Subnet advertising problems, 2821, 1841

Adam Hudson · ‎09-17-2012

I have two virtual servers that sit in my DMZ subnet. Pinging back and forth between these servers and other servers/machines at my main site (Site A) just fine. Between these servers and two my other sites (Site B and Site C) however, I cannot ping. Other devices that physically sit in the DMZ can connect to machines at these remote sites.

I thought it was an issue with the ACL so I pulled it and applied an "icmp any any" ACL but this didn't change my ping results. Upon checking the learned routes for my two remote sites I found that neither site had my DMZ subnet. Here's where the confusion comes in at, I have the subnet advertised to both sites. Can someone help with me this?

Sanitized configs will be attached.

=====

Facts:

Site A Firewall - Cisco ASA 5520

Site A Router - Cisco 2821

Site A to Site B connection: Fiber running EIGRP

Site B Router - Cisco 1841

Site A to Site C connection: MPLS line running BGP

Site C Router - Cisco 1841

=====

Testing:

Ping back and forth with ACL attached to DMZ interface, pings fail.

Pull ACL off of DMZ interface, pings fail.

Put "icmp any any" ACL on DMZ, pings fail.

Packet tracer ping test comes back successfully, but I never trust packet tracer results.

Jon Marshall · ‎09-17-2012

Adam

It's a bit confusing because you say "Other devices that physically sit in the DMZ can connect to machines at these remote sites" but you then say that the dmz route is not being learnt at the remote site so how do the machines connect ?

Could you clarify ?

If it is the case that the routes are not there can you post -

"sh ip route" and "sh ip bgp" from all sites.

Jon

Adam Hudson · ‎09-19-2012

I was unclear about the connection situation myself. After looking, the machine housing the virtual servers does have one interface plugged into a small switch that's plugged into our dmz port.

After doing more checking I was wrong about the other devices being able to connect remotely, they cannot.

Adam Hudson · ‎09-25-2012

A co-worker pointed out the "passive-interface dmz" line in the EIGRP section of my Site A FW config. I removed this, pings worked from Site A to Site C for a limited amount of time, then quit. Back to square one.

Adam Hudson · ‎09-25-2012

So I've added a static route into my Site A router (which I shouldn't have to do because the route to my DMZ shows up on the Site A firewall just fine. For some reason the route is being communicated between the router and firewall.) and now the route for the DMZ shows up in Site B and Site C routers as well, goodie.

But, when I ping back to the DMZ from Site B and Site C the pings fail. Trace routing traces back to the Site A router, but no further. This also doesn't make any sense to me because the Site A router knows the route back to the DMZ, so why isn't traffic being pushed back over the routers connection to the DMZ?

In addition, adding that default route has interupted communication the devices in the DMZ have with the local subnet.

The mystery deepens. Any help is appreciated.

Jon Marshall · ‎09-25-2012

Adam

As requested can you post from site A/B/C router -

1) sh ip route

2) sh ip bgp

and from the ASA firewall "sh route"

If the devices hve many routes then just post the output for the specific DMZ subnet.

Can you also specify what subnet you are pinging from at the remote end ?

Jon

Adam Hudson · ‎09-26-2012

Here are the "sh ip route" and "sh ip bgp"/"sh ip eigrp neighbor" from my routers:

SiteA#sh ip rou

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 11.254.1.1 to network 0.0.0.0

207.250.33.0/28 is subnetted, 4 subnets

D EX 207.250.33.16 [170/3072] via 11.254.1.1, 7w0d, GigabitEthernet0/0

D EX 207.250.33.0 [170/3072] via 11.254.1.1, 7w0d, GigabitEthernet0/0

D EX 207.250.33.144 [170/3072] via 11.254.1.1, 7w0d, GigabitEthernet0/0

D EX 207.250.33.128 [170/3072] via 11.254.1.1, 7w0d, GigabitEthernet0/0

199.37.161.0/30 is subnetted, 4 subnets

B 199.37.161.64 [20/0] via 13.116.127.81, 1w4d

B 199.37.161.40 [20/0] via 13.116.127.81, 1w4d

B 199.37.161.48 [20/0] via 13.116.127.81, 1w4d

B 199.37.161.56 [20/0] via 13.116.127.81, 1w4d

173.226.0.0/26 is subnetted, 1 subnets

D EX 173.226.50.128 [170/3072] via 11.254.1.1, 7w0d, GigabitEthernet0/0

11.1.0.0/8 is variably subnetted, 13 subnets, 2 masks

D 11.2.2.0/24 [90/30720] via 11.253.0.2, 3d16h, FastEthernet0/3/0

C 11.2.1.0/24 is directly connected, GigabitEthernet0/1

C 11.1.1.0/24 is directly connected, GigabitEthernet0/1

B 11.8.0.0/24 [20/0] via 13.116.127.81, 7w0d

S 11.2.40.0/24 is directly connected, GigabitEthernet0/1

S 11.2.70.0/24 is directly connected, GigabitEthernet0/1

S 11.101.0.0/24 [1/0] via 11.1.1.129

S 11.101.1.0/24 [1/0] via 11.1.1.129

S 11.2.100.0/24 is directly connected, GigabitEthernet0/1

C 11.254.1.0/30 is directly connected, GigabitEthernet0/0

C 11.253.0.0/30 is directly connected, FastEthernet0/3/0

B 11.254.3.0/30 [20/0] via 13.116.127.81, 7w0d

D 11.254.2.0/30 [90/30720] via 11.253.0.2, 3d16h, FastEthernet0/3/0

12.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

C 13.116.127.80/30 is directly connected, Multilink1

B 12.38.168.0/24 [20/0] via 13.116.127.81, 7w0d

B 13.116.127.172/30 [20/0] via 13.116.127.81, 4w6d

73.0.0.0/26 is subnetted, 1 subnets

D EX 73.44.242.64 [170/3072] via 11.254.1.1, 7w0d, GigabitEthernet0/0

135.89.0.0/16 is variably subnetted, 4 subnets, 2 masks

B 135.89.152.56/29 [20/0] via 13.116.127.81, 7w0d

B 135.89.152.128/28 [20/0] via 13.116.127.81, 7w0d

B 135.89.154.152/29 [20/0] via 13.116.127.81, 7w0d

B 135.89.157.160/28 [20/0] via 13.116.127.81, 7w0d

S 193.169.222.0/24 [1/0] via 11.1.1.70

D*EX 0.0.0.0/0 [170/3072] via 11.254.1.1, 7w0d, GigabitEthernet0/0

==---==

SiteB#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 11.254.2.1 to network 0.0.0.0

207.250.33.0/28 is subnetted, 4 subnets

D EX 207.250.33.16 [170/28672] via 11.253.0.1, 3d17h, FastEthernet0/1/0

D EX 207.250.33.0 [170/28672] via 11.253.0.1, 3d17h, FastEthernet0/1/0

D EX 207.250.33.144 [170/28672] via 11.253.0.1, 3d17h, FastEthernet0/1/0

D EX 207.250.33.128 [170/28672] via 11.253.0.1, 3d17h, FastEthernet0/1/0

199.37.161.0/30 is subnetted, 4 subnets

D EX 199.37.161.64 [170/1709312] via 11.253.0.1, 3d17h, FastEthernet0/1/0

D EX 199.37.161.40 [170/1709312] via 11.253.0.1, 3d17h, FastEthernet0/1/0

D EX 199.37.161.48 [170/1709312] via 11.253.0.1, 3d17h, FastEthernet0/1/0

D EX 199.37.161.56 [170/1709312] via 11.253.0.1, 3d17h, FastEthernet0/1/0

173.226.0.0/26 is subnetted, 1 subnets

D EX 173.226.50.128 [170/28672] via 11.253.0.1, 3d17h, FastEthernet0/1/0

11.1.0.0/8 is variably subnetted, 10 subnets, 2 masks

C 11.2.2.0/24 is directly connected, FastEthernet0/1

D EX 11.2.1.0/24 [170/1709312] via 11.253.0.1, 3d17h, FastEthernet0/1/0

D EX 11.1.1.0/24 [170/1709312] via 11.253.0.1, 3d17h, FastEthernet0/1/0

D EX 11.8.0.0/24 [170/1709312] via 11.253.0.1, 3d17h, FastEthernet0/1/0

D EX 11.2.40.0/24 [170/1709312] via 11.253.0.1, 3d17h, FastEthernet0/1/0

D EX 11.2.70.0/24 [170/1709312] via 11.253.0.1, 3d17h, FastEthernet0/1/0

D 11.254.1.0/30 [90/28416] via 11.253.0.1, 3d17h, FastEthernet0/1/0

C 11.253.0.0/30 is directly connected, FastEthernet0/1/0

D EX 11.254.3.0/30 [170/1709312] via 11.253.0.1, 3d17h, FastEthernet0/1/0

C 11.254.2.0/30 is directly connected, FastEthernet0/0

12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

D EX 12.38.168.0/24 [170/1709312] via 11.253.0.1, 3d17h, FastEthernet0/1/0

D EX 13.116.127.172/30