Routing
Network Routing Analysis
VPN Routing Analysis
Don't add default gateway across disjoint networks
Is it possible both sites of the VPN using the same IP range
Metric is the same for both the remote gateway and the local gateway
One router goes to the corporation email server and another one goes to the Internet
Route command and examples
Routing issue if the LAN and VPN are in different subnets
Routing order
Two gateways for redundancy
Understanding Route Automatic Metric
We have a PIX 515. What's the command to block outside people ping public ip
For how to set up multiple routers, visit this page:
http://www.howtonetworking.com/Networking/multiplerouters1.htm.
Network Routing Analysis
In our Lab, we have a small network connecting to our main network through a 3Com wireless router, and the main network has a Cisco router connecting to the Internet. The computers in the Lab can ping the main network computers and the Internet, but computers in the main network can't ping the Lab computers. Here are the settings:
LAB IP: 192.168.2.0 mask 255.255.255.0, GW (default gateway): 192.168.2.1, which is the 3Com router. The other side of the 3Com router is 10.0.0.100, the GW into the main network 10.0.0.0 mask 255.255.0.0. The main network's Cisco router GW is 10.0.0.2.
Analysis 1: Before changing the route table, any computer in 192.168.2.0 can access the resources on the 10.0.0.0 network and the Internet, because all its traffic goes to the 192.168.2.1 GW, on to the 10.0.0.0 network, and then through the 10.0.0.2 GW to the Internet. However, computers on the 10.0.0.0 network can't reach the 192.168.2.0 network, because with no more specific route all their traffic for it follows the default route to the 10.0.0.2 GW.
Resolutions: all 10.0.0.x clients need to know how to get back to the 192.168.2.0 network. This can be accomplished in several ways:
1) Add a route on each client pointing to 10.0.0.100 with the command route add 192.168.2.0 mask 255.255.255.0 10.0.0.100 (the mask must match the 192.168.2.0 network, as the table below shows). Here is the route table after adding the route.
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 01 03 28 89 cf ...... 3Com EtherLink PCI
0x1000004 ...00 90 27 55 44 07 ...... Intel(R) PRO Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination          Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0         10.0.0.2       10.0.0.11       1
           10.0.0.0      255.255.0.0        10.0.0.11       10.0.0.11       1
          10.0.0.11  255.255.255.255        127.0.0.1       127.0.0.1       1
          10.0.0.20  255.255.255.255        10.0.0.11       10.0.0.11       1
     10.255.255.255  255.255.255.255        10.0.0.11       10.0.0.11       1
          127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        192.168.2.0    255.255.255.0       10.0.0.100       10.0.0.11       1
          224.0.0.0        224.0.0.0        10.0.0.11       10.0.0.11       1
    255.255.255.255  255.255.255.255        10.0.0.11       10.0.0.11       1
Default Gateway:          10.0.0.2
===========================================================================
Persistent Routes:
  None
2) Add a route on the Cisco: 192.168.2.0 mask 255.255.255.0 via 10.0.0.100. The client then sends its 192.168.2.x traffic to 10.0.0.2, which forwards the packet to 10.0.0.100 and sends the client an ICMP Redirect to use 10.0.0.100 when talking to 192.168.2.x.
3) Rather than adding static routes, you could also configure the two routers to learn each other's routes dynamically via a routing protocol such as RIP or OSPF.
Analysis 2: After we tried one of the resolutions, we still can't ping 192.168.2.x. tracert shows that any traffic to 192.168.2.0 stops at the GW 10.0.0.100. So we know the route table is correct, but the 3Com router blocks the traffic. After calling 3Com tech support, we found that this is a one-way router.
Resolution: we must set up a VPN to establish the connection between the networks.
VPN Routing Analysis
B. VPN Client Routing
Before connecting to the VPN server, all traffic except 192.168.0.0 goes through the default gateway 192.168.0.1.
Network Destination          Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.105      30
.............
Default Gateway:       192.168.0.1
After connecting to the VPN server with the Use default gateway on remote network option enabled, all traffic except 192.168.0.0 goes to the default gateway 192.168.1.3 (the IP assigned by the VPN server). If the 192.168.1.x subnet doesn't point to an Internet default gateway, the VPN client won't be able to access the Internet.
Network Destination          Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.105      31
            0.0.0.0          0.0.0.0      192.168.1.3     192.168.1.3       1
      67.203.43.194  255.255.255.255      192.168.0.1   192.168.0.105      30
............
        192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1      50
      192.168.1.255  255.255.255.255      192.168.1.3     192.168.1.3      50
..............
Default Gateway:       192.168.1.3
The VPN client may be able to access the Internet if you uncheck Use default gateway on remote network. However, if your remote network resources are located in another subnet such as 10.x.x.x, you may not be able to access them, because that traffic goes to the default gateway 192.168.0.1.
Network Destination          Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.105      30
      67.203.43.194  255.255.255.255      192.168.0.1   192.168.0.105      30
.................
        192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3       1
        192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1      50
..................
Default Gateway:       192.168.0.1
To solve this problem, add the 10.0.0.0 subnet to the route table so that it is reached through the VPN interface. To do this, type this command on the client: route add 10.0.0.0 mask 255.255.0.0 192.168.1.3. The route table looks like the below after adding the 10.0.0.0 subnet.
Network Destination          Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.105      30
           10.0.0.0      255.255.0.0      192.168.1.3     192.168.1.3       1
      67.203.43.194  255.255.255.255      192.168.0.1   192.168.0.105      30
.................
        192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3       1
        192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1      50
..................
Default Gateway:       192.168.0.1
Alternatively, to be able to access both the Internet and the 10.0.0.0 subnet, you may need to modify the route table manually. You can use the following commands: route delete 0.0.0.0, route add 10.0.0.0 mask 255.255.0.0 192.168.1.3, and route add 0.0.0.0 mask 0.0.0.0 192.168.0.1. After the modification, the VPN client should have the route table below, and the client will be able to access the remote network, the local network and the Internet:
Network Destination          Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.105       1
           10.0.0.0      255.255.0.0      192.168.1.3     192.168.1.3       1
      67.203.43.194  255.255.255.255      192.168.0.1   192.168.0.105      30
.................
Default Gateway:       192.168.0.1
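To make the rule behind all of these route tables concrete (longest prefix match first, lowest metric as the tie-breaker), here is an added Python route-lookup simulator; it is not part of the original page. It is run against abridged, constructed copies of the route prints from the Network Routing Analysis and VPN Client Routing sections above, and 203.0.113.9 is a constructed sample Internet host.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route as shown by Windows "route print": (destination, netmask, gateway, interface, metric)
Route = Tuple[str, str, str, str, int]

def matching(table: List[Route], dst: str) -> List[Tuple[int, Route]]:
    """All routes whose destination/netmask covers dst, paired with their prefix length."""
    ip = ipaddress.ip_address(dst)
    out = []
    for r in table:
        net = ipaddress.ip_network(f"{r[0]}/{r[1]}", strict=False)
        if ip in net:
            out.append((net.prefixlen, r))
    return out

def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Gateway Windows picks for dst: longest prefix wins, then the lowest metric."""
    cands = matching(table, dst)
    if not cands:
        return None  # nothing covers dst, not even 0.0.0.0/0
    cands.sort(key=lambda c: (-c[0], c[1][4]))  # longest prefix, then lowest metric
    return cands[0][1][2]

def is_ambiguous(table: List[Route], dst: str) -> bool:
    """True when two routes tie on prefix length and metric (the 'same metric' symptom below)."""
    cands = matching(table, dst)
    best = min(((-p, r[4]) for p, r in cands), default=None)
    return sum(1 for p, r in cands if (-p, r[4]) == best) > 1

# Constructed tables, abridged from the route prints on this page.
MAIN_CLIENT = [  # host 10.0.0.11 on the main network, before the fix
    ("0.0.0.0", "0.0.0.0", "10.0.0.2", "10.0.0.11", 1),
    ("10.0.0.0", "255.255.0.0", "10.0.0.11", "10.0.0.11", 1),
]
MAIN_CLIENT_FIXED = MAIN_CLIENT + [  # after "route add 192.168.2.0 mask 255.255.255.0 10.0.0.100"
    ("192.168.2.0", "255.255.255.0", "10.0.0.100", "10.0.0.11", 1),
]
VPN_DEFAULT_REMOTE = [  # "Use default gateway on remote network" checked
    ("0.0.0.0", "0.0.0.0", "192.168.0.1", "192.168.0.105", 31),
    ("0.0.0.0", "0.0.0.0", "192.168.1.3", "192.168.1.3", 1),
    ("67.203.43.194", "255.255.255.255", "192.168.0.1", "192.168.0.105", 30),
]
VPN_MANUAL = [  # after the route delete/add sequence in the text above
    ("0.0.0.0", "0.0.0.0", "192.168.0.1", "192.168.0.105", 1),
    ("10.0.0.0", "255.255.0.0", "192.168.1.3", "192.168.1.3", 1),
    ("67.203.43.194", "255.255.255.255", "192.168.0.1", "192.168.0.105", 30),
]
```

Calling next_hop(MAIN_CLIENT, "192.168.2.10") returns 10.0.0.2 and next_hop(MAIN_CLIENT_FIXED, "192.168.2.10") returns 10.0.0.100, which is exactly the difference the first route print above makes; with VPN_DEFAULT_REMOTE every Internet destination resolves to 192.168.1.3 because the metric-1 default route beats the metric-31 one.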
Don't add default gateway across disjoint networks
It is not recommended that you add default gateways across disjoint networks, such as on proxy servers and multihomed servers that are typically configured to connect two or more subnets: one public Internet and one or more private intranets. In this situation, you should not assign default gateways on the private interfaces, as doing so may result in improper routing on your network.
Is it possible both sites of the VPN using the same IP range
In principle, you should not set up both sites to use the same IP range. However, if this is the case, what you can do is modify the routing table manually and accordingly. For the consultants, refer to case 121504RL.
Metric is the same for both the remote gateway and the local gateway
Symptom: Whenever I connect to the VPN server, the routing table on my laptop shows that the interface metric is the same for both the remote gateway and the local gateway, and I can't access the remote network.
Resolution: if you unchecked the "use default gateway on remote network" option in the properties of the VPN connection and set the Automatic Metric manually, you may end up with the same metric on both. Check the "use default gateway on remote network" option and you should be able to access the remote network.
One router goes to the corporation email server and another one goes to the Internet
Symptoms: you have one router connecting to the corporation for email and Internet access. However, the corporate proxy server filters web sites and watches your access. So you add another router for Internet access and want to use the corporate router for email only, but the traffic always goes to the corporation router.
Resolution: you need to modify the routing table. Make all traffic go to the Internet router, and point only the corporation IP range (where the email server is) at the corporation router. For consultants, refer to the case 110104TC.
Route command and examples
PRINT   Prints a route.             route PRINT 157*  (only prints routes matching 157*)
ADD     Adds a route.               route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
DELETE  Deletes a route.            route DELETE 157.0.0.0
CHANGE  Modifies an existing route. route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2
Routing issue if the LAN and VPN are in different subnets
If your LAN is 10.0.0.0 and the VPN is 192.168.1.0, you must enable the RRAS server as a LAN router as well as a remote access server.
Understanding Route Automatic Metric
The Automatic Metric feature is enabled by default in XP, and it can also be configured manually to assign a specific metric if the routing table contains multiple routes for the same destination. For example, if you have a computer with a 10 MB NIC and a 100 MB NIC, and a default gateway is configured on both NICs, you may want to assign a higher metric to the slower NIC. This forces all of the traffic to use the faster NIC to access the Internet; the traffic will use the slower NIC only if the faster NIC is not available. Also refer to MS Q299540.
Routing order
If you have two NICs in the same subnet on one w2k/xp computer, you may wonder which NIC is being used as the primary NIC to access the Internet. In most cases, when adding a second NIC to a w2k/xp computer, the first one remains the primary NIC. You may change the order by going to the Advanced menu of Network Connections > Advanced Settings > Adapters and Bindings. If that setting doesn't work (by default, the faster NIC is chosen as the primary NIC), or if you want to override it, you can assign a metric number manually by going to the Properties of the Network Connection > Properties of Internet Protocol (TCP/IP) > Advanced.
We have a PIX 515. What's the command to block outside people ping public ip?
To block outside people from pinging your public IP, do one of the following:
1) By default, it should deny pings.
2) conduit permit icmp any any echo-reply, and icmp deny any echo outside.
3) access-list acl_outside deny icmp any OUTSIDE_IP_ADDR.
4) access-list acl_outside deny icmp any any.