Cisco 2821 - routing issue to inside LAN

Apr 7th, 2009

On April 3rd, I posted a message entitled: Routing, Cisco 2821, problems with copy tftp. Laurent responded correctly, saying that I had to tell the router which interface to use for tftp. I have a similar issue with another site. I have an IPSEC tunnel to the site in question from a head office. The tunnel allows all IP traffic from the 10.1.150.0/24 subnet at the head office to the 192.168.100.0/24 subnet at the remote site. The edge device at the remote site (a Juniper firewall) is directly connected to a Cisco 2821 whose config I attached to this conversation. From the head office I can telnet to the Juniper-facing interface of the Cisco 2821 (192.168.100.21). Going inside the network is a 3750 in IP routing mode and another 2821 (whose interfaces are in the 192.168.100.0/24 subnet) that I want to telnet to. Now, the inside-facing interface of the first 2821 is 192.168.100.6. If I run a traceroute to this IP address from the corp office, the route shows that it hits the Juniper Internet interface and then goes back out to the Internet, not inside to the 2821. This is very puzzling; shouldn't there be an entry for the 2821 in the traceroute output?

murray-davis Tue, 04/07/2009 - 08:43

I forgot to mention. I re-checked the phase 2 rules and ACLs on the IPSEC tunnel to make sure that they are configured correctly, they are. So, I am confident that it is not a tunnel/firewall issue, but an issue arising from the config on the 2821. But again, I am not certain, since the traceroute should have touched the Juniper-facing interface of the 2821.

Here is the traceroute (sanitized):

C:\>tracert 192.168.100.21

Tracing route to 192.168.100.21 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.1.1.2 --- Corp firewall's inside interface

2 11 ms 9 ms 10 ms [1.2.3.4] --- Juniper's Internet interface at remote site.

3 12 ms 10 ms 10 ms 192.168.100.21 --- The Juniper facing interface of the 2821.

Trace complete.

C:\>tracert 192.168.100.6

Tracing route to 192.168.100.6 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 10.1.1.2

2 13 ms 10 ms 9 ms [1.2.3.4] --- Juniper's Internet interface at remote site

3 10 ms 9 ms 13 ms [1.2.3.5] --- The Internet router connected to the Juniper's Internet Interface

4 17 ms 18 ms 28 ms 5.4.3.1 --- The ISP's next hop.

5 * * * Request timed out.

6 * ^C

Cisco 2821, three interfaces:

gig0/0/0 - 192.168.100.6, facing the inside LAN

gig0/1 - 192.168.100.17, facing a MetroNet

gig0/0 - 192.168.100.21, facing the Juniper

murray-davis Tue, 04/07/2009 - 09:28

I seem to be answering my own question. I looked at the config on the Juniper. There was no route to 192.168.100.0/24 with the DG of 192.168.100.21. Telnet to 192.168.100.21 works because that interface is directly connected, no route is needed. So, the solution was to add the route. That now makes sense as to why the traceroute did not touch the 2821...there was no route, so it just bounced back out the Juniper's DG.
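The forwarding decision murray-davis describes (the Juniper matching 192.168.100.6 only against its default route until a more specific route is added) is plain longest-prefix match. The script below is an added illustration, not part of the thread or of any vendor's code: it models the Juniper's routing table before and after the fix and shows which next hop each destination resolves to, plus a sanity check that a static route's next hop actually lies inside a connected network. The /30 mask on the Juniper-to-2821 link (192.168.100.20/30), the 1.2.3.4/30 Internet link and the interface names "inside" and "untrust" are assumptions; the thread only gives the addresses.

```python
"""Longest-prefix-match walk-through of the Juniper's routing decision (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None means directly connected
    interface: str


def lookup(rib: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rib if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def describe(route: Optional[Route]) -> str:
    """Human-readable forwarding decision, i.e. what the next traceroute hop will be."""
    if route is None:
        return "unreachable"
    if route.next_hop is None:
        return f"connected via {route.interface}"
    return f"via {route.next_hop} on {route.interface}"


def unresolvable(rib: List[Route]) -> List[Route]:
    """Static routes whose next hop is not inside any connected prefix.

    192.168.100.0/24 via 192.168.100.21 only forwards traffic if .21 sits on a
    network the firewall is itself connected to; otherwise the route is
    installed but useless.
    """
    connected = [r.prefix for r in rib if r.next_hop is None]
    return [
        r for r in rib
        if r.next_hop is not None and not any(r.next_hop in c for c in connected)
    ]


# Routing table as the thread implies it looked BEFORE the fix.
# Assumed (not stated in the thread): the Juniper-to-2821 link is
# 192.168.100.20/30, the Internet link is 1.2.3.4/30, and the interfaces
# are named "inside" and "untrust".
BEFORE: List[Route] = [
    Route(ipaddress.ip_network("192.168.100.20/30"), None, "inside"),
    Route(ipaddress.ip_network("1.2.3.4/30"), None, "untrust"),
    Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("1.2.3.5"), "untrust"),
]

# The route that was added: the rest of 192.168.100.0/24 lives behind the 2821.
FIX = Route(ipaddress.ip_network("192.168.100.0/24"),
            ipaddress.ip_address("192.168.100.21"), "inside")
AFTER: List[Route] = BEFORE + [FIX]


def decisions(rib: List[Route],
              targets=("192.168.100.21", "192.168.100.6")) -> Dict[str, str]:
    """Forwarding decision for each target, keyed by destination address."""
    return {t: describe(lookup(rib, t)) for t in targets}


if __name__ == "__main__":
    for name, rib in (("before", BEFORE), ("after", AFTER)):
        print(name)
        for dst, decision in decisions(rib).items():
            print(f"  {dst:<16} {decision}")
        bad = unresolvable(rib)
        if bad:
            print("  WARNING: routes with unreachable next hop:", bad)
```

Before the fix, 192.168.100.21 is covered by the connected /30 while 192.168.100.6 matches nothing but 0.0.0.0/0, so it is handed to 1.2.3.5, which is exactly hop 3 of the second tracert. After the fix the /24 covers .6, and .21 still resolves to the connected /30 because the longer prefix wins. The `unresolvable` check is worth running on any firewall with a subnetted 192.168.100.0/24: a typo in the next hop produces a route that looks fine in the config but never forwards.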
