0.0.0

     172.31.0.0/25 is subnetted, 1 subnets
S       172.31.139.0 [1/0] via 10.1.2.1
     10.0.0.0/24 is subnetted, 5 subnets
S       10.1.3.0 [1/0] via 10.1.2.1
C       10.1.2.0 is directly connected, GigabitEthernet0/0
C       10.1.1.0 is directly connected, GigabitEthernet0/1
S       10.1.5.0 [1/0] via 10.1.2.1
S       10.1.4.0 [1/0] via 10.1.2.1
     208.250.50.0/29 is subnetted, 1 subnets
S       208.250.50.168 [1/0] via 10.1.2.1
     63.0.0.0/30 is subnetted, 1 subnets
C       63.125.125.220 is directly connected, MFR1.500
S*   0.0.0.0/0 [1/0] via 63.125.125.221
0
Craig BeckCommented:
So are Verizon routing to 10.1.1.0 via 10.1.2.2?
0
AkinsdNetwork AdministratorCommented:
add a static route pointing 10.1.1.0 through 10.1.2.1
0
dassr23Author Commented:
static route does not work.

If I try to route 10.1.1.0 traffic via 10.1.2.2 I get the error:

%Invalid next hop address (it's this router)
0
AkinsdNetwork AdministratorCommented:
your next hop address is the address on the next router you are connected to.
10.1.2.2 is the interface on your router.

Your next hop address is 10.1.2.1
0
Craig BeckCommented:
Verizon need to do this - not you.

If your router has 10.1.1.0 on Gi0/1 and 10.1.2.2 on the Gi0/0 interface (which points to Verizon's cloud) you need Verizon to route to 10.1.1.0/24 via 10.1.2.2.

As you're not advertising your routes to Verizon you need to tell them where your subnets are, and how to get to them.
0
AkinsdNetwork AdministratorCommented:
That is flat wrong.

You cannot route to your own local interface

The static route is on the local router.
Is it Verizon that manages the router?

Why would Verizon manage local router

You always route to next hop
Please revise your routing technology
0
dassr23Author Commented:
Verizon manages the 10.1.2.1.

So I need to call them and tell them to add a static route to route to 10.1.1.0/24 via 10.1.2.2?
0
AkinsdNetwork AdministratorCommented:
No
Your static route needs to point to 10.1.2.1, NOT 10.1.2.2


ip route 10.1.1.0 255.255.255.0 10.1.2.1
0
dassr23Author Commented:
I had that route in there before. Just added it back, but only the router can ping across the network, not the clients. Clients can still only access anything on 10.1.1.xxx
0
AkinsdNetwork AdministratorCommented:
Route is a 2-way street.

That's why I asked earlier what the gateway is on the computers on the 10.1.1.0 network

If their gateway is 10.1.2.1, then verizon is blocking icmp traffic to your router.

The static route to 10.1.2.1 is not needed then if your router is not the gateway for the clients.

Try a traceroute from your router and see where it dies
0
dassr23Author Commented:
Sorry, I missed that. The client gateway is 10.1.1.30 which is g0/1 on my Cisco 2821.
0
Craig BeckCommented:
@Akinsd - explain?  I think you misunderstand.

The OP's local router has:

C       10.1.2.0 is directly connected, GigabitEthernet0/0
C       10.1.1.0 is directly connected, GigabitEthernet0/1

Therefore why would you route to 10.1.1.0 via 10.1.2.1?  It's local to that router.  There doesn't need to be a static route via 10.1.2.1.  That would be wrong anyway as you get to 10.1.1.0/24 via 10.1.2.2 (the local Gi0/0 interface).

If you picked up one subnet and moved it to a different site routed via Verizon, you MUST tell Verizon how to get to the subnet via the other router.  If that bit is already done and you just can't ping the interface of the router (like the OP says) try doing a trace to a remote site using 10.1.1.30 as the source address and see which way it goes.
0
Craig BeckCommented:
That's why I asked earlier what the gateway is on the computers on the 10.1.1.0 network

If their gateway is 10.1.2.1, then verizon is blocking icmp traffic to your router.
Am I missing something here??  Clients on the 10.1.1.0/24 network CAN'T use 10.1.2.1 as their gateway!!
0
Fred MarshallPrincipalCommented:
This is all very confusing because there is no clear diagram.  Something like this:
10.1.1.0/24< >|                                          | <>10.1.3.0/24
                        |  Switch <> Verizon MPLS |<>10.1.4.0/24
10.1.2.0/24< >|                                            |<>10.1.5.0/24

I don't understand:
Verizon manages the 10.1.2.1
This needs to show up in the diagram in some fashion.
I don't understand if you are using switches as routers with VLANs and/or.... ?
I do understand that each site has a "Verizon Adtran Router" but I'm not sure how they are addressed, etc.  Maybe something like this:
 
10.1.1.0/24< >|                                                  | <>Verizon Adtran<>10.1.3.0/24
                        |  Switch <> Verizon Adtran<>|<>Verizon Adtran<>10.1.4.0/24
10.1.2.0/24< >|                                                  |<>Verizon Adtran<>10.1.5.0/24

This seems close to what you've described.  Please cut and paste at will to correct this.
One question would be: what are the Adtran "outside" IP addresses?
Are the Adtran routers also internet gateways or is that separate?  At the main site or at all sites?

Perhaps no matter, as I understand the issue, everything works except routing between 10.1.1.0 and 10.1.2.0 at the same site, right?  I think that BGP and Access Lists only confuse the issue and have nothing to do with fundamental routing.  Let's try to keep it simple and direct if possible.
0
dassr23Author Commented:
I put this together real quickly. You are correct, 10.1.1.0 and 10.1.2.0 are not talking to each other in the same site.

To add, from the .1 network I can ping devices that are not behind the Verizon Adtran router that are on .2 and they are on the same switch as the Adtran.
Drawing1.jpg
0
Fred MarshallPrincipalCommented:
Are the circles the Adtran routers then?  
And the little rectangular box a simple switch (i.e. no VLANs or routing?)?

I don't yet understand the problem site topology.  But, in the interest of time and help, I'll make some assumptions.

The device with 10.1.1.30 is an Adtran router or some other.  It has NAT enabled to go between 10.1.1.0 and 10.1.2.0.  with 10.1.1.0/24 on the "inside" perhaps LAN side.  It has 10.1.2.2 on the "outside" perhaps WAN side.  Yes?
Well, I'm not sure that NAT has to be enabled.  It could still work as a plain router with different subnets on each port.

I glean from your descriptions that Rt2 is the one at 10.1.3.0.  Yes?
And that Rt1 is the one connected to both 10.1.1.0 and 10.1.2.0.  Yes?
You can't ping from anywhere on the network to 10.1.1.0/24 subnet.

OK.  Well, that all makes sense.
None of the routers on the network know about 10.1.1.0.
In order for packets destined for 10.1.1.0, there have to be routes to get the packets to the router at Site 1 that has address 10.1.2.1.

The routes at the other routers would look like:
10.1.1.0/24 next hop 10.1.2.1. <<<<<<<<<<<<<<<<<<<<<<<<<<<<

Then, in that target router there will have to be a route:
10.1.1.0/24 next hop 10.1.2.2.  <<<<<<<<<<<<<<<<<<<<<<<<<<<

Presumably the router at 10.1.1.0 has a default route
0.0.0.0 next hop 10.1.2.1 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
This may be inherent in how it's set up if the port with 10.1.2.2 is a WAN port on a commodity router.

Then, at 10.2.3.0 there are internet ports / gateways.
This one may be unique in that the gateway and the intersite ports are different i.e. with different IP addresses.  If it's all in the same device then it may not be an issue.
But, if different devices then the gateway device needs to have routes to all the other subnets with next hop being the device with 10.1.3.??? (you didn't say). going to the intersite connections.
This route is needed because:
Packets originating at one site and destined for the 10.1.3.0 subnet will get there without going through the gateway.
But, packets returning / responding will naturally go to the gateway as the default route.
So, from there, there has to be a route to the intersite router on the same local subnet.
0
dassr23Author Commented:
From what I am getting from this I really don't even need the 10.1.2.2. I need Verizon to create the routes on the Adtrans in order to advertise the 10.1.1.0 network?

10.1.2.2 is not a WAN port. The traffic is NAT'd behind the 10.1.1.30. I only created the 10.1.2.2 interface because it was the only way I could get pings to work when I was testing, but it's only working one way out, not in.
0
Fred MarshallPrincipalCommented:
Well, it's very hard to tell which boxes or diagram figures are ADTRAN boxes and why you don't need 10.1.2.2.  It looks like we're both confused.

It appears that everything works except the hosts on 10.1.1.0.  Isn't that right?
So the question is, how to fix that?
First we need to know what is connected to what and how at that site.  Still most unclear.

It might look like this:

ADTRAN router (under Verizon control).
  10.1.2.1 on 10.1.2.0/24 and connected to other sites via Verizon.  Yes?
(When I say Yes?, I'd appreciate verification).
This interface is visible on the local LAN and the "other side" for you is immaterial it appears as Verizon controls all that MPLS or whatever stuff.
This then implies the entirety of subnet 10.1.2.0/24.

SUBNET 10.1.1.0/24 is still there
  It appears the question is, how to connect it.

Here are some ways:
1) Verizon could add routes
2) You could NAT behind the 10.1.2.1 router to get to 10.1.1.0.
in the latter case, any packets originating from 10.1.1.0 would be proxied into 10.1.2.0 with port numbers.  But, I see no nice way for 10.1.1.0 to be reached from the other sites if that's the case.
0
Craig BeckCommented:
I think you need to tell us what interfaces connect to what, and what IP addresses are on each interface.  That will help us understand where the traffic is going.
0
dassr23Author Commented:
ADTRAN router (under Verizon control).
  10.1.2.1 on 10.1.2.0/24 and connected to other sites via Verizon.  Yes?
(When I say Yes?, I'd appreciate verification).
This interface is visible on the local LAN and the "other side" for you is immaterial it appears as Verizon controls all that MPLS or whatever stuff.
This then implies the entirety of subnet 10.1.2.0/24.

The above is correct @ fmarshall

@ craigbeck -

Cisco 2821 g0/1 (10.1.1.30 my gateway) is connected to the same Cisco switch as the Verizon ADTRAN router ETH0/1 which is 10.1.2.1
0
AkinsdNetwork AdministratorCommented:
The 10.1.2.1 was a typo

I couldn't read through everything above. So pardon me if there's repetition.

Based on your diagram. I will assume that you have a switch connected to Gi0/1 and your devices are hooked to that.


RT2 10.1.3.2 can ping successfully RT1 g0/0, 10.1.2.2 but not g0/1 10.1.1.30, but can ping devices on 10.1.1.xxx

RT1 can successfully ping my entire network.

I am confused on why I can ping everything but my 10.1.1.30. ACL's look good.

Here is your answer
MPLS works like frame relay but a lot better and faster.
Same concept.
 MPLS uses Tags to identify next hop.
The MPLS delivers 10.1.1.0 traffic  to 10.1.2.2 via 10.1.2.1
Your router1 handles everything else from that point.

Try these 2 commands from RT1
ping 10.1.1.30 source 10.1.2.2

ping 10.1.1.30 source 10.1.1.30

Then from any workstation inside the 10.1.1.0, try pinging 10.1.1.30

The results from the above tests will narrow everything down.

On a side note. I think your network is fully converged (All routes seem to be in place from your outputs so far), so don't focus hard on routes.
0
dassr23Author Commented:
@ Akinsd

ALL pings you recommended were successful, but still cannot ping 10.1.2.1 or any next hop after that from a client, but my RT1 can...

I also did these:

ping 10.1.2.1 source 10.1.2.2 (g0/0) - Successful

ping 10.1.2.1 source 10.1.1.30 (g0/1) - unsuccessful
0
Craig BeckCommented:
10.1.2.2 is not a WAN port. the traffic is NAT'd behind the 10.1.1.30. I only created the 10.1.2.2 interface because it was the only way I could get pings to work when I was testing, but its only working one way out, not in.

You won't be able to ping 10.1.2.1 from outside networks if you're NAT'ing.
0
AkinsdNetwork AdministratorCommented:
I am confused on why I can ping everything but my 10.1.1.30. ACL's look good.


That is a different story from your initial statement quoted above.

Run the following commands on RT1
show access-list
show run | in nat
show ip nat translations



Also try this
traceroute ip 10.1.2.1 source 10.1.1.30
traceroute mpls ipv4 10.1.1.0 255.255.255.0 source 10.1.1.30 destination 10.1.2.1

The MPLS traceroute may not produce much since your 10.1.1.30 interface is not tagged by the ISP
0
dassr23Author Commented:
The sho ip nat translations list was pretty large. Did you want something specific from that cmd? Here is the rest:

Standard IP access list 1
    10 permit 10.1.1.0, wildcard bits 0.0.0.255 (1706076 matches)
    20 permit 10.1.2.0, wildcard bits 0.0.0.255 (174 matches)
    30 permit 10.1.3.0, wildcard bits 0.0.0.255 (9 matches)
    40 permit 10.1.4.0, wildcard bits 0.0.0.255
    50 permit 10.1.5.0, wildcard bits 0.0.0.255 (6 matches)
    60 permit 172.31.139.0, wildcard bits 0.0.0.255
    70 permit 152.179.79.0, wildcard bits 0.0.0.255 (1 match)
Extended IP access list 101
    10 permit udp any host 10.1.1.30 eq non500-isakmp
    20 permit udp any host 10.1.1.30 eq isakmp
    30 permit esp any host 10.1.1.30
    40 permit ahp any host 10.1.1.30
    41 permit udp any host 10.1.2.2 eq non500-isakmp
    42 permit udp any host 10.1.2.2 eq isakmp
    43 permit esp any host 10.1.2.2
    44 permit ahp any host 10.1.2.2
    50 deny ip host 255.255.255.255 any
    60 deny ip 127.0.0.0 0.255.255.255 any
    70 permit ip any any (76704404 matches)
Extended IP access list 102
    10 permit udp any host 63.xxx.xxx.xxx eq non500-isakmp (7 matches)
    20 permit gre any any
    30 permit tcp any host 63.xxx.xxx.xxx eq 22 (220713 matches)
    40 permit tcp any host 63.xxx.xxx.xxx eq ftp (1750 matches)
    50 permit tcp any host 63.xxx.xxx.xxx range 50000 50020 (1099 matches)
    60 permit udp any host 63.xxx.xxx.xxx eq isakmp (16 matches)
    70 permit esp any host 63.xxx.xxx.xxx
    80 permit ahp any host 63.xxx.xxx.xxx
    90 permit udp any any eq domain (4961 matches)
    100 permit udp any eq domain any (224 matches)
    110 permit tcp any host 63.xxx.xxx.xxx eq 1723 (26 matches)
    120 permit tcp any host 63.xxx.xxx.xxx eq smtp (2162453 matches)
    130 permit tcp any host 208.xxx.xxx.xxx eq 636
    140 permit tcp any host 208.xxx.xxx.xxx eq 389 (27310 matches)
    150 permit udp any host 208.xxx.xxx.xxx eq 389 (7937 matches)
    160 permit tcp any host 63.xxx.xxx.xxx eq 443 (19895137 matches)
    170 permit udp any host 63.xxx.xxx.xxx eq 443 (26 matches)
    180 permit tcp any host 208.xxx.xxx.xxx eq 443 (393948 matches)
    190 permit udp any host 208.xxx.xxx.xxx eq 443
    200 permit tcp any host 63.xxx.xxx.xxx eq www (22826 matches)
    210 permit tcp any host 63.xxx.xxx.xxx eq 8080 (32 matches)
    220 permit tcp any host 63.xxx.xxx.xxx eq 18082 (3208232 matches)
    230 permit tcp any host 63.xxx.xxx.xxx eq 8123 (1187498 matches)
    240 permit udp any host 63.xxx.xxx.xxx eq 18082
    250 permit udp any host 63.xxx.xxx.xxx eq 8132
    260 permit tcp any host 208.xxx.xxx.xxx eq www (2767491 matches)
    270 permit tcp 12.15.30.0 0.0.0.255 host 63.xxx.xxx.xxx eq www
    280 permit udp host 4.2.2.2 eq domain any
    290 permit icmp any host 63.xxx.xxx.xxx echo-reply (176 matches)
    300 permit icmp any host 63.xxx.xxx.xxx time-exceeded (528 matches)
    310 permit icmp any host 63.xxx.xxx.xxx unreachable (15654 matches)
    320 permit ip any 63.125.125.216 0.0.0.7 (1002595 matches)
    330 deny ip 10.0.0.0 0.255.255.255 any (3506 matches)
    340 deny ip 172.16.0.0 0.15.255.255 any
    350 deny ip 192.168.0.0 0.0.255.255 any (8 matches)
    360 deny ip 127.0.0.0 0.255.255.255 any
    370 deny ip host 255.255.255.255 any
    380 deny ip host 0.0.0.0 any
    390 deny ip any any log (343433 matches)


 ip nat outside
 ip nat inside
ip nat inside source list 1 interface MFR1.500 overload
ip nat inside source static tcp 10.1.1.4 21 63.xxx.xxx.xxx 21 extendable
ip nat inside source static tcp 10.1.1.2 25 63.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 10.1.1.1 389 63.xxx.xxx.xxx 389 extendable
ip nat inside source static udp 10.1.1.1 389 63.xxx.xxx.xxx 389 extendable
ip nat inside source static tcp 10.1.1.2 443 63.xxx.xxx.xxx 443 extendable
ip nat inside source static tcp 10.1.1.1 636 63.xxx.xxx.xxx 636 extendable
ip nat inside source static udp 10.1.1.1 636 63.xxx.xxx.xxx 636 extendable
ip nat inside source static tcp 10.1.1.3 3006 63.xxx.xxx.xxx 3006 extendable
ip nat inside source static tcp 10.1.1.3 8080 63.xxx.xxx.xxx 8080 extendable
ip nat inside source static tcp 10.1.1.1 8123 63.xxx.xxx.xxx 8123 extendable
ip nat inside source static tcp 10.1.1.1 18082 63.xxx.xxx.xxx 18082 extendable
ip nat inside source static tcp 10.1.1.4 50000 63.xxx.xxx.xxx 50000 extendable
ip nat inside source static tcp 10.1.1.4 50001 63.xxx.xxx.xxx 50001 extendable
ip nat inside source static tcp 10.1.1.4 50002 63.xxx.xxx.xxx 50002 extendable
ip nat inside source static tcp 10.1.1.4 50003 63.xxx.xxx.xxx 50003 extendable
ip nat inside source static tcp 10.1.1.4 50004 63.xxx.xxx.xxx 50004 extendable
ip nat inside source static tcp 10.1.1.4 50005 63.xxx.xxx.xxx 50005 extendable
ip nat inside source static tcp 10.1.1.4 50006 63.xxx.xxx.xxx 50006 extendable
ip nat inside source static tcp 10.1.1.4 50007 63.xxx.xxx.xxx 50007 extendable
ip nat inside source static tcp 10.1.1.4 50008 63.xxx.xxx.xxx 50008 extendable
ip nat inside source static tcp 10.1.1.4 50009 63.xxx.xxx.xxx 50009 extendable
ip nat inside source static tcp 10.1.1.4 50010 63.xxx.xxx.xxx 50010 extendable
ip nat inside source static tcp 10.1.1.4 50011 63.xxx.xxx.xxx 50011 extendable
ip nat inside source static tcp 10.1.1.4 50012 63.xxx.xxx.xxx 50012 extendable
ip nat inside source static tcp 10.1.1.4 50013 63.xxx.xxx.xxx 50013 extendable
ip nat inside source static tcp 10.1.1.4 50014 63.xxx.xxx.xxx 50014 extendable
ip nat inside source static tcp 10.1.1.4 50015 63.xxx.xxx.xxx 50015 extendable
ip nat inside source static tcp 10.1.1.4 50016 63.xxx.xxx.xxx 50016 extendable
ip nat inside source static tcp 10.1.1.4 50017 63.xxx.xxx.xxx 50017 extendable
ip nat inside source static tcp 10.1.1.4 50018 63.xxx.xxx.xxx 50018 extendable
ip nat inside source static tcp 10.1.1.4 50019 63.xxx.xxx.xxx 50019 extendable
ip nat inside source static tcp 10.1.1.4 50020 63.xxx.xxx.xxx 50020 extendable
ip nat inside source static tcp 10.1.1.3 80 208.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 10.1.1.3 443 208.xxx.xxx.xxx 443 extendable

0
Craig BeckCommented:
We need to see configs from all your routers and we need a topology diagram which details which interfaces are used to connect it all together.
0
dassr23Author Commented:
I do not have access to the Adtran routers. Please see the diagram for a better overview.

I only control the cisco routers.
diagram.jpg
0
Craig BeckCommented:
Ok so top-left corner...

The ADTRAN router has two interfaces, seemingly 10.1.2.1 on one interface and 10.1.2.2 on the other interface????
0
dassr23Author Commented:
NO the cisco has two interfaces. G0/1 is 10.1.1.30 and g0/0 is 10.1.2.2.

The adtran only has 10.1.2.1

Initially g0/0 wasn't configured. When I did configure it with 10.1.2.2, I was then able to ping to the 10.1.1.0 from all my other sites, but 10.1.1.0 clients cannot ping anyone else on the network, only the router can.

I guess if there is a way to get the 10.1.1.0 to talk to 10.1.2.1 I may not even need the 10.1.2.2 interface??
0
Craig BeckCommented:
So how is the ADTRAN doing any routing?
0
dassr23Author Commented:
The rest of the network can talk to the ADTRAN that is on the .2.xxx. and its running BGP. Tried to configure BGP on the Cisco but it told me my IOS didn't support it.
0
Craig BeckCommented:
But that still doesn't explain how you have two interfaces on the ADTRAN but only one IP address??  That doesn't make any sense.
0
dassr23Author Commented:
NO the Cisco has two interfaces. g0/1 is 10.1.1.30 and g0/0 is 10.1.2.2.

The adtran only has 10.1.2.1
0
Craig BeckCommented:
I understand what you're saying.  You're not making any sense here though.

So let's make it simpler - Is the 10.1.2.1 address of the ADTRAN facing your Cisco router or facing the MPLS??

Basically your ADTRAN needs an IP address facing the MPLS and an IP address facing your Cisco router.  If the ADTRAN has 10.1.2.1 on the interface connecting to your Cisco router, the router needs 10.1.2.2 on its interface and it needs a static default route pointing to 10.1.2.1.

Then, the ADTRAN box needs to route to 10.1.1.0 via 10.1.2.2.  This will then be redistributed via BGP to the other ADTRAN boxes at your other sites.

That's it... nothing more is needed.

If you go to one of your other sites, what does a traceroute to 10.1.1.30 look like??
0
dassr23Author Commented:
The 10.1.2.1 address of the ADTRAN is facing the MPLS.

So I need Verizon to go in and route 10.1.1.0 via 10.1.2.2?

My static route should be ip route 10.1.1.0 255.255.255.0 10.1.2.1 ?
0
Craig BeckCommented:
No if the 10.1.2.1 address faces the MPLS that's not right.

Can you trace from the Cisco router to 10.1.3.2 and post the output?
0
dassr23Author Commented:
Type escape sequence to abort.
Tracing the route to 10.1.3.2

  1 10.1.2.1 0 msec 4 msec 0 msec
  2 68.138.36.225 8 msec 8 msec 8 msec
  3 152.187.190.201 20 msec 16 msec 16 msec
  4 152.192.57.58 12 msec 12 msec 12 msec
  5 10.1.3.2 12 msec *  12 msec
0
Craig BeckCommented:
Ok, and how about the other way, from 10.1.3.2 to 10.1.1.30?
0
dassr23Author Commented:
Looks like it's bouncing back and forth between the Adtran (.1) and Cisco (.2)


Type escape sequence to abort.
Tracing the route to 10.1.1.30

  1 10.1.3.1 0 msec 0 msec *
  2 10.1.3.2 0 msec 0 msec 0 msec
  3  *  *
    10.1.3.1 0 msec
  4 10.1.3.2 0 msec 0 msec 4 msec
  5 10.1.3.1 0 msec 0 msec 0 msec
  6 10.1.3.2 4 msec 4 msec 0 msec
  7 10.1.3.1 4 msec *  0 msec
  8 10.1.3.2 4 msec 0 msec 4 msec
  9 10.1.3.1 0 msec 4 msec 0 msec
 10 10.1.3.2 0 msec 4 msec 0 msec
 11 10.1.3.1 4 msec 4 msec *
 12 10.1.3.2 0 msec 4 msec 4 msec
 13 10.1.3.1 4 msec *  *
 14 10.1.3.2 0 msec 4 msec 4 msec
 15 10.1.3.1 4 msec 4 msec 4 msec
 16 10.1.3.2 4 msec 4 msec 4 msec
 17 10.1.3.1 4 msec *  *
 18  *
    10.1.3.2 4 msec 0 msec
 19 10.1.3.1 4 msec 4 msec 4 msec
 20 10.1.3.2 4 msec *  *
 21 10.1.3.1 4 msec 4 msec 8 msec
 22 10.1.3.2 4 msec 4 msec 4 msec
 23 10.1.3.1 4 msec 8 msec *
 24 10.1.3.2 8 msec 8 msec 4 msec
 25  *  *
    10.1.3.1 4 msec
 26 10.1.3.2 8 msec 8 msec 4 msec
 27 10.1.3.1 8 msec 4 msec 4 msec
 28 10.1.3.2 4 msec 4 msec 8 msec
 29  *
    10.1.3.1 4 msec 4 msec
 30 10.1.3.2 4 msec 4 msec 8 msec


If I remove this statement from the 10.1.3.2 router -
ip route 10.1.1.0 255.255.255.0 10.1.3.1, it tries to route the traffic out my public internet...

1 152.179.79.153 0 msec 4 msec 4 msec     (Verizon GW IP)
  2 130.81.20.17 4 msec 8 msec 4 msec
  3 130.81.11.246 4 msec 4 msec 4 msec
  4  *  *  *
  5  *  *  *
  6  *
0
Craig BeckCommented:
So like I said previously, Verizon need to configure a route on the box with the 10.1.2.1 address to get to 10.1.1.0 via 10.1.2.2

Something like (in Cisco speak)...

ip route 10.1.1.0 255.255.255.0 10.1.2.2
0

AkinsdNetwork AdministratorCommented:
There's already a route from Verizon if other sites can ping the clients in the 10.1.1.0 subnet
0
Craig BeckCommented:
Obviously there isn't a route, based on the trace from a different site.  Either that or Verizon's BGP isn't working across all sites.
0
Fred MarshallPrincipalCommented:
You originally said:
RT2 can ping successfully RT1 g0/0, but not g0/1, but can ping devices on 10.1.1.xxx
But ... but ... g0/1 has address 10.1.1.30 so it must also be pingable as it's in "devices in 10.1.1.xxx".  Yes?

I would like to see a better diagram of the upper left corner that's on the diagram provided most recently.  The addresses, etc. are a bit unclear.

I still think Verizon needs to add routes for 10.1.1.0/24 as the old routes to 10.1.1.0 can go nowhere at this point.  Isn't that right?  I'm confused because it sounded like they *were* accessible.  Any packets destined for 10.1.1.0/24 would be dropped at this point.  Isn't that what's happening?
0
AkinsdNetwork AdministratorCommented:
@ Craigbeck
Unless I misunderstood the previous communication from the author
RT2 can ping successfully RT1 g0/0, but not g0/1, but can ping devices on 10.1.1.xxx

How is RT2 able to ping 10.1.1.0 if there is no route?
Remember ping is 2-way. There has to be a route going and another route coming for ping to be successful when icmp is allowed.

@ dassr23
Your traffic from 10.1.1.0 network is NATted.
Other possibility is that the ISP did not include icmp traffic from 10.1.1.0 to be allowed in.
You may want to give them a call and ask them before spending too much time on this.

Bear in mind that, ping failure is not really an indication of disconnection in a network.


You can give the following a try.
ip route 10.1.2.1 255.255.255.255 10.1.2.2

For that to work, you will have to exclude traffic from 10.1.1.0 network with destination to 10.1.2.1 from being NATted somehow

This brings up the topic of Route Maps.

I'm not sure how important it is for you to have direct communication with 10.1.2.1 since you can't really do anything on the interface.
If it is critical, then route map is the way to go.
0
Craig BeckCommented:
Regardless of what the OP 'said', the results from the trace prove that a client from a distant network can't ping 10.1.1.30 as there's no route to it across the WAN.

Perhaps you can ask Verizon for the output from the routing table on the ADTRAN box?
0
Fred MarshallPrincipalCommented:
I think we've all been saying the same thing more or less.
Seems like it's time for action with Verizon.
Seems like there's no other solution.
Well, I suppose that 10.1.2.0 and 10.1.1.0 could be combined into 10.1.2.0 if that's possible.
- if there aren't too many hosts.
- etc.

Making 10.1.2.0/24 bigger as in /23 appears to ALSO need Verizon action.  
So the suggested approach seems better unless it can remain /24 and handle both groups of hosts.  That wouldn't require Verizon to do anything.

I have to wonder how one gets a network with a company like Verizon on the "inside" of the network.  This case makes the difficulties rather obvious as it takes architectural control away from the owner.
0
dassr23Author Commented:
Thank you all for your help. I have a ticket in with Verizon and will update this post once I hear back from them.
0
dassr23Author Commented:
Verizon needed to add a route on the 10.1.2.1 ADTRAN router:

ip route 10.1.1.0 255.255.255.0 10.1.2.2

My network can talk like before. Thanks for the help!
0
Fred MarshallPrincipalCommented:
Thank you for the points.
It's not clear to me why they didn't have to add routes like:

ip route 10.1.1.0 255.255.255.0 10.1.2.1
on all the other routers....
Otherwise, how do packets get from Site 3 to Subnet 1 at Site 1/2?
0
Craig BeckCommented:
They redistribute static routes into their BGP, so the static on one box will propagate to the others automatically.
0
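
The forwarding behaviour this thread converged on, as an added example that is not part of any participant's post: a longest-prefix-match walk over each router's table, before and after the route Verizon added. RT1's table, RT2's static route and the final ADTRAN route come from the thread; the ADTRAN tables (including a default route on the site-3 ADTRAN pointing at 10.1.3.2) and the `mpls-site1`/`mpls-site3` next-hop labels are assumptions, since the thread never shows them.

```python
import copy
import ipaddress

# Which router owns which next-hop address. Cisco addresses are from the
# thread; "mpls-site1"/"mpls-site3" are constructed labels standing in for
# the ADTRAN WAN-side next hops, which the thread never shows.
OWNER = {
    "10.1.2.2": "RT1", "10.1.1.30": "RT1",
    "10.1.3.2": "RT2",
    "10.1.2.1": "ADTRAN1", "mpls-site1": "ADTRAN1",
    "10.1.3.1": "ADTRAN3", "mpls-site3": "ADTRAN3",
}

TABLES = {
    "RT1": [  # subset of the routing table posted in the thread
        ("10.1.1.0/24", "connected"),
        ("10.1.2.0/24", "connected"),
        ("10.1.3.0/24", "10.1.2.1"),
        ("0.0.0.0/0", "63.125.125.221"),
    ],
    "RT2": [
        ("10.1.3.0/24", "connected"),
        ("10.1.1.0/24", "10.1.3.1"),       # static route quoted in the thread
        ("0.0.0.0/0", "152.179.79.153"),   # internet gateway seen in the trace
    ],
    "ADTRAN1": [  # assumed: no route for 10.1.1.0/24 before the fix
        ("10.1.2.0/24", "connected"),
        ("10.1.3.0/24", "mpls-site3"),
    ],
    "ADTRAN3": [  # assumed: default route back to the site's Cisco gateway
        ("10.1.3.0/24", "connected"),
        ("10.1.2.0/24", "mpls-site1"),
        ("0.0.0.0/0", "10.1.3.2"),
    ],
}


def next_hop(table, dst):
    """Longest-prefix match: next hop for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(tables, start, dst, max_hops=30):
    """Follow dst hop by hop from router `start`; return (path, status)."""
    path, router = [start], start
    for _ in range(max_hops):
        if OWNER.get(dst) == router:
            return path, "delivered"            # dst is this router's interface
        nh = next_hop(tables[router], dst)
        if nh is None:
            return path, "no route"
        if nh == "connected":
            return path, "delivered"            # dst is on an attached subnet
        if nh not in OWNER:
            return path + [nh], "left modelled network"
        router = OWNER[nh]
        if router in path:
            return path + [router], "loop"      # same router seen twice
        path.append(router)
    return path, "hop limit"


def without_rt2_static(tables):
    """RT2 with its 10.1.1.0/24 static removed, as tried in the thread."""
    t = copy.deepcopy(tables)
    t["RT2"] = [r for r in t["RT2"] if r[0] != "10.1.1.0/24"]
    return t


def with_verizon_fix(tables):
    """Static on the 10.1.2.1 ADTRAN, redistributed to site 3 via BGP."""
    t = copy.deepcopy(tables)
    t["ADTRAN1"].append(("10.1.1.0/24", "10.1.2.2"))
    t["ADTRAN3"].append(("10.1.1.0/24", "mpls-site1"))  # BGP-learned (assumed)
    return t


if __name__ == "__main__":
    for label, tables in [("before fix", TABLES),
                          ("RT2 static removed", without_rt2_static(TABLES)),
                          ("after fix", with_verizon_fix(TABLES))]:
        print(label, trace(tables, "RT2", "10.1.1.30"))
    print("outbound from RT1", trace(TABLES, "RT1", "10.1.3.2"))
```
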