01-06-2012 10:17 PM - edited 03-04-2019 02:50 PM
I have a router connected to the internet with BGP routing; my router connects to my firewall with a static route. Strangely, from outside/internet they can access my DMZ/public server, but from inside I can't ping my public server IP. I believe this is not an ACL issue but a routing issue?
INTERNET
|
|
|
ROUTER
|
|
|
FIREWALL --------- DMZ
|
|
|
CORE
my router config:
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface GigabitEthernet0/0.3628
encapsulation dot1Q 3628
ip address 192.168.129.78 255.255.255.252
no cdp enable
!
interface GigabitEthernet0/0.3629
encapsulation dot1Q 3629
ip address 192.168.129.82 255.255.255.252
no cdp enable
!
interface GigabitEthernet0/1
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
media-type rj45
no mop enabled
!
router bgp 65100
no synchronization
bgp log-neighbor-changes
network 118.97.126.0 mask 255.255.255.192
neighbor 192.168.129.77 remote-as 17974
neighbor 192.168.129.77 description LOCAL
neighbor 192.168.129.77 soft-reconfiguration inbound
neighbor 192.168.129.81 remote-as 17974
neighbor 192.168.129.81 description GLOBAL
neighbor 192.168.129.81 soft-reconfiguration inbound
no auto-summary
!
ip forward-protocol nd
ip route 10.100.0.0 255.255.224.0 118.97.126.62
ip route 118.97.126.0 255.255.255.192 118.97.126.62
ip route 172.16.0.0 255.255.0.0 118.97.126.62
ip route 192.168.0.0 255.255.0.0 118.97.126.62
ip route 192.168.100.0 255.255.255.0 118.97.126.62
my firewall config:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 118.97.126.62 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.100.2 255.255.255.252
!
interface GigabitEthernet0/2
nameif dmz
security-level 0
ip address 192.168.0.254 255.255.255.0
!
interface GigabitEthernet0/3
nameif dmz-2
security-level 0
ip address 192.168.100.254 255.255.255.0
!
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit 118.97.126.0 255.255.255.192 outside
icmp permit 172.16.0.0 255.255.0.0 inside
icmp permit 192.168.0.0 255.255.255.0 dmz
icmp permit 192.168.100.0 255.255.255.0 dmz-2
icmp permit 10.100.0.0 255.255.224.0 dmz-2
icmp permit 172.16.30.0 255.255.255.0 management
route outside 0.0.0.0 0.0.0.0 118.97.126.61 1
route inside 10.2.0.0 255.255.0.0 172.16.100.1 1
route inside 10.3.0.0 255.255.0.0 172.16.100.1 1
route inside 10.6.0.0 255.255.0.0 172.16.100.1 1
route dmz-2 10.8.8.1 255.255.255.255 192.168.100.140 1
route dmz-2 10.100.0.0 255.255.224.0 Cisco-Wifi-Gateway 1
route inside 172.16.0.0 255.255.0.0 172.16.100.1 1
01-07-2012 05:17 AM
Hi Ibrahim,
To clarify, you're trying to ping from an end-host, say a desktop PC, to your server that lives in the DMZ?
For example:
F/W-------(DMZ)------> SERVER
^
^
CORE
^
^
END-HOST
From reading the details though:
ip route 192.168.0.0 255.255.0.0 118.97.126.62
ip route 192.168.100.0 255.255.255.0 118.97.126.62
You have these static routes in place for 192.168.X.X to 118.97.126.62 and 192.168.100.X via the same IP?
Further reading suggests you're pushing those routes at your firewall, which protects your LAN and DMZ and appears to be an ASA or ASR device.
Question(s) posed:
1. Have you checked there is a route present for internal corporate users to access the DMZ?
- I'm not 100% on firewall software; however, in the IOS world it would be 'show ip route X.X.X.X' (changing X.X.X.X for the IP of the box you're trying to reach).
2. Have you put in place an ACL that permits the corporate LAN users to reach those devices within the DMZ?
-- You should be able to confirm this by seeing the hits on the ACL
3. Are you sure the firewall is correctly configured to handle the packets coming at it from both sides?
-- You would need to check this with the firewall forums to make sure it's configured properly.
4. Do you have a traceroute (tracert for Windows) from the box you're testing to the server in question? This will tell you where the issue lies, as the last hop will give you an idea of where to start looking.
Let me know how you get on.
Jeff
01-07-2012 07:51 PM
- My internal END-HOST can ping my DMZ server by its local IP (192.168.0.x & 192.168.100.x), but my end-host can't ping my DMZ server by its NAT public IP (118.97.126.x)
- My DMZ server can ping its local IP (192.168.0.x & 192.168.100.x), but my DMZ server can't ping its NAT/public IP (118.97.126.x)
- Internet users can ping my DMZ public IP
In my firewall:
route outside 0.0.0.0 0.0.0.0 118.97.126.61 1 <--- routes all IPs to the router IP
In my router:
ip route 118.97.126.0 255.255.255.192 118.97.126.62 <-- routes 118.97.126.0/26 to the firewall outside.
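The symptom set in the post above (public IP reachable from the internet, private IP reachable from inside, public IP not reachable from inside or from the DMZ itself) is the usual hairpin case on an ASA: the server is only translated between dmz and outside, so an inside host sending to 118.97.126.x is simply routed out the outside interface by the default route, the router hands it straight back to the firewall's outside address per "ip route 118.97.126.0 255.255.255.192 118.97.126.62", and the DMZ server's reply takes the direct dmz -> inside path, where it matches no connection the firewall built. The configuration below is an added example, not the poster's own config or anything from the thread. It assumes a DMZ server 192.168.0.10 published as 118.97.126.10 and an inside test host 172.16.100.10 (hypothetical addresses picked inside the subnets on the page), and, since the thread never says which ASA release is in use, shows the translation in both pre-8.3 "static" syntax and 8.3+ object NAT syntax, followed by the packet-tracer check that reports which phase drops the packet.

```cisco
! Added example, not the poster's configuration. Assumes DMZ server
! 192.168.0.10 published as 118.97.126.10 and inside host 172.16.100.10
! (hypothetical, chosen inside the subnets shown in the thread). Interface
! names outside/inside/dmz match the posted firewall config.

! --- ASA 8.2 and earlier: interface-pair static NAT ---
! Publication as usually done: translates only between dmz and outside,
! so an inside host sending to 118.97.126.10 never hits this entry.
static (dmz,outside) 118.97.126.10 192.168.0.10 netmask 255.255.255.255
! Hairpin fix: map the same public address on the inside pair as well, so
! inside -> 118.97.126.10 is translated to 192.168.0.10 towards the dmz
! interface directly and the server's reply matches that same connection.
static (dmz,inside) 118.97.126.10 192.168.0.10 netmask 255.255.255.255
! Alternative (DNS doctoring): leave routing alone and have the ASA rewrite
! A-record answers for 118.97.126.10 to 192.168.0.10 as they pass from
! outside to inside. Needs "inspect dns" in the service policy.
! static (dmz,outside) 118.97.126.10 192.168.0.10 netmask 255.255.255.255 dns

! --- ASA 8.3 and later: object NAT ---
object network DMZ-SERVER
 host 192.168.0.10
 ! "any" as the mapped interface applies the translation to traffic
 ! arriving from inside as well as from outside, which is the hairpin case.
 nat (dmz,any) static 118.97.126.10

! The posted config has outside, dmz and dmz-2 all at security-level 0, so
! traffic between them requires this; since internet -> DMZ already works,
! it is most likely already present and is shown here for completeness.
same-security-traffic permit inter-interface

! --- Checks ---
! Walk an ICMP echo from the inside host to the public address and see
! which phase (ROUTE-LOOKUP, NAT, ACCESS-LIST) drops it and on which
! egress interface the firewall would send it.
packet-tracer input inside icmp 172.16.100.10 8 0 118.97.126.10 detailed
! Confirm the translation and the connection the firewall actually built.
show xlate | include 118.97.126.10
show conn address 192.168.0.10
```

Run the packet-tracer before changing anything: on a box with only the (dmz,outside) translation it shows the packet being routed out outside, which is exactly the loop through the router that the two "route"/"ip route" lines in the posts describe; after the (dmz,inside) static or the (dmz,any) object NAT it shows NAT to 192.168.0.10 with egress dmz.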
01-07-2012 08:58 PM
So, to clarify...
118.97.126.x is your public IP and it lives on the router that is above the firewall in the diagram you drew?
This does not seem like a BGP problem at all. It seems more like an issue with your ACL/Firewall configuration. Can you provide a traceroute from both directions to see where the packets flow to?
This will tell us where the problem is and can start pointing you in the right direction.
Kind Regards,
Jeff