Routing Issue with NAT and OSPF

gregory.taiapin
Level 1

Hi there, I have trouble connecting to a remote computer. Attached is the case I have. From Firewall B to Computer A I can ping and connect freely. But everything behind Firewall B is not able to ping Computer A. Anyone have some pointers?

A traceroute to IP 10.60.46.46 from Computer B stops at 10.100.50.2, Router A's outside interface. Strange.

See attachment.

Gregory

10 Replies

Jon Marshall
Hall of Fame

Can you post firewall config ?

Yes, this is the config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 fo security20
enable password ODFL.6T0XAcuRi.o encrypted
passwd 0MOMg9hxBtXB/QMw encrypted
hostname Firewall_B
domain-name
clock timezone
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.201 Printer_Laserjet
access-list outside_access_in remark
access-list outside_access_in permit ip any any
pager lines 24
logging timestamp
logging trap debugging
logging host inside 10.10.10.12
mtu outside 1500
mtu inside 1500
mtu fo 1500
ip address outside 10.10.20.2 255.255.255.0
ip address inside 10.10.10.2 255.255.255.0
ip address fo 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 10.10.20.3
failover ip address inside 10.10.10.3
failover ip address fo 192.168.1.2
failover link fo
failover lan unit primary
failover lan interface fo
failover lan key ********
failover lan enable
pdm location Printer_Laserjet 255.255.255.255 inside
pdm location 10.10.10.1 255.255.255.255 inside
pdm location 10.10.20.1 255.255.255.255 inside
pdm location 10.10.20.1 255.255.255.255 fo
pdm location 10.10.10.211 255.255.255.255 inside
pdm location 10.10.10.209 255.255.255.255 inside
pdm location 10.10.10.12 255.255.255.255 inside
pdm location 10.60.46.0 255.255.255.0 outside
pdm location 10.60.46.0 255.255.255.0 inside
pdm location 10.10.10.213 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 10.10.20.50-10.10.20.254 netmask 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.20.4 10.10.10.1 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.20.5 10.10.10.211 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
router ospf 1
  network 10.10.10.0 255.255.255.0 area 0
  network 10.10.20.0 255.255.255.0 area 0
  log-adj-changes
route outside 0.0.0.0 0.0.0.0 10.10.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.20.1 255.255.255.255 inside
telnet 10.10.10.211 255.255.255.255 inside
telnet 10.10.10.213 255.255.255.255 inside
telnet 10.10.20.1 255.255.255.255 fo
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d61fcefdac53f26fa0b4887019131127
: end
saturn#

Thanks.

Sorry, should have asked for these as well:

1) "sh route" from the firewall

2) "sh ip route" from router A & B.

Presumably you have checked 10.60.46.46 to make sure it does not have a firewall running that is blocking the ICMP?

Also, what is the subnet mask of 10.60.46.46? From your diagram its default gateway on Router A is 10.60.0.9, so is the subnet mask 255.255.0.0?

Jon

Jon,

No firewall is running.

The subnet mask for 10.60.46.46 is 255.255.0.0.

Attached is the routing. What is strange to me is that I can ping all the way to 10.60.46.46 except from computers behind the firewall. Has this something to do with NAT?

Thanks so much for your reply.

Gregory
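As an added illustration of the NAT question raised in the post above (this script is not from the original thread, from the poster, or from Cisco): the posted config translates inside hosts two ways. 10.10.10.1 and 10.10.10.211 appear on the outside as 10.10.20.4 and 10.10.20.5 (the two `static` lines); every other inside host is mapped dynamically into the pool 10.10.20.50-10.10.20.254 (`nat (inside) 10` paired with `global (outside) 10`). Traffic the PIX originates itself leaves from its outside address 10.10.20.2 untranslated, which is why a ping from the firewall and a ping from a host behind it do not look the same to Router A. A far-end device therefore needs a return route that covers the whole pool, not just the firewall's interface address or one static. The Python below parses those lines, reports which outside address a given source appears from, and checks a routing table (reduced to destination prefixes) for uncovered ranges. Both routing tables are constructed for the example and are not the `sh ip route` output requested in the thread; the second is a hypothetical case that would reproduce the symptom described (firewall and static hosts reachable, dynamic hosts not) and is not a claim about what Router A actually holds. The tie-break for overlapping dynamic `nat` rules (most specific wins) is also an assumption of this script. Note that `access-list outside_access_in permit ip any any`, applied inbound on the outside interface, means the PIX filters nothing inbound, including the replies in question, so the check below is about translation and routing only; that ACL is worth tightening once the routing problem is found.

```python
import ipaddress

# Constructed sample: the translation lines copied from the PIX 6.3 config posted above.
PIX_NAT_LINES = """
global (outside) 10 10.10.20.50-10.10.20.254 netmask 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.20.4 10.10.10.1 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.20.5 10.10.10.211 netmask 255.255.255.255 0 0
"""

# Constructed, hypothetical routing tables for Router A, reduced to destination prefixes.
# The first matches what the thread says (Router A knows 10.10.20.x and 10.10.10.x).
ROUTER_A_FULL = """
10.60.0.0/16
10.100.50.0/24
10.10.20.0/24
10.10.10.0/24
"""
# The second covers only the low part of 10.10.20.0/24: enough for the firewall's own
# address (.2) and the statics (.4, .5), but not for most of the dynamic pool.
ROUTER_A_PARTIAL = """
10.60.0.0/16
10.100.50.0/24
10.10.20.0/26
"""


def host_net(addr):
    """/32 network for a single IPv4 address (PIX 6.3 is IPv4 only)."""
    return ipaddress.ip_network(f"{addr}/32")


def parse_pix_nat(text):
    """Parse PIX 6.x static/nat/global lines into (statics, nat_rules, pools).

    statics   list of (real_network, mapped_network) with equal prefix length
    nat_rules dict iface -> list of (nat_id, real_network)
    pools     dict nat_id -> list of networks covering the global pool
    """
    statics, nat_rules, pools = [], {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "static":
            # static (real_if,mapped_if) MAPPED REAL netmask MASK ...
            mapped, real, mask = parts[2], parts[3], parts[5]
            statics.append((ipaddress.ip_network(f"{real}/{mask}", strict=False),
                            ipaddress.ip_network(f"{mapped}/{mask}", strict=False)))
        elif parts[0] == "nat":
            # nat (IFACE) ID NET MASK ...   (ID 0 is identity NAT: no translation)
            iface = parts[1].strip("()")
            rule = (int(parts[2]), ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False))
            nat_rules.setdefault(iface, []).append(rule)
        elif parts[0] == "global":
            # global (outside) ID FIRST-LAST netmask MASK   or   global (outside) ID ADDR
            if parts[3] == "interface":
                raise NotImplementedError("PAT to the interface address is not modelled here")
            first, _, last = parts[3].partition("-")
            first, last = ipaddress.ip_address(first), ipaddress.ip_address(last or first)
            pools[int(parts[2])] = list(ipaddress.summarize_address_range(first, last))
    return statics, nat_rules, pools


def outside_addresses(src, statics, nat_rules, pools, iface="inside"):
    """Networks a source may appear from on the outside.

    A static wins over dynamic NAT; among dynamic rules the most specific match is
    used (an assumption of this script); nat id 0 means no translation; iface=None
    means the firewall itself originated the packet, which is never translated.
    """
    src = ipaddress.ip_address(src)
    if iface is None:
        return [host_net(src)]
    for real, mapped in statics:
        if src in real:
            offset = int(src) - int(real.network_address)
            return [host_net(mapped.network_address + offset)]
    matches = [rule for rule in nat_rules.get(iface, []) if src in rule[1]]
    if not matches:
        return []  # no nat rule for this source: PIX 6.x would not forward it at all
    nat_id, _ = max(matches, key=lambda rule: rule[1].prefixlen)
    if nat_id == 0:
        return [host_net(src)]
    return pools[nat_id]


def parse_routes(text):
    return [ipaddress.ip_network(line.split()[0]) for line in text.splitlines() if line.strip()]


def return_route_gaps(appears_as, routes):
    """Translated ranges that no route covers; the far end cannot reply to these."""
    return [net for net in appears_as if not any(r.supernet_of(net) for r in routes)]


def diagnose(src, nat_text, route_text, iface="inside"):
    statics, nat_rules, pools = parse_pix_nat(nat_text)
    appears_as = outside_addresses(src, statics, nat_rules, pools, iface)
    gaps = return_route_gaps(appears_as, parse_routes(route_text))
    return {"appears_as": [str(n) for n in appears_as], "gaps": [str(n) for n in gaps]}


if __name__ == "__main__":
    for label, table in (("full", ROUTER_A_FULL), ("partial", ROUTER_A_PARTIAL)):
        print(f"Router A table: {label}")
        print("  firewall itself 10.10.20.2:", diagnose("10.10.20.2", PIX_NAT_LINES, table, iface=None))
        print("  static host 10.10.10.1:    ", diagnose("10.10.10.1", PIX_NAT_LINES, table))
        print("  dynamic host 10.10.10.50:  ", diagnose("10.10.10.50", PIX_NAT_LINES, table))
```

With the "partial" table the firewall's own address and the static hosts show no gaps while the dynamic pool is mostly uncovered, which is the shape of the symptom in the thread; the real `sh ip route` from Router A, pasted into `ROUTER_A_FULL`, is what decides whether that is actually the case here.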

I can't see anything wrong with the routing or the config of the firewalls. I'm assuming you don't have ACLs on the routers that might be blocking this?

We may need to do some debugging, but is it a production setup and how busy is the firewall?

Jon

Jon,

It's a production setup. Not busy but important (need 100% uptime). I have several connections from Router B to different networks which work fine. The thing is, when I do a traceroute from Computer B the packet goes all the way to Router A's outside interface. So my guess is there might be something that is preventing the packet from reaching 10.60.46.46. What confuses me is that everything outside of the firewall gets to 10.60.46.46 with no problem at all. Is there something special you need to do when using NAT IP addresses with OSPF? I assume when Router A receives the packet from Computer B on the interface with IP address 10.100.50.2 it doesn't deliver it to 10.60.46.46 but drops the packet, I guess.

So there must be something with the NAT addresses, I think, but what?

gregory.taiapin wrote:

Jon,

It's a production setup. Not busy but important (need 100% uptime). I have several connections from Router B to different networks which work fine. The thing is, when I do a traceroute from Computer B the packet goes all the way to Router A's outside interface. So my guess is there might be something that is preventing the packet from reaching 10.60.46.46. What confuses me is that everything outside of the firewall gets to 10.60.46.46 with no problem at all. Is there something special you need to do when using NAT IP addresses with OSPF? I assume when Router A receives the packet from Computer B on the interface with IP address 10.100.50.2 it doesn't deliver it to 10.60.46.46 but drops the packet, I guess.

So there must be something with the NAT addresses, I think, but what?

That's the thing though. Router A knows about the 10.10.20.x network. Actually it also knows about the 10.10.10.x network.

Can you try pinging and tracerouting from 10.60.46.46 to 10.10.20.4 and post the results?

Other than that we can try some debugging on the firewall, i.e.:

debug packet outside dst 10.60.46.46

debug packet outside src 10.60.46.46

The above would show you packets leaving the outside interface going to 10.60.46.46 and those returning. To turn them off, just:

no debug packet outside dst 10.60.46.46

no debug packet outside src 10.60.46.46

But as I say, you do need to be careful with debugging.

Jon

Jon,

I will do a debug later today and will let you know. Thanks for the help so far.

Jon,

See attached; this is the only thing I got from the debug.

Regards,

Gregory

Gregory

What debug command did you use to get this output?

Jon
