Routing problem - can't get to third subnet

Answered Question
Nov 8th, 2007

Hello, I am having a routing problem. Everything was working and then something happened.

Thanks ahead of time for anyone attempting to read all this crap.

I have 4 networks:

10.0.1.0 in a remote location (router is 10.0.1.253)

10.0.0.0 Here, main lan (router is 10.0.0.253)

192.168.10.0 DMZ, also here.

10.1.1.0/3 for point to point t1 (serial int)

Devices are using the routers as gateways with policies directing traffic to the Internet or the t1 point to point.

I also have 2 firewalls (sonicwalls) one at each location

10.0.0.254 which also hosts the DMZ on 192.168.10.1 int

10.0.1.254 at the remote location

The Sonicwalls have routes added for the remote traffic as follows:

Any 10.0.1.0/24 any 10.0.0.253 X0 (lan int)

Devices on 10.0.1.0 can no longer reach 192.168.10.0

What am I missing? I have a static route on the 10.0.1.253 router:

ip route 192.168.10.0 255.255.255.0 10.1.1.1

I have a static route on the 10.0.0.253 router:

ip route 192.168.10.0 255.255.255.0 FastEthernet0/1 10.0.0.254

This is what I get pinging from host 10.0.1.1 to the DMZ

Pinging 192.168.10.7 with 32 bytes of data:

Reply from 10.0.1.253: TTL expired in transit.

Reply from 10.0.1.253: TTL expired in transit.

Reply from 10.0.1.253: TTL expired in transit.

Reply from 10.0.1.253: TTL expired in transit.

And traceroute:

Tracing route to www.generic.com [192.168.10.7]

over a maximum of 30 hops:

1 1 ms <1 ms <1 ms 10.0.1.253

2 37 ms 1 ms <1 ms 10.0.1.253

3 1 ms 1 ms 1 ms 10.0.1.253

4 2 ms 1 ms 1 ms 10.0.1.253

5 2 ms 1 ms 1 ms 10.0.1.253

ICMP Debug on 10.0.1.253

004674: *Nov 8 09:19:19.685 CST: ICMP: redirect sent to 10.0.1.1 for dest 192.168.10.7, use gw 10.0.1.254

004675: *Nov 8 09:19:19.749 CST: ICMP: time exceeded (time to live) sent to 10.0.1.1 (dest was 192.168.10.7)

004676: *Nov 8 09:19:20.697 CST: ICMP: redirect sent to 10.0.1.1 for dest 192.168.10.7, use gw 10.0.1.254

004677: *Nov 8 09:19:20.721 CST: ICMP: time exceeded (time to live) sent to 10.0.1.1 (dest was 192.168.10.7)

004678: *Nov 8 09:19:21.713 CST: ICMP: redirect sent to 10.0.1.1 for dest 192.168.10.7, use gw 10.0.1.254

004679: *Nov 8 09:19:21.737 CST: ICMP: time exceeded (time to live) sent to 10.0.1.1 (dest was 192.168.10.7)

004680: *Nov 8 09:19:22.725 CST: ICMP: redirect sent to 10.0.1.1 for dest 192.168.10.7, use gw 10.0.1.254

004681: *Nov 8 09:19:22.753 CST: ICMP: time exceeded (time to live) sent to 10.0.1.1 (dest was 192.168.10.7)

show ip route (on 10.0.1.253)

Gateway of last resort is xxx to network 0.0.0.0

XX.0.0.0/30 is subnetted, 1 subnets

C XX.XX.XX.XX is directly connected, Serial0/1/0

S 192.168.10.0/24 [1/0] via 10.1.1.1

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

C 10.1.1.0/30 is directly connected, Serial0/0/0.1

D 10.0.0.0/24 [90/3847680] via 10.1.1.1, 1d17h, Serial0/0/0.1

C 10.0.1.0/24 is directly connected, FastEthernet0/1

XX.0.0.0/27 is subnetted, 1 subnets

C XX.XXX.XXX.xXX is directly connected, FastEthernet0/0

S* 0.0.0.0/0 [1/0] via XX.XX.XX.XX

Probably something stupid I am missing; router configs are attached. Any help would be much appreciated.

Thanks!

Correct Answer
Jon Marshall Thu, 11/08/2007 - 10:51

Hi

These are the route map statements on your 10.0.1.253 router

access-list 198 permit ip 10.0.1.0 0.0.0.255 any

access-list 199 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0

route-map ToSonicwall permit 10

match ip address 199

set ip default next-hop 10.1.1.1

!

route-map ToSonicwall permit 20

match ip address 198

set ip next-hop 10.0.1.254

set ip default next-hop 10.0.1.254

!

Any traffic going to 192.168.10.x will match against access-list 198 and therefore be sent to the sonicwall. Policy routing will override the normal routing table so your static is being ignored.

Easiest way to fix is to add the following line to access-list 199

access-list 199 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255

If you do this you do not need the static route

ip route 192.168.10.0 255.255.255.0 10.1.1.1

HTH

Jon
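
The route-map evaluation described in the answer above, modelled in Python as an added example (not code from the thread or from Cisco). It shows why DMZ-bound traffic was steered to 10.0.1.254 before the ACL change and where it goes afterwards, with and without the static route. Assumptions: the truncated wildcard in access-list 199 is taken as 0.0.0.255, the route-map is applied to the LAN interface, and the function and variable names are illustrative.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild_match(addr, net, wild):
    # Cisco wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    return ((ip(addr) ^ ip(net)) & ~ip(wild) & 0xFFFFFFFF) == 0

def acl_permits(entries, src, dst):
    # Extended ACL of permit lines; no match means implicit deny.
    return any(wild_match(src, sn, sw) and wild_match(dst, dn, dw)
               for sn, sw, dn, dw in entries)

def explicit_route(routes, dst):
    # Longest-prefix match over non-default routes; None if only 0.0.0.0/0 applies.
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes
            if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def forward(route_map, acls, routes, src, dst):
    # Returns (who decided, next hop) for a packet entering the policy-routed interface.
    for seq, acl_id, next_hop, default_next_hop in route_map:
        if not acl_permits(acls[acl_id], src, dst):
            continue                      # fall through to the next route-map entry
        if next_hop:                      # "set ip next-hop" overrides the routing table
            return ("route-map %d" % seq, next_hop)
        route = explicit_route(routes, dst)
        if route:                         # "set ip default next-hop" yields to explicit routes
            return ("routing table", route)
        return ("route-map %d default" % seq, default_next_hop)
    return ("routing table", explicit_route(routes, dst) or "default route")

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("10.0.1.0", "0.0.0.255")
ACLS_BEFORE = {
    198: [LAN + ANY],
    199: [LAN + ("10.0.0.0", "0.0.0.255")],   # wildcard assumed; truncated on the page
}
ACLS_AFTER = dict(ACLS_BEFORE)
ACLS_AFTER[199] = ACLS_BEFORE[199] + [LAN + ("192.168.10.0", "0.0.0.255")]  # the added line
ROUTE_MAP = [(10, 199, None, "10.1.1.1"), (20, 198, "10.0.1.254", "10.0.1.254")]
ROUTES = [("192.168.10.0/24", "10.1.1.1"), ("10.0.0.0/24", "10.1.1.1"),
          ("10.1.1.0/30", "connected"), ("10.0.1.0/24", "connected")]
NO_STATIC = ROUTES[1:]                        # same table without the 192.168.10.0/24 static

if __name__ == "__main__":
    for label, acls, routes in [("before", ACLS_BEFORE, ROUTES), ("after", ACLS_AFTER, ROUTES),
                                ("after, no static", ACLS_AFTER, NO_STATIC)]:
        print(label, forward(ROUTE_MAP, acls, routes, "10.0.1.1", "192.168.10.7"))
```

The "before" result matches the ICMP redirect in the debug output (use gw 10.0.1.254); a catch-all ACL in a later route-map entry silently captures any destination not listed in an earlier one, which is worth checking whenever a new subnet such as a DMZ is added.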

jamie.mai Thu, 11/08/2007 - 11:37

Yes! That did it, obvious after you pointed it out. I don't work on this stuff that often so it falls out of my head. Thanks a lot Jon!
