LICOMPGUY asked:
Static Route on main file server (good/bad)?

This company just acquired a piece of equipment that is controlled by a Windows 7 computer, behind a Cisco router (controlled by the equipment vendor). There is a port on this router that is Natted out so it should see the resources on the Prod network. There is the main file server on the Prod network that this Win 7 machine needs to map a drive to. The company that manages the Cisco router, and their controlling PC behind the router, are not willing to modify the config of the Cisco, such as adding a route to be able to see the Prod file server. It appears that the only way to get the Cisco router and their equipment behind it to see the file server on the Prod network is to do a route add on the main Prod file server (Win 2016). Is there any way that doing a permanent route add on the main file server could create problems for connectivity to it? I like to keep things as clean as possible, and in all my years of doing this I have never had to do this before. Is it true that when you do it as persistent it actually creates an entry in the registry?

Pros? Cons?

Thanks all - be safe!!
kevinhsieh

A static route on a machine is a sign of a poorly designed network. You've already covered that the network isn't designed well and vendor is unwilling to fix it.

No significant harm in putting in a static route if it is a good and valid one.
^^ Pretty much spot on, can't fault that answer.

Just to cover the last bit. Yes, it creates a registry entry at: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes'

It's not elegant, but it's not in any way harmful, unless in the future you want to use the same subnet and spend hours troubleshooting why that one server can't get there, of course :)

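To make the registry point above concrete, here is an added PowerShell example (not code from anyone in this thread) that audits the persistent routes on a Windows Server, decodes the PersistentRoutes key Pete names, and shows the `route -p` syntax the question is asking about. The 192.0.2.0/24 and 198.51.100.1 addresses are placeholders for the vendor subnet and next hop, not values from the thread.

```powershell
# Added example: audit persistent (-p) routes on a Windows file server.
# Run in an elevated PowerShell session. Placeholder addresses only.

# Registry key that backs "route -p add". Each value NAME encodes one route as
# "destination,mask,gateway,metric"; the value data is an empty string.
$PersistentRoutesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes'

function Get-PersistentRouteFromRegistry {
    # Decode every value name under PersistentRoutes into an object.
    if (-not (Test-Path $PersistentRoutesKey)) { return @() }
    (Get-Item $PersistentRoutesKey).GetValueNames() | ForEach-Object {
        $parts = $_ -split ','
        [pscustomobject]@{
            Destination = $parts[0]
            Mask        = $parts[1]
            Gateway     = $parts[2]
            Metric      = $parts[3]
            RawName     = $_
        }
    }
}

function Show-RouteAudit {
    # Compare what the registry says with what the live stack is using, so a
    # route that was added years ago and forgotten (Pete's caveat) is visible.
    'Persistent routes (registry):'
    Get-PersistentRouteFromRegistry | Format-Table -AutoSize

    'Persistent routes (as the TCP/IP stack reports them):'
    Get-NetRoute -AddressFamily IPv4 -PolicyStore PersistentStore |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric |
        Format-Table -AutoSize

    'Active routes that are NOT persistent (will disappear on reboot):'
    $persistent = Get-NetRoute -AddressFamily IPv4 -PolicyStore PersistentStore |
        ForEach-Object { "$($_.DestinationPrefix)->$($_.NextHop)" }
    Get-NetRoute -AddressFamily IPv4 -PolicyStore ActiveStore |
        Where-Object { $persistent -notcontains "$($_.DestinationPrefix)->$($_.NextHop)" -and $_.NextHop -ne '0.0.0.0' } |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias |
        Format-Table -AutoSize
}

Show-RouteAudit

# How a persistent route is added and removed (placeholder vendor subnet and hop).
# After the add, the registry value "192.0.2.0,255.255.255.0,198.51.100.1,1"
# appears under PersistentRoutes and survives reboots; the delete removes it.
#   route -p add 192.0.2.0 mask 255.255.255.0 198.51.100.1
#   route delete 192.0.2.0
```

Running Show-RouteAudit before and after the change gives you a record of exactly what was added to the server, which is the documentation that keeps the "why can't that one server reach that subnet" troubleshooting session from happening later.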
LICOMPGUY (asker)

Kevin

Thanks for the response. The network for the business is clean and doesn't have ANY issues; the problem occurs from the Cisco router and the equipment behind that Cisco router, which is managed by the vendor.
Every device outside of the Cisco router that should be visible is totally visible to all devices that should have access to it. So it isn't a poorly designed network; what is poorly designed is from the Cisco onward, inclusive of that Cisco router and the equipment behind it.
Pete

The network that hasn't any issues is on a TZ500 with HA; there are absolutely no issues on the network at all. It is from the Cisco and the equipment provided by the hardware company, from the Cisco back to their controlling PC and their equipment. I even went over it with one of the senior Sonicwall engineers. So to clarify, do you agree that it falls on the config of the Cisco? I think that is where the route should be defined.

Thanks!


I cannot draw out a network diagram based on what you have written before. If you need to add a static route to any device that is not a router, the network as a whole isn't well implemented, because IMHO all routing configurations should be made on routers and not endpoints. Now maybe you can't get all of the routers configured properly, in which case you may need to add a static route on the server. It is a workaround, and a hack, but it is totally supported and won't cause any issues other than the additional complexity.
I am pretty confident they need the route entry on the natted port on the Cisco router, which again I have no access to, as the equipment vendor manages that; but ONCE it hits the prod network (I have full access to all config). When doing a tracert from their machine behind THEIR router, it drops before it even hits the prod router/Sonicwall. I am pretty confident the problem is on their part; that is simply what I was trying to confirm.
In fact, it can't even ping the very next hop, which is a Ruckus switch. That is why I feel it is on their side; again, just trying to confirm that. Do you agree?

Thanks again for your time and feedback
Provide a network diagram and traceroute. Then I can give an opinion. Are you able to resolve via static route?
Yes - can resolve static route. To be clear, every node on the network, with the exception of what they have behind their natted Cisco router, can access all resources without any problem. It is what is behind the Cisco which doesn't have any access. I cannot provide you with a diagram for that; the equipment manager that provided their controller PC and the Cisco router manages that.

Otherwise on the Prod network they simply have their Cisco router, with a port that is "supposed to be" natted out so it can see the Prod network. BUT it can't even ping the switch it is patched into on the prod network; the next hop is a Ruckus switch which the server is also patched into. The only other change I can make would be to patch the server directly into the Sonicwall, which I would imagine would net the same issue, unless I did a rule or static route on the Sonicwall.
When you're the owner of the product, let your CEO contact the support company and let them change the configuration.
It's nuts to make a dirty solution to make it work. Go for the real fix and let them escalate this. They are a support company, and no is not an answer from a support party.


Hey Benjamin

Actually that is EXACTLY how I feel, that it is a dirty band-aid fix. There is NOTHING incorrect about the prod network; they are having issues with the Cisco router config and the port that is natted to the Prod network.
Thank you for that. I wanted to make sure I wasn't being unreasonable.

I appreciate it
You're correct, it's your device and the support company is there to serve you. Go in this direction and you will have the solution you want. When it's possible, don't even NAT but route.

Go in this direction and you will end up happy.
Hey Benjamin

Yes, for the life of me, given that there is not a single issue on this newly configured Prod network with the Sonicwall TZ500, and the problem is only from that third party's Cisco router back to their PC, I really felt it was them. Hell, I would think if they had the natted port set up correctly on their Cisco, they should be able to ping the switch it is patched into on the Prod network, and they can't even get to that. I just didn't have a ton of experience with route adds writing to the registry on a server, and it seemed like a dirty fix to me that down the road could be an issue if it is forgotten that it is there, etc., and a band-aid fix, which is not how we like to do things.

Thank you for sharing.

Have a great evening

FWIW, I wouldn't even let a router and PC managed by another company directly on my network. Make sure all traffic goes through your firewall between the rest of your production network and their Cisco router. Without a network diagram, I don't even know why there is a Cisco router involved.
No choice, it manages a robotics system that moves large panels of wood and is laser guided. Behind the Cisco they have their own network with a couple of computers: one controls the system that moves the wood, the other is a computer that controls a CNC router. It is helpful for that computer to have access to a network share on the Prod network. I gave them a static address for the port coming off the Cisco facing the Prod network, but it appears to me that they needed to set up a static route or rule for that port, which they have not. There is a lot of resistance on their side regarding the config of the locked-down router.

Kevin - thanks for your input it is appreciated!
If the "solution" is a static route on their router, then there is nothing that a static route on your file server can accomplish.
I would absolutely firewall off their network from the rest of yours. Twenty years ago they would have been putting in Windows NT 4, and then you would have been trying to figure out how to secure the environment in 2015 because the vendor had gone out of business and/or nobody wants to spend hundreds of thousands of dollars replacing the CNC equipment.

Be prepared for the possibility that they don't want to make configuration changes to the Cisco because they don't really know what they're doing with it.
I would look to using an isolated file server. You don't want ransomware attacking your production file server because someone used an infected USB stick to transfer some files to the CNC side which is 5 years out of date for Windows updates and AV software. Maybe the gear is continuously patched and is properly managed, but then it also needs Internet access and care and feeding to make sure that updates are getting installed.
My bad, actually not CNC but Homags Storteq and router (for cutting).
Kevin - actually REALLY good points. Thank you. The OS on the controlling PC is Windows 7, and I really don't want them on the network indefinitely either. I was getting distracted by what they were attempting to accomplish.

Thank you
ASKER CERTIFIED SOLUTION
kevinhsieh
That is what THEY use as the controller PC for their several-hundred-thousand-dollar piece of equipment. They do plan to test and move to Windows 10; I agree with you. Unfortunately, not all things are in our control.