topic Re: Access Issue in Network Security

Access Issue

tuhinbhowmick — Mon, 11 Mar 2019 18:04:28 GMT

We are not able to ping the ip 10.2.1.240. Can anyone look into the issue and help us ? Here is the scenario described below........

server(192.162.2.X) -------> Switch------>Firewall-------->Router .

Now we need to access the IP 10.2.1.240 from the server.

From the server the tracert result is given below.....

C:\>tracert 10.2.1.240

Tracing route to 10.2.1.240 over a maximum of 30 hops

1    <1 ms    <1 ms    <1 ms 192.168.99.10------------------------------->Router IP
2     *        *        *     Request timed out.
3     *     ^C

In the router we have checked the below result......

Router#sh ip route 10.2.1.240
Routing entry for 10.2.1.0/24
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 10.252.126.1
Route metric is 0, traffic share count is 1

The following route has been configured on the router ........... ip route 10.2.1.0 255.255.255.0 10.252.126.1

Waiting for your help and suggestion.

Re: Access Issue

Jennifer Halim — Mon, 28 Jun 2010 08:21:17 GMT

Pls advise ip address of each hop. If you can share the config of the firewall and router, that would help.

Re: Access Issue

tuhinbhowmick — Mon, 28 Jun 2010 08:41:50 GMT

here is the router config for your reference......

Building configuration...

Current configuration : 5060 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname !
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name yourdomain.com
ip name-server 213.42.20.20
!
!
!
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
ip address 86.96.194.214 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.98.10 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1/0
description -- Connected TO LAN -----
switchport access vlan 100
!
interface FastEthernet0/1/1
description --- SITE TO SITE L3 LINK----
switchport access vlan 200
!
interface FastEthernet0/1/2
description --- *********MARKET WAN LINK -----
switchport access vlan 126
!
interface FastEthernet0/1/3
description -- ********MARKET CONNECTION -----
switchport access vlan 34
spanning-tree portfast
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
no ip address
!
interface Vlan34
ip address 10.16.34.5 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface Vlan100
ip address 192.168.99.10 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface Vlan126
ip address 10.252.126.2 255.255.255.252
ip nat outside
ip virtual-reassembly
!
interface Vlan200
ip address 192.168.100.26 255.255.255.252
ip ospf network point-to-point
ip ospf priority 0
ip ospf mtu-ignore
!
interface Vlan426
no ip address
!
router ospf 100
log-adjacency-changes
network 192.168.11.224 0.0.0.31 area 0
network 192.168.100.4 0.0.0.3 area 0
!
router ospf 1
log-adjacency-changes
network 192.168.99.10 0.0.0.0 area 0
network 192.168.100.26 0.0.0.0 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 86.96.194.209
ip route 10.2.1.0 255.255.255.0 10.252.126.1
ip route 10.50.5.0 255.255.255.0 10.16.34.1
ip route 10.250.126.0 255.255.255.0 192.168.99.9
ip route 150.100.0.0 255.255.0.0 10.16.34.1
ip route 172.168.10.0 255.255.255.0 192.168.98.9
ip route 172.168.10.0 255.255.255.0 192.168.3.34
ip route 192.168.30.0 255.255.255.0 10.16.34.1
ip route 213.42.105.160 255.255.255.224 10.16.34.1 10
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 60
ip nat pool DFM_M 10.16.34.10 10.16.34.10 netmask 255.255.255.0
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source list DFM pool DFM_M overload
ip nat inside source static 172.168.10.102 86.96.194.212
ip nat inside source static 172.168.10.8 86.96.194.213
ip nat inside source static 192.168.2.27 86.96.194.217
!
ip access-list extended DFM
permit ip any 213.42.105.0 0.0.0.255 log
permit ip any 213.42.105.160 0.0.0.31 log
permit ip any 192.168.30.0 0.0.0.255 log
permit ip any 150.100.0.0 0.0.255.255 log
permit ip any 10.50.5.0 0.0.0.255
!
no logging trap
access-list 100 deny   ip any 213.42.105.0 0.0.0.255 log
access-list 100 deny   ip host 172.168.10.8 any log
access-list 100 deny   ip host 86.96.194.213 any log
access-list 100 deny   ip host 172.168.10.102 any log
access-list 100 deny   ip host 86.96.194.212 any log
access-list 100 permit ip any any!
line con 0
logging synchronous
login
line aux 0
line vty 0 4
privilege level 15
password 7 02070D5D18070B2C1D40
logging synchronous
login
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Router#sh ip route 10.2.1.240
Routing entry for 10.2.1.0/24
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 10.252.126.1
Route metric is 0, traffic share count is 1

Router#ping 10.2.1.240

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.240, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 86.96.194.209 to network 0.0.0.0

O E2 192.168.14.0/24 [110/51] via 192.168.100.25, 01:11:46, Vlan200
     86.0.0.0/28 is subnetted, 1 subnets
C       86.96.194.208 is directly connected, GigabitEthernet0/0
C    192.168.99.0/24 is directly connected, Vlan100
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S       10.2.1.0/24 [1/0] via 10.252.126.1
C       10.252.126.0/30 is directly connected, Vlan126
S       10.250.126.0/24 [1/0] via 192.168.99.9
O E2 192.168.1.0/24 [110/51] via 192.168.100.25, 01:11:46, Vlan200
O    192.168.2.0/24 [110/11] via 192.168.99.9, 01:11:46, Vlan100
     192.168.100.0/30 is subnetted, 2 subnets
C       192.168.100.24 is directly connected, Vlan200
O E2    192.168.100.20 [110/1] via 192.168.100.25, 01:11:46, Vlan200
S*   0.0.0.0/0 [1/0] via 86.96.194.209

If anything else you require.....then let us know...

Re: Access Issue

Jennifer Halim — Mon, 28 Jun 2010 09:00:56 GMT

Can you advise what device is 10.252.126.1 and 192.168.99.9?

As advised earlier, you would need to check each hop to make sure that the traffic pass through each hop successfully. At this point, from the limited information, I won't be able to tell you where it's breaking.

Re: Access Issue

tuhinbhowmick — Mon, 28 Jun 2010 09:23:55 GMT

192.168.99.9 is the firewall ip

and 10.252.126.1 is the IP of the market WAN link (though we have limited information regarding the actual scenario) .....that is the next hop ip for any traffic from our network to the outside world. one of the vlan 126 has been configured on our side router with 10.252.126.2.

Also we are not able to ping the IP 10.252.126.1 from the router itself.......

Re: Access Issue

Jennifer Halim — Mon, 28 Jun 2010 10:25:42 GMT

Base on the topology describes so far, here is what i understand it:

10.2.1.240 -- Market WAN (10.252.126.1) -- (10.252.126.2) Router (192.168.99.10) -- (192.168.99.9) Firewall -- 192.168.2.x (server).

1) Is the server 192.168.2.x directly connected to the firewall?

2) If it is, can you ping the server from the firewall?

3) Does the firewall have any rules that might be blocking the access?

4) From the router, can you ping the server 192.168.2.x?

5) Since you can't even ping 10.252.126.1 from the router, you might want to check the Market WAN link, and see if it has routes back for 192.168.2.x back towards the router.

Re: Access Issue

tuhinbhowmick — Mon, 28 Jun 2010 11:14:46 GMT

we need to check from sever (192.168.2.X) towards outside and need to access the ip 10.2.1.240.

now we have checked and are able to reach router(192.168.99.10) from the server (192.168.2.X) using traceroute of the ip 10.2.1.240 and it shows that it reaches router and after that showing "request timed out".

so we have to check the router configuration, which i have already provided to you.

Please let me know if you need any further information.

Re: Access Issue

Jennifer Halim — Mon, 28 Jun 2010 11:19:55 GMT

Base on the traceroute, it reaches the router. Next hop would be the firewall, that's why it's showing request time out. You would need to check if the firewall is receiving the packet and passing it to the next hop. I don't see issue with the router configuration.

Re: Access Issue

tuhinbhowmick — Mon, 28 Jun 2010 12:30:21 GMT

i think i am not able to make you understand.........we are trying to reach

i have tested the traceroute from the server to 10.2.1.240...and here is the result for the same....

1st hop : 192.168.2.1 ----> Switch

2nd hop : 192.168.2.99 ----> Firewall

3rd hop : 192.168.99.10 ----> router

Now after router it is showing "request timed out".

Please let me know if you need any further clarification.

Re: Access Issue

Jennifer Halim — Mon, 28 Jun 2010 12:41:30 GMT

When I asked you earlier what is 192.168.99.9, you advised that it is a firewall.

Are there 2 firewalls in your network?

From the traceroute, it gave you a hop of the router, meaning it passes through the router OK, the next hop would be what is after the router interface of 192.168.99.10 (vlan 100). Base on the routing, it points to 192.168.99.9 which you advised earlier is a firewall. If it's not a firewall, please check what device it is, and what could be blocking it on that particular device.