04-15-2010 12:32 PM - edited 03-06-2019 10:38 AM
Greetings, here is my test setup:
INTERNET (public IP)
|
Pfsense firewall (192.168.1.1)
|
Pfsense firewall #2 (10.1.1.254)
|
Cisco 871
fa4.100 (10.1.1.1)
fa4.110 (10.1.10.1)
fa4.120 (10.1.20.1)
fa4.130 (10.1.30.1)
fa4.140 (10.1.40.1)
|
Cisco 2950
fa0/1 (vlan 100) - to pfsense fw#2
fa0/2 (vlan 100) - test pc
fa0/7 (vlan 110) - test pc
fa0/24 - TRUNK to Cisco 871
|                            |
Test PC1                     Test PC2
10.1.1.100                   10.1.10.100
255.255.255.0                255.255.255.0
10.1.1.1 (gw)                10.1.10.1 (gw)
10.1.1.254 (dns)             10.1.1.254 (dns)
The issue is Test PC1 can connect to the Internet, however Test PC2 cannot. I would like all PCs to access the Internet, then start to control resources through the use of ACLs. Below are the configs of the router and switch; both pfSense boxes are running RIP along with the 871. Please advise, and thanks ahead of time for your help. Yes, I know this is a vanilla config and there isn't much I have done in the way of security. Gotta make it work first.
Router#sh run
Building configuration...
Current configuration : 1481 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 HIDDEN
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
username admin password 0 HIDDEN
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface FastEthernet4.100
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet4.110
encapsulation dot1Q 110
ip address 10.1.10.1 255.255.255.0
!
interface FastEthernet4.120
encapsulation dot1Q 120
ip address 10.1.20.1 255.255.255.0
!
interface FastEthernet4.130
encapsulation dot1Q 130
ip address 10.1.30.1 255.255.255.0
!
interface FastEthernet4.140
encapsulation dot1Q 140
ip address 10.1.40.1 255.255.255.0
!
interface Vlan1
no ip address
!
router rip
network 10.0.0.0
network 192.168.1.0
!
ip default-gateway 10.1.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.0.0.0 255.0.0.0 10.1.1.0
ip route 192.168.1.0 255.255.255.0 10.1.1.254
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password HIDDEN
login
!
scheduler max-task-time 5000
end
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up up
FastEthernet4 unassigned YES manual up up
FastEthernet4.100 10.1.1.1 YES manual up up
FastEthernet4.110 10.1.10.1 YES manual up up
FastEthernet4.120 10.1.20.1 YES manual up up
FastEthernet4.130 10.1.30.1 YES manual up up
FastEthernet4.140 10.1.40.1 YES manual up up
Vlan1 unassigned YES unset up up
Router#sh vlans
Virtual LAN ID: 1 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: FastEthernet4
This is configured as native Vlan for the following interface(s) :
FastEthernet4
Protocols Configured: Address: Received: Transmitted:
Other 0 1466
4401 packets, 847838 bytes input
1466 packets, 549268 bytes output
Virtual LAN ID: 100 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: FastEthernet4.100
Protocols Configured: Address: Received: Transmitted:
IP 10.1.1.1 21652 22423
Other 0 67
21652 packets, 2239446 bytes input
22490 packets, 1551269 bytes output
Virtual LAN ID: 110 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: FastEthernet4.110
Protocols Configured: Address: Received: Transmitted:
IP 10.1.10.1 2498 1461
Other 0 151
2498 packets, 253466 bytes input
1612 packets, 829266 bytes output
Virtual LAN ID: 120 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: FastEthernet4.120
Protocols Configured: Address: Received: Transmitted:
IP 10.1.20.1 0 673
Other 0 5
0 packets, 0 bytes input
678 packets, 92340 bytes output
Virtual LAN ID: 130 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: FastEthernet4.130
Protocols Configured: Address: Received: Transmitted:
IP 10.1.30.1 0 675
Other 0 5
0 packets, 0 bytes input
680 packets, 92640 bytes output
Virtual LAN ID: 140 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: FastEthernet4.140
Protocols Configured: Address: Received: Transmitted:
IP 10.1.40.1 0 673
Other 0 5
0 packets, 0 bytes input
678 packets, 92320 bytes output
Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.1.10.0/24 is directly connected, FastEthernet4.110
C 10.1.1.0/24 is directly connected, FastEthernet4.100
S 10.0.0.0/8 [1/0] via 10.1.1.0
C 10.1.30.0/24 is directly connected, FastEthernet4.130
C 10.1.20.0/24 is directly connected, FastEthernet4.120
C 10.1.40.0/24 is directly connected, FastEthernet4.140
S 192.168.1.0/24 [1/0] via 10.1.1.254
S* 0.0.0.0/0 [1/0] via 192.168.1.1
Router#debug ip rip
RIP protocol debugging is on
Router#
*Mar 4 00:15:43.871: RIP: received v1 update from 10.1.1.254 on FastEthernet4.100
*Mar 4 00:15:43.871: 10.1.1.0 in 1 hops
*Mar 4 00:15:43.871: 192.168.1.0 in 1 hops
*Mar 4 00:15:47.271: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.140 (10.1.40.1)
*Mar 4 00:15:47.271: RIP: build update entries
*Mar 4 00:15:47.271: subnet 10.1.1.0 metric 1
*Mar 4 00:15:47.271: subnet 10.1.10.0 metric 1
*Mar 4 00:15:47.271: subnet 10.1.20.0 metric 1
*Mar 4 00:15:47.271: subnet 10.1.30.0 metric 1
*Mar 4 00:15:52.056: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.120 (10.1.20.1)
*Mar 4 00:15:52.056: RIP: build update entries
*Mar 4 00:15:52.056: subnet 10.1.1.0 metric 1
*Mar 4 00:15:52.056: subnet 10.1.10.0 metric 1
*Mar 4 00:15:52.056: subnet 10.1.30.0 metric 1
*Mar 4 00:15:52.056: subnet 10.1.40.0 metric 1
*Mar 4 00:15:58.728: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.110 (10.1.10.1)
*Mar 4 00:15:58.728: RIP: build update entries
*Mar 4 00:15:58.728: subnet 10.1.1.0 metric 1
*Mar 4 00:15:58.728: subnet 10.1.20.0 metric 1
*Mar 4 00:15:58.728: subnet 10.1.30.0 metric 1
*Mar 4 00:15:58.728: subnet 10.1.40.0 metric 1
*Mar 4 00:15:59.417: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.100 (10.1.1.1)
*Mar 4 00:15:59.417: RIP: build update entries
*Mar 4 00:15:59.417: subnet 10.1.10.0 metric 1
*Mar 4 00:15:59.417: subnet 10.1.20.0 metric 1
*Mar 4 00:15:59.417: subnet 10.1.30.0 metric 1
*Mar 4 00:15:59.417: subnet 10.1.40.0 metric 1
*Mar 4 00:16:00.681: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.130 (10.1.30.1)
*Mar 4 00:16:00.681: RIP: build update entries
*Mar 4 00:16:00.681: subnet 10.1.1.0 metric 1
*Mar 4 00:16:00.681: subnet 10.1.10.0 metric 1
*Mar 4 00:16:00.681: subnet 10.1.20.0 metric 1
*Mar 4 00:16:00.681: subnet 10.1.40.0 metric 1
*Mar 4 00:16:13.478: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.140 (10.1.40.1)
*Mar 4 00:16:13.478: RIP: build update entries
*Mar 4 00:16:13.478: subnet 10.1.1.0 metric 1
*Mar 4 00:16:13.478: subnet 10.1.10.0 metric 1
*Mar 4 00:16:13.478: subnet 10.1.20.0 metric 1
*Mar 4 00:16:13.478: subnet 10.1.30.0 metric 1
*Mar 4 00:16:13.870: RIP: received v1 update from 10.1.1.254 on FastEthernet4.100
*Mar 4 00:16:13.870: 10.1.1.0 in 1 hops
*Mar 4 00:16:13.870: 192.168.1.0 in 1 hops
Router#ping 10.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#ping 74.125.67.99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.67.99, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms
Switch#sh run
Building configuration...
Current configuration : 1376 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 100
switchport mode access
...
!
interface FastEthernet0/7
switchport access vlan 110
switchport mode access
!
...
!
interface FastEthernet0/24
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan100
ip address 10.1.1.2 255.255.255.0
no ip route-cache
!
ip http server
!
line con 0
line vty 5 15
!
!
end
Switch#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES unset administratively down down
Vlan100 10.1.1.2 YES manual up up
FastEthernet0/1 unassigned YES unset up up
FastEthernet0/2 unassigned YES unset up up
FastEthernet0/3 unassigned YES unset down down
FastEthernet0/4 unassigned YES unset down down
FastEthernet0/5 unassigned YES unset down down
FastEthernet0/6 unassigned YES unset down down
FastEthernet0/7 unassigned YES unset up up
FastEthernet0/8 unassigned YES unset down down
FastEthernet0/9 unassigned YES unset down down
FastEthernet0/10 unassigned YES unset down down
FastEthernet0/11 unassigned YES unset down down
FastEthernet0/12 unassigned YES unset down down
FastEthernet0/13 unassigned YES unset down down
FastEthernet0/14 unassigned YES unset down down
FastEthernet0/15 unassigned YES unset down down
FastEthernet0/16 unassigned YES unset down down
FastEthernet0/17 unassigned YES unset down down
FastEthernet0/18 unassigned YES unset down down
FastEthernet0/19 unassigned YES unset down down
FastEthernet0/20 unassigned YES unset down down
FastEthernet0/21 unassigned YES unset down down
FastEthernet0/22 unassigned YES unset down down
FastEthernet0/23 unassigned YES unset down down
FastEthernet0/24 unassigned YES unset up up
Switch#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/24 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/24 1-4094
Port Vlans allowed and active in management domain
Fa0/24 1,100,110
Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1,100,110
Switch#ping 10.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Tracing the route to 192.168.1.1
1 * * *
2 * * *
....
Test PC1 can ping anything and access the Internet (currently on this PC now).
Test PC2 can ping 10.1.10.1 and can ping 10.1.1.1 and 10.1.1.254; however, it cannot ping 192.168.1.1, nor anything on the Internet.
Again, the pfSense routers are running RIPv1 (pfSense#2 on both LAN and WAN, pfSense#1 on LAN only). Updates are being received as shown above.
If you need any further information, please let me know. Thanks again.
04-15-2010 03:36 PM
Have you checked whether the first firewall (192.168.1.1) has a route back to all the VLANs?
Are you sure there are no filters in place that would block the pings?
HTH
Victor
04-15-2010 03:54 PM
Yes on both accounts. The 192.168.1.1 router is performing RIP and I have verified the routes are being shared. From the router I can ping this router and the Internet; however, from the switch I cannot, nor from any VLAN besides 10.1.1.x. I have tried applying IPs to each VLAN and that did not change the results.
04-15-2010 04:07 PM
Interesting...
When you ping the 192 address from the Cisco router, do you run an extended ping and source it from the VLAN that cannot reach the Internet?
04-15-2010 05:26 PM
Bear with me here, making some notes:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f22.shtml
Kinda learning my way here, bear with me... a real reply is forthcoming.
04-15-2010 05:45 PM
No I was not. Here are the results:
Router#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]: 25
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 25, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.10.1
.........................
Success rate is 0 percent (0/25)
04-15-2010 05:56 PM
Well, there you have it... you have to make sure that the router has a route to the 192 network and a route to the VLAN... which we know it does.
Then you have to make sure that firewall 2 has a route to 192, which we know it does, and that it has a route back to the VLAN - that we DON'T know.
Then, you must verify that firewall 1 has a route back to the VLAN... VERIFY again.
You can't just view RIP messages going back and forth and assume that all is well. You must be able to examine the routing table for each appliance -- hop by hop -- and make sure there is the correct route entry (or entries).
HTH
Victor
04-15-2010 05:56 PM
Further info:
I tried to hit 10.1.1.254 (LAN side of pfsense#2) and was successful. So the problem is with the pfsense box?!? Maybe?
Router#ping
Protocol [ip]:
Target IP address: 10.1.1.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.1.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
04-15-2010 06:05 PM
Jim:
Please verify the routing table entries as I recommended before.
Thanks
04-15-2010 05:55 PM
Hi,
Your switch definitely cannot ping any network other than 10.1.1.0/24, as the switch doesn't have a default gateway configured.
For the router it doesn't seem like a routing issue, but it does seem like a NAT issue. Who is doing the NAT? Have you checked that there is a NAT entry for the 10.1.10.0/24 network?
Regards,
Shahal.
04-15-2010 06:01 PM
Shah:
NAT issue? He can't PING the 192 address on firewall 1 from the router when he sources the VLAN's L3 interface. How can this have anything to do with NAT?
04-15-2010 06:26 PM
lmav, I think you are right. I am working on confirming this; however, I think it might be pfSense#2 altogether. pfSense allows VLANs and I was playing with them, yet I think the issue may be the old VLAN info still cached in the routing table. I will research and confirm. But here is the info for now in case you are wondering:
On PFSENSE#2 (10.1.1.254)
# netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default REMOVED UGS 0 47394 bge1
10.1.1.0 link#1 UC 0 0 bge0
10.1.1.100 00:26:18:9f:16:c2 UHLW 1 2544 bge0 1167
gw 00:24:8c:b3:1e:f3 UHLW 1 0 lo0
10.1.10.0 10.1.1.1 UGS 0 764 bge0
10.1.20.0 10.1.1.1 UGS 0 0 bge0
10.1.30.0 10.1.1.1 UGS 0 0 bge0
10.1.40.0 10.1.1.1 UGS 0 0 bge0
localhost localhost UH 1 0 lo0
192.168.1.0 link#2 UC 0 0 bge1
REMOVED 00:1a:92:6c:77:ce UHLW 2 166 bge1 833
192.168.1.101 00:b0:d0:fe:c0:14 UHLW 1 0 bge1 1199
REMOVED localhost UGHS 0 0 lo0
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UHL lo0
fe80::%bge0 link#1 UC bge0
fe80::224:8cff:feb 00:24:8c:b3:1e:f3 UHL lo0
fe80::%bge1 link#2 UC bge1
fe80::224:8cff:feb 00:24:8c:b3:1f:c5 UHL lo0
fe80::%lo0 fe80::1%lo0 U lo0
fe80::1%lo0 link#3 UHL lo0
fe80::%vlan0 link#7 UC vlan0
fe80::224:8cff:feb 00:24:8c:b3:1e:f3 UHL lo0
fe80::%vlan1 link#8 UC vlan1
fe80::224:8cff:feb 00:24:8c:b3:1e:f3 UHL lo0
ff01:1:: link#1 UC bge0
ff01:2:: link#2 UC bge1
ff01:3:: ::1 UC lo0
ff01:7:: link#7 UC vlan0
ff01:8:: link#8 UC vlan1
ff02::%bge0 link#1 UC bge0
ff02::%bge1 link#2 UC bge1
ff02::%lo0 ::1 UC lo0
ff02::%vlan0 link#7 UC vlan0
ff02::%vlan1 link#8 UC vlan1
On PFSENSE #1 (192.168.1.1)
# netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default gw UGS 0 1126922196 bge1
10.1.1.0 192.168.1.130 UGS 0 11 bge0
10.1.10.0 192.168.1.130 UGS 0 27 bge0
10.1.20.0 192.168.1.130 UGS 0 0 bge0
10.1.30.0 192.168.1.130 UGS 0 0 bge0
10.1.40.0 192.168.1.130 UGS 0 0 bge0
localhost localhost UH 0 843070 lo0
192.168.1.0 link#1 UC 0 0 bge0
HOSTNAMEREMOVED 00:1a:92:6c:77:ce UHLW 1 462 lo0
192.168.1.10 00:00:4c:0f:79:61 UHLW 1 73 bge0 1096
192.168.1.101 00:b0:d0:fe:c0:14 UHLW 1 227367 bge0 1198
192.168.1.124 00:01:02:85:28:d5 UHLW 1 58368056 bge0 1199
192.168.1.127 00:1b:b9:a7:29:28 UHLW 1 82077 bge0 890
192.168.1.130 00:24:8c:b3:1f:c5 UHLW 6 96024 bge0 579
192.168.1.133 00:22:15:45:ce:87 UHLW 1 703883 bge0 1190
192.168.1.136 00:0c:f1:eb:17:99 UHLW 1 6517 bge0 1194
192.168.1.139 00:0d:87:a9:17:c9 UHLW 1 766386 bge0 1193
192.168.1.143 00:26:bb:68:77:bc UHLW 1 2503534 bge0 193
192.168.1.144 00:07:e9:43:9f:fa UHLW 1 1 bge0 912
192.168.1.145 00:19:db:6b:6b:3b UHLW 1 746042 bge0 1141
192.168.1.147 00:1b:b9:8b:ee:b4 UHLW 1 108508 bge0 944
192.168.1.148 00:1c:25:86:0b:67 UHLW 1 7 bge0 303
CannonBCA0B9 00:00:85:bc:a0:b9 UHLW 1 1 bge0 1104
IP REMOVED 4 SECURITY REASONS link#2 UC 0 23 bge1
gw 00:0e:38:ef:91:06 UHLW 2 91570 bge1 1199
cache1 00:e0:81:63:b1:f0 UHLW 1 23796 bge1 1142
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UHL lo0
fe80::%bge0 link#1 UC bge0
fe80::21a:92ff:fe6 00:1a:92:6c:77:ce UHL lo0
fe80::%bge1 link#2 UC bge1
fe80::21a:92ff:fe6 00:1a:92:6c:78:85 UHL lo0
fe80::%lo0 fe80::1%lo0 U lo0
fe80::1%lo0 link#5 UHL lo0
ff01:1:: link#1 UC bge0
ff01:2:: link#2 UC bge1
ff01:5:: ::1 UC lo0
ff02::%bge0 link#1 UC bge0
ff02::%bge1 link#2 UC bge1
ff02::%lo0 ::1 UC lo0
I will update ASAP & award points. Thanks for your help again and again.
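Victor's hop-by-hop advice (every device needs a route to the destination and a route back to the VLAN) can be checked mechanically. The script below is an added example, not the poster's or pfSense's code: it parses constructed excerpts of the `show ip route` and `netstat -r` tables posted in this thread and walks both legs of the 10.1.10.100 -> 192.168.1.1 flow; it assumes a bare `netstat` destination with no mask is a /24, and the function and variable names are its own.

```python
import ipaddress
import re
# Constructed excerpts of the route tables posted above (Router = 871, FW2 = 10.1.1.254, FW1 = 192.168.1.1).
ROUTER_SH_IP_ROUTE = """
C 10.1.10.0/24 is directly connected, FastEthernet4.110
C 10.1.1.0/24 is directly connected, FastEthernet4.100
S 192.168.1.0/24 [1/0] via 10.1.1.254
S* 0.0.0.0/0 [1/0] via 192.168.1.1
"""
FW2_NETSTAT = """
default REMOVED UGS 0 47394 bge1
10.1.1.0 link#1 UC 0 0 bge0
10.1.10.0 10.1.1.1 UGS 0 764 bge0
192.168.1.0 link#2 UC 0 0 bge1
"""
FW1_NETSTAT = """
default gw UGS 0 1126922196 bge1
10.1.10.0 192.168.1.130 UGS 0 27 bge0
192.168.1.0 link#1 UC 0 0 bge0
"""

IOS_RE = re.compile(r"^\s*\S+\s+(\S+/\d+)\s+(?:\[\d+/\d+\] via (\S+)|is directly connected)")

def parse_ios(text):
    """IOS `show ip route` -> [(network, next_hop)]; next_hop None = connected."""
    return [(ipaddress.ip_network(m.group(1)), m.group(2))
            for m in map(IOS_RE.match, text.splitlines()) if m]

def parse_bsd(text):
    """FreeBSD `netstat -r` -> [(network, next_hop)]; a link#N gateway = connected."""
    out = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) < 3 or "U" not in parts[2] or "H" in parts[2]:
            continue  # blank line, non-route, or host/ARP row (flag H)
        dest, gw = parts[:2]
        try:  # assumption: a bare destination with no mask in this output is a /24
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default"
                                       else dest if "/" in dest else dest + "/24")
        except ValueError:
            continue  # hostname rows such as 'localhost' carry nothing we need
        out.append((net, None if gw.startswith("link#") else gw))
    return out

def lookup(routes, address):
    """Longest-prefix match: returns (network, next_hop) or None if no route."""
    addr = ipaddress.ip_address(address)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def check_path(hops, src, dst):
    """hops = [(name, routes)] in forward order. Returns one (device, leg, prefix) per
    hop and leg: None = no route; '0.0.0.0/0' on the return leg = reply goes to the ISP."""
    results = []
    for leg, target, order in (("forward", dst, hops), ("return", src, hops[::-1])):
        for name, routes in order:
            hit = lookup(routes, target)
            results.append((name, leg, str(hit[0]) if hit else None))
    return results

HOPS = [("Router", parse_ios(ROUTER_SH_IP_ROUTE)),
        ("FW2", parse_bsd(FW2_NETSTAT)), ("FW1", parse_bsd(FW1_NETSTAT))]

if __name__ == "__main__":
    print(*check_path(HOPS, "10.1.10.100", "192.168.1.1"), sep="\n")
```

On these excerpts every hop resolves on both legs with a specific prefix rather than the default route, so the tables as posted do not by themselves explain the failure; a None or a 0.0.0.0/0 on the return leg is what a missing route back to the VLAN would look like.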
04-15-2010 06:37 PM
OK, Jim....sounds good. Verifying the routing is a first step....and you take it from there...
Victor
04-15-2010 07:29 PM
Lamav,
My reasoning was that the RIP updates to FW2 contain all the networks of the router. Also, since the 10.1.1.0 network is behind FW2, if FW1 is reaching that network it might reach the others as well (as RIP is running between them).
I just thought that FW2 might be doing the NATing, and also that FW2 might not allow untranslated packets to go through (I am not sure, I just guessed, although most firewalls allow untranslated packets to go through). If that is the case, then even the router cannot ping FW1 without the NAT entry being there. I didn't mean that routing is definitely not the cause; it can be, just that I wanted to get his attention to the NAT problem as well.
I can see that my initial guess is right, as we can see both firewalls know the way to reach the 10.1.10.0 network.
Also Jim specified that he didn't configure any security stuff, so I completely eliminated those thoughts from my decision.
Regards,
Shahal
04-15-2010 07:44 PM
"My reasoning was that the RIP updates to FW2 contain all the networks of the router. Also, since the 10.1.1.0 network is behind FW2, if FW1 is reaching that network it might reach the others as well (as RIP is running between them)."
Perhaps, but that is precisely why I asked him to verify the routing. One should take a few minutes to verify the obvious before starting what may end up being a wild goose chase. If it's not the routing, then you move on to the next possibility.
And anyway, all the routing updates show is that the router is sending the updates; it doesn't mean the firewall is accepting the routes and placing them in the routing table -- or that some routing conflict doesn't otherwise exist.
"I just thought that FW2 might be doing the NATing, and also that FW2 might not allow untranslated packets to go through (I am not sure, I just guessed, although most firewalls allow untranslated packets to go through). If that is the case, then even the router cannot ping FW1 without the NAT entry being there. I didn't mean that routing is definitely not the cause; it can be, just that I wanted to get his attention to the NAT problem as well."
I'm sorry, but I still don't get your logic.
"I can see that my initial guess is right, as we can see both firewalls know the way to reach the 10.1.10.0 network."
That remains to be seen.