routing issues

par13
Level 1

Help with routing issues.

Presently a new router is in place which connects to a firewall, which then connects to the internet.

The router is configured with four VLANs, but only two subnets are allowed to access the internet. VLAN 100 and VLAN 200 are just for managing the network's internal switches, and their gateway or next hop is the firewall interface.

On the other hand, the other two VLANs, 400 and 401, are allowed to go to the internet using the firewall.

The firewall serves as the next hop for these two VLANs. Therefore, there are static routes on the firewall that match any traffic coming from VLAN 400 and 401 to the firewall interfaces used to go out.

Here is a brief view of the router configuration.

My issue is that only one of the VLANs, 401, is working properly. The second VLAN, 400, only reaches the firewall and passes the firewall. But internet traffic and/or email does not work. Only the ping command executed against a www address seems to respond.

interface Vlan1
 description Management VLAN
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 standby 1 ip 10.1.1.254
 standby 1 priority 120
 standby 1 preempt
!
interface Vlan100
 description Academic-Network
 ip address 10.31.1.194 255.255.255.192
 no ip redirects
!
interface Vlan200
 description Administrative-Network
 ip address 10.31.1.130 255.255.255.192
 no ip redirects
interface Vlan301
 description WAP-Clients
 no ip address
 no ip redirects
!
interface Vlan400
 description Academic Network
 ip address 10.5.50.1 255.255.255.0
 no ip redirects
!
interface Vlan401
 description administrative-network
 ip address 10.5.27.254 255.255.255.0
 ip helper-address 10.5.27.3
 no ip redirects
 standby 1 ip 10.5.27.1
 standby 1 priority 120
 standby 1 preempt
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.129
!
ip access-list extended wlan
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq domain
 permit udp any any eq domain
!

9 Replies

mahmoodmkl
Level 7

Hi,

Can you post your firewall config?

Make sure that you have defined NAT statements for both the subnets.

Thanks

Mahmood

The firewall's two interfaces for the internal subnets are:

ip address 10.31.1.194 255.255.255.192
ip address 10.31.1.130 255.255.255.192

Then, there are two static routes:

static route add -net 10.31.1.194 10.5.50.1
static route add -net 10.31.1.130 10.5.27.1

Inside the router the two VLANs, 400 and 401, need to connect to the two interfaces on the firewall. However, the traffic is only moving through VLAN 401.

My impression is that I'm missing a routing line on the router that allows traffic from VLAN 400 to connect to the firewall and internet. I have noticed only the router can ping the firewall interface. The clients cannot reach the firewall interface.

thanks

Hitesh Vinzoda
Level 4

Can you send the output of "sh ip route" of the router and "sh route" of the firewall, along with "sh ip int br" and the output of an extended ping from the router to the firewall with the source as VLAN 401 and VLAN 400.

Regards

I will send you the rest of the outputs. So far I can only provide the router.

sh ip route
Gateway of last resort is 10.31.1.129 to network 0.0.0.0
     10.31.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       10.31.1.128/26 is directly connected, Vlan200
C       10.31.1.0/24 is directly connected, Vlan300
C       10.31.1.192/26 is directly connected, Vlan100
     10.0.0.0/8 is variably subnetted, 5 subnets, 4 masks
C       10.5.12.1/32 is directly connected, Loopback0
     146.186.0.0/24 is subnetted, 2 subnets
C       10.5.50.0 is directly connected, Vlan400
C       10.5.27.0 is directly connected, Vlan401
 --More--

From VLAN 400:

Pinging 10.31.1.193 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

From VLAN 401:

Pinging 10.31.1.129 with 32 bytes of data:
Reply from 10.31.1.129: bytes=32 time=18ms TTL=63
Reply from 10.31.1.129: bytes=32 time=1ms TTL=63
Reply from 10.31.1.129: bytes=32 time=16ms TTL=63
Reply from 10.31.1.129: bytes=32 time=1ms TTL=63

Just a small correction: in the router sh ip route output, it shows a subnet that looks similar to VLAN 100 and 400. This has been corrected. However, the issue still persists.

thanks

par13
Level 1

Here is the firewall information:

default gateway 128.118.102.161
10.5.27.0/24 ---- 10.31.1.130
10.5.50.0/24 ---- 10.31.1.194

If the router can reach the firewall but not the clients, the reason could be as follows:

1) Check the subnet mask for the interface; you can reach it only from the particular subnet and not from another subnet.

2) Try adding a route for that subnet; if not, troubleshoot what is wrong with the subnet mask.

If the above does not rectify it, please paste the traceroute command output from both the router as well as the firewall.

Hi,

I think the issue has been resolved. The ip default-route (router) was pointing to one of the firewall interfaces. This situation works just fine for only one of the subnets configured as a static route on the firewall and the subnet in the router.

After changing the static route on the firewall to point to the router ip default-network, all subnets started to work.

Do you know if the Cisco 6509 supports more than one ip default-route?

thanks

That's really great.

As per my understanding, it does not support it.
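The resolution above is a classic asymmetric-routing failure: the router's single default route sends VLAN 400 traffic to the firewall's VLAN 200-side interface, while the firewall's static route for 10.5.50.0/24 returns it via the VLAN 100 side, so a stateful firewall sees only one direction of each TCP flow and drops it, which is why ping could succeed while web and email did not. As an added example (not code from the thread), this Python model applies longest-prefix matching to the two routing tables as posted and reports which firewall interface the forward path enters and which one the reply leaves, before and after the fix the thread reports; it assumes from the ping targets that the firewall's inside addresses are 10.31.1.129 and 10.31.1.193, and uses 8.8.8.8 as a constructed internet destination.

```python
import ipaddress

# Constructed model of the thread's topology (illustration, not the poster's exact tables).
# Firewall inside interfaces: assumed from the thread's ping targets.
FW_IFACES = {"inside-200": "10.31.1.129/26", "inside-100": "10.31.1.193/26"}

# Router: "ip route 0.0.0.0 0.0.0.0 10.31.1.129" from the posted config.
ROUTER_ROUTES = {"0.0.0.0/0": "10.31.1.129"}
# Firewall static routes as posted (client prefix -> router next hop).
FW_ROUTES_BEFORE = {"10.5.27.0/24": "10.31.1.130", "10.5.50.0/24": "10.31.1.194"}
# The fix the thread reports: both return routes point at the router address
# that sits on the same transit subnet as the router's default route.
FW_ROUTES_AFTER = {"10.5.27.0/24": "10.31.1.130", "10.5.50.0/24": "10.31.1.130"}

def lpm(table, dst):
    """Longest-prefix match over {prefix: next_hop}; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p in table if addr in ipaddress.ip_network(p)),
               key=lambda net: net.prefixlen, default=None)
    return table[str(best)] if best is not None else None

def owning_iface(ifaces, ip):
    """Name of the interface whose subnet contains ip, or None."""
    for name, cidr in ifaces.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_interface(cidr).network:
            return name
    return None

def path_symmetry(router_routes, fw_routes, client_ip, internet_ip="8.8.8.8"):
    """Return (forward_fw_iface, return_fw_iface) for client -> internet -> client."""
    # Forward: router's default route hands the packet to a firewall inside address.
    fwd_if = owning_iface(FW_IFACES, lpm(router_routes, internet_ip))
    # Return: firewall looks up the client prefix; the reply leaves the interface
    # whose subnet contains that next hop.
    ret_if = owning_iface(FW_IFACES, lpm(fw_routes, client_ip))
    return fwd_if, ret_if

def is_symmetric(router_routes, fw_routes, client_ip):
    fwd_if, ret_if = path_symmetry(router_routes, fw_routes, client_ip)
    return fwd_if == ret_if

if __name__ == "__main__":
    for client in ("10.5.50.10", "10.5.27.10"):
        for label, fw in (("before", FW_ROUTES_BEFORE), ("after", FW_ROUTES_AFTER)):
            fwd_if, ret_if = path_symmetry(ROUTER_ROUTES, fw, client)
            state = "OK" if fwd_if == ret_if else "ASYMMETRIC (stateful firewall drops TCP)"
            print(f"{label}: {client} out via {fwd_if}, back via {ret_if} -> {state}")
```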
