08-08-2009 08:46 PM - edited 03-06-2019 07:09 AM
Help with routing issues.
Presently a new router is in place which connects to a firewall, which then connects to the internet.
The router is configured with four VLANs, but only two subnets are allowed to access the internet. VLAN 100 and VLAN 200 are just for managing the network's internal switches, and their gateway or next hop is the firewall interface.
On the other hand, the other two VLANs, 400 and 401, are allowed to go to the internet using the firewall.
The firewall serves as the next hop for these two VLANs. Therefore, there are static routes on the firewall that match any traffic coming from VLAN 400 and 401 to the firewall interfaces used to go out.
Here is a brief view of the router configuration.
My issue is that only one of the VLANs, 401, is working properly. The second VLAN, 400, only reaches the firewall and passes the firewall. But internet traffic and/or email does not work. Only the ping command executed against a www address seems to respond.
interface Vlan1
description Management VLAN
ip address 10.1.1.1 255.255.255.0
no ip redirects
standby 1 ip 10.1.1.254
standby 1 priority 120
standby 1 preempt
!
interface Vlan100
description Academic-Network
ip address 10.31.1.194 255.255.255.192
no ip redirects
!
interface Vlan200
description Administrative-Network
ip address 10.31.1.130 255.255.255.192
no ip redirects
!
interface Vlan301
description WAP-Clients
no ip address
no ip redirects
!
interface Vlan400
description Academic Network
ip address 10.5.50.1 255.255.255.0
no ip redirects
!
interface Vlan401
description administrative-network
ip address 10.5.27.254 255.255.255.0
ip helper-address 10.5.27.3
no ip redirects
standby 1 ip 10.5.27.1
standby 1 priority 120
standby 1 preempt
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.129
!
ip access-list extended wlan
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq domain
permit udp any any eq domain
!
08-08-2009 09:39 PM
Hi,
Can you post your firewall config?
Make sure that you have defined NAT statements for both subnets.
Thanks
Mahmood
08-09-2009 06:29 AM
The firewall's two interfaces for the internal subnets are:
ip address 10.31.1.194 255.255.255.192
ip address 10.31.1.130 255.255.255.192
Then, there are two static routes:
static route add -net 10.31.1.194 10.5.50.1
static route add -net 10.31.1.130 10.5.27.1
Inside the router, the two VLANs 400 and 401 need to connect to the two interfaces on the firewall. However, the traffic is only moving through VLAN 401.
My impression is that I'm missing a routing line on the router that allows traffic from VLAN 400 to connect to the firewall and internet. I have noticed that only the router can ping the firewall interface. The clients cannot reach the firewall interface.
thanks
08-09-2009 09:05 AM
Can you send the output of "sh ip route" on the router and "sh route" on the firewall, along with "sh ip int br" and the output of an extended ping from the router to the firewall with the source set to VLAN 401 and VLAN 400?
Regards
08-09-2009 12:34 PM
I will send you the rest of the outputs. So far I can only provide the router.
sh ip route
Gateway of last resort is 10.31.1.129 to network 0.0.0.0
10.31.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 10.31.1.128/26 is directly connected, Vlan200
C 10.31.1.0/24 is directly connected, Vlan300
C 10.31.1.192/26 is directly connected, Vlan100
10.0.0.0/8 is variably subnetted, 5 subnets, 4 masks
C 10.5.12.1/32 is directly connected, Loopback0
146.186.0.0/24 is subnetted, 2 subnets
C 10.5.50.0 is directly connected, Vlan400
C 10.5.27.0 is directly connected, Vlan401
--More--
From VLAN 400:
Pinging 10.31.1.193 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
From VLAN 401:
Pinging 10.31.1.129 with 32 bytes of data:
Reply from 10.31.1.129: bytes=32 time=18ms TTL=63
Reply from 10.31.1.129: bytes=32 time=1ms TTL=63
Reply from 10.31.1.129: bytes=32 time=16ms TTL=63
Reply from 10.31.1.129: bytes=32 time=1ms TTL=63
08-09-2009 03:23 PM
Just a small correction: in the router "sh ip route" output, it shows a subnet that looks similar to VLAN 100 and 400. This has been corrected. However, the issue still persists.
thanks
08-10-2009 04:48 AM
Here is the firewall information:
default gateway 128.118.102.161
10.5.27.0/24 ---- 10.31.1.130
10.5.50.0/24 ---- 10.31.1.194
08-10-2009 11:41 PM
If the router can reach the firewall but not the clients, the reason could be as follows:
1) Check the subnet mask for the interface; you can reach it only from that particular subnet and not from another subnet.
2) Try adding a route for that subnet; if that does not help, troubleshoot what is wrong with the subnet mask.
If the above does not rectify it, please paste the traceroute command output from both the router and the firewall.
08-11-2009 03:32 AM
Hi,
I think the issue has been resolved. The ip default-route (router) was pointing to one of the firewall interfaces. This situation works just fine for only one of the subnets configured as a static route on the firewall and the subnet in the router.
After changing the static route on the firewall to point to the router's ip default-network, all subnets started to work.
Do you know if the Cisco 6509 supports more than one ip default-route?
thanks
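The resolution above comes down to path symmetry through a stateful firewall: the router's single default route sends both VLANs to the firewall interface in the 10.31.1.128/26 subnet, while the firewall's posted static routes send replies for 10.5.50.0/24 back through its other inside interface. The script below is an added example (not from the thread or any Cisco tool) that models both routing tables with longest-prefix matching and reports whether each VLAN's outbound and return legs use the same firewall interface. It assumes the firewall's inside addresses are the hosts the poster pinged (10.31.1.129 and 10.31.1.193), uses a constructed internet destination (203.0.113.5), and treats "point both firewall routes at 10.31.1.130" as one reading of the fix described in the post.

```python
"""Check firewall path symmetry for the VLAN 400/401 routing problem.

Added example: models the router and firewall tables from the thread and
flags VLANs whose outbound and return legs hit different firewall interfaces,
which stateful inspection typically drops.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Router interfaces and connected networks, taken from the posted config.
ROUTER_IFACES: Dict[str, str] = {
    "Vlan1": "10.1.1.1/24",
    "Vlan100": "10.31.1.194/26",
    "Vlan200": "10.31.1.130/26",
    "Vlan400": "10.5.50.1/24",
    "Vlan401": "10.5.27.254/24",
}
# "ip route 0.0.0.0 0.0.0.0 10.31.1.129" from the posted config.
ROUTER_STATIC: List[Tuple[str, str]] = [("0.0.0.0/0", "10.31.1.129")]

# Firewall inside interfaces: ASSUMED to be the addresses the poster pinged;
# the thread never prints the firewall's own interface addresses.
FW_IFACES: Dict[str, str] = {
    "inside-vlan200": "10.31.1.129/26",
    "inside-vlan100": "10.31.1.193/26",
}
# Firewall static routes as posted on 08-10-2009.
FW_STATIC_BEFORE: List[Tuple[str, str]] = [
    ("10.5.27.0/24", "10.31.1.130"),
    ("10.5.50.0/24", "10.31.1.194"),
]
# ASSUMED reading of the 08-11-2009 fix: both routes point at the router
# interface that shares a subnet with the router's default next hop.
FW_STATIC_AFTER: List[Tuple[str, str]] = [
    ("10.5.27.0/24", "10.31.1.130"),
    ("10.5.50.0/24", "10.31.1.130"),
]

# Constructed public destination (RFC 5737 documentation range), stands in for "www".
INTERNET_HOST = "203.0.113.5"


def iface_for(addr: str, ifaces: Dict[str, str]) -> Optional[str]:
    """Name of the interface whose connected subnet contains addr, else None."""
    ip = ipaddress.ip_address(addr)
    for name, cidr in ifaces.items():
        if ip in ipaddress.ip_interface(cidr).network:
            return name
    return None


def next_hop(dest: str, ifaces: Dict[str, str],
             static: List[Tuple[str, str]]) -> Tuple[str, Optional[str]]:
    """Longest-prefix-match lookup.

    Returns (egress interface, next-hop address); next hop is None when the
    destination is on a directly connected subnet.
    """
    ip = ipaddress.ip_address(dest)
    best = None  # (prefixlen, egress iface, next hop)
    for name, cidr in ifaces.items():
        net = ipaddress.ip_interface(cidr).network
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name, None)
    for prefix, nh in static:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            egress = iface_for(nh, ifaces)
            if egress is None:
                raise ValueError(f"next hop {nh} is not on a connected subnet")
            best = (net.prefixlen, egress, nh)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1], best[2]


def firewall_path_symmetry(client: str, internet_host: str,
                           fw_static: List[Tuple[str, str]]) -> Tuple[str, str, bool]:
    """Return (firewall ingress iface outbound, firewall egress iface on return, symmetric?)."""
    # Outbound leg: the router forwards to its next hop; the firewall receives
    # the packet on the interface that owns that next-hop subnet.
    _, router_nh = next_hop(internet_host, ROUTER_IFACES, ROUTER_STATIC)
    fw_in = iface_for(router_nh, FW_IFACES)
    # Return leg: the firewall routes the reply back toward the client.
    fw_out, _ = next_hop(client, FW_IFACES, fw_static)
    return fw_in, fw_out, fw_in == fw_out


if __name__ == "__main__":
    for label, table in (("before fix", FW_STATIC_BEFORE), ("after fix", FW_STATIC_AFTER)):
        for vlan, client in (("Vlan400", "10.5.50.10"), ("Vlan401", "10.5.27.10")):
            fw_in, fw_out, ok = firewall_path_symmetry(client, INTERNET_HOST, table)
            state = "symmetric" if ok else "ASYMMETRIC (stateful firewall will drop TCP)"
            print(f"{label:10} {vlan}: out via {fw_in}, back via {fw_out} -> {state}")
```

Running it shows VLAN 401 symmetric in both tables and VLAN 400 asymmetric only with the posted firewall routes, which matches the symptom in the thread (ICMP answered, TCP sessions failing) and the reason the change on the firewall side, rather than a second default route on the router, fixed it.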
08-11-2009 06:02 AM
That's really great.
As per my understanding, it does not support that.