Users on a "stub" network can't access a particular host on the adjacent network (through which they successfully access the Internet via a PIX).
The "stub" network is 192.168.40.x/255.255.255.0, which connects via WAN to a 192.168.39.x/255.255.255.0 network.
39.1 is the gateway at the 39.x network (a PIX515E connected to the Internet).
40.1 is the gateway address for the users on the 40.x subnet.
Users on 40.x need to access a host at 39.8. They can ping 39.1, but not 39.8.
Tracert from 40.x users stops at 39.10, which is the LAN interface on the router in the 39.x network that connects back to the 40.x network.
I'm using static routes - this is a simple network with no changes planned or needed.
Can anyone suggest how I might correct the routing scheme to allow this to work?
Here's a diagram of the route:
[Internet]-Router-PIX515E (39.1)-LAN-(39.10)RouterA(41.2)-WAN-(41.1)RouterB(40.1)-LAN-40.x hosts
Thanks for the reply! The gateway for the .39 folks is the PIX at 39.1...I've got static routes entered as:
route inside 192.168.40.0 255.255.255.0 192.168.39.10 2
route inside 192.168.41.0 255.255.255.0 192.168.39.10 1
I still can't seem to get it to work...anything else I should check? Would turning on RIP everywhere possibly solve the problem?
Your problem is that the pix is not a router!!! It cannot redirect traffic on the same interface.
Point the .39. users at the router .39.10. Give it a default route to the pix and a route to .40. over the wan (it probably already has those).
When .39. users go to the internet the router will redirect them so they send their traffic directly to the pix.
Thanks for the reply...it is the users at .40 who can't get to the 39.8 server. The users on 39.x can see it just fine.
If the users can get to the router at 39.10, which is directly connected to the 39.x segment, shouldn't it work? The 39.10 router has a route entry for the 40.x network.
Thanks again for any help you can give!
The users on 40 are getting to 39. 39 can't find a way back to respond to them because they are sending their responses to the pix, which cannot forward them to 39.10. Routing is a two-way process. Each host has to find its own way to the other. Don't assume that just because you are not getting a response that your data isn't getting there. Seems like 90% of the time the problem is that the destination host can't find its way back to respond.
Your pc on .40. has a gateway pointed to the .40. router. It uses the gateway because the destination is not its network.
The .40. router has a route for the destination that points over the wan to the .39.10 router.
The .39. router is on the destination network so it arps for the host and sends the packet to it.
The dest host wants to respond and uses its gateway because .40. is in a different network. The gateway is the pix which drops the packet.
Change the gateway to 39.10 and it uses its route to send the packet over the wan to the .40. router. That router arps for your pc and sends it the packet.
The PCs on .39. going to the internet will send their packet to 39.10. It will see that the next hop is in the same network (the pix) and send an ICMP redirect message to the PC telling it to use the pix's address for that destination.
Wow - thanks for the excellent and clear explanation! It really filled in some gaps in my knowledge. I think I understand the issue now (for the first time).
For logistical reasons, since the only host (other than the PIX) that users on .40 need to access is 39.8, could I just change 39.8's gateway to 39.10 and leave all of the other 39.x's gateway set to 39.1?
Yes, it will work to just change the gateway on the hosts in 39 that need to reach the 40 network.
Have fun, this stuff is really cool when you start to understand how it works.
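To make the "routing is a two-way process" point concrete, here is an added Python model (not from anyone in the thread) that walks a packet hop by hop through the diagram above, with the PIX refusing to forward a packet back out the interface it arrived on. It covers both the dropped-reply explanation and the follow-up fix of pointing only 39.8 at 39.10; the test PC address (192.168.40.20), interface names and the routers' static routes are assumptions filled in from the diagram.

```python
import ipaddress

# Constructed model of the thread's topology; every link is a /24 as in the posts.
HOSTS = {"pc40": {"ip": "192.168.40.20", "gw": "192.168.40.1"},
         "srv39": {"ip": "192.168.39.8", "gw": "192.168.39.1"}}
DEVICES = {  # ifaces, static routes (prefix, next hop), and the PIX's no-hairpin rule
    "pix": ({"inside": "192.168.39.1"},
            [("192.168.40.0/24", "192.168.39.10"), ("192.168.41.0/24", "192.168.39.10")], True),
    "routerA": ({"lan": "192.168.39.10", "wan": "192.168.41.2"},
                [("192.168.40.0/24", "192.168.41.1"), ("0.0.0.0/0", "192.168.39.1")], False),
    "routerB": ({"wan": "192.168.41.1", "lan": "192.168.40.1"},
                [("0.0.0.0/0", "192.168.41.2")], False),
}

def _net(addr):
    return ipaddress.ip_network(f"{addr}/24", strict=False)

def forward(src, dst):
    """Hop-by-hop walk from HOSTS[src] to HOSTS[dst] -> (delivered, path). Longest-prefix
    match per hop; a device flagged no-hairpin drops what it would send back out the ingress."""
    src_ip, dst_ip = HOSTS[src]["ip"], HOSTS[dst]["ip"]
    path, nxt = [src_ip], HOSTS[src]["gw"]
    if _net(src_ip) == _net(dst_ip):          # same segment: no gateway involved
        return True, path + [dst_ip]
    for _ in range(8):                         # hop limit guards against routing loops
        dev = next((n for n, (ifs, _, _) in DEVICES.items() if nxt in ifs.values()), None)
        if dev is None:
            return False, path + [f"no device answers at {nxt}"]
        ifaces, routes, no_hairpin = DEVICES[dev]
        path.append(f"{dev}({nxt})")
        ingress = next(i for i, a in ifaces.items() if a == nxt)
        connected = [i for i, a in ifaces.items() if _net(a) == _net(dst_ip)]
        if connected:                          # destination is on a local segment: ARP and deliver
            egress, nxt = connected[0], dst_ip
        else:
            matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
                       if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(p)]
            if not matches:
                return False, path + ["no route"]
            nxt = max(matches, key=lambda m: m[0].prefixlen)[1]
            egress = next(i for i, a in ifaces.items() if _net(a) == _net(nxt))
        if no_hairpin and egress == ingress:
            return False, path + [f"dropped: {dev} will not forward back out '{ingress}'"]
        if nxt == dst_ip:
            return True, path + [dst_ip]
    return False, path + ["hop limit exceeded"]

def round_trip(a, b):
    # Both directions must deliver: a one-way path proves nothing until the reply gets back.
    return forward(a, b)[0] and forward(b, a)[0]
```

Run `forward("srv39", "pc40")` with the server's gateway left at 192.168.39.1 to see the reply die at the PIX, then set `HOSTS["srv39"]["gw"] = "192.168.39.10"` and call `round_trip("pc40", "srv39")` to see the fix agreed in the thread succeed.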