aclaus225
asked on
Routing Issue
I have an AVG virus server at 192.168.100.87 for internal computers. External computers should be able to get this by going to a different IP address, that then forwards to that computer. The mapping suggests that the AVG port (I forget what it is right now) goes from 192.168.101.2 to 192.168.100.87. This seems to work for external computers. Semi-internal computers, who get their internet access from a different place, should also be able to reach 192.168.101.2 via another port on the router. I have put in a route for 192.168.101.2 on the router to use FastE0/3/0. I can ping from my router and reach 192.168.101.2 but I cannot ping that IP from inside the network without it timing out. What do I need to do to remedy this?
forgot to add:
might need a route print on both devices (server + computer )
ASKER
Router 1
Fa0 192.168.101.2/30
Fa1 192.168.100.1/24
Fa3 192.168.101.5/30
Router 2
Fa0 192.168.200.6/30
Fa1 192.168.0.3/21
Fa3 192.168.101.6/30
Router2 has a route that says 192.168.100.1 255.255.255.0 Fa3, which should point to Router 1. I can ping from router 2 to 192.168.100.87, but I cannot get a computer from 192.168.0.0/21 to find 192.168.100.87.
Hello, I would need a complete route print of the 2 routers.
You need a route on your router 1 :
ip route 192.168.0.0 255.255.248.0 192.168.101.6
something like that
ip configuration and all route from:
server avg
computer in network 192.168.0.x
router 1
router 2
ASKER
AVG Server is at 192.168.100.87
It can successfully ping 192.168.1.17, which is the printer in the 192.168.0.0/21 network.
I can successfully ping 192.168.100.87 from a machine in the 192.168.0.0/21 network.
Router 1 routing table:
Gateway of last resort is 192.168.101.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.101.1
10.0.0.0/24 is subnetted, 1 subnets
S 10.10.0.0 [1/0] via 192.168.100.254
S 192.168.0.0/21 [1/0] via 192.168.101.6
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, FastEthernet0/1
L 192.168.100.1/32 is directly connected, FastEthernet0/1
192.168.101.0/24 is variably subnetted, 4 subnets, 2 masks
C 192.168.101.0/30 is directly connected, FastEthernet0/0
L 192.168.101.2/32 is directly connected, FastEthernet0/0
C 192.168.101.4/30 is directly connected, FastEthernet0/2/0
L 192.168.101.5/32 is directly connected, FastEthernet0/2/0
Routing table on Router 2:
Gateway of last resort is 192.168.200.5 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.200.5
C 192.168.0.0/21 is directly connected, FastEthernet0/1
192.168.0.0/32 is subnetted, 1 subnets
L 192.168.0.3 is directly connected, FastEthernet0/1
S 192.168.100.0/24 is directly connected, FastEthernet0/3/0
192.168.101.0/24 is variably subnetted, 3 subnets, 2 masks
S 192.168.101.2/32 is directly connected, FastEthernet0/3/0
C 192.168.101.4/30 is directly connected, FastEthernet0/3/0
L 192.168.101.6/32 is directly connected, FastEthernet0/3/0
192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.200.4/30 is directly connected, FastEthernet0/0
L 192.168.200.6/32 is directly connected, FastEthernet0/0
From the computer trying to reach the server, can you try a tracert 192.168.100.87?
found something on your router 2:
Routing table on Router 2:
Gateway of last resort is 192.168.200.5 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.200.5
C 192.168.0.0/21 is directly connected, FastEthernet0/1
192.168.0.0/32 is subnetted, 1 subnets
L 192.168.0.3 is directly connected, FastEthernet0/1
S 192.168.100.0/24 is directly connected, FastEthernet0/3/0
192.168.101.0/24 is variably subnetted, 3 subnets, 2 masks
S 192.168.101.2/32 is directly connected, FastEthernet0/3/0
C 192.168.101.4/30 is directly connected, FastEthernet0/3/0
L 192.168.101.6/32 is directly connected, FastEthernet0/3/0
192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.200.4/30 is directly connected, FastEthernet0/0
L 192.168.200.6/32 is directly connected, FastEthernet0/0
should not be: S 192.168.100.0/24 [1/0] via 192.168.101.5 ???
and shouldn't be: 192.168.101.6/30 ????
there is something wrong with your netmask there
can you show us your router 2 config ?
ip / route ....
I guess it's a Cisco router
ASKER
Router 2
interface FastEthernet0/0
description WirelessOutside
bandwidth 204800
ip ddns update sdm_ddns1
ip address 192.168.200.6 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description Wireless Students
ip address 192.168.0.3 255.255.248.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
service-policy input P2P
!
interface FastEthernet0/3/0
ip address 192.168.101.6 255.255.255.252
duplex auto
speed auto
!
ip default-gateway 174.77.164.81
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.200.5
ip route 192.168.100.0 255.255.255.0 FastEthernet0/3/0
ip route 192.168.101.2 255.255.255.255 FastEthernet0/3/0
ASKER
Router 1
interface FastEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
bandwidth 204800
ip ddns update sdm_ddns1
ip address 192.168.101.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface FastEthernet0/1
description Inside
bandwidth 10000000
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly drop-fragments
ip tcp adjust-mss 1452
duplex auto
speed auto
!
!
interface FastEthernet0/2/0
ip address 192.168.101.5 255.255.255.252
duplex auto
speed auto
!
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.100.54 3389 192.168.101.2 3389 extendable
ip nat inside source static tcp 192.168.100.87 4158 192.168.101.2 4158 extendable
ip route 0.0.0.0 0.0.0.0 192.168.101.1
ip route 10.10.0.0 255.255.255.0 192.168.100.254
ip route 192.168.0.0 255.255.248.0 192.168.101.6
change this on router 2:
ip route 192.168.100.0 255.255.255.0 FastEthernet0/3/0
with
ip route 192.168.100.0 255.255.255.0 192.168.101.5
ASKER
I can ping .87, but the computer is still not connecting with the AVG server.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\wsc>tracert 192.168.100.87
Tracing route to 192.168.100.87 over a maximum of 30 hops
1 2 ms 4 ms 9 ms 192.168.0.3
2 2 ms 2 ms 2 ms 192.168.101.5
3 2 ms 1 ms 1 ms 192.168.100.87
Trace complete.
C:\Users\wsc>ipconfig
Windows IP Configuration
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::ccfd:b04e:bf68:48d4%12
IPv4 Address. . . . . . . . . . . : 192.168.4.45
Subnet Mask . . . . . . . . . . . : 255.255.248.0
Default Gateway . . . . . . . . . : 192.168.0.3
so far, from your computer you can ping the 192.168.100.87 right ?
ASKER
Yes, I am able to ping back and forth between 192.168.100.87 and a computer on the other network.
mmmmmm ..
but I cannot ping that IP from inside the network without it timing out <== what do you mean by that as you just said you can ping.
ASKER
Originally the only route that I had installed told router 2 to use FastE 0/3/0 if it was looking for 101.2. Using that path the router was able to ping to the internal network. However, I then installed the path telling the router to use FastE0/3/0 if it was looking for the .100 network also. This resolved the pinging problem and now the only problem is that the computers on the .0 network cannot reach 192.168.100.87 port 6051, which is what is used for AVG.
if you add a route, add the next hop ip, not your interface.
check on the avg server logs if you see something.
or install wireshark on it and log everything that is coming into that server.
probably the server denying it now.
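The route change suggested for router 2 and the next-hop advice above can be checked offline with a longest-prefix-match lookup in both directions. This is an added example, not part of the original thread: the route entries are transcribed from the tables and configs posted above (router 2 with the suggested next-hop change applied), while the names R1/R2, `lookup` and `trace` are made up for the illustration.

```python
import ipaddress

# Routes transcribed from the thread. "connected" = directly attached,
# "if:<name>" = static route that names only an exit interface.
ROUTERS = {
    "R1": [("0.0.0.0/0", "192.168.101.1"),
           ("10.10.0.0/24", "192.168.100.254"),
           ("192.168.0.0/21", "192.168.101.6"),
           ("192.168.100.0/24", "connected"),
           ("192.168.101.0/30", "connected"),
           ("192.168.101.4/30", "connected")],
    "R2": [("0.0.0.0/0", "192.168.200.5"),
           ("192.168.0.0/21", "connected"),
           ("192.168.100.0/24", "192.168.101.5"),   # after the suggested change
           ("192.168.101.2/32", "if:FastEthernet0/3/0"),
           ("192.168.101.4/30", "connected"),
           ("192.168.200.4/30", "connected")],
}
# Which modelled router owns each next-hop address on the inter-router link.
OWNER = {"192.168.101.5": "R1", "192.168.101.6": "R2"}

def lookup(table, dst):
    """Return (network, next_hop) of the most specific matching route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)

def trace(router, dst, tables=ROUTERS, max_hops=8):
    """Follow next hops router by router and describe each decision."""
    path = []
    for _ in range(max_hops):
        prefix, nh = lookup(tables[router], dst)
        if nh == "connected":
            path.append(f"{router}: deliver on {prefix}")
            return path
        if nh.startswith("if:"):
            # No next-hop IP: the router must ARP for the destination itself.
            path.append(f"{router}: {prefix} out {nh[3:]}, no next hop (ARP for {dst})")
            return path
        path.append(f"{router}: {prefix} via {nh}")
        if nh not in OWNER:
            path.append(f"leaves modelled network at {nh}")
            return path
        router = OWNER[nh]
    path.append("routing loop")
    return path

if __name__ == "__main__":
    for start, dst in [("R2", "192.168.100.87"),   # client -> AVG server
                       ("R1", "192.168.4.45"),     # AVG server -> client
                       ("R2", "192.168.101.2")]:   # client -> published address
        print(f"{start} -> {dst}")
        for hop in trace(start, dst):
            print("   ", hop)
```

Removing the 192.168.0.0/21 entry from R1 and re-running the return trace shows replies following the default route to 192.168.101.1 instead of going back to router 2.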
ASKER
This is one of the two requests from 192.168.5.48 to 192.168.100.87. I do not make sense of this at all:
678 76.305911 192.168.5.48 192.168.100.87 TCP 62 [TCP Spurious Retransmission] 50053 → 4158 [SYN] Seq=0 Win=8192 Len=0 MSS=1452 SACK_PERM=1
Frame 678: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0
Interface id: 0 (\Device\NPF_{6D91314C-45A3-4C1E-B05A-7FF693F0B55B})
Encapsulation type: Ethernet (1)
Arrival Time: May 11, 2017 15:48:24.264848000 Pacific Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1494542904.264848000 seconds
[Time delta from previous captured frame: 0.116901000 seconds]
[Time delta from previous displayed frame: 0.116901000 seconds]
[Time since reference or first frame: 76.305911000 seconds]
Frame Number: 678
Frame Length: 62 bytes (496 bits)
Capture Length: 62 bytes (496 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update]
Ethernet II, Src: Cisco_f9:f0:39 (00:1b:d5:f9:f0:39), Dst: Microsof_64:2a:00 (00:15:5d:64:2a:00)
Destination: Microsof_64:2a:00 (00:15:5d:64:2a:00)
Address: Microsof_64:2a:00 (00:15:5d:64:2a:00)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Cisco_f9:f0:39 (00:1b:d5:f9:f0:39)
Address: Cisco_f9:f0:39 (00:1b:d5:f9:f0:39)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.5.48, Dst: 192.168.100.87
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 48
Identification: 0x1743 (5955)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 126
Protocol: TCP (6)
Header checksum: 0xfaac [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.5.48
Destination: 192.168.100.87
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 50053, Dst Port: 4158, Seq: 0, Len: 0
Source Port: 50053
Destination Port: 4158
[Stream index: 11]
[TCP Segment Len: 0]
Sequence number: 0 (relative sequence number)
Acknowledgment number: 0
Header Length: 28 bytes
Flags: 0x002 (SYN)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish request (SYN): server port 4158]
[Connection establish request (SYN): server port 4158]
[Severity level: Chat]
[Group: Sequence]
.... .... ...0 = Fin: Not set
[TCP Flags: ··········S·]
Window size value: 8192
[Calculated window size: 8192]
Checksum: 0x669b [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (8 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted
Maximum segment size: 1452 bytes
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1452
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
TCP SACK Permitted Option: True
Kind: SACK Permitted (4)
Length: 2
[SEQ/ACK analysis]
[TCP Analysis Flags]
[Expert Info (Note/Sequence): This frame is a (suspected) spurious retransmission]
[This frame is a (suspected) spurious retransmission]
[Severity level: Note]
[Group: Sequence]
[Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
[This frame is a (suspected) retransmission]
[Severity level: Note]
[Group: Sequence]
Well, the thing is that Wireshark can filter what's incoming so you can see what is blocked. If you don't really know how to use it ... :/
What you can probably do is check your AVG server logs and check if it denies something coming from your computer.
ASKER
I understand how to use WireShark, but when I said I can't make sense of it, to me that frame looks like it should have gone through, since it was recognized, so we know that it is getting past the router to the computer. I do not see anything in the AVG server logs to indicate why it would be getting blocked. Looking at the bottom of the capture it says that it is a suspected retransmission, but that is an editorial comment, not an actual error.
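A capture taken on the server can be sorted by how each connection attempt was answered, which separates "nothing replied" from "a reply was sent but the client kept retrying". This is an added example, not part of the original thread: it parses Wireshark one-line packet summaries in the layout of the frame quoted above, the sample lines are constructed, and `classify` is a name made up for the illustration.

```python
import re
from collections import defaultdict

# Matches: No. Time Source Destination TCP Length [optional notes] sport -> dport [FLAGS]
LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+TCP\s+\d+\s+"
    r"(?:\[[^\]]*\]\s+)*(\d+)\s+(?:\u2192|>)\s+(\d+)\s+\[([A-Z, ]+)\]"
)

# Constructed sample summaries (not taken from the asker's capture).
SAMPLE = [
    "1 0.000000 192.168.5.48 192.168.100.87 TCP 62 50060 \u2192 80 [SYN] Seq=0 Win=8192 Len=0",
    "2 0.000210 192.168.100.87 192.168.5.48 TCP 62 80 \u2192 50060 [SYN, ACK] Seq=0 Ack=1 Len=0",
    "3 0.002100 192.168.5.48 192.168.100.87 TCP 54 50060 \u2192 80 [ACK] Seq=1 Ack=1 Len=0",
    "4 1.000000 192.168.5.48 192.168.100.87 TCP 62 50053 \u2192 4158 [SYN] Seq=0 Win=8192 Len=0",
    "5 4.000000 192.168.5.48 192.168.100.87 TCP 62 [TCP Retransmission] 50053 \u2192 4158 [SYN] Seq=0",
    "6 5.000000 192.168.5.48 192.168.100.87 TCP 62 50070 \u2192 4158 [SYN] Seq=0 Win=8192 Len=0",
    "7 5.000150 192.168.100.87 192.168.5.48 TCP 62 4158 \u2192 50070 [SYN, ACK] Seq=0 Ack=1 Len=0",
    "8 8.000000 192.168.5.48 192.168.100.87 TCP 62 [TCP Retransmission] 50070 \u2192 4158 [SYN] Seq=0",
]

def classify(lines):
    """Map each client->server attempt to answered / reply-lost / refused / no-reply."""
    syns = defaultdict(int)     # (client, cport, server, sport) -> number of bare SYNs
    replies = defaultdict(set)  # same key -> flags seen coming back from the server
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        src, dst, sport, dport, flags = m.groups()
        flags = {f.strip() for f in flags.split(",")}
        if flags == {"SYN"}:
            syns[(src, sport, dst, dport)] += 1
        elif "SYN" in flags or "RST" in flags:
            # Index the reply under the key of the attempt it answers.
            replies[(dst, dport, src, sport)] |= flags
    verdicts = {}
    for key, count in syns.items():
        seen = replies.get(key, set())
        if "RST" in seen:
            verdict = "refused"       # host answered, port closed or rejected
        elif "SYN" in seen:
            # SYN,ACK left the server; repeated SYNs mean it never reached the client.
            verdict = "answered" if count == 1 else "reply-lost"
        else:
            verdict = "no-reply"      # nothing listening, or filtered on the host
        verdicts[f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}"] = verdict
    return verdicts

if __name__ == "__main__":
    for flow, verdict in classify(SAMPLE).items():
        print(f"{flow:45} {verdict}")
```

On a server-side capture, "no-reply" points at the host itself, while "reply-lost" points at the return path between server and client.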
mmmm try disabling your avg server firewall to test.
ASKER
AVG Firewall was not installed on the server. I disabled the Windows Firewall too. AVG simply says connection not available.
When I turned on Wireshark it was telling me the same thing again.
install some kind of service http or ftp or anything, and try it.
ASKER
HTTP worked and was reachable.
I did not see anything that looked bad with WireShark in regards to HTTP.
ASKER
Thanks for all your help.
A diagram would help a lot to resolve the issue.
Can you write all the IP configuration for the AVG virus server (IP / netmask / gateway),
and the same for a computer that should but can't connect to the server?
And the IP configuration and routes on your router (or L3 switch).
I'm pretty sure it's a route problem.
Regards,