Routing

Network Routing Analysis
VPN Routing Analysis
Don't add default gateway across disjoint networks
Is it possible both sites of the VPN using the same IP range
Metric is the same for both the remote gateway and the local gateway
One router goes to the corporation email server and another one goes to the Internet
Route command and examples
Routing issue if the LAN and VPN are in different subnets
Routing order
Two gateways for redundancy
Understanding Route Automatic Metric
We have a PIX 515. what's the command to block outside people ping public ip
 


For how to setup multiple routers, visit this page: http://www.howtonetworking.com/Networking/multiplerouters1.htm.

Network Routing Analysis

In our Lab, we have a small network connecting to our main network through a 3COM wireless router, and the main network has a Cisco router connecting to the Internet. The computers in the Lab can ping the main network computers and the Internet, but computers in the main network can't ping the Lab computers. Here are the settings:

LAB IP: 192.168.2.0 mask 255.255.255.0, GW (default gateway): 192.168.2.1 on the 3COM router. The 3COM router's other side is 10.0.0.100 on the main network, which is 10.0.0.0 mask 255.255.0.0. The main network's Cisco router (its GW to the Internet) is 10.0.0.2.

Analysis 1: before changing the route table, any computer in 192.168.2.0 can access the resources on the 10.0.0.0 network and the Internet, because all of its traffic goes to the 192.168.2.1 GW, reaches the 10.0.0.0 network, and then goes through the 10.0.0.2 GW to the Internet. However, computers on the 10.0.0.0 network can't access the 192.168.2.0 network, because they have no route for it and all such traffic goes to the 10.0.0.2 GW, which does not know the way back through 10.0.0.100.

Resolutions: all 10.0.0.x clients need to know how to get back to the 192.168.2.0 network. This can be accomplished in several ways:

1) Add a route on each client pointing to 10.0.0.100 with the command route add 192.168.2.0 mask 255.255.255.0 10.0.0.100 (use route -p add to make it persistent across reboots; otherwise it is lost at the next restart, as the "Persistent Routes: None" line below shows). Here is the route table after adding the route.

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 01 03 28 89 cf ...... 3Com EtherLink PCI
0x1000004 ...00 90 27 55 44 07 ...... Intel(R) PRO Adapter
===========================================================================

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface    Metric
           0.0.0.0          0.0.0.0         10.0.0.2       10.0.0.11   1
          10.0.0.0      255.255.0.0        10.0.0.11       10.0.0.11   1
         10.0.0.11  255.255.255.255        127.0.0.1       127.0.0.1   1
         10.0.0.20  255.255.255.255        10.0.0.11       10.0.0.11   1
    10.255.255.255  255.255.255.255        10.0.0.11       10.0.0.11   1
         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
       192.168.2.0    255.255.255.0       10.0.0.100       10.0.0.11   1
         224.0.0.0        224.0.0.0        10.0.0.11       10.0.0.11   1
   255.255.255.255  255.255.255.255        10.0.0.11       10.0.0.11   1
 Default Gateway:        10.0.0.2
===========================================================================
Persistent Routes:
None

2) Add a route on the Cisco router for 192.168.2.0 mask 255.255.255.0 via 10.0.0.100 (in IOS: ip route 192.168.2.0 255.255.255.0 10.0.0.100). The client would then send the 192.168.2.x traffic to 10.0.0.2, which should forward the packet to 10.0.0.100 and send the client an ICMP Redirect to use 10.0.0.100 when talking to 192.168.2.x.
3) Rather than adding static routes, you could also configure the two routers to dynamically learn each other's routes via a routing protocol such as RIP or OSPF.

Analysis 2: after we tried one of the resolutions, we still can't ping 192.168.2.x. A tracert shows that any traffic to 192.168.2.0 stops at the GW 10.0.0.100. So we know that the route table is correct but the 3COM router blocks the traffic. After calling 3COM tech support, we found that this is a one-way router: it only forwards connections initiated from its LAN side.

Resolution: we must set up a VPN to establish the connection between the two networks.

VPN Routing Analysis

B. VPN Client Routing

Before connecting to the VPN server, all traffic except 192.168.0.0 goes through the default gateway 192.168.0.1.

Network Destination        Netmask          Gateway       Interface    Metric
           0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.105     30
...
Default Gateway: 192.168.0.1

After connecting to the VPN server with "Use default gateway on remote network" enabled, all traffic except 192.168.0.0 goes to the default gateway 192.168.1.3 (the IP assigned by the VPN server), because the second 0.0.0.0 route has the lower metric (1 versus 31). If the 192.168.1.x subnet has no path to an Internet default gateway, the VPN client won't be able to access the Internet.

Network Destination        Netmask          Gateway       Interface    Metric
           0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.105     31
           0.0.0.0          0.0.0.0      192.168.1.3     192.168.1.3      1
     67.203.43.194  255.255.255.255      192.168.0.1   192.168.0.105     30
...
       192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1     50
     192.168.1.255  255.255.255.255      192.168.1.3     192.168.1.3     50
...
Default Gateway: 192.168.1.3

The VPN client can still access the Internet if you uncheck "Use default gateway on remote network". However, if your remote network resources are located in another subnet such as 10.x.x.x, you may not be able to access them, because only 192.168.1.0 is routed through the tunnel and the 10.x.x.x traffic goes to the local default gateway 192.168.0.1.

Network Destination        Netmask          Gateway       Interface    Metric
           0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.105     30
     67.203.43.194  255.255.255.255      192.168.0.1   192.168.0.105     30
...
       192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3      1
       192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1     50
...
Default Gateway: 192.168.0.1

To solve this problem, add the 10.0.0.0 subnet to the route table so that it is reached through the VPN interface. To do this, type the following command on the client: route add 10.0.0.0 mask 255.255.0.0 192.168.1.3. The route table looks like the one below after adding the 10.0.0.0 subnet.

Network Destination        Netmask          Gateway       Interface    Metric
           0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.105     30
          10.0.0.0      255.255.0.0      192.168.1.3     192.168.1.3      1
     67.203.43.194  255.255.255.255      192.168.0.1   192.168.0.105     30
...
       192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3      1
       192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1     50
...
Default Gateway: 192.168.0.1

Alternatively, to be able to access the Internet and also the 10.0.0.0 subnet while "Use default gateway on remote network" stays enabled, you may modify the route table manually. Use the following commands in this order: route delete 0.0.0.0 (this removes both default routes), route add 10.0.0.0 mask 255.255.0.0 192.168.1.3, and route add 0.0.0.0 mask 0.0.0.0 192.168.0.1. After the modification, the VPN client should have the route table below, and the client will be able to access the remote network, the local network and the Internet:

Network Destination        Netmask          Gateway       Interface    Metric
           0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.105      1
          10.0.0.0      255.255.0.0      192.168.1.3     192.168.1.3      1
     67.203.43.194  255.255.255.255      192.168.0.1   192.168.0.105     30
...
Default Gateway: 192.168.0.1
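The Lab analysis above and the VPN client tables both come down to one rule a Windows host applies to its route table: the longest matching prefix wins, and among equal prefixes the lowest metric wins. The following Python script is an added example, not code from this page; it implements that lookup and runs it over the page's own tables. The tables are transcribed from the listings above (rows the page elides with "..." are left out), the 192.168.0.0/24 on-link row of the VPN client is reconstructed from the text "all traffic except 192.168.0.0", and the two-default-routes-with-equal-metrics table is constructed to show the ambiguous case. The destination 198.51.100.7 stands in for any Internet host.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway interface metric")

# Columns: destination netmask gateway interface metric (Windows `route print` order).
# Lab client 10.0.0.11 after `route add 192.168.2.0 mask 255.255.255.0 10.0.0.100`.
LAB_CLIENT_AFTER = """
0.0.0.0        0.0.0.0          10.0.0.2       10.0.0.11      1
10.0.0.0       255.255.0.0      10.0.0.11      10.0.0.11      1
10.0.0.11      255.255.255.255  127.0.0.1      127.0.0.1      1
127.0.0.0      255.0.0.0        127.0.0.1      127.0.0.1      1
192.168.2.0    255.255.255.0    10.0.0.100     10.0.0.11      1
"""
# Same client before the route was added (no 192.168.2.0 entry).
LAB_CLIENT_BEFORE = """
0.0.0.0        0.0.0.0          10.0.0.2       10.0.0.11      1
10.0.0.0       255.255.0.0      10.0.0.11      10.0.0.11      1
10.0.0.11      255.255.255.255  127.0.0.1      127.0.0.1      1
127.0.0.0      255.0.0.0        127.0.0.1      127.0.0.1      1
"""
# VPN client with "Use default gateway on remote network" enabled.
# The 192.168.0.0/24 row is reconstructed (constructed data), not on the page.
VPN_REMOTE_DEFAULT = """
0.0.0.0        0.0.0.0          192.168.0.1    192.168.0.105  31
0.0.0.0        0.0.0.0          192.168.1.3    192.168.1.3    1
67.203.43.194  255.255.255.255  192.168.0.1    192.168.0.105  30
192.168.0.0    255.255.255.0    192.168.0.105  192.168.0.105  30
192.168.1.3    255.255.255.255  127.0.0.1      127.0.0.1      50
"""
# VPN client with that option unchecked: only 192.168.1.0/24 uses the tunnel.
VPN_LOCAL_DEFAULT = """
0.0.0.0        0.0.0.0          192.168.0.1    192.168.0.105  30
67.203.43.194  255.255.255.255  192.168.0.1    192.168.0.105  30
192.168.0.0    255.255.255.0    192.168.0.105  192.168.0.105  30
192.168.1.0    255.255.255.0    192.168.1.3    192.168.1.3    1
192.168.1.3    255.255.255.255  127.0.0.1      127.0.0.1      50
"""
# ... plus `route add 10.0.0.0 mask 255.255.0.0 192.168.1.3`.
VPN_LOCAL_DEFAULT_PLUS_10 = VPN_LOCAL_DEFAULT + \
    "10.0.0.0       255.255.0.0      192.168.1.3    192.168.1.3    1\n"
# Constructed: both default routes carry the same metric (the symptom described
# in "Metric is the same for both the remote gateway and the local gateway").
EQUAL_METRIC = """
0.0.0.0        0.0.0.0          192.168.0.1    192.168.0.105  30
0.0.0.0        0.0.0.0          192.168.1.3    192.168.1.3    30
"""


def parse_routes(text):
    """Parse `route print`-style rows into Route tuples."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gw, iface, metric = line.split()
        # strict=False accepts host routes such as 10.0.0.11/255.255.255.255
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, iface, int(metric)))
    return routes


def lookup(routes, destination):
    """Select the route a Windows host uses: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r.network.prefixlen, r.metric))
    # Equal prefix length and equal metric means the choice is not determined
    # by the table; this is the "same metric" symptom where traffic may take
    # the wrong gateway.
    equal = [r for r in matches
             if r.network.prefixlen == best.network.prefixlen
             and r.metric == best.metric]
    return {"network": str(best.network), "gateway": best.gateway,
            "interface": best.interface, "metric": best.metric,
            "ambiguous": len(equal) > 1}


def next_hop(routes, destination):
    hit = lookup(routes, destination)
    return None if hit is None else hit["gateway"]


if __name__ == "__main__":
    cases = [
        ("Lab client -> 192.168.2.10, before route add", LAB_CLIENT_BEFORE, "192.168.2.10"),
        ("Lab client -> 192.168.2.10, after route add", LAB_CLIENT_AFTER, "192.168.2.10"),
        ("VPN, remote default GW -> Internet host", VPN_REMOTE_DEFAULT, "198.51.100.7"),
        ("VPN, remote default GW -> VPN server public IP", VPN_REMOTE_DEFAULT, "67.203.43.194"),
        ("VPN, local default GW -> 10.0.0.5", VPN_LOCAL_DEFAULT, "10.0.0.5"),
        ("VPN, local default GW + 10.0.0.0/16 -> 10.0.0.5", VPN_LOCAL_DEFAULT_PLUS_10, "10.0.0.5"),
        ("Equal metrics on both default gateways -> 10.0.0.5", EQUAL_METRIC, "10.0.0.5"),
    ]
    for label, table, dst in cases:
        print(f"{label}: {lookup(parse_routes(table), dst)}")
```

The 67.203.43.194/32 host route is what keeps the tunnel from swallowing its own transport: the VPN server's public address always matches the /32 entry and leaves via the local gateway even when the default route points into the tunnel. The script also shows that adding the 10.0.0.0/16 route is what moves 10.x.x.x traffic from the local gateway into the VPN, which is the change the `route add` command above makes.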


 

Don't add default gateway across disjoint networks

It is not recommended that you add default gateways across disjoint networks, for example on proxy servers and multihomed servers that are typically configured to connect two or more subnets: one public Internet and one or more private intranets. In this situation, you should not assign default gateways on the private interfaces, as doing so may result in improper routing on your network.

Is it possible both sites of the VPN using the same IP range

Theoretically, you should not set up both sites to use the same IP range. However, if this is the case, what you may do is modify the routing table manually and accordingly. For consultants, refer to case 121504RL.

Metric is the same for both the remote gateway and the local gateway

Symptom: whenever I connect to the VPN server, the routing table on my laptop shows that the interface metric is the same for both the remote gateway and the local gateway, and I can't access the remote network.

Resolution: if you have unchecked the "Use default gateway on remote network" option in the properties of the VPN connection and you have set the metric manually instead of using Automatic Metric, both gateways may end up with the same metric. Check "Use default gateway on remote network" and you should be able to access the remote network.

One router goes to the corporation email server and another one goes to the Internet

Symptoms: you have one router connecting to the corporation for email and Internet access. However, the corporate proxy server filters web sites and monitors your access. You then add another router for Internet access and want to use the corporate router for email only, but the traffic always goes to the corporate router.

Resolution: you need to modify the routing table. Make the default route send all traffic to the Internet router, and add a route for the corporate IP range (where the email server lives) pointing to the corporate router.

For consultants, refer to the case 110104TC.

Route command and examples

PRINT  - prints the routing table: route PRINT 157* (prints only the routes matching 157*)
ADD    - adds a route: route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
DELETE - deletes a route: route DELETE 157.0.0.0
CHANGE - modifies an existing route: route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2

Routing issue if the LAN and VPN are in different subnets

If your LAN is 10.0.0.0 and the VPN address pool is 192.168.1.0, you must enable the RRAS server as a LAN router as well as a remote access server; otherwise it will not forward traffic between the VPN clients and the LAN.

Understanding Route Automatic Metric

The Automatic Metric feature is enabled by default in XP, and a metric can also be assigned manually when the routing table contains multiple routes for the same destination. For example, if you have a computer with a 10 Mbps NIC and a 100 Mbps NIC, and a default gateway is configured on both NICs, you may want to assign a higher metric to the slower NIC. This forces all traffic to use the faster NIC to access the Internet; the slower NIC is used only if the faster NIC is not available. Also refer to MS Q299540.

Routing order

If you have two NICs in the same subnet on one W2K/XP computer, you may wonder which NIC is being used as the primary NIC to access the Internet. In most cases, when adding a second NIC to a W2K/XP computer, the first one is the primary NIC. You may change the order by going to the Advanced menu of Network Connections > Advanced Settings > Adapters and Bindings. If that setting doesn't work (by default, the faster NIC is chosen as the primary NIC), or if you want to override it, you can assign the metric manually by going to the Properties of the Network Connection > Properties of Internet Protocol (TCP/IP) > Advanced.

We have a PIX 515. what's the command to block outside people ping public ip?

To block outside hosts from pinging your public IP, do one of the following:
1) By default the PIX should already deny pings to its outside interface.
2) conduit permit icmp any any echo-reply, together with icmp deny any echo outside.
3) access-list acl_outside deny icmp any host OUTSIDE_IP_ADDR
4) access-list acl_outside deny icmp any any
For options 3 and 4, the access list only takes effect once it is bound to the interface with access-group acl_outside in interface outside.

This web is provided "AS IS" with no warranties.
Copyright 2002-2017 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.