Solved

Need help with routing Issue

Posted on 2014-11-18
5
367 Views
Last Modified: 2016-11-23
I have two networks that I need to join.  A and B

Network "A" is 10.0.0.x/24 behind a cable modem.  No special routing, etc.

Network "B" is more complex.  It is a 10.10.x.x/16 network behind a sonicwall TZ210, with a cable modem in front of that.   Behind the Sonicwall, there is a Cisco 3850 24 POE+.  Here is where it gets interesting:  Behind the Cisco are multiple subnetworks and VLANs.  Lets call them "B.1" etc.

Network "B.1" is a 10.10.10.x/24 network on VLAN 1.
Network "B.2" is a 10.10.15.x/24 network on VLAN 15.
Network "B.3" is a 10.100.100.x/24 network on VLAN 3.
Network "B.4" is an unknown network with only one node:  A managed Dell Switch.  The other side of which we will call Network "B.4.1" which also has multiple subnetworks and VLANs.

Network "B.4.1.1" is a 10.10.14.x/24 network on VLAN 4
Network "B.4.1.2" is a 10.10.1.x/24 network on VLAN 5

And finally, on network B.4.1.2 there is another Dell managed Switch, the other side of which we will call Network "B.4.1.2.1" which is a 128.10.1.x/24 on VLAN 5

Clear as mud?  Don't blame me.  I inherited it and I'm not allowed to change it.  (Yet ... )

So, What I need to do is give certain workstations on Network A access to a server on network "B.2" (10.10.15.x/24 network on VLAN 15) and also give access to certain workstations on network B (and various subnets and VLANs) to a server on Network A.

Here's what I did so far:
------------------------------

We ran a cable from a dumb switch on Network A to the Sonicwall's X6 port on Network B.  
 
The X6 port was assigned it's own zone and portshield group, and given the IP address of a node on Network A.  
 
I created a route in the sonicwall for access to the 10.0.0.0/24 network through the X6 port.  
 
Then I added rules to the firewall to allow ONLY the desired ports and nodes from Net A to get to the server on net B.  And Vica Versa.  
 
Then we tested.
 

The sonicwall, from the diagnostics page, can ping the desired server on network A. (joy!)  And the server on Net A can ping the sonicwall's X6 port.  (joy!)

However, the server on Net A, can NOT ping the nodes in Net B.  (understandable, since there is no route saved)
Nor can the nodes in net B ping the Server on net A. (odd, since there *is* a route in the sonicwall.)  Furthermore, I plugged a laptop directly into the sonicwall's LAN port and was still unable to ping the server on net A.

For giggles, I set the firewall rules to be wide open in both directions and re-tested.  Same results.

Help!

------------------------------
Also - Another new Sonicwall is on the way for network A.
0
Comment
Question by:cef_soothsayer
  • 3
  • 2
5 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40451088
I was just chatting through this with a Networking colleague of mine and he asks....

You say no special routes on network A.  So how does it know where B is?  You need a route from A to B OR make the sonicwall TZ210 port on the 'A' network the default gateway for a machine on Network A and then try.
0
 
LVL 1

Author Comment

by:cef_soothsayer
ID: 40451365
For traffic initiated withing the A network, it doesn't know how to get to net B.  that's stage 2, after the new Sonicwall arrives.  The new Sonicwall is for the Net A gateway, and I can add routing when I install it.

For traffic initiated in Net B headed to Net A, the old net B Sonicwall routes traffic to net A.  And the return traffic (should?**) go back naturally, as the switch in Net A knows the origin port & IP.  (The Net B/Sonicwall /X6 IP on Net A subnet).

So I'm not surprised that nodes on Net A can't reach the server on net B yet.  It's "Why cant nodes on Net B reach server on Net A?" that I'm concerned with right now.

Thanks.


** Am I wrong?
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 500 total points
ID: 40451768
Traffic wont know its way back no.

Either, on a single PC/Server in A, set a static route for the B network that is the X6 port
OR
Have the Sonicwall NAT all traffic from Network B to network A.

Either of the above should work.

Just because the traffic from B came in on the X6 port does not mean that any old device on Network A will reply to the X6 port.  If its not for its own subnet AND you dont have a static route then it will go to your Default Gateway.
0
 
LVL 1

Author Comment

by:cef_soothsayer
ID: 40454221
OMG I totally forgot about the NAT.  I had planned on putting it in and assumed I already had.  HA!

Fixing the NAT worked.  Thanks!
0
 
LVL 1

Author Closing Comment

by:cef_soothsayer
ID: 40454223
Doh! <facepalm>
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now