1864 Views, 30 Helpful, 25 Replies

route problem?

suthomas1
Level 6

Hi,

I have attached a rough network diagram of our scenario.

Existing:-

A 3750 is connected to an unmanaged switch. To this unmanaged switch, there is a 3845 router and a Netscreen firewall connected. The 3750 is doing EIGRP, as is the 3845.

3750 has servers connected to it.(10.96.0.91/10.96.0.95)

There is a second unmanaged switch, to which the Netscreen firewall and Internet modem is connected.

The Netscreen is connected to both unmanaged switches.

There is an ASA firewall, which connects to the second unmanaged switch so it links to the ISP modem.

Planned change( highlighted in red):-

Aim is to remove the Netscreen firewall and insert another juniper firewall as second firewall to the existing ASA.

The Juniper SRX LAN portion connects to the first unmanaged switch (shown with a red line) and the LAN port of the Juniper SRX will be assigned an IP in the same range as 10.96.0.50.

Routing:-

Servers connected to the 3750 need to go out to some Internet-located destinations bearing IP 200.200.1.1.

The 3750 routes all traffic destined for the above and a few other Internet IPs to the 3845 router.

From the 3845, these Internet destinations are routed towards the Netscreen firewall, which then goes out via the ISP modem.

Routing for change:-

Insert routes in the 3845 router for 200.200.1.1 pointing the next hop at 10.96.0.50 (Juniper SRX firewall) and remove the old routes pointing towards the Netscreen firewall.

In the ASA, appropriate NAT rules are added for the sessions. Routes on the ASA and Juniper SRX are changed to reflect the new path accordingly.

Problem:-

Even after changing the route on the 3845, the server still goes out via the old path, i.e. the Netscreen firewall.

If netscreen is disconnected, the server doesn't communicate.

We've tested with a server connected directly behind the Juniper SRX firewall and it successfully communicates with the Internet IP 200.200.1.1 when the SRX is connected to the ASA, hence proving there is no problem along that path.

Query:-

1. Do we need to clear any ARP on any devices, considering the interconnections are via unmanaged switches?

2. What could be wrong here and how should it be made working. Any other ideas?

Appreciate all inputs. Thanks in advance!

25 Replies

Kyle McKay
Level 1

I would be interested to see the routing table on the 3845 router.

It almost sounds like there is some PBR or some other matching route taking precedence. Is that possible?

I did think along the same lines, but there is no PBR on that router.

We can see the ARP entry of the Netscreen firewall on the 3845 as well as the servers' ARP entries. The gateway for the servers is the 3845.

A static route exists on the 3845 towards the destination 200.200.1.1.

ip route 81.200.201.149 255.255.255.255 10.96.0.2

Apart from that, the router is running EIGRP:

router eigrp 21
 redistribute static metric 10000 100 255 1 1500
 network 10.0.0.0
 no auto-summary

Appreciate all help!

Abzal
Level 7

Hi,

So your goal is just replacing the Netscreen firewall with the Juniper?
If so, just connect the Juniper and assign it an IP in the same range as the Netscreen. And put a static route on the 3845 to 200.200.1.1 pointing to the Juniper. See if it works.
And the Juniper points to the ISP modem, I suppose.
Clearing ARP won't help much, because it is an L3 problem. Is the 3750 pointed to the 3845?

Sent from Cisco Technical Support iPhone App

Best regards,
Abzal

Yes, the new Juniper SRX will take its place. However, the physical connections for the new firewall will be as described in the network diagram. The new firewall will be using 10.96.0.50, the same IP subnet as the existing Netscreen.

We tried it this way and changed the route accordingly, but it doesn't work.

The server still routes via the Netscreen firewall, and if the Netscreen is disconnected, the connection doesn't work at all.

Appreciate all help

So, if I understood you correctly:

1. The 3750 is the default gateway for the servers?

2. Then on the 3750 the default route points to the 3845?

3. And from the 3845 the route to 200.200.1.1 points towards the Netscreen firewall (the one you want to replace with the Juniper)?

4. Is there any routes configured on servers?

My suggestion was: connect juniper to switch then give it IP from the same range as netscreen(not 10.96.0.50) and point to it from 3845.

And I still don't get why there is an unmanaged switch between the 3750 and the firewall/3845. Is there any goal for that?

Hope it will help.

Best regards,
Abzal

Appreciate your reply Abzal and here are the answers:-

1. No, the 3845 router is the servers' default gateway. I can see the servers' ARP entries in the 3845, learned via the ethernet0 port, which is connected to the unmanaged switch shown towards the bottom of the diagram.

2. Yes , 3750 has default route towards 3845 for the internet destinations in consideration

3. Yes,  from 3845 route to 200.200.1.1 points to netscreen firewall and this is the one which will eventually be replaced with juniper

4. No routes , as per my knowledge

I got your suggestion; correct me if I am wrong.

I did connect the Juniper to the unmanaged switch (as shown in the diagram with the red-marked connections) and it was given an IP in the same range as the Netscreen. The Netscreen currently holds an IP in the range 10.96.0.X.

So the Juniper was connected and configured with an IP in the same range.

I understand the curiosity about the unmanaged switch between the 3750 and 3845, but even I am not sure why it is in place.

It has been there for a long time, since this network was set up; I have so far not learned the reason for it.

Appreciate your valuable inputs on this!

Ok, then

Can you show output of these commands?

3845:

sh run

sh ip route

3750:

sh run

Are servers and firewalls/3845 on separate subnet? Can you tell their IP addresses?

Hope it will help.

Best regards,
Abzal


Below are the outputs; however, I have truncated them to keep them to a minimum due to the sensitivity. My apologies.

3845 sh run:

!
interface Dialer4
 no ip address
 no cdp enable
!
router eigrp 11
 redistribute static metric 10000 100 255 1 1500
 network 10.0.0.0
 no auto-summary
!
ip classless
ip route 75.66.51.21 255.255.255.255 "netscreen IP"
ip route 177.148.25.41 255.255.255.255 "netscreen IP"
ip route 200.200.1.1 255.255.255.255 "netscreen IP"
!
bridge 1 protocol dec

========================

3845 sh ip route:

S       202.76.4.2 [1/0] via "netscreen IP"
     158.13.0.0/32 is subnetted, 2 subnets
S       158.13.71.241 [1/0] via "netscreen IP"
S       200.200.1.1 [1/0] via "netscreen IP"

========================

3750 sh run:

aaa session-id common
system mtu routing 1500
vtp domain xxx
vtp mode transparent
authentication mac-move permit
udld aggressive
ip subnet-zero
no ip source-route
ip routing
ip domain-name xxx
ip name-server 10.96.0.98
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree vlan 1,2,50 root primary
spanning-tree vlan 99 root secondary
!
vlan internal allocation policy ascending
!
vlan 1
 name starting-Lan
!
vlan 2
 name Management
!
vlan 50
 name Sector
!
ip telnet source-interface Loopback0
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
!
ip ssh time-out 60
ip ssh version 2
!
ip rcmd source-interface Loopback0
!
interface Loopback0
 ip address 10.96.5.254 255.255.255.255
!
interface Port-channel1
 description portchannel GE0/47,GE0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface GigabitEthernet0/45
 description  Provider Router
 no switchport
 ip address 172.54.65.1 255.255.255.248
interface Vlan1
 description starting-Lan
 ip address 10.96.0.239 255.255.255.0
 ip helper-address 10.96.0.77
 no shut
!
interface Vlan2
 description Management
 ip address 10.96.7.61 255.255.255.192
 ip helper-address 10.96.0.77
 no shut
!
interface Vlan50
 description Sector
 ip address 10.96.1.253 255.255.255.0
 ip helper-address 10.96.0.77
 no shut
!
ip routing
!
router eigrp 11
 network 10.0.0.0
 network 172.54.0.0
 eigrp router-id 10.96.5.254
 no eigrp log-neighbor-changes
!
ip classless
no ip http server
ip http secure-server
!
ip tacacs source-interface Loopback0
!

===================================

Server IP addresses are 10.96.0.91 and 10.96.0.95.

The Netscreen IP is 10.96.0.50.

The Juniper is to be assigned an IP in the 10.96.0.X range.

The 3845 IP is 10.96.0.13.

Appreciate all help. Thanks!

Sometimes companies add unmanaged switches to connect firewalls and routers directly to them for the outside world, I guess, so I understand that, or to span the ports for monitoring purposes. I don't like the idea of doing it like this, however, and having a single point of failure.

Also, why put an ASA and then add another Juniper SRX behind it? I'm curious about the design.

Ok, a few things but it's better to test off hours if these changes are critical to the business. And I suppose Juniper is configured and connected. Is EIGRP or any routing protocol configured on Juniper?

Something to check:

What is the IP address of the default gateway configured on the servers? Is it 10.96.0.239? Is the subnet mask /24?

Best regards,
Abzal


Mohammad,

The ASA has another critical server directly connected to it, and it was actually meant to act as the first-level firewall, as I learnt from the folks here.

The Juniper is now to be put in behind the ASA to act as the second-layer firewall and to decommission the Netscreen.

Even I am curious about this, but I am not getting any definitive answers from the people here, so I left it at that.

Abzal,

Juniper is not connected. It was when we tested it last time, but due to the problems described above during testing, it was removed later on. Only static routing is running on Juniper.

The default gateway on the servers that I found was 10.96.0.13, which is the 3845's address. Yes, the mask on the servers is /24.

Thanks and really appreciate all help!

I think you can safely remove the redistribution of static routes and leave just the static routes.

on 3845:

router eigrp 11
 no redistribute static metric 10000 100 255 1 1500

ip route 75.66.51.21 255.255.255.255 "Juniper IP"
ip route 177.148.25.41 255.255.255.255 "Juniper IP"
ip route 200.200.1.1 255.255.255.255 "Juniper IP"

And traceroute from 3845 with destination 200.200.1.1.

Have a look at the routing table on one of the servers you're testing from, just to make sure.

route print

Then you could try the above commands when you are able to.

Hope it will help.

Best regards,
Abzal

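The two checks Abzal asks for above (the 3845's `sh ip route` after the static routes are repointed, and `route print` on a test server), together with the static-route and EIGRP snippet suthomas1 posted earlier, can be compared mechanically. The script below is an added example, not code from this thread: it parses constructed samples of both outputs, does a longest-prefix lookup for 200.200.1.1 on each, lists any 3845 routes still pointing at the old next hop, and flags the case where the server sends 200.200.1.1 somewhere other than its default gateway 10.96.0.13. That last case matters on a flat segment like this one (servers, 3845 and both firewalls all in 10.96.0.0/24 behind unmanaged switches): a host route of that kind can be installed on a Windows host by an ICMP redirect from the gateway router, and it keeps the traffic going to the Netscreen no matter what the 3845's table says. The Netscreen address 10.96.0.50 and gateway 10.96.0.13 come from the thread; the SRX address 10.96.0.51 and the sample table contents are assumptions.

```python
import ipaddress
import re

# Constructed sample: the 3845's "sh ip route" after the planned change. 10.96.0.50 is
# the Netscreen address from the thread; 10.96.0.51 is a hypothetical SRX address (the
# thread only says "same range"). The 75.66.51.21 route is deliberately left on the old
# next hop so the stale-route check has something to find.
IOS_SH_IP_ROUTE = """\
     75.66.51.0/32 is subnetted, 1 subnets
S       75.66.51.21 [1/0] via 10.96.0.50
     200.200.1.0/32 is subnetted, 1 subnets
S       200.200.1.1 [1/0] via 10.96.0.51
     10.0.0.0/24 is subnetted, 3 subnets
C       10.96.0.0 is directly connected, GigabitEthernet0/0
"""

# Constructed sample: IPv4 section of "route print" on server 10.96.0.91. The /32 entry
# for 200.200.1.1 sends traffic straight to 10.96.0.50, bypassing the gateway 10.96.0.13.
WINDOWS_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.96.0.13      10.96.0.91     10
        10.96.0.0    255.255.255.0         On-link       10.96.0.91    266
      200.200.1.1  255.255.255.255       10.96.0.50      10.96.0.91     11
===========================================================================
"""


def parse_ios_routes(text):
    """Parse the S/C lines of 'sh ip route' into (network, gateway, metric) tuples.
    A preceding '/N is subnetted' header supplies the mask for lines printed without one."""
    routes, mask = [], 32
    for line in text.splitlines():
        hdr = re.match(r"^\s+\S+/(\d+) is subnetted", line)
        if hdr:
            mask = int(hdr.group(1))
            continue
        m = re.match(r"^[SC]\s+(\S+)\s+(?:\[\d+/\d+\]\s+via\s+(\S+)|is directly connected)", line)
        if not m:
            continue
        prefix = m.group(1) if "/" in m.group(1) else f"{m.group(1)}/{mask}"
        gw = ipaddress.ip_address(m.group(2)) if m.group(2) else None  # None = connected
        routes.append((ipaddress.ip_network(prefix, strict=False), gw, 0))
    return routes


def parse_windows_routes(text):
    """Parse the five-column 'Active Routes' rows of 'route print'; header rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, _iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, None if gw == "On-link" else ipaddress.ip_address(gw), int(metric)))
        except ValueError:
            continue  # column header or other non-route text
    return routes


def effective_next_hop(routes, dst):
    """Longest-prefix match (lowest metric breaks ties). Returns the gateway the host
    will ARP for, or None when dst is on-link / directly connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, metric in routes:
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def stale_routes(router_routes, old_hop):
    """Prefixes on the router that still point at the decommissioned next hop."""
    old_hop = ipaddress.ip_address(old_hop)
    return sorted(str(net) for net, gw, _ in router_routes if gw == old_hop)


def server_bypasses_gateway(server_routes, router_routes, dst, default_gw):
    """Where the server and the router each send dst. 'bypass' is True when the server
    does not hand dst to its default gateway, so the router's route change never sees it."""
    server_hop = effective_next_hop(server_routes, dst)
    router_hop = effective_next_hop(router_routes, dst)
    bypass = server_hop != ipaddress.ip_address(default_gw)
    return server_hop, router_hop, bypass


if __name__ == "__main__":
    ios = parse_ios_routes(IOS_SH_IP_ROUTE)
    win = parse_windows_routes(WINDOWS_ROUTE_PRINT)
    print("3845 routes still via 10.96.0.50:", stale_routes(ios, "10.96.0.50"))
    s_hop, r_hop, bypass = server_bypasses_gateway(win, ios, "200.200.1.1", "10.96.0.13")
    print(f"server sends 200.200.1.1 to {s_hop}; 3845 sends it to {r_hop}; bypass={bypass}")
```

Run against real output, the `stale_routes` result is the list of `ip route` lines still to be repointed on the 3845, and a `bypass=True` result means the fix has to be applied on the server side as well (remove or let expire the host route and re-test), since the 3845 is never consulted for that destination.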

There are certain other devices also connected to this network , another pair of firewalls on the unmanaged switch.

however, they are used for some other business entity and are used for specific destinations not involved in our case.

Will removing the static redistribution cause any issues? I am just keen to understand how removing the redistribution here would help.

Thanks again!

If there are any other EIGRP-speaking peers besides the 3845/3750, and the Juniper will be using only static routes, you should leave it as it is without changes, because I don't see the whole picture of your network, but it's OK. I just thought the Juniper would be running EIGRP too.

Hope it will help.

Best regards,
Abzal
