Routing issue 1841

desotobocc · ‎03-28-2010

My network layout:

internet>cisco1841>asa5510>4006>network

From the 1841 I can ping outside I can ping the .193 and .194 address. I cannot ping the inside network 192.168.100.0.

From the Firewall and the Network I can ping the .170 the .193 and .194. I cannot ping the Gateway .169.

I know it is something simple that I am overlooking.

I have included the config files from all 3 devices.

Any help would be welcomed.

TIA

Leonard

Lei Tian · ‎03-28-2010

Hi Leonard,

On your 1841, I donot see the route for your inside network, 192.168.100.0. You can add a static route for your inside network and point nexthop to ASA.

HTH,

Lei Tian

Each time you rate a CSC discussion we'll donate $1 to the American Red Cross Haiti fund up to a maximum donation of $10,000 USD.

https://supportforums.cisco.com/docs/DOC-8895

desotobocc · ‎03-28-2010

Lei,

Thanks for the reply.

I tried adding ip route 192.168.100.0 255.255.255.0 xxx.xxx.xxx.194 and it didn't work.

Jon Marshall · ‎03-28-2010

Leonard

When you try to ping from the inside network what device IP address are you pinging from ?

Jon

desotobocc · ‎03-28-2010

Hi Jon,

I have tried it from the asa 192.168.100.5 and from my workstation 192.168.100.80.

Jon Marshall · ‎03-28-2010

Leonard

Are you sure the ISP is routing x.x.x.192 255.255.255.192 back to your 1841 router ?

Jon

desotobocc · ‎03-28-2010

Jon,

Here is the wierd part I can change the ip address on the asa to xxx.xxx.xxx.170 and hook the asa directly into their interface and I can get outside. I also have to change the default route to xxx.xxx.xxx.169. The problem with this is I cannot use my outside IP addresses.

Jon Marshall · ‎03-28-2010

desotobocc wrote:

Jon,

Here is the wierd part I can change the ip address on the asa to xxx.xxx.xxx.170 and hook the asa directly into their interface and I can get outside. I also have to change the default route to xxx.xxx.xxx.169. The problem with this is I cannot use my outside IP addresses.

Leonard

That makes sense. If you hook the ASA into their interface then your inside clients get Natted to the .170 address as they go out to the internet. This is routed correctly back to your ASA.

I suspect from what you are saying that the x.x.x.192/26 might not be routed back to your 1841.

Perhaps you could provide one of the x.x.x.192 addresses so i can do a traceroute to see if it is getting routed to you ?

Jon

desotobocc · ‎03-28-2010

216.45.247.193

Jon Marshall · ‎03-28-2010

desotobocc wrote:

216.45.247.193

Leonard

Just did a traceroute to the above address and the last hop reported before it timed out was 68.86.92.126 which does not appear to be the outside IP of your 1841 ie. x.x.x.170/30.

So i think your issue is with the ISP. You need to talk to the ISP who supplied the x.x.x.192/26 range to make sure they are routing that to you.

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

desotobocc · ‎03-28-2010

Thanks Jon I have a call into them. Would that stop me from pinging the 192.168.100.5 from the router?

Jon Marshall · ‎03-28-2010

desotobocc wrote:

Thanks Jon I have a call into them. Would that stop me from pinging the 192.168.100.5 from the router?

From the router you can't ping 192.168.100.x addresses because these haven't been made available to the outside interface of your firewall ie. you are presenting internal 192.168.100.x addresses as x.x.x.192/26 addresses. If you wanted to ping a 192.168.100.x address from the router you would need something like -

static (inside,outside) 192.168.100.5 192.168.100.5 netmask 255.255.255.255

but i wouldn't do that to be honest unless you just want to test.

Jon