03-21-2003 08:24 AM - edited 03-02-2019 06:02 AM
Hello! I can't seem to figure out why I can't set up IP routing over a previously IPX/SPX-only WAN link between two sites. The sites are connected "behind the firewall" via a dedicated WAN link, currently routing IPX/SPX only. I want to route IP traffic that will occur between some servers on each side of the WAN.
I've tried using static routes as well as RIP-2 but must be missing something. Each site has its own Internet connection, which may be complicating the matter... Here's what I've got:
SITE A:
Internet Router<-->PIX Outside<-->PIX Inside 192.168.99.1/24
(NAT & PAT used to give hosts access to the Internet)
SITE B:
Internet Router/firewall 192.168.50.1/24
(NAT & PAT used to give hosts access to the Internet)
WAN Connection:
SITE A<-->Router (e0:192.168.99.10, s0:192.168.40.1)<-->WAN T1<-->SITE B Router (e0:192.168.50.10, s0:192.168.40.2)
Here's what I've tried:
My first attempt was to create a static route in each WAN router for the other site's private subnet. I added a static route to the SITE A PIX & the SITE B Internet router. My routes identified the 192.168.xx.10 router as the gateway to the other site's particular subnet. From either WAN router, I could ping the s0 interface on the other router across the WAN; however, I could not ping any hosts. The servers at each site also could not "find" each other via IP.
Thinking I was screwing up the static routes, I took them out everywhere, & turned on RIP-2 on everything. Same result - I can ping from WAN router to WAN router, but not past that.
Am I missing a concept here? If each router "knows" how to get to a particular subnet that shows up in the routing tables, isn't that enough?
Thanks for any help!!
03-21-2003 09:43 AM
On Site B, put a static route to Site A subnets, with Site A WAN IP address as gateway (next-hop). On Site A router, put a static route to Site B subnets, with Site B WAN IP address as next-hop.
What is the default gateway for the hosts on site A?
Since site B has router and firewall in the same unit (I guess you are using IOS firewall), probably there are access-lists filtering packets. Check the access-lists. How are the access-lists configured, inbound or outbound, and on which interface, the s0 or e0 of site B router? If the above is true, you might have to permit traffic from hosts subnet on site B to site A.
03-21-2003 03:36 PM
Hello & thanks for your advice!
The default gateway for hosts is their local firewall, at 192.168.9.1.
Basically, each site has their own internet connection, and each host's gateway IP address is set to that firewall.
The connection I'm trying to establish would never pass through either firewall since the WAN link terminates inside each site.
03-21-2003 10:11 AM
I would guess that it is a firewall issue. If the routes are in the forwarding table at each end that would indicate that the RIP updates are getting from router to router. But that doesn't mean that the firewall will allow traffic to pass through. Check your firewall config and do some debugs and diagnostics.
If you want to see if traffic is being passed through the firewall do this: Create an access list on the Internet Router A.
access-list 101 permit ip 192.168.40.0 0.0.0.255 any log
access-list 101 permit ip any any
Apply the access list inbound on e0 and outbound on s0. Try to ping. If every thing is working correctly, the log should show that a packet was received on e0 and sent on s0. If this works but the ping fails, do a similar test on the other end. Track the failure back toward the source until you find the problem. Good hunting!
03-23-2003 08:02 AM
Thanks for your reply. None of the desired IP traffic has to pass through either firewall. Although both sites have an Internet connection & firewall, it is a separate WAN link between the sites (behind both firewalls) that I'm trying to route IP across... I think it's just a route-related issue, but I can't seem to resolve it...
03-23-2003 05:22 PM
A quick review of the posts, if I'm looking at the setup correctly,
I think the problem is that, the default gateway of the hosts, and
probably servers too, is the PIX on sites A and B. So even if you
added a static route on the WAN routers, the hosts will still forward
the packets to the PIX. One solution could be, you'll have to add
a route entry (static) on the hosts. Say for example, host 192.168.99.100
needed to send a packet to host 192.168.50.100, you should add a route
on host 192.168.99.100 similar to:
route add 192.168.50.0 mask 255.255.255.0 192.168.99.10
But this might not be the best solution if you have hundreds of hosts.
I think it is better to add the route in the PIX firewall:
[PIX at Site A]
route inside 192.168.50.0 255.255.255.0 192.168.99.10
[PIX at Site B]
route inside 192.168.99.0 255.255.255.0 192.168.50.10
HTH.
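Added example (not part of any post in this thread): a small longest-prefix-match model of the topology described above, tracing where a packet goes before and after the per-host static routes from the previous reply are added, in both directions. The /24 mask on the 192.168.40.0 WAN link, the "internet" label for each firewall's default route, and the function names are assumptions made for illustration.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over (prefix, next_hop); next_hop None = on-link."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return "no-route"
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def trace(nodes, src, dst, max_hops=8):
    """Follow next hops from src towards dst; return (path, delivered)."""
    path, here = [src], src
    for _ in range(max_hops):
        nh = next_hop(nodes[here], dst)
        if nh is None:                 # dst sits on a connected subnet
            return path + [dst], True
        path.append(nh)
        if nh not in nodes:            # left the modelled network
            return path, False
        here = nh
    return path, False                 # routing-loop guard

def ping(nodes, a, b):
    """An echo succeeds only if request and reply are both delivered."""
    return trace(nodes, a, b)[1] and trace(nodes, b, a)[1]

def build(fix_a=False, fix_b=False):
    """Constructed tables; fix_a/fix_b add the per-host static route."""
    wan_a = [("192.168.99.0/24", None), ("192.168.40.0/24", None),
             ("192.168.50.0/24", "192.168.40.2")]
    wan_b = [("192.168.50.0/24", None), ("192.168.40.0/24", None),
             ("192.168.99.0/24", "192.168.40.1")]
    host_a = [("192.168.99.0/24", None), ("0.0.0.0/0", "192.168.99.1")]
    host_b = [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.1")]
    if fix_a:
        host_a.append(("192.168.50.0/24", "192.168.99.10"))
    if fix_b:
        host_b.append(("192.168.99.0/24", "192.168.50.10"))
    fw_a = [("192.168.99.0/24", None), ("0.0.0.0/0", "internet")]
    fw_b = [("192.168.50.0/24", None), ("0.0.0.0/0", "internet")]
    return {"192.168.99.100": host_a, "192.168.50.100": host_b,
            "192.168.99.1": fw_a, "192.168.50.1": fw_b,
            "192.168.99.10": wan_a, "192.168.40.1": wan_a,
            "192.168.50.10": wan_b, "192.168.40.2": wan_b}

if __name__ == "__main__":
    for fix in (False, True):
        print(fix, trace(build(fix, fix), "192.168.99.100", "192.168.50.100"))
```

With a route on only one host the request arrives but the reply still follows the other host's default gateway, so `ping` stays false until both sides are fixed.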
03-24-2003 07:21 AM
Thanks for the response! I had not even thought about adding the route to each host. That wouldn't be too big of a problem actually...
Actually, each site is using its "local" internet connection to get out to the Internet. SITE A has the PIX, while SITE B just has an IOS firewall. In any case, I think I see the point you're making.
Thanks for taking the time to review my post & the replies - your help may save the day for me!!
JMX