- This topic is empty.
-
Posts
-
Hi all!…
This post is to tell all of you a problem that I have in my network, and I can’t find a solution.
Well… first of all, we have 2 sites, a local and a remote. The remote office host all of out production servers, and local office, host a local LAN and a a lot of VLANs assigned to our thecnicians, to test new products, o create some labs to learning, testing beta products… etc…
This first image is a simplification of our network diagram:
And there are some image captures form the Zeroshel config:
Zeroshell box Config:
http://img527.imageshack.us/i/zeroshellconfig.pdf/All seems to be ok…
– all users in the OFFICE LAN can reach the PRODUCTION LAN and the LABS VLANS.– all servers on PRODUCTION LAN can reach the OFFICE LAN… but NOT the LABS VLANS
– all servers on LABS VLANS can reach the OFFICE LAN… but NOT the PRODUCTION LAN.
– Every Server in a VLAN is configured with is VLAN Gateway
The zeroshell box through ETH00, can reach our CISCO 1 router, but can’t from any VLAN:
root@zeroshell root> ping -I ETH02.101 192.168.0.254
PING 192.168.0.254 (192.168.0.254) from 192.168.101.1 ETH02.101: 56(84) bytes of data.
From 192.168.101.1 icmp_seq=1 Destination Host Unreachable
From 192.168.101.1 icmp_seq=2 Destination Host Unreachable
From 192.168.101.1 icmp_seq=3 Destination Host Unreachable
^C
— 192.168.0.254 ping statistics —
6 packets transmitted, 0 received, +3 errors, 100% packet loss, time 5018ms, pipe 3
root@zeroshell root>All seems to point to our CISCO 1 router…. but it is administrated by our carrier, and we can’t access to it… Oru carrier sais that only have 2 routes:
a 172.16.0.0/16 route to the line and a 192.168.0.0/16 to the LAN…I have tested a lot of combinations, but no succeded…
Checking with Wireshark,… the only strange thing I see is that CISCO 1 router a sending ARP Broadcast to know how is some of our VLAN servers, but it is not getting a reply…
Please,… any ideas?…
By the pattern of the responses I would bet on the fact that Cisco Router 1 has not adequate static routes, since it responds only when traffic comes from its directly connected interfaces.
There also seems to be a mixup of the networks. Production LAN has 192.168.0.0/16 which overlaps with the Office LAN as well as the Labs Vlans.
Is there any kind of NAT at the Cisco?
Any kind of tunnel?It would be much easier to enable dynamic routing, RIPv2 that is supported with ZS to announce at the Cisco routers your networks, as well as the default route. ZS would also learn the Production LAN and it’s state.
I suppose you have mistakenly written the Production LAN 192.168.0.0/16 instead of the correct 172.16.0.0/16 which seems to be correct.
My belief is that Cisco 1 has wrong gateway for the 192.168.0.0/16 to the LAN.Thanks for your response ppalias…
I think that if the problem is the route onn the CISCO 1 router, we’ll don’t have access to the OFFICE LAN…. but from PRODUCTION LAN we reach OFFICE LAN and viceversa…
From PRODUCTION LAN we can’t reach LABS VLANS, and viceversa…
And… how we can configure the RIPv2… over all interfaces? only over VLAN interfaces?….
You can reach interfaces that are directly connected on the Cisco routers.
It seems that static routing is not working, to be able to reach the networks connected on the ZS (LABS). So my suggestion is to enable RIPv2 on ETH00 of ZS and LAN interface of Cisco 1 (ask it from the netadmins).@ppalias wrote:
I suppose you have mistakenly written the Production LAN 192.168.0.0/16 instead of the correct 172.16.0.0/16 which seems to be correct.
My belief is that Cisco 1 has wrong gateway for the 192.168.0.0/16 to the LAN.The gateway of the Production LAN is 172.16.1.254, and this gateway has a route that every 192.168.0.0/16 are send by the CISCO 2 (172.16.1.253)
@ppalias wrote:
You can reach interfaces that are directly connected on the Cisco routers.
It seems that static routing is not working, to be able to reach the networks connected on the ZS (LABS). So my suggestion is to enable RIPv2 on ETH00 of ZS and LAN interface of Cisco 1 (ask it from the netadmins).Static routing on the CISCO 1, have this route:
ip route 192.168.0.0 255.255.0.0 192.168.0.1
I’m asked about activate RIPv2… I’m waiting…
@vviudez wrote:
@ppalias wrote:
I suppose you have mistakenly written the Production LAN 192.168.0.0/16 instead of the correct 172.16.0.0/16 which seems to be correct.
My belief is that Cisco 1 has wrong gateway for the 192.168.0.0/16 to the LAN.The gateway of the Production LAN is 172.16.1.254, and this gateway has a route that every 192.168.0.0/16 are send by the CISCO 2 (172.16.1.253)
This is not necessary, make Cisco 2 the default GW for Production LAN.
@vviudez wrote:
@ppalias wrote:
You can reach interfaces that are directly connected on the Cisco routers.
It seems that static routing is not working, to be able to reach the networks connected on the ZS (LABS). So my suggestion is to enable RIPv2 on ETH00 of ZS and LAN interface of Cisco 1 (ask it from the netadmins).Static routing on the CISCO 1, have this route:
ip route 192.168.0.0 255.255.0.0 192.168.0.1
I’m asked about activate RIPv2… I’m waiting…
Then maybe Cisco 2 doesn’t have a correct gateway for 192.168.0.0/16, which should be the wan interface of Cisco 1.
@ppalias wrote:
@vviudez wrote:
@ppalias wrote:
You can reach interfaces that are directly connected on the Cisco routers.
It seems that static routing is not working, to be able to reach the networks connected on the ZS (LABS). So my suggestion is to enable RIPv2 on ETH00 of ZS and LAN interface of Cisco 1 (ask it from the netadmins).Static routing on the CISCO 1, have this route:
ip route 192.168.0.0 255.255.0.0 192.168.0.1
I’m asked about activate RIPv2… I’m waiting…
Then maybe Cisco 2 doesn’t have a correct gateway for 192.168.0.0/16, which should be the wan interface of Cisco 1.
CISCO 2 has a route for all 192.168.x.x/16 to go throught the WAN line to the WAN interface of CISCO 1.
And CISCO 1 has a route for all 172.16.x.x/16 to go throught the WAN line to the WAN interface of CISCO 2.
@ppalias wrote:
I am out of ideas… Try to reload them just in case.
Well… I solved… damm!
The problem was on the mask of CISCO 1 router… it was 192.168.0.254/16… and every packet that are sended to an VLAN 192.168.x.y (where x is Z than 101), the router sends it to the office Lan, trying to find the destination machine using ARP request…
After change the mask to 24 bits, the router uses its routing table, to send it to the firewall…. and the firewall to the correct VLAN…
Very simple… little error!!!!
Thanks again for your help ppalias!!
Regards!
- You must be logged in to reply to this topic.