Routing problem - can't get to third subnet

Answered Question
Nov 8th, 2007

Hello, I am having a routing problem. Everything was working and then something happened.

Thanks ahead of time for anyone attempting to read all this crap.


I have 4 networks:


10.0.1.0 in a remote location (router is 10.0.1.253)

10.0.0.0 Here, main lan (router is 10.0.0.253)

192.168.10.0 DMZ, also here.

10.1.1.0/3 for point to point t1 (serial int)


Devices are using the routers as gateways with policies directing traffic to the Internet or the t1 point to point


I also have 2 firewalls (sonicwalls) one at each location


10.0.0.254 which also hosts the DMZ on 192.168.10.1 int

10.0.1.254 at the remote location


The Sonicwalls have routes added for the remote traffic as follows:


Any 10.0.1.0/24 any 10.0.0.253 X0 (lan int)


Devices on 10.0.1.0 can no longer reach 192.168.10.0


What am I missing? I have a static route on the 10.0.1.253 router:

ip route 192.168.10.0 255.255.255.0 10.1.1.1

I have a static route on the 10.0.0.253 router:

ip route 192.168.10.0 255.255.255.0 FastEthernet0/1 10.0.0.254


This is what I get pinging from host 10.0.1.1 to the DMZ


Pinging 192.168.10.7 with 32 bytes of data:

Reply from 10.0.1.253: TTL expired in transit.
Reply from 10.0.1.253: TTL expired in transit.
Reply from 10.0.1.253: TTL expired in transit.
Reply from 10.0.1.253: TTL expired in transit.


And traceroute:


Tracing route to www.generic.com [192.168.10.7]
over a maximum of 30 hops:

1 1 ms <1 ms <1 ms 10.0.1.253
2 37 ms 1 ms <1 ms 10.0.1.253
3 1 ms 1 ms 1 ms 10.0.1.253
4 2 ms 1 ms 1 ms 10.0.1.253
5 2 ms 1 ms 1 ms 10.0.1.253




ICMP Debug on 10.0.1.253


004674: *Nov 8 09:19:19.685 CST: ICMP: redirect sent to 10.0.1.1 for dest 192.168.10.7, use gw 10.0.1.254
004675: *Nov 8 09:19:19.749 CST: ICMP: time exceeded (time to live) sent to 10.0.1.1 (dest was 192.168.10.7)
004676: *Nov 8 09:19:20.697 CST: ICMP: redirect sent to 10.0.1.1 for dest 192.168.10.7, use gw 10.0.1.254
004677: *Nov 8 09:19:20.721 CST: ICMP: time exceeded (time to live) sent to 10.0.1.1 (dest was 192.168.10.7)
004678: *Nov 8 09:19:21.713 CST: ICMP: redirect sent to 10.0.1.1 for dest 192.168.10.7, use gw 10.0.1.254
004679: *Nov 8 09:19:21.737 CST: ICMP: time exceeded (time to live) sent to 10.0.1.1 (dest was 192.168.10.7)
004680: *Nov 8 09:19:22.725 CST: ICMP: redirect sent to 10.0.1.1 for dest 192.168.10.7, use gw 10.0.1.254
004681: *Nov 8 09:19:22.753 CST: ICMP: time exceeded (time to live) sent to 10.0.1.1 (dest was 192.168.10.7)



show ip route (on 10.0.1.253)


Gateway of last resort is xxx to network 0.0.0.0

XX.0.0.0/30 is subnetted, 1 subnets
C XX.XX.XX.XX is directly connected, Serial0/1/0
S 192.168.10.0/24 [1/0] via 10.1.1.1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.1.1.0/30 is directly connected, Serial0/0/0.1
D 10.0.0.0/24 [90/3847680] via 10.1.1.1, 1d17h, Serial0/0/0.1
C 10.0.1.0/24 is directly connected, FastEthernet0/1
XX.0.0.0/27 is subnetted, 1 subnets
C XX.XXX.XXX.xXX is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via XX.XX.XX.XX


Probably something stupid I am missing; router configs are attached. Any help would be much appreciated.

Thanks!





Correct Answer by Jon Marshall about 9 years 8 months ago (Thu, 11/08/2007 - 10:51)

Hi


These are the route map statements on your 10.0.1.253 router


access-list 198 permit ip 10.0.1.0 0.0.0.255 any
access-list 199 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0
route-map ToSonicwall permit 10
 match ip address 199
 set ip default next-hop 10.1.1.1
!
route-map ToSonicwall permit 20
 match ip address 198
 set ip next-hop 10.0.1.254
 set ip default next-hop 10.0.1.254
!


Any traffic going to 192.168.10.x will match against access-list 198 and therefore be sent to the sonicwall. Policy routing will override the normal routing table, so your static is being ignored.


Easiest way to fix is to add the following line to access-list 199:


access-list 199 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255


If you do this you do not need the static route


ip route 192.168.10.0 255.255.255.0 10.1.1.1


HTH


Jon
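
The route-map evaluation described in the answer above, as an added example that is not part of the original post or of the router's configuration: a small Python model of how "set ip next-hop" and "set ip default next-hop" pick the next hop on 10.0.1.253 before and after the ACL 199 change. Assumptions: the route-map is applied to traffic arriving from the 10.0.1.0/24 LAN, the wildcard 0.0.0.255 on the first ACL 199 entry (that line is cut off on the page), and the function names, which are illustrative.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("10.0.1.0", "0.0.0.255")
DMZ = ("192.168.10.0", "0.0.0.255")
# route-map ToSonicwall: (sequence, ACL, set ip next-hop, set ip default next-hop)
ROUTE_MAP = [(10, 199, None, "10.1.1.1"), (20, 198, "10.0.1.254", "10.0.1.254")]

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0

def acls(fixed):
    """ACLs from the answer; `fixed` adds the suggested DMZ entry to ACL 199."""
    acl199 = [(LAN, ("10.0.0.0", "0.0.0.255"))]  # wildcard assumed: page line is cut off
    if fixed:
        acl199.append((LAN, DMZ))
    return {198: [(LAN, ANY)], 199: acl199}

def explicit_route(dst, with_static):
    """Longest-prefix lookup over the non-default private routes in the posted table."""
    rib = {"10.1.1.0/30": "connected", "10.0.0.0/24": "10.1.1.1",
           "10.0.1.0/24": "connected"}
    if with_static:
        rib["192.168.10.0/24"] = "10.1.1.1"
    hits = [(ipaddress.ip_network(p), nh) for p, nh in rib.items()
            if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def forward(src, dst, fixed, with_static=True):
    """Return (matched route-map sequence or None, next hop) for a LAN packet."""
    for seq, acl, next_hop, default_hop in ROUTE_MAP:
        if any(wc_match(src, *s) and wc_match(dst, *d) for s, d in acls(fixed)[acl]):
            if next_hop:  # 'set ip next-hop' wins over the routing table
                return seq, next_hop
            # 'set ip default next-hop' applies only when no explicit route exists
            return seq, explicit_route(dst, with_static) or default_hop
    return None, explicit_route(dst, with_static) or "default route"

if __name__ == "__main__":
    for fixed in (False, True):
        label = "after fix " if fixed else "before fix"
        print(label, forward("10.0.1.1", "192.168.10.7", fixed))
```

Before the change the DMZ packet falls through to sequence 20 and is handed to 10.0.1.254, which matches the ICMP redirect in the debug output; after it, sequence 10 sends it to 10.1.1.1 with or without the static route.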

jamie.mai Thu, 11/08/2007 - 11:37

Yes! That did it, obvious after you pointed it out. I don't work on this stuff that often so it falls out of my head. Thanks a lot Jon!
