blind network

Unanswered Question
Jun 7th, 2007

Location   Network/Subnet    Router/Gateway
Site A     1.150.1.0/8       1.150.1.1
Site B     192.168.1.0/24    192.168.1.1
Site C     192.168.2.0/24    192.168.2.1
Site D     192.168.3.0/24    192.168.3.1
Site E     192.168.4.0/24    192.168.4.1

We have an MPLS that connects all of these locations. The 192.168 networks have a Cisco 1721 router. The 1.150 location has a Cisco 2811 router and a PIX firewall.

All computers at any Site can ping any other computer or router at any other Site.

However none of the 192.168 routers can ping anything on the 1.150 network. But a computer behind the 192.168 router CAN ping the 1.150 network. And this is where the problem is because I am setting up an Event Log/Syslog Server at Site A and I can't get any syslog entries from the routers. I can get server logs because the servers sit behind the routers, but nothing from the actual routers since they can't see the 1.150 network.

I think it has something to do with the firewall or router at Site A but I'm not sure. Site A is corporate so the configs are more complex than the other sites. I can post the firewall and/or router config if needed.

Thanks for your input!

Jon Marshall Thu, 06/07/2007 - 12:37

Hi

Could you be a bit more specific about what can communicate with what? When you do the ping from the routers, are you doing an extended ping using the source interface of the router that connects to the internal LAN at each site, i.e. from Site B, what happens if you do an extended ping with the source interface of 192.168.1.1?

If you haven't done this and the extended ping works then you have no connectivity because the router is using its external address and I'm guessing that there is no route back.

Could you test and let us know?

Jon

dexteroc1 Thu, 06/07/2007 - 13:00

I did an extended ping and it worked. I was able to ping Site A from the other Sites but it doesn't work with the normal ping command.

So if I understand you correctly, the router is using its external address when pinging but when a ping comes from a computer on the network, it is using the local router's IP?

Jon Marshall Thu, 06/07/2007 - 13:06

Hi

Not quite. When a ping comes from the internal network then the source address will be 192.168.1.x where x is the host address of the client.

When you use extended ping from the router you are using 192.168.1.1 as the source address. Your HQ site has routes back to this 192.168.1.0/24 network so your ping works.

I need to check tomorrow at work whether you can specify the source interface when sending syslog messages. If you can't then you need to make sure that your HQ site knows how to route back to subnets on the outside interface of your router, i.e. the one connected to the MPLS network.

HTH

Jon

dexteroc1 Thu, 06/07/2007 - 13:32

Yes there are route statements in the HQ router that point back to each network and it routes them to the MPLS IP address. Every route statement for each of the networks goes to the same mpls ip.

So what would a route statement look like on the HQ router to get back to each network?

Currently on the HQ router:

ip route 192.168.1.1 255.255.255.0 mpls.ip

ip route 192.168.2.1 255.255.255.0 mpls.ip

and so on.

What would an ip route statement look like on the HQ router to get back to the outside interface of each network router?

Fernando_Meza Thu, 06/07/2007 - 16:18

Hi, as Jon mentioned, the issue you are experiencing is a routing problem and/or access problem.

Unfortunately I don't think you can specify a source IP interface for snmp traps. Basically you need to make sure that the syslog server knows how to reach the EXTERNAL INTERFACES of the remote routers. In order to do this you would need to check the routing tables on the PIX and also on the 2800 router. Also you need to make sure that your firewall allows snmp from the routers towards the internal server; you might need to configure a static NAT for your syslog server so that it is reachable from the MPLS backbone IP range. Perhaps a topology diagram will provide more info to assist you.
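
An added example, not part of the thread or written by any of its participants: Cisco IOS can source a router's own syslog messages from a chosen interface with `logging source-interface`, the syslog counterpart of the extended ping that worked above. The interface name `FastEthernet0` and the `SYSLOG_SERVER_IP` placeholder are assumptions, since the thread gives neither.

```cisco
! Added example for a branch router such as Site B (LAN address 192.168.1.1).
! FastEthernet0 is an ASSUMED name for the LAN interface.
! SYSLOG_SERVER_IP is a PLACEHOLDER for the Site A syslog server address.
!
! Without a source interface, packets the router generates itself
! (syslog, a plain "ping") carry the address of the egress interface,
! i.e. the MPLS-facing one. The thread shows Site A reaching only the
! 192.168.x.0/24 LAN subnets, which is why the plain ping fails while
! the extended ping sourced from 192.168.1.1 succeeds.
!
interface FastEthernet0
 description LAN side (assumed interface name)
 ip address 192.168.1.1 255.255.255.0
!
! Timestamp messages on the router so events can be ordered at the
! collector even if delivery is delayed.
service timestamps log datetime msec
!
! Source all syslog packets from the LAN interface address, which
! Site A already has a route back to.
logging source-interface FastEthernet0
!
! Send severity 6 (informational) and more severe to the collector.
logging trap informational
logging host SYSLOG_SERVER_IP
!
! Checks from exec mode after applying the change:
!   ping SYSLOG_SERVER_IP source FastEthernet0
!   show logging
! "show logging" lists the configured host and a count of messages
! sent to it.
```

With this in place the collector at Site A sees each branch router under its 192.168.x.1 address, so any firewall rule or alert keyed on source address should reference those LAN addresses.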
