02-23-2021 06:11 AM
Hi,
I am trying to route traffic over to a different subnet and then out to the internet, but I have been unsuccessful at doing so.
I am not sure what I am missing.
I have a gateway configured on the Cisco (172.16.5.95/22) router pointing to my ISP router (172.16.5.21/22) - the ping between the router and the ISP router is working.
=========================================
Router#ping 172.16.5.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/6 ms
=========================================
Behind the Cisco there is a FW.
The FW and the Cisco are able to ping each other:
FW: 192.168.99.2
Cisco 192.168.99.1
=========================================
Router#ping 192.168.99.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.99.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
=========================================
The problem is when the traffic destined for 8.8.8.8 is passed to the router to go out to the internet.
Here is the routing table on the router:
=========================================
Gateway of last resort is 172.16.5.21 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.5.21
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.4.0/22 is directly connected, GigabitEthernet0/0
L 172.16.5.95/32 is directly connected, GigabitEthernet0/0
192.168.99.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.99.0/28 is directly connected, GigabitEthernet0/3
L 192.168.99.1/32 is directly connected, GigabitEthernet0/3
=========================================
Ping works from:
Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/11/12 ms
=========================================
HOWEVER, if I source it from 99.1 then it does not work:
Router#ping 8.8.8.8 source 192.168.99.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.99.1
.....
Success rate is 0 percent (0/5)
Now, my question is: why won't the ping to 8.8.8.8 work from 99.1?
Am I missing anything in the configuration?
This is a very basic configuration:
- 2 configured interfaces
- 1 default gateway pointing to the ISP router.
Any help would be appreciated.
Thank you all.
02-23-2021 06:29 AM
Hello,
The most likely reason is that your ISP router is not NATting traffic from 192.168.99.0/28. What model/brand/type is the ISP modem/router?
02-23-2021 06:57 AM - edited 02-23-2021 06:59 AM
If you want to test what Georg is saying on your router:
int gi0/0
ip address 192.168.99.1
ip nat inside
int gi0/1
ip address 172.16.5.95
ip nat outside
access-list 101 permit ip 192.168.99.0 0.0.0.255 any
ip nat inside source list 101 interface gi0/1 overload
Obviously your LAN and WAN interfaces may be something different.
Also, if the ISP is not translating your 192.168.99.x traffic then they probably won't have a route for that either.
Jon
02-23-2021 07:01 AM
Hi Georg, thank you for your response.
It's a TP link VR600.
What would be the solution to this fault?
Is there a way to send 99.0 traffic out to the internet without another NAT, as the firewall is doing NATting?
Do I need to include anything on the TPlink router?
I currently have a static route pointing to 99.0/28 network on the TPlink router.
Thank you
02-23-2021 07:07 AM
You have to do the NAT on the device with the public IP or do as suggested above.
If the firewall is doing NAT you cannot avoid more NAT, as 192.168.99.x is private addressing (as is 172.16.5.x).
Jon
02-23-2021 07:49 AM
Thank you both for your help. NATting has worked; now I am able to get out fine.
I am trying to understand why I need to NAT twice.
You're NATting a private address to another private address to get out?
02-23-2021 08:01 AM
You can ping internet IPs from the router when it is using its 172.16.5.95, which means the ISP must be translating that IP to a public IP on its router, and obviously it knows how to reach that IP.
So all you are doing is translating all 192.168.99.x IPs to 172.16.5.95 which means it works.
Jon
02-23-2021 08:07 AM
Hello @Vking02 ,
the provider gives you a private IP subnet and expects hosts to be members of it.
The final NAT on the ISP router changes your private IP address 172.16.5.x to a public routable address.
Your router converts the 192.168.99.X to its address in 172.16.5.Y making it able to go to the internet as it can be processed by the ISP router.
A static route on the ISP router is not enough.
Hope to help
Giuseppe
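To make the "why NAT twice" point concrete, here is an added Python model of the chain of NAT-overload hops described in this thread (this is illustration code written for this page, not anything from Cisco, TP-Link or the poster's lab). Each hop only translates sources inside its own LAN prefix and forwards anything else untouched, which is exactly why the ISP router lets a 192.168.99.x packet leave with a private source that no Internet host can reply to. The public address 203.0.113.10, the firewall's inside subnet 172.16.10.0/24 and the port numbers are constructed assumptions; the other addresses come from the thread.

```python
"""Model of chained NAT overload (PAT): firewall -> Cisco -> ISP router -> Internet.
Added example for this thread; addresses marked 'assumed' are not from the posts."""
import ipaddress

# Only RFC 1918 space counts as unroutable here; 203.0.113.0/24 (documentation
# range) stands in for the ISP's public address, so ipaddress.is_private is not used.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


class PatDevice:
    """One NAT-overload hop. A packet whose source is inside `inside_prefix` is
    rewritten to (outside_ip, fresh port) and the mapping is kept for the reply.
    Any other source is forwarded unchanged: that is how the ISP router treats
    192.168.99.x, because it only NATs its own 172.16.4.0/22 LAN."""

    def __init__(self, name, inside_prefix, outside_ip):
        self.name = name
        self.inside = ipaddress.ip_network(inside_prefix)
        self.outside_ip = outside_ip
        self.table = {}          # (outside_ip, port) -> (original_ip, original_port)
        self.next_port = 1024    # assumed starting port, constructed

    def outbound(self, pkt):
        src_ip, src_port, dst_ip = pkt
        if ipaddress.ip_address(src_ip) not in self.inside:
            return pkt
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(self.outside_ip, port)] = (src_ip, src_port)
        return (self.outside_ip, port, dst_ip)

    def inbound(self, reply):
        """Undo the translation for a reply addressed to (outside_ip, port)."""
        dst_ip, dst_port, src_ip = reply
        original = self.table.get((dst_ip, dst_port))
        if original is None:
            return None          # no translation state: the hop drops the reply
        return (original[0], original[1], src_ip)


def round_trip(chain, pkt):
    """Send pkt through the NAT chain to the Internet and bring the reply back.
    Returns the source the Internet host saw and who finally received the reply."""
    for dev in chain:
        pkt = dev.outbound(pkt)
    seen_src, seen_port, dst_ip = pkt
    if is_rfc1918(seen_src):     # private source leaked: no reply can be routed back
        return {"seen_by_internet": seen_src, "reply_delivered_to": None}
    reply = (seen_src, seen_port, dst_ip)
    for dev in reversed(chain):
        reply = dev.inbound(reply)
        if reply is None:
            return {"seen_by_internet": seen_src, "reply_delivered_to": None}
    return {"seen_by_internet": seen_src, "reply_delivered_to": reply[0]}


def build_lab(with_cisco_nat):
    """The thread's topology. Firewall inside subnet and the ISP's public IP are assumed."""
    fw = PatDevice("PaloAlto", "172.16.10.0/24", "192.168.99.2")   # /24 assumed
    cisco = PatDevice("Cisco", "192.168.99.0/28", "172.16.5.95")
    isp = PatDevice("ISP", "172.16.4.0/22", "203.0.113.10")        # public IP constructed
    return [fw, cisco, isp] if with_cisco_nat else [fw, isp]


if __name__ == "__main__":
    host_pkt = ("172.16.10.10", 40000, "8.8.8.8")
    print("without Cisco NAT:", round_trip(build_lab(False), host_pkt))
    print("with Cisco NAT:   ", round_trip(build_lab(True), host_pkt))
```

Running it shows the three cases from the thread: a ping sourced from 172.16.5.95 works with the ISP hop alone, a ping sourced from 192.168.99.1 reaches the Internet with a private source and gets no reply, and once the Cisco translates 192.168.99.0/28 to 172.16.5.95 the reply walks back through every translation table to the original host.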
02-25-2021 02:11 PM
Hi,
Thank you all for your response. I seem to have connectivity from the router but not from the hosts that sit behind the firewall.
The firewall is doing NATting to 192.168.99.2.
Here is my NAT config on the router:
interface FastEthernet0/0
ip address 172.16.5.96 255.255.252.0
ip nat outside
ip virtual-reassembly
duplex half
interface FastEthernet3/0
ip address 192.168.99.1 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex half
ip route 0.0.0.0 0.0.0.0 172.16.5.21
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.99.0 0.0.0.15 log
!
==================
I am able to ping out to the internet via the router.
Router#ping 8.8.8.8
*Feb 25 23:49:39.507: %SYS-5-CONFIG_I: Configured from console by console
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/13/24 ms
Router#ping 8.8.8.8 source 192.168.99.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.99.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/20 ms
The problem seems to be here: the ping is from a subnet that sits behind a firewall.
The firewall policy is working as normal.
From the host 172.16.10.10
I can only reach up to 192.168.99.1; after that, the traceroute is dropping off.
I have uploaded a screenshot of the lab if it helps to understand a little better.
Thank you
02-25-2021 02:30 PM
Remove the "log" keyword from your acl on the router.
Also, what firewall, i.e. if it is a Cisco, have you enabled ICMP stateful inspection?
Jon
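The mistakes that surfaced in this thread (both interfaces marked `ip nat inside`, an ACL wildcard that does not match the /28 on the inside interface, and the `log` keyword on the ACL that drives NAT) are all visible in the text of the config, so they can be caught before the config is pasted into a router. Below is an added Python checker written for this page (not a Cisco tool, and not the poster's own config handling) that parses the handful of IOS statements involved and reports those findings. The posted config is used as the first sample; the two other samples are constructed misconfigurations, and the parser deliberately understands only the statements shown here (it does not expand interface abbreviations such as `gi0/1`).

```python
"""Lint a Cisco IOS NAT-overload config for the pitfalls discussed in this thread.
Added example for this page; the parser covers only the statements it needs."""
import ipaddress
import re

IP_PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp"}


def parse_ios(text):
    cfg = {"interfaces": {}, "acls": {}, "nat": None, "default_route": None}
    current = None                              # interface whose sub-commands follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"access-list (\d+) (permit|deny) (.+)", line)
        if m:                                   # global: numbered standard/extended ACL
            current = None
            num, action, toks = m.group(1), m.group(2), m.group(3).split()
            if toks[0] in IP_PROTOCOLS:         # extended ACL: skip the protocol word
                toks.pop(0)
            if toks[0] == "any":
                src = ipaddress.ip_network("0.0.0.0/0")
            elif toks[0] == "host":
                src = ipaddress.ip_network(toks[1] + "/32")
            else:                               # address + wildcard; ipaddress accepts hostmasks
                src = ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False)
            cfg["acls"].setdefault(num, []).append(
                {"action": action, "src": src, "log": "log" in toks})
            continue
        m = re.fullmatch(r"ip nat inside source list (\S+) interface (\S+) overload", line)
        if m:
            current, cfg["nat"] = None, {"acl": m.group(1), "iface": m.group(2)}
            continue
        m = re.fullmatch(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m:
            current, cfg["default_route"] = None, m.group(1)
            continue
        if line.startswith(("interface ", "int ")):
            current = line.split(None, 1)[1]
            cfg["interfaces"][current] = {"addr": None, "nat": None}
            continue
        if current is None:
            continue                            # some other global command: ignore
        m = re.fullmatch(r"ip address (\S+) (\S+)", line)   # address without mask stays None
        if m:
            cfg["interfaces"][current]["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        m = re.fullmatch(r"ip nat (inside|outside)", line)
        if m:
            cfg["interfaces"][current]["nat"] = m.group(1)
    return cfg


def lint_nat(cfg):
    findings = []
    inside = [n for n, i in cfg["interfaces"].items() if i["nat"] == "inside"]
    outside = [n for n, i in cfg["interfaces"].items() if i["nat"] == "outside"]
    if not inside:
        findings.append("no interface is 'ip nat inside'")
    if not outside:
        findings.append("no interface is 'ip nat outside' (NAT needs both roles)")
    if cfg["default_route"] is None:
        findings.append("no default route: translated traffic has no exit")
    nat = cfg["nat"]
    if nat is None:
        return findings + ["missing 'ip nat inside source list ... overload'"]
    if nat["iface"].lower() not in {n.lower() for n in outside}:
        findings.append(f"overload interface {nat['iface']} is not 'ip nat outside'")
    entries = cfg["acls"].get(nat["acl"])
    if not entries:
        return findings + [f"ACL {nat['acl']} used by NAT is not defined"]
    if any(e["log"] for e in entries):
        findings.append(f"ACL {nat['acl']} carries 'log'; remove it on a NAT ACL")
    permits = [e["src"] for e in entries if e["action"] == "permit"]
    for name in inside:
        addr = cfg["interfaces"][name]["addr"]
        if addr is None:
            continue                            # no mask given, nothing to compare
        net = addr.network
        if not any(p.overlaps(net) for p in permits):
            findings.append(f"ACL {nat['acl']} does not match inside subnet {net}")
        for p in permits:
            if p != net and p.supernet_of(net):
                findings.append(f"ACL {nat['acl']} entry {p} is broader than inside subnet {net}")
    return findings


# Sample 1: the config posted in this thread.
POSTED_CONFIG = """
interface FastEthernet0/0
 ip address 172.16.5.96 255.255.252.0
 ip nat outside
interface FastEthernet3/0
 ip address 192.168.99.1 255.255.255.240
 ip nat inside
ip route 0.0.0.0 0.0.0.0 172.16.5.21
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.99.0 0.0.0.15 log
"""
# Sample 2 (constructed): the same config with a /24 wildcard on a /28 subnet, no 'log'.
BROAD_ACL_CONFIG = POSTED_CONFIG.replace("0.0.0.15 log", "0.0.0.255")
# Sample 3 (constructed): both interfaces marked inside, overload on an 'inside' port.
BOTH_INSIDE_CONFIG = """
int gi0/0
ip address 192.168.99.1
ip nat inside
int gi0/1
ip address 172.16.5.95
ip nat inside
access-list 101 permit ip 192.168.99.0 0.0.0.255 any
ip nat inside source list 101 interface gi0/1 overload
"""

if __name__ == "__main__":
    for label, cfg_text in [("posted", POSTED_CONFIG), ("broad", BROAD_ACL_CONFIG), ("both-inside", BOTH_INSIDE_CONFIG)]:
        print(label, lint_nat(parse_ios(cfg_text)))
```

On the posted config the only finding is the `log` keyword, which is the one change Jon asks for above; the constructed variants show the over-broad wildcard and the missing `ip nat outside` role being reported separately.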
02-26-2021 10:59 AM - edited 02-26-2021 11:00 AM
Hi,
It is a Palo Alto FW.
Sure, I will remove the log.
Thanks